Edit tour

Windows Analysis Report
AyBhhRZXPj

Overview

General Information

Sample Name:	AyBhhRZXPj (renamed file extension from none to dll)
Analysis ID:	595303
MD5:	518cc4a9888e76bc1a916fd67a08a075
SHA1:	148d6f12f12a0cae195f36f4319839f6687b7144
SHA256:	57b0d95f62fc7999dd21b6a0aef4087ad855ccb2d28b99463ee6c88ddf037009
Tags:	Dridexexe
Infos:

Detection

Dridex

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Yara detected Dridex unpacked file

Multi AV Scanner detection for submitted file

Benign windows process drops PE files

Antivirus / Scanner detection for submitted sample

Antivirus detection for dropped file

Changes memory attributes in foreign processes to executable or writable

Machine Learning detection for sample

Queues an APC in another process (thread injection)

Sigma detected: Suspicious Call by Ordinal

Machine Learning detection for dropped file

Uses Atom Bombing / ProGate to inject into other processes

Queries the volume information (name, serial number etc) of a device

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to query locales information (e.g. system language)

May sleep (evasive loops) to hinder dynamic analysis

PE file contains sections with non-standard names

Queries the installation date of Windows

Detected potential crypto function

Found potential string decryption / allocating functions

Contains functionality to call native functions

Contains functionality to dynamically determine API calls

Found dropped PE file which has not been started or loaded

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Installs a raw input device (often for capturing keystrokes)

PE file contains strange resources

Drops PE files

Tries to load missing DLLs

Found evasive API chain checking for process token information

Binary contains a suspicious time stamp

PE file contains more sections than normal

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

Found large amount of non-executed APIs

Uses Microsoft's Enhanced Cryptographic Provider

Creates a process in suspended mode (likely to inject code)

Contains functionality to simulate mouse events

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to block mouse and keyboard input (often used to hinder debugging)

Classification

Process Tree

System is w10x64

loaddll64.exe (PID: 6608 cmdline: loaddll64.exe "C:\Users\user\Desktop\AyBhhRZXPj.dll" MD5: 4E8A40CAD6CCC047914E3A7830A2D8AA)

cmd.exe (PID: 6620 cmdline: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\AyBhhRZXPj.dll",#1 MD5: 4E2ACF4F8A396486AB4268C94A6A245F)

rundll32.exe (PID: 6640 cmdline: rundll32.exe "C:\Users\user\Desktop\AyBhhRZXPj.dll",#1 MD5: 73C519F050C20580F8A62C849D49215A)

rundll32.exe (PID: 6632 cmdline: rundll32.exe C:\Users\user\Desktop\AyBhhRZXPj.dll,ApplyCompatResolutionQuirking MD5: 73C519F050C20580F8A62C849D49215A)

explorer.exe (PID: 3968 cmdline: C:\Windows\Explorer.EXE MD5: AD5296B280E8F522A8A897C96BAB0E1D)

Magnify.exe (PID: 5372 cmdline: C:\Windows\system32\Magnify.exe MD5: F97BE20B374457236666607EE4BA7F7F)

FileHistory.exe (PID: 5788 cmdline: C:\Windows\system32\FileHistory.exe MD5: 989B5BDB2BEAC9F894BBC236F1B67967)

FileHistory.exe (PID: 7004 cmdline: C:\Users\user\AppData\Local\u70W8\FileHistory.exe MD5: 989B5BDB2BEAC9F894BBC236F1B67967)

RdpSa.exe (PID: 7028 cmdline: C:\Windows\system32\RdpSa.exe MD5: 0795B6F790F8E52D55F39E593E9C5BBA)

mspaint.exe (PID: 7064 cmdline: C:\Windows\system32\mspaint.exe MD5: 99F86A0D360FD9A3FCAD6B1E7D92A90C)

mspaint.exe (PID: 4576 cmdline: C:\Users\user\AppData\Local\NYpervHTp\mspaint.exe MD5: 99F86A0D360FD9A3FCAD6B1E7D92A90C)

mmc.exe (PID: 6244 cmdline: C:\Windows\system32\mmc.exe MD5: BA80301974CC8C4FB9F3F9DDB5905C30)

EaseOfAccessDialog.exe (PID: 6176 cmdline: C:\Windows\system32\EaseOfAccessDialog.exe MD5: F87F2E5EBF3FFBA39DF1621B5F8689B5)

unregmp2.exe (PID: 4948 cmdline: C:\Windows\system32\unregmp2.exe MD5: 9B517303C58CA8A450B97B0D71594CBB)

unregmp2.exe (PID: 4908 cmdline: C:\Users\user\AppData\Local\vVin\unregmp2.exe MD5: 9B517303C58CA8A450B97B0D71594CBB)

omadmclient.exe (PID: 6340 cmdline: C:\Windows\system32\omadmclient.exe MD5: AD7C6CD7A8EEC95808AA77C5D7987941)

omadmclient.exe (PID: 6392 cmdline: C:\Users\user\AppData\Local\iv505rrw\omadmclient.exe MD5: AD7C6CD7A8EEC95808AA77C5D7987941)

SystemPropertiesPerformance.exe (PID: 4040 cmdline: C:\Windows\system32\SystemPropertiesPerformance.exe MD5: F325976CDC0F7E9C680B51B35D24D23A)

eudcedit.exe (PID: 6164 cmdline: C:\Windows\system32\eudcedit.exe MD5: 0ED10F2F98B80FF9F95EED2B04CFA076)

GamePanel.exe (PID: 5244 cmdline: C:\Windows\system32\GamePanel.exe MD5: 4EF330EFAE954723B1F2800C15FDA7EB)

GamePanel.exe (PID: 5832 cmdline: C:\Users\user\AppData\Local\Odp\GamePanel.exe MD5: 4EF330EFAE954723B1F2800C15FDA7EB)

rundll32.exe (PID: 6724 cmdline: rundll32.exe C:\Users\user\Desktop\AyBhhRZXPj.dll,CompatString MD5: 73C519F050C20580F8A62C849D49215A)

rundll32.exe (PID: 6868 cmdline: rundll32.exe C:\Users\user\Desktop\AyBhhRZXPj.dll,CompatValue MD5: 73C519F050C20580F8A62C849D49215A)

cleanup

Yara Signatures

Memory Dumps

Source	Rule	Description	Author
00000003.00000002.254650738.00007FFC670C1000.00000020.00000001.01000000.00000003.sdmp	JoeSecurity_Dridex_2	Yara detected Dridex unpacked file	Joe Security
00000000.00000002.274237724.00007FFC670C1000.00000020.00000001.01000000.00000003.sdmp	JoeSecurity_Dridex_2	Yara detected Dridex unpacked file	Joe Security
00000008.00000002.268092209.00007FFC670C1000.00000020.00000001.01000000.00000003.sdmp	JoeSecurity_Dridex_2	Yara detected Dridex unpacked file	Joe Security
00000023.00000002.497477137.00007FFC74C21000.00000020.00000001.01000000.00000010.sdmp	JoeSecurity_Dridex_2	Yara detected Dridex unpacked file	Joe Security
00000005.00000002.260480210.00007FFC670C1000.00000020.00000001.01000000.00000003.sdmp	JoeSecurity_Dridex_2	Yara detected Dridex unpacked file	Joe Security
00000002.00000002.363013775.00007FFC670C1000.00000020.00000001.01000000.00000003.sdmp	JoeSecurity_Dridex_2	Yara detected Dridex unpacked file	Joe Security
00000029.00000002.566763440.00007FFC678E1000.00000020.00000001.01000000.00000014.sdmp	JoeSecurity_Dridex_2	Yara detected Dridex unpacked file	Joe Security
00000019.00000002.457997826.00007FFC74C11000.00000020.00000001.01000000.0000000E.sdmp	JoeSecurity_Dridex_2	Yara detected Dridex unpacked file	Joe Security
00000025.00000002.528095549.00007FFC74C21000.00000020.00000001.01000000.00000012.sdmp	JoeSecurity_Dridex_2	Yara detected Dridex unpacked file	Joe Security
00000015.00000002.383767376.00007FFC74C21000.00000020.00000001.01000000.0000000A.sdmp	JoeSecurity_Dridex_2	Yara detected Dridex unpacked file	Joe Security
Click to see the 5 entries

Unpacked PEs

Source	Rule	Description	Author
8.2.rundll32.exe.7ffc670c0000.2.unpack	JoeSecurity_Dridex_2	Yara detected Dridex unpacked file	Joe Security
35.2.unregmp2.exe.7ffc74c20000.3.unpack	JoeSecurity_Dridex_2	Yara detected Dridex unpacked file	Joe Security
21.2.FileHistory.exe.7ffc74c20000.3.unpack	JoeSecurity_Dridex_2	Yara detected Dridex unpacked file	Joe Security
37.2.omadmclient.exe.7ffc74c20000.3.unpack	JoeSecurity_Dridex_2	Yara detected Dridex unpacked file	Joe Security
5.2.rundll32.exe.7ffc670c0000.2.unpack	JoeSecurity_Dridex_2	Yara detected Dridex unpacked file	Joe Security
41.2.GamePanel.exe.7ffc678e0000.3.unpack	JoeSecurity_Dridex_2	Yara detected Dridex unpacked file	Joe Security
25.2.mspaint.exe.7ffc74c10000.3.unpack	JoeSecurity_Dridex_2	Yara detected Dridex unpacked file	Joe Security
2.2.rundll32.exe.7ffc670c0000.2.unpack	JoeSecurity_Dridex_2	Yara detected Dridex unpacked file	Joe Security
0.2.loaddll64.exe.7ffc670c0000.2.unpack	JoeSecurity_Dridex_2	Yara detected Dridex unpacked file	Joe Security
3.2.rundll32.exe.7ffc670c0000.2.unpack	JoeSecurity_Dridex_2	Yara detected Dridex unpacked file	Joe Security
Click to see the 5 entries

Sigma Signatures

System Summary

Sigma detected: Suspicious Call by Ordinal

Source: Process started

Author: Florian Roth: Data: Command: rundll32.exe "C:\Users\user\Desktop\AyBhhRZXPj.dll",#1, CommandLine: rundll32.exe "C:\Users\user\Desktop\AyBhhRZXPj.dll",#1, CommandLine|base64offset|contains: , Image: C:\Windows\System32\rundll32.exe, NewProcessName: C:\Windows\System32\rundll32.exe, OriginalFileName: C:\Windows\System32\rundll32.exe, ParentCommandLine: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\AyBhhRZXPj.dll",#1, ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 6620, ProcessCommandLine: rundll32.exe "C:\Users\user\Desktop\AyBhhRZXPj.dll",#1, ProcessId: 6640

Source: File created

Author: frack113: Data: EventID: 11, Image: C:\Windows\explorer.exe, ProcessId: 3968, TargetFilename: C:\Users\user\AppData\Local\u70W8\FileHistory.exe

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: AyBhhRZXPj.dll	Virustotal: Detection: 70%	Perma Link
Source: AyBhhRZXPj.dll	Metadefender: Detection: 62%	Perma Link
Source: AyBhhRZXPj.dll	ReversingLabs: Detection: 88%

Antivirus / Scanner detection for submitted sample

Source: AyBhhRZXPj.dll

Avira: detected

Antivirus detection for dropped file

Source: C:\Users\user\AppData\Local\Odp\dwmapi.dll	Avira: detection malicious, Label: TR/Crypt.XPACK.Gen7
Source: C:\Users\user\AppData\Local\u70W8\UxTheme.dll	Avira: detection malicious, Label: TR/Crypt.ZPACK.Gen
Source: C:\Users\user\AppData\Local\NYpervHTp\MFC42u.dll	Avira: detection malicious, Label: TR/Crypt.ZPACK.Gen
Source: C:\Users\user\AppData\Local\iv505rrw\XmlLite.dll	Avira: detection malicious, Label: TR/Crypt.XPACK.Gen7
Source: C:\Users\user\AppData\Local\pkru2Wsoo\VERSION.dll	Avira: detection malicious, Label: TR/Crypt.ZPACK.Gen
Source: C:\Users\user\AppData\Local\pkru2Wsoo\VERSION.dll	Avira: detection malicious, Label: TR/Crypt.ZPACK.Gen
Source: C:\Users\user\AppData\Local\QpruqOk1\DUI70.dll	Avira: detection malicious, Label: TR/Crypt.XPACK.Gen4
Source: C:\Users\user\AppData\Local\rgsL2C4\WTSAPI32.dll	Avira: detection malicious, Label: TR/Crypt.ZPACK.Gen

Machine Learning detection for sample

Source: AyBhhRZXPj.dll

Joe Sandbox ML: detected

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Local\Odp\dwmapi.dll	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\u70W8\UxTheme.dll	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\NYpervHTp\MFC42u.dll	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\iv505rrw\XmlLite.dll	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\pkru2Wsoo\VERSION.dll	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\pkru2Wsoo\VERSION.dll	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\QpruqOk1\DUI70.dll	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\rgsL2C4\WTSAPI32.dll	Joe Sandbox ML: detected

Source: C:\Users\user\AppData\Local\iv505rrw\omadmclient.exe	Code function: 37_2_00007FF6BFA5C7B8 CryptDecryptMessage,GetLastError,LocalAlloc,CryptDecryptMessage,GetLastError,LocalFree,
Source: C:\Users\user\AppData\Local\iv505rrw\omadmclient.exe	Code function: 37_2_00007FF6BFA43EE8 CryptAcquireContextW,GetLastError,CryptReleaseContext,SetLastError,CryptAcquireContextW,GetLastError,CryptCreateHash,GetLastError,CryptCreateHash,GetLastError,CryptCreateHash,CryptHashData,CryptGetHashParam,GetLastError,EncodeBase64,CryptHashData,CryptHashData,CryptHashData,CryptHashData,CryptGetHashParam,GetLastError,EncodeBase64W,CryptHashData,CryptGetHashParam,GetLastError,EncodeBase64W,LocalFree,??_V@YAXPEAX@Z,CryptDestroyHash,CryptDestroyHash,CryptDestroyHash,CryptReleaseContext,
Source: C:\Users\user\AppData\Local\iv505rrw\omadmclient.exe	Code function: 37_2_00007FF6BFA44540 CryptAcquireContextW,GetLastError,CryptReleaseContext,SetLastError,CryptAcquireContextW,GetLastError,CryptCreateHash,GetLastError,CryptCreateHash,CryptHashData,CryptGetHashParam,GetLastError,EncodeBase64,CryptHashData,CryptHashData,CryptHashData,CryptGetHashParam,GetLastError,EncodeBase64W,??_V@YAXPEAX@Z,CryptDestroyHash,CryptDestroyHash,CryptReleaseContext,
Source: C:\Users\user\AppData\Local\iv505rrw\omadmclient.exe	Code function: 37_2_00007FF6BFA5C5A8 memset,CryptEncryptMessage,GetLastError,LocalAlloc,CryptEncryptMessage,GetLastError,LocalFree,
Source: C:\Users\user\AppData\Local\iv505rrw\omadmclient.exe	Code function: 37_2_00007FF6BFA44528 CryptDestroyHash,
Source: C:\Users\user\AppData\Local\iv505rrw\omadmclient.exe	Code function: 37_2_00007FF6BFA4450C CryptReleaseContext,
Source: C:\Users\user\AppData\Local\iv505rrw\omadmclient.exe	Code function: 37_2_00007FF6BFA5C3D8 CryptVerifyMessageSignature,GetLastError,LocalAlloc,CryptVerifyMessageSignature,GetLastError,LocalFree,
Source: C:\Users\user\AppData\Local\iv505rrw\omadmclient.exe	Code function: 37_2_00007FF6BFA55260 CryptAcquireContextW,GetLastError,CryptReleaseContext,SetLastError,CryptAcquireContextW,GetLastError,LocalAlloc,CryptGenRandom,GetLastError,LocalFree,CryptReleaseContext,
Source: C:\Users\user\AppData\Local\iv505rrw\omadmclient.exe	Code function: 37_2_00007FF6BFA5C1CC memset,CryptSignMessage,GetLastError,LocalAlloc,CryptSignMessage,GetLastError,LocalFree,
Source: C:\Users\user\AppData\Local\iv505rrw\omadmclient.exe	Code function: 37_2_00007FF6BFA5BA30 CryptHashCertificate,GetLastError,
Source: C:\Users\user\AppData\Local\iv505rrw\omadmclient.exe	Code function: 37_2_00007FF6BFA449A8 UnicodeToMB,CryptHashData,GetLastError,??_V@YAXPEAX@Z,
Source: C:\Users\user\AppData\Local\Odp\GamePanel.exe	Code function: 41_2_00007FF76CA68598 CryptAcquireContextW,CryptCreateHash,
Source: C:\Users\user\AppData\Local\Odp\GamePanel.exe	Code function: 41_2_00007FF76CA68610 CryptGetHashParam,memset,
Source: C:\Users\user\AppData\Local\Odp\GamePanel.exe	Code function: 41_2_00007FF76CA68534 CryptDestroyHash,CryptReleaseContext,
Source: C:\Users\user\AppData\Local\Odp\GamePanel.exe	Code function: 41_2_00007FF76CA6874C CryptHashData,
Source: C:\Users\user\AppData\Local\Odp\GamePanel.exe	Code function: 41_2_00007FF76CA688F8 CryptHashData,

Source: AyBhhRZXPj.dll

Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA

Source:	Binary string: mspaint.pdb source: mspaint.exe, 00000019.00000000.419578288.00007FF6EFB78000.00000002.00000001.01000000.0000000D.sdmp, mspaint.exe, 00000019.00000002.455682881.00007FF6EFB78000.00000002.00000001.01000000.0000000D.sdmp
Source:	Binary string: mspaint.pdbGCTL source: mspaint.exe, 00000019.00000000.419578288.00007FF6EFB78000.00000002.00000001.01000000.0000000D.sdmp, mspaint.exe, 00000019.00000002.455682881.00007FF6EFB78000.00000002.00000001.01000000.0000000D.sdmp
Source:	Binary string: unregmp2.pdb source: unregmp2.exe, 00000023.00000002.497335098.00007FF67255B000.00000002.00000001.01000000.0000000F.sdmp, unregmp2.exe, 00000023.00000000.466778419.00007FF67255B000.00000002.00000001.01000000.0000000F.sdmp
Source:	Binary string: GamePanel.pdbGCTL source: GamePanel.exe, 00000029.00000000.542785985.00007FF76CAB7000.00000002.00000001.01000000.00000013.sdmp, GamePanel.exe, 00000029.00000002.566549316.00007FF76CAB7000.00000002.00000001.01000000.00000013.sdmp
Source:	Binary string: FileHistory.pdbGCTL source: FileHistory.exe, 00000015.00000000.378208348.00007FF6811E9000.00000002.00000001.01000000.00000009.sdmp, FileHistory.exe, 00000015.00000002.383485917.00007FF6811E9000.00000002.00000001.01000000.00000009.sdmp
Source:	Binary string: unregmp2.pdbGCTL source: unregmp2.exe, 00000023.00000002.497335098.00007FF67255B000.00000002.00000001.01000000.0000000F.sdmp, unregmp2.exe, 00000023.00000000.466778419.00007FF67255B000.00000002.00000001.01000000.0000000F.sdmp
Source:	Binary string: GamePanel.pdb source: GamePanel.exe, 00000029.00000000.542785985.00007FF76CAB7000.00000002.00000001.01000000.00000013.sdmp, GamePanel.exe, 00000029.00000002.566549316.00007FF76CAB7000.00000002.00000001.01000000.00000013.sdmp
Source:	Binary string: omadmclient.pdb source: omadmclient.exe, 00000025.00000000.504473008.00007FF6BFA68000.00000002.00000001.01000000.00000011.sdmp, omadmclient.exe, 00000025.00000002.528042949.00007FF6BFA68000.00000002.00000001.01000000.00000011.sdmp
Source:	Binary string: omadmclient.pdbGCTL source: omadmclient.exe, 00000025.00000000.504473008.00007FF6BFA68000.00000002.00000001.01000000.00000011.sdmp, omadmclient.exe, 00000025.00000002.528042949.00007FF6BFA68000.00000002.00000001.01000000.00000011.sdmp
Source:	Binary string: FileHistory.pdb source: FileHistory.exe, 00000015.00000000.378208348.00007FF6811E9000.00000002.00000001.01000000.00000009.sdmp, FileHistory.exe, 00000015.00000002.383485917.00007FF6811E9000.00000002.00000001.01000000.00000009.sdmp

Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00007FFC6711ED10 FindFirstFileExW,
Source: C:\Users\user\AppData\Local\NYpervHTp\mspaint.exe	Code function: 25_2_00007FFC74C6ED10 FindFirstFileExW,
Source: C:\Users\user\AppData\Local\vVin\unregmp2.exe	Code function: 35_2_00007FF672546088 FindFirstFileW,PathAddBackslashW,GetShortPathNameW,SHGetFolderPathW,PathAddBackslashW,GetShortPathNameW,GetCurrentDirectoryW,SetCurrentDirectoryW,FindFirstFileW,CoCreateInstance,_wcsicmp,_wcsicmp,_wcsicmp,_wcsicmp,PathRemoveBlanksW,_wcsicmp,FindNextFileW,FindClose,FindFirstFileExW,lstrcmpW,lstrcmpW,FindNextFileW,FindClose,SHChangeNotify,SetCurrentDirectoryW,FindNextFileW,FindClose,RegOpenKeyExW,LoadStringW,RegQueryValueExW,LoadStringW,RegCloseKey,PathAddBackslashW,GetFileAttributesW,RegOpenKeyExW,LoadStringW,RegQueryValueExW,PathAddBackslashW,GetFileAttributesW,RegCloseKey,RegCloseKey,LoadStringW,PathAddBackslashW,GetFileAttributesW,LoadStringW,PathAddBackslashW,GetFileAttributesW,wcsrchr,LoadStringW,PathAddBackslashW,GetFileAttributesW,RegOpenKeyExW,LoadStringW,RegQueryValueExW,PathAddBackslashW,GetFileAttributesW,RegCloseKey,RegCloseKey,LoadStringW,PathAddBackslashW,GetFileAttributesW,LoadStringW,PathAddBackslashW,GetFileAttributesW,wcsrchr,
Source: C:\Users\user\AppData\Local\vVin\unregmp2.exe	Code function: 35_2_00007FF672545B4C PathAddBackslashW,GetShortPathNameW,SHGetFolderPathW,PathAddBackslashW,GetShortPathNameW,GetCurrentDirectoryW,SetCurrentDirectoryW,FindFirstFileW,CoCreateInstance,_wcsicmp,_wcsicmp,_wcsicmp,_wcsicmp,PathRemoveBlanksW,_wcsicmp,FindNextFileW,FindClose,FindFirstFileExW,lstrcmpW,lstrcmpW,FindNextFileW,FindClose,SHChangeNotify,SetCurrentDirectoryW,
Source: C:\Users\user\AppData\Local\vVin\unregmp2.exe	Code function: 35_2_00007FF672548BFC CoInitialize,PathAddBackslashW,GetShortPathNameW,SHGetFolderPathW,PathAddBackslashW,GetShortPathNameW,GetCurrentDirectoryW,SetCurrentDirectoryW,FindFirstFileW,CoCreateInstance,_wcsicmp,_wcsicmp,_wcsicmp,_wcsicmp,PathRemoveBlanksW,_wcsicmp,FindNextFileW,FindClose,FindFirstFileExW,lstrcmpW,lstrcmpW,FindNextFileW,FindClose,SHChangeNotify,SetCurrentDirectoryW,PathAddBackslashW,GetShortPathNameW,SHGetFolderPathW,PathAddBackslashW,GetShortPathNameW,GetCurrentDirectoryW,SetCurrentDirectoryW,FindFirstFileW,CoCreateInstance,_wcsicmp,_wcsicmp,_wcsicmp,_wcsicmp,PathRemoveBlanksW,_wcsicmp,FindNextFileW,FindClose,SHChangeNotify,SetCurrentDirectoryW,PathAddBackslashW,GetShortPathNameW,SHGetFolderPathW,PathAddBackslashW,GetShortPathNameW,GetCurrentDirectoryW,SetCurrentDirectoryW,FindFirstFileW,CoCreateInstance,_wcsicmp,_wcsicmp,_wcsicmp,_wcsicmp,PathRemoveBlanksW,_wcsicmp,FindNextFileW,FindClose,FindFirstFileExW,lstrcmpW,lstrcmpW,FindNextFileW,FindClose,SHChangeNotify,SetCurrentDirectoryW,PathAddBackslashW,GetShortPathNameW,SHGetFolderPathW,PathAddBackslashW,GetShortPathNameW,GetCurrentDirectoryW,SetCurrentDirectoryW,FindFirstFileW,CoCreateInstance,_wcsicmp,_wcsicmp,_wcsicmp,_wcsicmp,PathRemoveBlanksW,_wcsicmp,FindNextFileW,FindClose,FindFirstFileExW,lstrcmpW,lstrcmpW,FindNextFileW,FindClose,SHChangeNotify,SetCurrentDirectoryW,PathAddBackslashW,GetShortPathNameW,SHGetFolderPathW,PathAddBackslashW,GetShortPathNameW,GetCurrentDirectoryW,SetCurrentDirectoryW,FindFirstFileW,CoCreateInstance,_wcsicmp,_wcsicmp,_wcsicmp,_wcsicmp,PathRemoveBlanksW,_wcsicmp,FindNextFileW,FindClose,FindFirstFileExW,lstrcmpW,lstrcmpW,FindNextFileW,FindClose,SHChangeNotify,SetCurrentDirectoryW,PathAddBackslashW,GetShortPathNameW,SHGetFolderPathW,PathAddBackslashW,GetShortPathNameW,GetCurrentDirectoryW,SetCurrentDirectoryW,FindFirstFileW,CoCreateInstance,_wcsicmp,_wcsicmp,_wcsicmp,_wcsicmp,PathRemoveBlanksW,_wcsicmp,FindNextFileW,FindClose,FindFirstFileExW,lstrcmpW,lstrcmpW,FindNextFileW,FindClose,SHChangeNotify,SetCurrentDirectoryW,PathAddBackslashW,GetShortPathNameW,SHGetFolderPathW,PathAddBackslashW,GetShortPathNameW,GetCurrentDirectoryW,SetCurrentDirectoryW,FindFirstFileW,CoCreateInstance,_wcsicmp,_wcsicmp,_wcsicmp,_wcsicmp,PathRemoveBlanksW,_wcsicmp,FindNextFileW,FindClose,FindFirstFileExW,lstrcmpW,lstrcmpW,FindNextFileW,FindClose,SHChangeNotify,SetCurrentDirectoryW,CoUninitialize,
Source: C:\Users\user\AppData\Local\vVin\unregmp2.exe	Code function: 35_2_00007FF6725472E8 RegOpenKeyExW,RegQueryValueExW,SHChangeNotify,RegDeleteValueW,wcsrchr,PathAddBackslashW,GetShortPathNameW,SHGetFolderPathW,PathAddBackslashW,GetShortPathNameW,GetCurrentDirectoryW,SetCurrentDirectoryW,FindFirstFileW,CoCreateInstance,_wcsicmp,_wcsicmp,_wcsicmp,_wcsicmp,PathRemoveBlanksW,_wcsicmp,FindNextFileW,FindClose,SHChangeNotify,SetCurrentDirectoryW,RegQueryValueExW,RegCloseKey,
Source: C:\Users\user\AppData\Local\vVin\unregmp2.exe	Code function: 35_2_00007FF6725479C4 SHGetSpecialFolderPathW,PathRemoveFileSpecW,PathRemoveFileSpecW,LoadStringW,PathRemoveFileSpecW,PathAppendW,PathIsDirectoryW,PathRemoveFileSpecW,PathAppendW,PathAppendW,PathAddBackslashW,GetShortPathNameW,SHGetFolderPathW,PathAddBackslashW,GetShortPathNameW,GetCurrentDirectoryW,SetCurrentDirectoryW,FindFirstFileW,CoCreateInstance,_wcsicmp,_wcsicmp,_wcsicmp,_wcsicmp,PathRemoveBlanksW,_wcsicmp,FindNextFileW,FindClose,SHChangeNotify,SetCurrentDirectoryW,

Source: GamePanel.exe	String found in binary or memory: https://MediaData.XboxLive.com/broadcasts/Augment
Source: GamePanel.exe, 00000029.00000000.542785985.00007FF76CAB7000.00000002.00000001.01000000.00000013.sdmp, GamePanel.exe, 00000029.00000002.566549316.00007FF76CAB7000.00000002.00000001.01000000.00000013.sdmp	String found in binary or memory: https://MediaData.XboxLive.com/broadcasts/Augmenthttps://MediaData.XboxLive.com/screenshots/Augmenth
Source: GamePanel.exe	String found in binary or memory: https://MediaData.XboxLive.com/gameclips/Augment
Source: GamePanel.exe	String found in binary or memory: https://MediaData.XboxLive.com/screenshots/Augment
Source: GamePanel.exe	String found in binary or memory: https://aka.ms/ifg0es
Source: GamePanel.exe	String found in binary or memory: https://aka.ms/imfx4k
Source: GamePanel.exe	String found in binary or memory: https://aka.ms/imrx2o
Source: GamePanel.exe	String found in binary or memory: https://aka.ms/v5do45
Source: GamePanel.exe	String found in binary or memory: https://aka.ms/w5ryqn
Source: GamePanel.exe, 00000029.00000000.542785985.00007FF76CAB7000.00000002.00000001.01000000.00000013.sdmp, GamePanel.exe, 00000029.00000002.566549316.00007FF76CAB7000.00000002.00000001.01000000.00000013.sdmp	String found in binary or memory: https://aka.ms/w5ryqnhttps://aka.ms/imfx4kQUITTING
Source: GamePanel.exe, GamePanel.exe, 00000029.00000000.542785985.00007FF76CAB7000.00000002.00000001.01000000.00000013.sdmp, GamePanel.exe, 00000029.00000002.566549316.00007FF76CAB7000.00000002.00000001.01000000.00000013.sdmp	String found in binary or memory: https://aka.ms/wk9ocd
Source: GamePanel.exe	String found in binary or memory: https://mixer.com/%ws
Source: GamePanel.exe, 00000029.00000000.542785985.00007FF76CAB7000.00000002.00000001.01000000.00000013.sdmp, GamePanel.exe, 00000029.00000002.566549316.00007FF76CAB7000.00000002.00000001.01000000.00000013.sdmp	String found in binary or memory: https://mixer.com/%wsWindows.System.Launcher
Source: GamePanel.exe	String found in binary or memory: https://mixer.com/_latest/assets/emoticons/%ls.png
Source: GamePanel.exe, 00000029.00000000.542785985.00007FF76CAB7000.00000002.00000001.01000000.00000013.sdmp, GamePanel.exe, 00000029.00000002.566549316.00007FF76CAB7000.00000002.00000001.01000000.00000013.sdmp	String found in binary or memory: https://mixer.com/_latest/assets/emoticons/%ls.pngtitleIdaumIdkglIdprocessNamenametypeIdmultimedia
Source: GamePanel.exe, GamePanel.exe, 00000029.00000000.542785985.00007FF76CAB7000.00000002.00000001.01000000.00000013.sdmp, GamePanel.exe, 00000029.00000002.566549316.00007FF76CAB7000.00000002.00000001.01000000.00000013.sdmp	String found in binary or memory: https://mixer.com/api/v1/broadcasts/current
Source: GamePanel.exe	String found in binary or memory: https://mixer.com/api/v1/channels/%d
Source: GamePanel.exe	String found in binary or memory: https://mixer.com/api/v1/channels/%ws
Source: GamePanel.exe	String found in binary or memory: https://mixer.com/api/v1/chats/%.0f
Source: GamePanel.exe, 00000029.00000000.542785985.00007FF76CAB7000.00000002.00000001.01000000.00000013.sdmp, GamePanel.exe, 00000029.00000002.566549316.00007FF76CAB7000.00000002.00000001.01000000.00000013.sdmp	String found in binary or memory: https://mixer.com/api/v1/chats/%.0fhttps://mixer.com/api/v1/users/currentBEAM_IMAGEGamesGuide::BeamC
Source: GamePanel.exe	String found in binary or memory: https://mixer.com/api/v1/oauth/xbl/login
Source: GamePanel.exe	String found in binary or memory: https://mixer.com/api/v1/types/lookup%ws
Source: GamePanel.exe, 00000029.00000000.542785985.00007FF76CAB7000.00000002.00000001.01000000.00000013.sdmp, GamePanel.exe, 00000029.00000002.566549316.00007FF76CAB7000.00000002.00000001.01000000.00000013.sdmp	String found in binary or memory: https://mixer.com/api/v1/types/lookup%wshttps://mixer.com/api/v1/channels/%wshttps://mixer.com/api/v
Source: GamePanel.exe	String found in binary or memory: https://mixer.com/api/v1/users/current
Source: GamePanel.exe	String found in binary or memory: https://profile.xboxlive.com/users/me/profile/settings?settings=GameDisplayPicRaw
Source: GamePanel.exe	String found in binary or memory: https://www.xboxlive.com
Source: GamePanel.exe, 00000029.00000000.542785985.00007FF76CAB7000.00000002.00000001.01000000.00000013.sdmp, GamePanel.exe, 00000029.00000002.566549316.00007FF76CAB7000.00000002.00000001.01000000.00000013.sdmp	String found in binary or memory: https://www.xboxlive.comMBI_SSLhttps://profile.xboxlive.com/users/me/profile/settings?settings=GameD

Source: C:\Users\user\AppData\Local\Odp\GamePanel.exe

Code function: 41_2_00007FF76CAA45E0 UiaReturnRawElementProvider,GetRawInputData,GetMessageExtraInfo,GetMessageExtraInfo,SendMessageW,SendMessageW,MulDiv,#413,Concurrency::cancel_current_task,

E-Banking Fraud

Yara detected Dridex unpacked file

Source: Yara match	File source: 8.2.rundll32.exe.7ffc670c0000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 35.2.unregmp2.exe.7ffc74c20000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 21.2.FileHistory.exe.7ffc74c20000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 37.2.omadmclient.exe.7ffc74c20000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.rundll32.exe.7ffc670c0000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 41.2.GamePanel.exe.7ffc678e0000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 25.2.mspaint.exe.7ffc74c10000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.rundll32.exe.7ffc670c0000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.loaddll64.exe.7ffc670c0000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.rundll32.exe.7ffc670c0000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000002.254650738.00007FFC670C1000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.274237724.00007FFC670C1000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.268092209.00007FFC670C1000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000023.00000002.497477137.00007FFC74C21000.00000020.00000001.01000000.00000010.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.260480210.00007FFC670C1000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.363013775.00007FFC670C1000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000029.00000002.566763440.00007FFC678E1000.00000020.00000001.01000000.00000014.sdmp, type: MEMORY
Source: Yara match	File source: 00000019.00000002.457997826.00007FFC74C11000.00000020.00000001.01000000.0000000E.sdmp, type: MEMORY
Source: Yara match	File source: 00000025.00000002.528095549.00007FFC74C21000.00000020.00000001.01000000.00000012.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000002.383767376.00007FFC74C21000.00000020.00000001.01000000.0000000A.sdmp, type: MEMORY

Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00007FFC671097D0
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00007FFC670F5020
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00007FFC6711DDC0
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00007FFC67127650
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00007FFC6712D520
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00007FFC6710A2C0
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00007FFC670F59F0
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00007FFC670FAA70
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00007FFC6710CA50
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00007FFC670E7880
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00007FFC67113150
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00007FFC6713B7A0
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00007FFC670C6790
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00007FFC6712C780
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00007FFC6713EF80
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00007FFC670EE7B0
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00007FFC670DA7D0
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00007FFC67134FF0
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00007FFC670D8FC0
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00007FFC670E6FE0
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00007FFC670C1010
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00007FFC670E4800
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00007FFC670EC030
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00007FFC670F0020
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00007FFC670E5050
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00007FFC6710F870
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00007FFC67115840
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00007FFC670FF870
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00007FFC670C6E90
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00007FFC6712A6B0
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00007FFC670C7E80
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00007FFC670EF6B0
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00007FFC670F06A0
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00007FFC67127EC0
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00007FFC67120F30
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00007FFC670E872B
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00007FFC67125760
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00007FFC670E2F50
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00007FFC6713BF6F
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00007FFC67120770
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00007FFC670DE770
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00007FFC670CC5A0
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00007FFC670D95C0
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00007FFC670F25C0
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00007FFC670D65E0
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00007FFC670E3610
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00007FFC670F2E10
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00007FFC670CDE20
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00007FFC670C1620
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00007FFC670D8670
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00007FFC67110650
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00007FFC6712E49D
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00007FFC67122CA0
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00007FFC6712E4A6
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00007FFC6712E4AD
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00007FFC6712E4B6
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00007FFC670EAC80
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00007FFC6712E48B
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00007FFC6712A490
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00007FFC6712E494
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00007FFC670D3CD0
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00007FFC670F5CD0
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00007FFC670F3CF0
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00007FFC670F0D10
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00007FFC670F1D30
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00007FFC670E3D50
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00007FFC670ED550
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00007FFC670D9D70
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00007FFC67124390
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00007FFC67114BC0
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00007FFC670D23F0
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00007FFC670D7410
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00007FFC6712E400
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00007FFC67129410
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00007FFC670D5420
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00007FFC670C5C20
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00007FFC671282A0
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00007FFC6712AAA0
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00007FFC670EDAA0
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00007FFC67122AE0
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00007FFC67127AF0
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00007FFC670E92C0
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00007FFC6711F2C0
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00007FFC670E82E0
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00007FFC670FBAE0
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00007FFC670EA310
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00007FFC670F0300
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00007FFC670F1B30
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00007FFC670CBB20
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00007FFC670C5350
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00007FFC670E3340
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00007FFC670D8340
Source: C:\Users\user\AppData\Local\u70W8\FileHistory.exe	Code function: 21_2_00007FFC74C55CD0
Source: C:\Users\user\AppData\Local\u70W8\FileHistory.exe	Code function: 21_2_00007FFC74C7DDC0
Source: C:\Users\user\AppData\Local\u70W8\FileHistory.exe	Code function: 21_2_00007FFC74C55020
Source: C:\Users\user\AppData\Local\u70W8\FileHistory.exe	Code function: 21_2_00007FFC74C6CA50
Source: C:\Users\user\AppData\Local\u70W8\FileHistory.exe	Code function: 21_2_00007FFC74C5AA70
Source: C:\Users\user\AppData\Local\u70W8\FileHistory.exe	Code function: 21_2_00007FFC74C6A2C0
Source: C:\Users\user\AppData\Local\u70W8\FileHistory.exe	Code function: 21_2_00007FFC74C4D550
Source: C:\Users\user\AppData\Local\u70W8\FileHistory.exe	Code function: 21_2_00007FFC74C43D50
Source: C:\Users\user\AppData\Local\u70W8\FileHistory.exe	Code function: 21_2_00007FFC74C39D70
Source: C:\Users\user\AppData\Local\u70W8\FileHistory.exe	Code function: 21_2_00007FFC74C50D10
Source: C:\Users\user\AppData\Local\u70W8\FileHistory.exe	Code function: 21_2_00007FFC74C51D30
Source: C:\Users\user\AppData\Local\u70W8\FileHistory.exe	Code function: 21_2_00007FFC74C8D520
Source: C:\Users\user\AppData\Local\u70W8\FileHistory.exe	Code function: 21_2_00007FFC74C33CD0
Source: C:\Users\user\AppData\Local\u70W8\FileHistory.exe	Code function: 21_2_00007FFC74C53CF0
Source: C:\Users\user\AppData\Local\u70W8\FileHistory.exe	Code function: 21_2_00007FFC74C4AC80
Source: C:\Users\user\AppData\Local\u70W8\FileHistory.exe	Code function: 21_2_00007FFC74C82CA0
Source: C:\Users\user\AppData\Local\u70W8\FileHistory.exe	Code function: 21_2_00007FFC74C70650
Source: C:\Users\user\AppData\Local\u70W8\FileHistory.exe	Code function: 21_2_00007FFC74C87650
Source: C:\Users\user\AppData\Local\u70W8\FileHistory.exe	Code function: 21_2_00007FFC74C38670
Source: C:\Users\user\AppData\Local\u70W8\FileHistory.exe	Code function: 21_2_00007FFC74C52E10
Source: C:\Users\user\AppData\Local\u70W8\FileHistory.exe	Code function: 21_2_00007FFC74C43610
Source: C:\Users\user\AppData\Local\u70W8\FileHistory.exe	Code function: 21_2_00007FFC74C21620
Source: C:\Users\user\AppData\Local\u70W8\FileHistory.exe	Code function: 21_2_00007FFC74C2DE20
Source: C:\Users\user\AppData\Local\u70W8\FileHistory.exe	Code function: 21_2_00007FFC74C525C0
Source: C:\Users\user\AppData\Local\u70W8\FileHistory.exe	Code function: 21_2_00007FFC74C395C0
Source: C:\Users\user\AppData\Local\u70W8\FileHistory.exe	Code function: 21_2_00007FFC74C365E0
Source: C:\Users\user\AppData\Local\u70W8\FileHistory.exe	Code function: 21_2_00007FFC74C2C5A0
Source: C:\Users\user\AppData\Local\u70W8\FileHistory.exe	Code function: 21_2_00007FFC74C42F50
Source: C:\Users\user\AppData\Local\u70W8\FileHistory.exe	Code function: 21_2_00007FFC74C80770
Source: C:\Users\user\AppData\Local\u70W8\FileHistory.exe	Code function: 21_2_00007FFC74C3E770
Source: C:\Users\user\AppData\Local\u70W8\FileHistory.exe	Code function: 21_2_00007FFC74C85760
Source: C:\Users\user\AppData\Local\u70W8\FileHistory.exe	Code function: 21_2_00007FFC74C80F30
Source: C:\Users\user\AppData\Local\u70W8\FileHistory.exe	Code function: 21_2_00007FFC74C4872B
Source: C:\Users\user\AppData\Local\u70W8\FileHistory.exe	Code function: 21_2_00007FFC74C87EC0
Source: C:\Users\user\AppData\Local\u70W8\FileHistory.exe	Code function: 21_2_00007FFC74C26E90
Source: C:\Users\user\AppData\Local\u70W8\FileHistory.exe	Code function: 21_2_00007FFC74C27E80
Source: C:\Users\user\AppData\Local\u70W8\FileHistory.exe	Code function: 21_2_00007FFC74C4F6B0
Source: C:\Users\user\AppData\Local\u70W8\FileHistory.exe	Code function: 21_2_00007FFC74C506A0
Source: C:\Users\user\AppData\Local\u70W8\FileHistory.exe	Code function: 21_2_00007FFC74C45050
Source: C:\Users\user\AppData\Local\u70W8\FileHistory.exe	Code function: 21_2_00007FFC74C75840
Source: C:\Users\user\AppData\Local\u70W8\FileHistory.exe	Code function: 21_2_00007FFC74C5F870
Source: C:\Users\user\AppData\Local\u70W8\FileHistory.exe	Code function: 21_2_00007FFC74C21010
Source: C:\Users\user\AppData\Local\u70W8\FileHistory.exe	Code function: 21_2_00007FFC74C44800
Source: C:\Users\user\AppData\Local\u70W8\FileHistory.exe	Code function: 21_2_00007FFC74C4C030
Source: C:\Users\user\AppData\Local\u70W8\FileHistory.exe	Code function: 21_2_00007FFC74C50020
Source: C:\Users\user\AppData\Local\u70W8\FileHistory.exe	Code function: 21_2_00007FFC74C697D0
Source: C:\Users\user\AppData\Local\u70W8\FileHistory.exe	Code function: 21_2_00007FFC74C3A7D0
Source: C:\Users\user\AppData\Local\u70W8\FileHistory.exe	Code function: 21_2_00007FFC74C38FC0
Source: C:\Users\user\AppData\Local\u70W8\FileHistory.exe	Code function: 21_2_00007FFC74C94FF0
Source: C:\Users\user\AppData\Local\u70W8\FileHistory.exe	Code function: 21_2_00007FFC74C46FE0
Source: C:\Users\user\AppData\Local\u70W8\FileHistory.exe	Code function: 21_2_00007FFC74C26790
Source: C:\Users\user\AppData\Local\u70W8\FileHistory.exe	Code function: 21_2_00007FFC74C9EF80
Source: C:\Users\user\AppData\Local\u70W8\FileHistory.exe	Code function: 21_2_00007FFC74C4E7B0
Source: C:\Users\user\AppData\Local\u70W8\FileHistory.exe	Code function: 21_2_00007FFC74C9B7A0
Source: C:\Users\user\AppData\Local\u70W8\FileHistory.exe	Code function: 21_2_00007FFC74C73150
Source: C:\Users\user\AppData\Local\u70W8\FileHistory.exe	Code function: 21_2_00007FFC74C86950
Source: C:\Users\user\AppData\Local\u70W8\FileHistory.exe	Code function: 21_2_00007FFC74C44140
Source: C:\Users\user\AppData\Local\u70W8\FileHistory.exe	Code function: 21_2_00007FFC74C8B960
Source: C:\Users\user\AppData\Local\u70W8\FileHistory.exe	Code function: 21_2_00007FFC74C3E110
Source: C:\Users\user\AppData\Local\u70W8\FileHistory.exe	Code function: 21_2_00007FFC74C43910
Source: C:\Users\user\AppData\Local\u70W8\FileHistory.exe	Code function: 21_2_00007FFC74C2B100
Source: C:\Users\user\AppData\Local\u70W8\FileHistory.exe	Code function: 21_2_00007FFC74C56130
Source: C:\Users\user\AppData\Local\u70W8\FileHistory.exe	Code function: 21_2_00007FFC74C218D0
Source: C:\Users\user\AppData\Local\u70W8\FileHistory.exe	Code function: 21_2_00007FFC74C3D890
Source: C:\Users\user\AppData\Local\u70W8\FileHistory.exe	Code function: 21_2_00007FFC74C47880
Source: C:\Users\user\AppData\Local\u70W8\FileHistory.exe	Code function: 21_2_00007FFC74C308B0
Source: C:\Users\user\AppData\Local\u70W8\FileHistory.exe	Code function: 21_2_00007FFC74C5B250
Source: C:\Users\user\AppData\Local\u70W8\FileHistory.exe	Code function: 21_2_00007FFC74C27A40
Source: C:\Users\user\AppData\Local\u70W8\FileHistory.exe	Code function: 21_2_00007FFC74C8B260
Source: C:\Users\user\AppData\Local\u70W8\FileHistory.exe	Code function: 21_2_00007FFC74C521D0
Source: C:\Users\user\AppData\Local\u70W8\FileHistory.exe	Code function: 21_2_00007FFC74C469C0
Source: C:\Users\user\AppData\Local\u70W8\FileHistory.exe	Code function: 21_2_00007FFC74C559F0
Source: C:\Users\user\AppData\Local\u70W8\FileHistory.exe	Code function: 21_2_00007FFC74C4F1F0
Source: C:\Users\user\AppData\Local\u70W8\FileHistory.exe	Code function: 21_2_00007FFC74C591F0
Source: C:\Users\user\AppData\Local\u70W8\FileHistory.exe	Code function: 21_2_00007FFC74C589F0
Source: C:\Users\user\AppData\Local\u70W8\FileHistory.exe	Code function: 21_2_00007FFC74C59990
Source: C:\Users\user\AppData\Local\u70W8\FileHistory.exe	Code function: 21_2_00007FFC74C22980
Source: C:\Users\user\AppData\Local\u70W8\FileHistory.exe	Code function: 21_2_00007FFC74C3E9B0
Source: C:\Users\user\AppData\Local\u70W8\FileHistory.exe	Code function: 21_2_00007FFC74C411B0
Source: C:\Users\user\AppData\Local\u70W8\FileHistory.exe	Code function: 21_2_00007FFC74C4E9A0
Source: C:\Users\user\AppData\Local\u70W8\FileHistory.exe	Code function: 21_2_00007FFC74C85B50
Source: C:\Users\user\AppData\Local\u70W8\FileHistory.exe	Code function: 21_2_00007FFC74C25350
Source: C:\Users\user\AppData\Local\u70W8\FileHistory.exe	Code function: 21_2_00007FFC74C43340
Source: C:\Users\user\AppData\Local\u70W8\FileHistory.exe	Code function: 21_2_00007FFC74C38340
Source: C:\Users\user\AppData\Local\u70W8\FileHistory.exe	Code function: 21_2_00007FFC74C54360
Source: C:\Users\user\AppData\Local\u70W8\FileHistory.exe	Code function: 21_2_00007FFC74C4A310
Source: C:\Users\user\AppData\Local\u70W8\FileHistory.exe	Code function: 21_2_00007FFC74C50300
Source: C:\Users\user\AppData\Local\u70W8\FileHistory.exe	Code function: 21_2_00007FFC74C51B30
Source: C:\Users\user\AppData\Local\u70W8\FileHistory.exe	Code function: 21_2_00007FFC74C2BB20
Source: C:\Users\user\AppData\Local\u70W8\FileHistory.exe	Code function: 21_2_00007FFC74C492C0
Source: C:\Users\user\AppData\Local\u70W8\FileHistory.exe	Code function: 21_2_00007FFC74C7F2C0
Source: C:\Users\user\AppData\Local\u70W8\FileHistory.exe	Code function: 21_2_00007FFC74C482E0
Source: C:\Users\user\AppData\Local\u70W8\FileHistory.exe	Code function: 21_2_00007FFC74C5BAE0
Source: C:\Users\user\AppData\Local\u70W8\FileHistory.exe	Code function: 21_2_00007FFC74C82AE0
Source: C:\Users\user\AppData\Local\u70W8\FileHistory.exe	Code function: 21_2_00007FFC74C4DAA0
Source: C:\Users\user\AppData\Local\u70W8\FileHistory.exe	Code function: 21_2_00007FFC74C882A0
Source: C:\Users\user\AppData\Local\u70W8\FileHistory.exe	Code function: 21_2_00007FFC74C8AAA0
Source: C:\Users\user\AppData\Local\u70W8\FileHistory.exe	Code function: 21_2_00007FFC74C37410
Source: C:\Users\user\AppData\Local\u70W8\FileHistory.exe	Code function: 21_2_00007FFC74C89410
Source: C:\Users\user\AppData\Local\u70W8\FileHistory.exe	Code function: 21_2_00007FFC74C8E400
Source: C:\Users\user\AppData\Local\u70W8\FileHistory.exe	Code function: 21_2_00007FFC74C25C20
Source: C:\Users\user\AppData\Local\u70W8\FileHistory.exe	Code function: 21_2_00007FFC74C35420
Source: C:\Users\user\AppData\Local\u70W8\FileHistory.exe	Code function: 21_2_00007FFC74C74BC0
Source: C:\Users\user\AppData\Local\u70W8\FileHistory.exe	Code function: 21_2_00007FFC74C323F0
Source: C:\Users\user\AppData\Local\u70W8\FileHistory.exe	Code function: 21_2_00007FFC74C84390
Source: C:\Users\user\AppData\Local\NYpervHTp\mspaint.exe	Code function: 25_2_00007FFC74C7D520
Source: C:\Users\user\AppData\Local\NYpervHTp\mspaint.exe	Code function: 25_2_00007FFC74C45CD0
Source: C:\Users\user\AppData\Local\NYpervHTp\mspaint.exe	Code function: 25_2_00007FFC74C77650
Source: C:\Users\user\AppData\Local\NYpervHTp\mspaint.exe	Code function: 25_2_00007FFC74C6DDC0
Source: C:\Users\user\AppData\Local\NYpervHTp\mspaint.exe	Code function: 25_2_00007FFC74C45020
Source: C:\Users\user\AppData\Local\NYpervHTp\mspaint.exe	Code function: 25_2_00007FFC74C597D0
Source: C:\Users\user\AppData\Local\NYpervHTp\mspaint.exe	Code function: 25_2_00007FFC74C63150
Source: C:\Users\user\AppData\Local\NYpervHTp\mspaint.exe	Code function: 25_2_00007FFC74C37880
Source: C:\Users\user\AppData\Local\NYpervHTp\mspaint.exe	Code function: 25_2_00007FFC74C5CA50
Source: C:\Users\user\AppData\Local\NYpervHTp\mspaint.exe	Code function: 25_2_00007FFC74C4AA70
Source: C:\Users\user\AppData\Local\NYpervHTp\mspaint.exe	Code function: 25_2_00007FFC74C459F0
Source: C:\Users\user\AppData\Local\NYpervHTp\mspaint.exe	Code function: 25_2_00007FFC74C5A2C0
Source: C:\Users\user\AppData\Local\NYpervHTp\mspaint.exe	Code function: 25_2_00007FFC74C4BAE0
Source: C:\Users\user\AppData\Local\NYpervHTp\mspaint.exe	Code function: 25_2_00007FFC74C33D50
Source: C:\Users\user\AppData\Local\NYpervHTp\mspaint.exe	Code function: 25_2_00007FFC74C3D550
Source: C:\Users\user\AppData\Local\NYpervHTp\mspaint.exe	Code function: 25_2_00007FFC74C29D70
Source: C:\Users\user\AppData\Local\NYpervHTp\mspaint.exe	Code function: 25_2_00007FFC74C40D10
Source: C:\Users\user\AppData\Local\NYpervHTp\mspaint.exe	Code function: 25_2_00007FFC74C41D30
Source: C:\Users\user\AppData\Local\NYpervHTp\mspaint.exe	Code function: 25_2_00007FFC74C23CD0
Source: C:\Users\user\AppData\Local\NYpervHTp\mspaint.exe	Code function: 25_2_00007FFC74C43CF0
Source: C:\Users\user\AppData\Local\NYpervHTp\mspaint.exe	Code function: 25_2_00007FFC74C7A490
Source: C:\Users\user\AppData\Local\NYpervHTp\mspaint.exe	Code function: 25_2_00007FFC74C7E494
Source: C:\Users\user\AppData\Local\NYpervHTp\mspaint.exe	Code function: 25_2_00007FFC74C3AC80
Source: C:\Users\user\AppData\Local\NYpervHTp\mspaint.exe	Code function: 25_2_00007FFC74C7E48B
Source: C:\Users\user\AppData\Local\NYpervHTp\mspaint.exe	Code function: 25_2_00007FFC74C7E4AD
Source: C:\Users\user\AppData\Local\NYpervHTp\mspaint.exe	Code function: 25_2_00007FFC74C7E4B6
Source: C:\Users\user\AppData\Local\NYpervHTp\mspaint.exe	Code function: 25_2_00007FFC74C72CA0
Source: C:\Users\user\AppData\Local\NYpervHTp\mspaint.exe	Code function: 25_2_00007FFC74C7E49D
Source: C:\Users\user\AppData\Local\NYpervHTp\mspaint.exe	Code function: 25_2_00007FFC74C7E4A6
Source: C:\Users\user\AppData\Local\NYpervHTp\mspaint.exe	Code function: 25_2_00007FFC74C60650
Source: C:\Users\user\AppData\Local\NYpervHTp\mspaint.exe	Code function: 25_2_00007FFC74C28670
Source: C:\Users\user\AppData\Local\NYpervHTp\mspaint.exe	Code function: 25_2_00007FFC74C33610
Source: C:\Users\user\AppData\Local\NYpervHTp\mspaint.exe	Code function: 25_2_00007FFC74C42E10
Source: C:\Users\user\AppData\Local\NYpervHTp\mspaint.exe	Code function: 25_2_00007FFC74C11620
Source: C:\Users\user\AppData\Local\NYpervHTp\mspaint.exe	Code function: 25_2_00007FFC74C1DE20
Source: C:\Users\user\AppData\Local\NYpervHTp\mspaint.exe	Code function: 25_2_00007FFC74C295C0
Source: C:\Users\user\AppData\Local\NYpervHTp\mspaint.exe	Code function: 25_2_00007FFC74C425C0
Source: C:\Users\user\AppData\Local\NYpervHTp\mspaint.exe	Code function: 25_2_00007FFC74C265E0
Source: C:\Users\user\AppData\Local\NYpervHTp\mspaint.exe	Code function: 25_2_00007FFC74C1C5A0
Source: C:\Users\user\AppData\Local\NYpervHTp\mspaint.exe	Code function: 25_2_00007FFC74C32F50
Source: C:\Users\user\AppData\Local\NYpervHTp\mspaint.exe	Code function: 25_2_00007FFC74C70770
Source: C:\Users\user\AppData\Local\NYpervHTp\mspaint.exe	Code function: 25_2_00007FFC74C2E770
Source: C:\Users\user\AppData\Local\NYpervHTp\mspaint.exe	Code function: 25_2_00007FFC74C8BF6F
Source: C:\Users\user\AppData\Local\NYpervHTp\mspaint.exe	Code function: 25_2_00007FFC74C75760
Source: C:\Users\user\AppData\Local\NYpervHTp\mspaint.exe	Code function: 25_2_00007FFC74C70F30
Source: C:\Users\user\AppData\Local\NYpervHTp\mspaint.exe	Code function: 25_2_00007FFC74C3872B
Source: C:\Users\user\AppData\Local\NYpervHTp\mspaint.exe	Code function: 25_2_00007FFC74C77EC0
Source: C:\Users\user\AppData\Local\NYpervHTp\mspaint.exe	Code function: 25_2_00007FFC74C16E90
Source: C:\Users\user\AppData\Local\NYpervHTp\mspaint.exe	Code function: 25_2_00007FFC74C17E80
Source: C:\Users\user\AppData\Local\NYpervHTp\mspaint.exe	Code function: 25_2_00007FFC74C7A6B0
Source: C:\Users\user\AppData\Local\NYpervHTp\mspaint.exe	Code function: 25_2_00007FFC74C3F6B0
Source: C:\Users\user\AppData\Local\NYpervHTp\mspaint.exe	Code function: 25_2_00007FFC74C406A0
Source: C:\Users\user\AppData\Local\NYpervHTp\mspaint.exe	Code function: 25_2_00007FFC74C35050
Source: C:\Users\user\AppData\Local\NYpervHTp\mspaint.exe	Code function: 25_2_00007FFC74C65840
Source: C:\Users\user\AppData\Local\NYpervHTp\mspaint.exe	Code function: 25_2_00007FFC74C4F870
Source: C:\Users\user\AppData\Local\NYpervHTp\mspaint.exe	Code function: 25_2_00007FFC74C5F870
Source: C:\Users\user\AppData\Local\NYpervHTp\mspaint.exe	Code function: 25_2_00007FFC74C11010
Source: C:\Users\user\AppData\Local\NYpervHTp\mspaint.exe	Code function: 25_2_00007FFC74C34800
Source: C:\Users\user\AppData\Local\NYpervHTp\mspaint.exe	Code function: 25_2_00007FFC74C3C030
Source: C:\Users\user\AppData\Local\NYpervHTp\mspaint.exe	Code function: 25_2_00007FFC74C40020
Source: C:\Users\user\AppData\Local\NYpervHTp\mspaint.exe	Code function: 25_2_00007FFC74C2A7D0
Source: C:\Users\user\AppData\Local\NYpervHTp\mspaint.exe	Code function: 25_2_00007FFC74C28FC0
Source: C:\Users\user\AppData\Local\NYpervHTp\mspaint.exe	Code function: 25_2_00007FFC74C84FF0
Source: C:\Users\user\AppData\Local\NYpervHTp\mspaint.exe	Code function: 25_2_00007FFC74C36FE0
Source: C:\Users\user\AppData\Local\NYpervHTp\mspaint.exe	Code function: 25_2_00007FFC74C16790
Source: C:\Users\user\AppData\Local\NYpervHTp\mspaint.exe	Code function: 25_2_00007FFC74C7C780
Source: C:\Users\user\AppData\Local\NYpervHTp\mspaint.exe	Code function: 25_2_00007FFC74C8EF80
Source: C:\Users\user\AppData\Local\NYpervHTp\mspaint.exe	Code function: 25_2_00007FFC74C3E7B0
Source: C:\Users\user\AppData\Local\NYpervHTp\mspaint.exe	Code function: 25_2_00007FFC74C8B7A0
Source: C:\Users\user\AppData\Local\NYpervHTp\mspaint.exe	Code function: 25_2_00007FFC74C76950
Source: C:\Users\user\AppData\Local\NYpervHTp\mspaint.exe	Code function: 25_2_00007FFC74C34140
Source: C:\Users\user\AppData\Local\NYpervHTp\mspaint.exe	Code function: 25_2_00007FFC74C7B960
Source: C:\Users\user\AppData\Local\NYpervHTp\mspaint.exe	Code function: 25_2_00007FFC74C2E110
Source: C:\Users\user\AppData\Local\NYpervHTp\mspaint.exe	Code function: 25_2_00007FFC74C33910
Source: C:\Users\user\AppData\Local\NYpervHTp\mspaint.exe	Code function: 25_2_00007FFC74C1B100
Source: C:\Users\user\AppData\Local\NYpervHTp\mspaint.exe	Code function: 25_2_00007FFC74C46130
Source: C:\Users\user\AppData\Local\NYpervHTp\mspaint.exe	Code function: 25_2_00007FFC74C118D0
Source: C:\Users\user\AppData\Local\NYpervHTp\mspaint.exe	Code function: 25_2_00007FFC74C2D890
Source: C:\Users\user\AppData\Local\NYpervHTp\mspaint.exe	Code function: 25_2_00007FFC74C208B0
Source: C:\Users\user\AppData\Local\NYpervHTp\mspaint.exe	Code function: 25_2_00007FFC74C4B250
Source: C:\Users\user\AppData\Local\NYpervHTp\mspaint.exe	Code function: 25_2_00007FFC74C17A40
Source: C:\Users\user\AppData\Local\NYpervHTp\mspaint.exe	Code function: 25_2_00007FFC74C7B260
Source: C:\Users\user\AppData\Local\NYpervHTp\mspaint.exe	Code function: 25_2_00007FFC74C421D0
Source: C:\Users\user\AppData\Local\NYpervHTp\mspaint.exe	Code function: 25_2_00007FFC74C369C0
Source: C:\Users\user\AppData\Local\NYpervHTp\mspaint.exe	Code function: 25_2_00007FFC74C491F0
Source: C:\Users\user\AppData\Local\NYpervHTp\mspaint.exe	Code function: 25_2_00007FFC74C489F0
Source: C:\Users\user\AppData\Local\NYpervHTp\mspaint.exe	Code function: 25_2_00007FFC74C3F1F0
Source: C:\Users\user\AppData\Local\NYpervHTp\mspaint.exe	Code function: 25_2_00007FFC74C49990
Source: C:\Users\user\AppData\Local\NYpervHTp\mspaint.exe	Code function: 25_2_00007FFC74C12980
Source: C:\Users\user\AppData\Local\NYpervHTp\mspaint.exe	Code function: 25_2_00007FFC74C2E9B0
Source: C:\Users\user\AppData\Local\NYpervHTp\mspaint.exe	Code function: 25_2_00007FFC74C311B0
Source: C:\Users\user\AppData\Local\NYpervHTp\mspaint.exe	Code function: 25_2_00007FFC74C3E9A0
Source: C:\Users\user\AppData\Local\NYpervHTp\mspaint.exe	Code function: 25_2_00007FFC74C75B50
Source: C:\Users\user\AppData\Local\NYpervHTp\mspaint.exe	Code function: 25_2_00007FFC74C15350
Source: C:\Users\user\AppData\Local\NYpervHTp\mspaint.exe	Code function: 25_2_00007FFC74C33340
Source: C:\Users\user\AppData\Local\NYpervHTp\mspaint.exe	Code function: 25_2_00007FFC74C28340
Source: C:\Users\user\AppData\Local\NYpervHTp\mspaint.exe	Code function: 25_2_00007FFC74C44360
Source: C:\Users\user\AppData\Local\NYpervHTp\mspaint.exe	Code function: 25_2_00007FFC74C3A310
Source: C:\Users\user\AppData\Local\NYpervHTp\mspaint.exe	Code function: 25_2_00007FFC74C40300
Source: C:\Users\user\AppData\Local\NYpervHTp\mspaint.exe	Code function: 25_2_00007FFC74C41B30
Source: C:\Users\user\AppData\Local\NYpervHTp\mspaint.exe	Code function: 25_2_00007FFC74C1BB20
Source: C:\Users\user\AppData\Local\NYpervHTp\mspaint.exe	Code function: 25_2_00007FFC74C6F2C0
Source: C:\Users\user\AppData\Local\NYpervHTp\mspaint.exe	Code function: 25_2_00007FFC74C392C0
Source: C:\Users\user\AppData\Local\NYpervHTp\mspaint.exe	Code function: 25_2_00007FFC74C77AF0
Source: C:\Users\user\AppData\Local\NYpervHTp\mspaint.exe	Code function: 25_2_00007FFC74C72AE0
Source: C:\Users\user\AppData\Local\NYpervHTp\mspaint.exe	Code function: 25_2_00007FFC74C382E0
Source: C:\Users\user\AppData\Local\NYpervHTp\mspaint.exe	Code function: 25_2_00007FFC74C782A0
Source: C:\Users\user\AppData\Local\NYpervHTp\mspaint.exe	Code function: 25_2_00007FFC74C7AAA0
Source: C:\Users\user\AppData\Local\NYpervHTp\mspaint.exe	Code function: 25_2_00007FFC74C3DAA0
Source: C:\Users\user\AppData\Local\NYpervHTp\mspaint.exe	Code function: 25_2_00007FFC74C79410
Source: C:\Users\user\AppData\Local\NYpervHTp\mspaint.exe	Code function: 25_2_00007FFC74C27410
Source: C:\Users\user\AppData\Local\NYpervHTp\mspaint.exe	Code function: 25_2_00007FFC74C7E400
Source: C:\Users\user\AppData\Local\NYpervHTp\mspaint.exe	Code function: 25_2_00007FFC74C15C20
Source: C:\Users\user\AppData\Local\NYpervHTp\mspaint.exe	Code function: 25_2_00007FFC74C25420
Source: C:\Users\user\AppData\Local\NYpervHTp\mspaint.exe	Code function: 25_2_00007FFC74C64BC0
Source: C:\Users\user\AppData\Local\NYpervHTp\mspaint.exe	Code function: 25_2_00007FFC74C223F0
Source: C:\Users\user\AppData\Local\NYpervHTp\mspaint.exe	Code function: 25_2_00007FFC74C74390
Source: C:\Users\user\AppData\Local\vVin\unregmp2.exe	Code function: 35_2_00007FF672550898
Source: C:\Users\user\AppData\Local\vVin\unregmp2.exe	Code function: 35_2_00007FF67254E998
Source: C:\Users\user\AppData\Local\vVin\unregmp2.exe	Code function: 35_2_00007FF67254EF84
Source: C:\Users\user\AppData\Local\vVin\unregmp2.exe	Code function: 35_2_00007FF672546088
Source: C:\Users\user\AppData\Local\vVin\unregmp2.exe	Code function: 35_2_00007FF672543A5C
Source: C:\Users\user\AppData\Local\vVin\unregmp2.exe	Code function: 35_2_00007FF672544B5C
Source: C:\Users\user\AppData\Local\vVin\unregmp2.exe	Code function: 35_2_00007FF672544260
Source: C:\Users\user\AppData\Local\vVin\unregmp2.exe	Code function: 35_2_00007FF67254CF64
Source: C:\Users\user\AppData\Local\vVin\unregmp2.exe	Code function: 35_2_00007FF672555644
Source: C:\Users\user\AppData\Local\vVin\unregmp2.exe	Code function: 35_2_00007FF672546744
Source: C:\Users\user\AppData\Local\vVin\unregmp2.exe	Code function: 35_2_00007FF67254E04C
Source: C:\Users\user\AppData\Local\vVin\unregmp2.exe	Code function: 35_2_00007FF672545B4C
Source: C:\Users\user\AppData\Local\vVin\unregmp2.exe	Code function: 35_2_00007FF672559354
Source: C:\Users\user\AppData\Local\vVin\unregmp2.exe	Code function: 35_2_00007FF672557550
Source: C:\Users\user\AppData\Local\vVin\unregmp2.exe	Code function: 35_2_00007FF67255151C
Source: C:\Users\user\AppData\Local\vVin\unregmp2.exe	Code function: 35_2_00007FF672558E1C
Source: C:\Users\user\AppData\Local\vVin\unregmp2.exe	Code function: 35_2_00007FF67254BE24
Source: C:\Users\user\AppData\Local\vVin\unregmp2.exe	Code function: 35_2_00007FF67254AD20
Source: C:\Users\user\AppData\Local\vVin\unregmp2.exe	Code function: 35_2_00007FF67254292C
Source: C:\Users\user\AppData\Local\vVin\unregmp2.exe	Code function: 35_2_00007FF67254E330
Source: C:\Users\user\AppData\Local\vVin\unregmp2.exe	Code function: 35_2_00007FF67254DAFC
Source: C:\Users\user\AppData\Local\vVin\unregmp2.exe	Code function: 35_2_00007FF67254C1FC
Source: C:\Users\user\AppData\Local\vVin\unregmp2.exe	Code function: 35_2_00007FF672548BFC
Source: C:\Users\user\AppData\Local\vVin\unregmp2.exe	Code function: 35_2_00007FF672545300
Source: C:\Users\user\AppData\Local\vVin\unregmp2.exe	Code function: 35_2_00007FF672544F08
Source: C:\Users\user\AppData\Local\vVin\unregmp2.exe	Code function: 35_2_00007FF67255780C
Source: C:\Users\user\AppData\Local\vVin\unregmp2.exe	Code function: 35_2_00007FF672554D0C
Source: C:\Users\user\AppData\Local\vVin\unregmp2.exe	Code function: 35_2_00007FF67254FC14
Source: C:\Users\user\AppData\Local\vVin\unregmp2.exe	Code function: 35_2_00007FF672541B14
Source: C:\Users\user\AppData\Local\vVin\unregmp2.exe	Code function: 35_2_00007FF67254C710
Source: C:\Users\user\AppData\Local\vVin\unregmp2.exe	Code function: 35_2_00007FF6725533DC
Source: C:\Users\user\AppData\Local\vVin\unregmp2.exe	Code function: 35_2_00007FF6725413E4
Source: C:\Users\user\AppData\Local\vVin\unregmp2.exe	Code function: 35_2_00007FF6725472E8
Source: C:\Users\user\AppData\Local\vVin\unregmp2.exe	Code function: 35_2_00007FF6725529E8
Source: C:\Users\user\AppData\Local\vVin\unregmp2.exe	Code function: 35_2_00007FF6725586E8
Source: C:\Users\user\AppData\Local\vVin\unregmp2.exe	Code function: 35_2_00007FF6725479C4
Source: C:\Users\user\AppData\Local\vVin\unregmp2.exe	Code function: 35_2_00007FF672550AC0
Source: C:\Users\user\AppData\Local\vVin\unregmp2.exe	Code function: 35_2_00007FF672547ED0
Source: C:\Users\user\AppData\Local\vVin\unregmp2.exe	Code function: 35_2_00007FF6725510D4
Source: C:\Users\user\AppData\Local\iv505rrw\omadmclient.exe	Code function: 37_2_00007FF6BFA580D0
Source: C:\Users\user\AppData\Local\iv505rrw\omadmclient.exe	Code function: 37_2_00007FF6BFA3F930
Source: C:\Users\user\AppData\Local\iv505rrw\omadmclient.exe	Code function: 37_2_00007FF6BFA5B130
Source: C:\Users\user\AppData\Local\iv505rrw\omadmclient.exe	Code function: 37_2_00007FF6BFA43060
Source: C:\Users\user\AppData\Local\iv505rrw\omadmclient.exe	Code function: 37_2_00007FF6BFA59090
Source: C:\Users\user\AppData\Local\iv505rrw\omadmclient.exe	Code function: 37_2_00007FF6BFA52810
Source: C:\Users\user\AppData\Local\iv505rrw\omadmclient.exe	Code function: 37_2_00007FF6BFA4FF80
Source: C:\Users\user\AppData\Local\iv505rrw\omadmclient.exe	Code function: 37_2_00007FF6BFA43EE8
Source: C:\Users\user\AppData\Local\iv505rrw\omadmclient.exe	Code function: 37_2_00007FF6BFA4E638
Source: C:\Users\user\AppData\Local\iv505rrw\omadmclient.exe	Code function: 37_2_00007FF6BFA3753C
Source: C:\Users\user\AppData\Local\iv505rrw\omadmclient.exe	Code function: 37_2_00007FF6BFA44540
Source: C:\Users\user\AppData\Local\iv505rrw\omadmclient.exe	Code function: 37_2_00007FF6BFA33D94
Source: C:\Users\user\AppData\Local\iv505rrw\omadmclient.exe	Code function: 37_2_00007FF6BFA5D4D0
Source: C:\Users\user\AppData\Local\iv505rrw\omadmclient.exe	Code function: 37_2_00007FF6BFA3DC4C
Source: C:\Users\user\AppData\Local\iv505rrw\omadmclient.exe	Code function: 37_2_00007FF6BFA49CA0
Source: C:\Users\user\AppData\Local\iv505rrw\omadmclient.exe	Code function: 37_2_00007FF6BFA5A420
Source: C:\Users\user\AppData\Local\iv505rrw\omadmclient.exe	Code function: 37_2_00007FF6BFA343AC
Source: C:\Users\user\AppData\Local\iv505rrw\omadmclient.exe	Code function: 37_2_00007FF6BFA4EBA8
Source: C:\Users\user\AppData\Local\iv505rrw\omadmclient.exe	Code function: 37_2_00007FF6BFA45330
Source: C:\Users\user\AppData\Local\iv505rrw\omadmclient.exe	Code function: 37_2_00007FF6BFA3D2F8
Source: C:\Users\user\AppData\Local\iv505rrw\omadmclient.exe	Code function: 37_2_00007FF6BFA56260
Source: C:\Users\user\AppData\Local\iv505rrw\omadmclient.exe	Code function: 37_2_00007FF6BFA58AA0
Source: C:\Users\user\AppData\Local\iv505rrw\omadmclient.exe	Code function: 37_2_00007FF6BFA51950
Source: C:\Users\user\AppData\Local\iv505rrw\omadmclient.exe	Code function: 37_2_00007FF6BFA5F994
Source: C:\Users\user\AppData\Local\Odp\GamePanel.exe	Code function: 41_2_00007FF76CA84DD0
Source: C:\Users\user\AppData\Local\Odp\GamePanel.exe	Code function: 41_2_00007FF76CA8ED90
Source: C:\Users\user\AppData\Local\Odp\GamePanel.exe	Code function: 41_2_00007FF76CA58F14
Source: C:\Users\user\AppData\Local\Odp\GamePanel.exe	Code function: 41_2_00007FF76CA9EE40
Source: C:\Users\user\AppData\Local\Odp\GamePanel.exe	Code function: 41_2_00007FF76CA9D010
Source: C:\Users\user\AppData\Local\Odp\GamePanel.exe	Code function: 41_2_00007FF76CA6AFF0
Source: C:\Users\user\AppData\Local\Odp\GamePanel.exe	Code function: 41_2_00007FF76CA9A998
Source: C:\Users\user\AppData\Local\Odp\GamePanel.exe	Code function: 41_2_00007FF76CA689F4
Source: C:\Users\user\AppData\Local\Odp\GamePanel.exe	Code function: 41_2_00007FF76CA56948
Source: C:\Users\user\AppData\Local\Odp\GamePanel.exe	Code function: 41_2_00007FF76CA6CCFC
Source: C:\Users\user\AppData\Local\Odp\GamePanel.exe	Code function: 41_2_00007FF76CA3ED00
Source: C:\Users\user\AppData\Local\Odp\GamePanel.exe	Code function: 41_2_00007FF76CA24CDC
Source: C:\Users\user\AppData\Local\Odp\GamePanel.exe	Code function: 41_2_00007FF76CA90C44
Source: C:\Users\user\AppData\Local\Odp\GamePanel.exe	Code function: 41_2_00007FF76CA6A5D0
Source: C:\Users\user\AppData\Local\Odp\GamePanel.exe	Code function: 41_2_00007FF76CAA45E0
Source: C:\Users\user\AppData\Local\Odp\GamePanel.exe	Code function: 41_2_00007FF76CA5253C
Source: C:\Users\user\AppData\Local\Odp\GamePanel.exe	Code function: 41_2_00007FF76CA3E560
Source: C:\Users\user\AppData\Local\Odp\GamePanel.exe	Code function: 41_2_00007FF76CA70644
Source: C:\Users\user\AppData\Local\Odp\GamePanel.exe	Code function: 41_2_00007FF76CA60620
Source: C:\Users\user\AppData\Local\Odp\GamePanel.exe	Code function: 41_2_00007FF76CA0E7FC
Source: C:\Users\user\AppData\Local\Odp\GamePanel.exe	Code function: 41_2_00007FF76CA19AF0
Source: C:\Users\user\AppData\Local\Odp\GamePanel.exe	Code function: 41_2_00007FF76CA0A7EC
Source: C:\Users\user\AppData\Local\Odp\GamePanel.exe	Code function: 41_2_00007FF76CAB47E5
Source: C:\Users\user\AppData\Local\Odp\GamePanel.exe	Code function: 41_2_00007FF76CAA0728
Source: C:\Users\user\AppData\Local\Odp\GamePanel.exe	Code function: 41_2_00007FF76CA648C0
Source: C:\Users\user\AppData\Local\Odp\GamePanel.exe	Code function: 41_2_00007FF76CA821AC
Source: C:\Users\user\AppData\Local\Odp\GamePanel.exe	Code function: 41_2_00007FF76CA421AC
Source: C:\Users\user\AppData\Local\Odp\GamePanel.exe	Code function: 41_2_00007FF76CA84198
Source: C:\Users\user\AppData\Local\Odp\GamePanel.exe	Code function: 41_2_00007FF76CA8C2D8
Source: C:\Users\user\AppData\Local\Odp\GamePanel.exe	Code function: 41_2_00007FF76CA4A250
Source: C:\Users\user\AppData\Local\Odp\GamePanel.exe	Code function: 41_2_00007FF76CA2E224
Source: C:\Users\user\AppData\Local\Odp\GamePanel.exe	Code function: 41_2_00007FF76CA343B8
Source: C:\Users\user\AppData\Local\Odp\GamePanel.exe	Code function: 41_2_00007FF76CA03D38
Source: C:\Users\user\AppData\Local\Odp\GamePanel.exe	Code function: 41_2_00007FF76CA75F08
Source: C:\Users\user\AppData\Local\Odp\GamePanel.exe	Code function: 41_2_00007FF76CA6BE58
Source: C:\Users\user\AppData\Local\Odp\GamePanel.exe	Code function: 41_2_00007FF76CAABFEC
Source: C:\Users\user\AppData\Local\Odp\GamePanel.exe	Code function: 41_2_00007FF76CA9BF88
Source: C:\Users\user\AppData\Local\Odp\GamePanel.exe	Code function: 41_2_00007FF76CA0A058
Source: C:\Users\user\AppData\Local\Odp\GamePanel.exe	Code function: 41_2_00007FF76CA77A00
Source: C:\Users\user\AppData\Local\Odp\GamePanel.exe	Code function: 41_2_00007FF76CA0B928
Source: C:\Users\user\AppData\Local\Odp\GamePanel.exe	Code function: 41_2_00007FF76CA8F920
Source: C:\Users\user\AppData\Local\Odp\GamePanel.exe	Code function: 41_2_00007FF76CA71AD4
Source: C:\Users\user\AppData\Local\Odp\GamePanel.exe	Code function: 41_2_00007FF76CA97A20
Source: C:\Users\user\AppData\Local\Odp\GamePanel.exe	Code function: 41_2_00007FF76CAADB6C
Source: C:\Users\user\AppData\Local\Odp\GamePanel.exe	Code function: 41_2_00007FF76CA8BD14
Source: C:\Users\user\AppData\Local\Odp\GamePanel.exe	Code function: 41_2_00007FF76CA3DC44
Source: C:\Users\user\AppData\Local\Odp\GamePanel.exe	Code function: 41_2_00007FF76CAAFC59
Source: C:\Users\user\AppData\Local\Odp\GamePanel.exe	Code function: 41_2_00007FF76CA6D6B0
Source: C:\Users\user\AppData\Local\Odp\GamePanel.exe	Code function: 41_2_00007FF76CAAD7A2
Source: C:\Users\user\AppData\Local\Odp\GamePanel.exe	Code function: 41_2_00007FF76CA9D788

Source: C:\Users\user\AppData\Local\Odp\GamePanel.exe	Code function: String function: 00007FF76CA032F8 appears 319 times
Source: C:\Users\user\AppData\Local\Odp\GamePanel.exe	Code function: String function: 00007FF76CA04D68 appears 156 times
Source: C:\Users\user\AppData\Local\Odp\GamePanel.exe	Code function: String function: 00007FF76CA06894 appears 44 times
Source: C:\Users\user\AppData\Local\Odp\GamePanel.exe	Code function: String function: 00007FF76CA162E4 appears 55 times
Source: C:\Users\user\AppData\Local\Odp\GamePanel.exe	Code function: String function: 00007FF76CAA6AD8 appears 183 times
Source: C:\Users\user\AppData\Local\vVin\unregmp2.exe	Code function: String function: 00007FF67254114C appears 40 times
Source: C:\Users\user\AppData\Local\vVin\unregmp2.exe	Code function: String function: 00007FF6725412F0 appears 44 times
Source: C:\Users\user\AppData\Local\iv505rrw\omadmclient.exe	Code function: String function: 00007FF6BFA32AE8 appears 152 times

Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00007FFC67107770 NtClose,
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00007FFC6712D520 NtQuerySystemInformation,RtlAllocateHeap,
Source: C:\Users\user\AppData\Local\u70W8\FileHistory.exe	Code function: 21_2_00007FFC74C55CD0 RtlAddVectoredContinueHandler,VirtualProtect,VirtualProtect,RtlCreateUserThread,NtClose,
Source: C:\Users\user\AppData\Local\u70W8\FileHistory.exe	Code function: 21_2_00007FFC74C67770 NtClose,
Source: C:\Users\user\AppData\Local\NYpervHTp\mspaint.exe	Code function: 25_2_00007FFC74C7D520 NtQuerySystemInformation,
Source: C:\Users\user\AppData\Local\NYpervHTp\mspaint.exe	Code function: 25_2_00007FFC74C4C4D0 CreateFileMappingW,VirtualAlloc,NtMapViewOfSection,NtUnmapViewOfSection,NtDuplicateObject,NtDuplicateObject,
Source: C:\Users\user\AppData\Local\NYpervHTp\mspaint.exe	Code function: 25_2_00007FFC74C45CD0 RtlAddVectoredContinueHandler,VirtualProtect,VirtualProtect,RtlCreateUserThread,NtClose,
Source: C:\Users\user\AppData\Local\NYpervHTp\mspaint.exe	Code function: 25_2_00007FFC74C35F40 NtCreateSection,NtMapViewOfSection,NtUnmapViewOfSection,NtDuplicateObject,NtDuplicateObject,
Source: C:\Users\user\AppData\Local\NYpervHTp\mspaint.exe	Code function: 25_2_00007FFC74C57770 NtClose,
Source: C:\Users\user\AppData\Local\NYpervHTp\mspaint.exe	Code function: 25_2_00007FFC74C4AA70 VirtualAlloc,NtDuplicateObject,RtlQueueApcWow64Thread,
Source: C:\Users\user\AppData\Local\NYpervHTp\mspaint.exe	Code function: 25_2_00007FFC74C4BAE0 NtReadVirtualMemory,
Source: C:\Users\user\AppData\Local\iv505rrw\omadmclient.exe	Code function: 37_2_00007FF6BFA63030 memset,AlpcInitializeMessageAttribute,AcquireSRWLockShared,ReleaseSRWLockShared,ZwAlpcSendWaitReceivePort,AlpcGetMessageAttribute,ZwAlpcCancelMessage,ReleaseSRWLockShared,RtlWakeAddressAll,
Source: C:\Users\user\AppData\Local\iv505rrw\omadmclient.exe	Code function: 37_2_00007FF6BFA62F2C AcquireSRWLockShared,ReleaseSRWLockShared,ZwAlpcDisconnectPort,ZwAlpcQueryInformation,ReleaseSRWLockShared,RtlWaitOnAddress,AcquireSRWLockExclusive,GetCurrentThreadId,ReleaseSRWLockExclusive,CloseHandle,TpWaitForAlpcCompletion,
Source: C:\Users\user\AppData\Local\iv505rrw\omadmclient.exe	Code function: 37_2_00007FF6BFA643C0 memset,GetCurrentProcess,QueryFullProcessImageNameW,NtPowerInformation,
Source: C:\Users\user\AppData\Local\iv505rrw\omadmclient.exe	Code function: 37_2_00007FF6BFA62C30 HeapAlloc,memset,InitializeSRWLock,RtlInitUnicodeString,memset,memset,ZwAlpcConnectPort,CreateThreadpool,TpAllocAlpcCompletion,
Source: C:\Users\user\AppData\Local\iv505rrw\omadmclient.exe	Code function: 37_2_00007FF6BFA63284 AcquireSRWLockExclusive,GetCurrentThreadId,ZwClose,ReleaseSRWLockExclusive,ZwAlpcCancelMessage,
Source: C:\Users\user\AppData\Local\iv505rrw\omadmclient.exe	Code function: 37_2_00007FF6BFA631E0 AcquireSRWLockShared,memset,ZwAlpcSendWaitReceivePort,ReleaseSRWLockShared,
Source: C:\Users\user\AppData\Local\Odp\GamePanel.exe	Code function: 41_2_00007FF76CAAA9CC NtQueryInformationToken,RtlNtStatusToDosErrorNoTeb,HeapAlloc,memset,NtQueryInformationToken,RtlNtStatusToDosErrorNoTeb,RtlInitUnicodeString,RtlCompareUnicodeString,
Source: C:\Users\user\AppData\Local\Odp\GamePanel.exe	Code function: 41_2_00007FF76CA76C44 RtlInitUnicodeString,NtQueryLicenseValue,

Source: GamePanel.exe.4.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: GamePanel.exe.4.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: GamePanel.exe.4.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: PresentationHost.exe.4.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: PresentationHost.exe.4.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: PresentationHost.exe.4.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: PresentationHost.exe.4.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: PresentationHost.exe.4.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: PresentationHost.exe.4.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: PresentationHost.exe.4.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: PresentationHost.exe.4.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: PresentationHost.exe.4.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: PresentationHost.exe.4.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: FileHistory.exe.4.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: FileHistory.exe.4.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: FileHistory.exe.4.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: FileHistory.exe.4.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: FileHistory.exe.4.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: FileHistory.exe.4.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: wlrmdr.exe.4.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: wlrmdr.exe.4.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST

Source: C:\Windows\System32\loaddll64.exe	Section loaded: kernel34.dll
Source: C:\Windows\explorer.exe	Section loaded: kernel34.dll
Source: C:\Windows\explorer.exe	Section loaded: windows.globalization.dll
Source: C:\Windows\explorer.exe	Section loaded: capabilityaccessmanagerclient.dll
Source: C:\Windows\explorer.exe	Section loaded: kernel34.dll
Source: C:\Windows\explorer.exe	Section loaded: kernel34.dll
Source: C:\Windows\explorer.exe	Section loaded: kernel34.dll
Source: C:\Users\user\AppData\Local\u70W8\FileHistory.exe	Section loaded: kernel34.dll
Source: C:\Users\user\AppData\Local\NYpervHTp\mspaint.exe	Section loaded: kernel34.dll
Source: C:\Users\user\AppData\Local\vVin\unregmp2.exe	Section loaded: kernel34.dll
Source: C:\Users\user\AppData\Local\iv505rrw\omadmclient.exe	Section loaded: kernel34.dll
Source: C:\Users\user\AppData\Local\Odp\GamePanel.exe	Section loaded: kernel34.dll

Source: dwmapi.dll.4.dr	Static PE information: Number of sections : 58 > 10
Source: AyBhhRZXPj.dll	Static PE information: Number of sections : 57 > 10
Source: WTSAPI32.dll.4.dr	Static PE information: Number of sections : 58 > 10
Source: DUI70.dll.4.dr	Static PE information: Number of sections : 58 > 10
Source: VERSION.dll0.4.dr	Static PE information: Number of sections : 58 > 10
Source: XmlLite.dll.4.dr	Static PE information: Number of sections : 58 > 10
Source: VERSION.dll.4.dr	Static PE information: Number of sections : 58 > 10
Source: UxTheme.dll.4.dr	Static PE information: Number of sections : 58 > 10
Source: MFC42u.dll.4.dr	Static PE information: Number of sections : 58 > 10

Source: AyBhhRZXPj.dll	Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: dwmapi.dll.4.dr	Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: VERSION.dll.4.dr	Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: WTSAPI32.dll.4.dr	Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: DUI70.dll.4.dr	Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: UxTheme.dll.4.dr	Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: MFC42u.dll.4.dr	Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: VERSION.dll0.4.dr	Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: XmlLite.dll.4.dr	Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: AyBhhRZXPj.dll	Virustotal: Detection: 70%
Source: AyBhhRZXPj.dll	Metadefender: Detection: 62%
Source: AyBhhRZXPj.dll	ReversingLabs: Detection: 88%

Source: AyBhhRZXPj.dll

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Windows\System32\loaddll64.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Source: unknown	Process created: C:\Windows\System32\loaddll64.exe loaddll64.exe "C:\Users\user\Desktop\AyBhhRZXPj.dll"
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\AyBhhRZXPj.dll",#1
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\AyBhhRZXPj.dll,ApplyCompatResolutionQuirking
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\AyBhhRZXPj.dll",#1
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\AyBhhRZXPj.dll,CompatString
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\AyBhhRZXPj.dll,CompatValue
Source: C:\Windows\explorer.exe	Process created: C:\Windows\System32\Magnify.exe C:\Windows\system32\Magnify.exe
Source: C:\Windows\explorer.exe	Process created: C:\Windows\System32\FileHistory.exe C:\Windows\system32\FileHistory.exe
Source: C:\Windows\explorer.exe	Process created: C:\Users\user\AppData\Local\u70W8\FileHistory.exe C:\Users\user\AppData\Local\u70W8\FileHistory.exe
Source: C:\Windows\explorer.exe	Process created: C:\Windows\System32\RdpSa.exe C:\Windows\system32\RdpSa.exe
Source: C:\Windows\explorer.exe	Process created: C:\Windows\System32\mspaint.exe C:\Windows\system32\mspaint.exe
Source: C:\Windows\explorer.exe	Process created: C:\Users\user\AppData\Local\NYpervHTp\mspaint.exe C:\Users\user\AppData\Local\NYpervHTp\mspaint.exe
Source: C:\Windows\explorer.exe	Process created: C:\Windows\System32\mmc.exe C:\Windows\system32\mmc.exe
Source: C:\Windows\explorer.exe	Process created: C:\Windows\System32\EaseOfAccessDialog.exe C:\Windows\system32\EaseOfAccessDialog.exe
Source: C:\Windows\explorer.exe	Process created: C:\Windows\System32\unregmp2.exe C:\Windows\system32\unregmp2.exe
Source: C:\Windows\explorer.exe	Process created: C:\Users\user\AppData\Local\vVin\unregmp2.exe C:\Users\user\AppData\Local\vVin\unregmp2.exe
Source: C:\Windows\explorer.exe	Process created: C:\Windows\System32\omadmclient.exe C:\Windows\system32\omadmclient.exe
Source: C:\Windows\explorer.exe	Process created: C:\Users\user\AppData\Local\iv505rrw\omadmclient.exe C:\Users\user\AppData\Local\iv505rrw\omadmclient.exe
Source: C:\Windows\explorer.exe	Process created: C:\Windows\System32\SystemPropertiesPerformance.exe C:\Windows\system32\SystemPropertiesPerformance.exe
Source: C:\Windows\explorer.exe	Process created: C:\Windows\System32\eudcedit.exe C:\Windows\system32\eudcedit.exe
Source: C:\Windows\explorer.exe	Process created: C:\Windows\System32\GamePanel.exe C:\Windows\system32\GamePanel.exe
Source: C:\Windows\explorer.exe	Process created: C:\Users\user\AppData\Local\Odp\GamePanel.exe C:\Users\user\AppData\Local\Odp\GamePanel.exe
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\AyBhhRZXPj.dll",#1
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\AyBhhRZXPj.dll,ApplyCompatResolutionQuirking
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\AyBhhRZXPj.dll,CompatString
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\AyBhhRZXPj.dll,CompatValue
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\AyBhhRZXPj.dll",#1
Source: C:\Windows\explorer.exe	Process created: C:\Windows\System32\Magnify.exe C:\Windows\system32\Magnify.exe
Source: C:\Windows\explorer.exe	Process created: C:\Windows\System32\FileHistory.exe C:\Windows\system32\FileHistory.exe
Source: C:\Windows\explorer.exe	Process created: C:\Users\user\AppData\Local\u70W8\FileHistory.exe C:\Users\user\AppData\Local\u70W8\FileHistory.exe
Source: C:\Windows\explorer.exe	Process created: C:\Windows\System32\RdpSa.exe C:\Windows\system32\RdpSa.exe
Source: C:\Windows\explorer.exe	Process created: C:\Windows\System32\mspaint.exe C:\Windows\system32\mspaint.exe
Source: C:\Windows\explorer.exe	Process created: C:\Users\user\AppData\Local\NYpervHTp\mspaint.exe C:\Users\user\AppData\Local\NYpervHTp\mspaint.exe
Source: C:\Windows\explorer.exe	Process created: C:\Windows\System32\mmc.exe C:\Windows\system32\mmc.exe
Source: C:\Windows\explorer.exe	Process created: C:\Windows\System32\EaseOfAccessDialog.exe C:\Windows\system32\EaseOfAccessDialog.exe
Source: C:\Windows\explorer.exe	Process created: C:\Windows\System32\unregmp2.exe C:\Windows\system32\unregmp2.exe
Source: C:\Windows\explorer.exe	Process created: C:\Users\user\AppData\Local\vVin\unregmp2.exe C:\Users\user\AppData\Local\vVin\unregmp2.exe
Source: C:\Windows\explorer.exe	Process created: C:\Windows\System32\omadmclient.exe C:\Windows\system32\omadmclient.exe
Source: C:\Windows\explorer.exe	Process created: C:\Users\user\AppData\Local\iv505rrw\omadmclient.exe C:\Users\user\AppData\Local\iv505rrw\omadmclient.exe
Source: C:\Windows\explorer.exe	Process created: C:\Windows\System32\SystemPropertiesPerformance.exe C:\Windows\system32\SystemPropertiesPerformance.exe
Source: C:\Windows\explorer.exe	Process created: C:\Windows\System32\eudcedit.exe C:\Windows\system32\eudcedit.exe
Source: C:\Windows\explorer.exe	Process created: C:\Windows\System32\GamePanel.exe C:\Windows\system32\GamePanel.exe
Source: C:\Windows\explorer.exe	Process created: C:\Users\user\AppData\Local\Odp\GamePanel.exe C:\Users\user\AppData\Local\Odp\GamePanel.exe
Source: C:\Windows\explorer.exe	Process created: unknown unknown
Source: C:\Windows\explorer.exe	Process created: C:\Windows\System32\RdpSa.exe C:\Windows\system32\RdpSa.exe
Source: C:\Windows\explorer.exe	Process created: unknown unknown
Source: C:\Windows\explorer.exe	Process created: unknown unknown
Source: C:\Windows\explorer.exe	Process created: unknown unknown
Source: C:\Windows\explorer.exe	Process created: unknown unknown

Source: C:\Windows\explorer.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32

Source: C:\Windows\explorer.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Crypto

Jump to behavior

Source: classification engine

Classification label: mal100.troj.evad.winDLL@49/18@0/0

Source: C:\Users\user\AppData\Local\vVin\unregmp2.exe

Code function: 35_2_00007FF672545AA0 SHCreateItemFromParsingName,SetFileAttributesW,DeleteFileW,CoCreateInstance,

Source: C:\Users\user\AppData\Local\iv505rrw\omadmclient.exe

Code function: 37_2_00007FF6BFA580D0 CreateStreamOnHGlobal,CreateXmlWriterOutputWithEncodingName,memset,memset,GetLastError,LocalFree,SetLastError,LocalFree,memset,FormatMessageW,GetLastError,GetProcessHeap,HeapAlloc,BigStrcat,GetLastError,LocalFree,SetLastError,??3@YAXPEAX@Z,LocalFree,LocalFree,LocalFree,??3@YAXPEAX@Z,LocalFree,LocalFree,

Source: C:\Users\user\AppData\Local\u70W8\FileHistory.exe

Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dll

Source: C:\Users\user\AppData\Local\vVin\unregmp2.exe

Code function: 35_2_00007FF672543720 RegDeleteKeyW,RegOpenKeyExW,RegDeleteValueW,RegCloseKey,GetFileAttributesW,ShellExecuteW,OpenSCManagerW,OpenServiceW,QueryServiceConfigW,ChangeServiceConfigW,QueryServiceStatus,ControlService,CloseServiceHandle,CloseServiceHandle,

Source: C:\Users\user\AppData\Local\NYpervHTp\mspaint.exe

Code function: 25_2_00007FFC74C4CB00 GetProcessId,CreateToolhelp32Snapshot,Thread32First,

Source: C:\Windows\System32\loaddll64.exe

Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\AyBhhRZXPj.dll,ApplyCompatResolutionQuirking

Source: C:\Users\user\AppData\Local\Odp\GamePanel.exe	Mutant created: \Sessions\1\BaseNamedObjects\{7f288414-5cf0-ae42-7066-c8e415a6409f}
Source: C:\Users\user\AppData\Local\Odp\GamePanel.exe	Mutant created: \Sessions\1\BaseNamedObjects\{ca68fc37-cbed-19a4-8710-155280dc7f30}

Source: C:\Users\user\AppData\Local\vVin\unregmp2.exe

Code function: 35_2_00007FF672543A5C CoInitialize,SHGetFolderPathW,LoadStringW,GetFileAttributesW,CreateDirectoryW,GetLastError,GetLastError,GetFileAttributesW,CreateDirectoryW,GetLastError,GetLastError,GetLastError,CoUninitialize,GetUserDefaultLCID,LCIDToLocaleName,PathAddBackslashW,CreateDirectoryW,GetTickCount,CreateDirectoryW,GetLastError,GetLastError,FindResourceW,LoadResource,CreateFileW,SizeofResource,WriteFile,CloseHandle,RegCreateKeyExW,RegSetValueExW,GetLastError,RegCloseKey,

Source: GamePanel.exe	String found in binary or memory: Start/StopRecordAsync FAILED with hr = %x
Source: GamePanel.exe	String found in binary or memory: Start/StopRecordAsync FAILED with hr = %x
Source: GamePanel.exe	String found in binary or memory: Start/StopRecordAsync FINALIZING
Source: GamePanel.exe	String found in binary or memory: Start/StopRecordAsync FINALIZING
Source: GamePanel.exe	String found in binary or memory: Start/StopRecordAsync SUCCEEDED
Source: GamePanel.exe	String found in binary or memory: Start/StopRecordAsync SUCCEEDED

Source: AyBhhRZXPj.dll

Static PE information: Image base 0x140000000 > 0x60000000

Source: AyBhhRZXPj.dll

Static file information: File size 1351680 > 1048576

Source: AyBhhRZXPj.dll

Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA

Source:	Binary string: mspaint.pdb source: mspaint.exe, 00000019.00000000.419578288.00007FF6EFB78000.00000002.00000001.01000000.0000000D.sdmp, mspaint.exe, 00000019.00000002.455682881.00007FF6EFB78000.00000002.00000001.01000000.0000000D.sdmp
Source:	Binary string: mspaint.pdbGCTL source: mspaint.exe, 00000019.00000000.419578288.00007FF6EFB78000.00000002.00000001.01000000.0000000D.sdmp, mspaint.exe, 00000019.00000002.455682881.00007FF6EFB78000.00000002.00000001.01000000.0000000D.sdmp
Source:	Binary string: unregmp2.pdb source: unregmp2.exe, 00000023.00000002.497335098.00007FF67255B000.00000002.00000001.01000000.0000000F.sdmp, unregmp2.exe, 00000023.00000000.466778419.00007FF67255B000.00000002.00000001.01000000.0000000F.sdmp
Source:	Binary string: GamePanel.pdbGCTL source: GamePanel.exe, 00000029.00000000.542785985.00007FF76CAB7000.00000002.00000001.01000000.00000013.sdmp, GamePanel.exe, 00000029.00000002.566549316.00007FF76CAB7000.00000002.00000001.01000000.00000013.sdmp
Source:	Binary string: FileHistory.pdbGCTL source: FileHistory.exe, 00000015.00000000.378208348.00007FF6811E9000.00000002.00000001.01000000.00000009.sdmp, FileHistory.exe, 00000015.00000002.383485917.00007FF6811E9000.00000002.00000001.01000000.00000009.sdmp
Source:	Binary string: unregmp2.pdbGCTL source: unregmp2.exe, 00000023.00000002.497335098.00007FF67255B000.00000002.00000001.01000000.0000000F.sdmp, unregmp2.exe, 00000023.00000000.466778419.00007FF67255B000.00000002.00000001.01000000.0000000F.sdmp
Source:	Binary string: GamePanel.pdb source: GamePanel.exe, 00000029.00000000.542785985.00007FF76CAB7000.00000002.00000001.01000000.00000013.sdmp, GamePanel.exe, 00000029.00000002.566549316.00007FF76CAB7000.00000002.00000001.01000000.00000013.sdmp
Source:	Binary string: omadmclient.pdb source: omadmclient.exe, 00000025.00000000.504473008.00007FF6BFA68000.00000002.00000001.01000000.00000011.sdmp, omadmclient.exe, 00000025.00000002.528042949.00007FF6BFA68000.00000002.00000001.01000000.00000011.sdmp
Source:	Binary string: omadmclient.pdbGCTL source: omadmclient.exe, 00000025.00000000.504473008.00007FF6BFA68000.00000002.00000001.01000000.00000011.sdmp, omadmclient.exe, 00000025.00000002.528042949.00007FF6BFA68000.00000002.00000001.01000000.00000011.sdmp
Source:	Binary string: FileHistory.pdb source: FileHistory.exe, 00000015.00000000.378208348.00007FF6811E9000.00000002.00000001.01000000.00000009.sdmp, FileHistory.exe, 00000015.00000002.383485917.00007FF6811E9000.00000002.00000001.01000000.00000009.sdmp

Source: AyBhhRZXPj.dll	Static PE information: section name: .vxl
Source: AyBhhRZXPj.dll	Static PE information: section name: .qwubgr
Source: AyBhhRZXPj.dll	Static PE information: section name: .eer
Source: AyBhhRZXPj.dll	Static PE information: section name: .xwwauf
Source: AyBhhRZXPj.dll	Static PE information: section name: .pkc
Source: AyBhhRZXPj.dll	Static PE information: section name: .npkda
Source: AyBhhRZXPj.dll	Static PE information: section name: .vhs
Source: AyBhhRZXPj.dll	Static PE information: section name: .iaywj
Source: AyBhhRZXPj.dll	Static PE information: section name: .nasi
Source: AyBhhRZXPj.dll	Static PE information: section name: .zhvprh
Source: AyBhhRZXPj.dll	Static PE information: section name: .yatdsp
Source: AyBhhRZXPj.dll	Static PE information: section name: .njso
Source: AyBhhRZXPj.dll	Static PE information: section name: .lgliat
Source: AyBhhRZXPj.dll	Static PE information: section name: .ntqjh
Source: AyBhhRZXPj.dll	Static PE information: section name: .sucsek
Source: AyBhhRZXPj.dll	Static PE information: section name: .qsxjui
Source: AyBhhRZXPj.dll	Static PE information: section name: .twctcm
Source: AyBhhRZXPj.dll	Static PE information: section name: .nms
Source: AyBhhRZXPj.dll	Static PE information: section name: .ogj
Source: AyBhhRZXPj.dll	Static PE information: section name: .vrkgb
Source: AyBhhRZXPj.dll	Static PE information: section name: .gikfw
Source: AyBhhRZXPj.dll	Static PE information: section name: .ktl
Source: AyBhhRZXPj.dll	Static PE information: section name: .crcn
Source: AyBhhRZXPj.dll	Static PE information: section name: .wtfr
Source: AyBhhRZXPj.dll	Static PE information: section name: .hep
Source: AyBhhRZXPj.dll	Static PE information: section name: .ywg
Source: AyBhhRZXPj.dll	Static PE information: section name: .sqsp
Source: AyBhhRZXPj.dll	Static PE information: section name: .gzb
Source: AyBhhRZXPj.dll	Static PE information: section name: .fatlss
Source: AyBhhRZXPj.dll	Static PE information: section name: .plqa
Source: AyBhhRZXPj.dll	Static PE information: section name: .vzt
Source: AyBhhRZXPj.dll	Static PE information: section name: .dsbyd
Source: AyBhhRZXPj.dll	Static PE information: section name: .cdelc
Source: AyBhhRZXPj.dll	Static PE information: section name: .qkhkj
Source: AyBhhRZXPj.dll	Static PE information: section name: .mnzegr
Source: AyBhhRZXPj.dll	Static PE information: section name: .krw
Source: AyBhhRZXPj.dll	Static PE information: section name: .jvsmn
Source: AyBhhRZXPj.dll	Static PE information: section name: .bygpq
Source: AyBhhRZXPj.dll	Static PE information: section name: .kzdbu
Source: AyBhhRZXPj.dll	Static PE information: section name: .mwxorn
Source: AyBhhRZXPj.dll	Static PE information: section name: .raf
Source: AyBhhRZXPj.dll	Static PE information: section name: .zcyw
Source: AyBhhRZXPj.dll	Static PE information: section name: .zeczh
Source: AyBhhRZXPj.dll	Static PE information: section name: .pvv
Source: AyBhhRZXPj.dll	Static PE information: section name: .lug
Source: AyBhhRZXPj.dll	Static PE information: section name: .ski
Source: AyBhhRZXPj.dll	Static PE information: section name: .japjd
Source: AyBhhRZXPj.dll	Static PE information: section name: .mwtzml
Source: AyBhhRZXPj.dll	Static PE information: section name: .vgssf
Source: AyBhhRZXPj.dll	Static PE information: section name: .qqb
Source: AyBhhRZXPj.dll	Static PE information: section name: .vje
Source: omadmclient.exe.4.dr	Static PE information: section name: .didat
Source: GamePanel.exe.4.dr	Static PE information: section name: .imrsiv
Source: GamePanel.exe.4.dr	Static PE information: section name: .didat
Source: FileHistory.exe.4.dr	Static PE information: section name: .nep
Source: wlrmdr.exe.4.dr	Static PE information: section name: .imrsiv
Source: dwmapi.dll.4.dr	Static PE information: section name: .vxl
Source: dwmapi.dll.4.dr	Static PE information: section name: .qwubgr
Source: dwmapi.dll.4.dr	Static PE information: section name: .eer
Source: dwmapi.dll.4.dr	Static PE information: section name: .xwwauf
Source: dwmapi.dll.4.dr	Static PE information: section name: .pkc
Source: dwmapi.dll.4.dr	Static PE information: section name: .npkda
Source: dwmapi.dll.4.dr	Static PE information: section name: .vhs
Source: dwmapi.dll.4.dr	Static PE information: section name: .iaywj
Source: dwmapi.dll.4.dr	Static PE information: section name: .nasi
Source: dwmapi.dll.4.dr	Static PE information: section name: .zhvprh
Source: dwmapi.dll.4.dr	Static PE information: section name: .yatdsp
Source: dwmapi.dll.4.dr	Static PE information: section name: .njso
Source: dwmapi.dll.4.dr	Static PE information: section name: .lgliat
Source: dwmapi.dll.4.dr	Static PE information: section name: .ntqjh
Source: dwmapi.dll.4.dr	Static PE information: section name: .sucsek
Source: dwmapi.dll.4.dr	Static PE information: section name: .qsxjui
Source: dwmapi.dll.4.dr	Static PE information: section name: .twctcm
Source: dwmapi.dll.4.dr	Static PE information: section name: .nms
Source: dwmapi.dll.4.dr	Static PE information: section name: .ogj
Source: dwmapi.dll.4.dr	Static PE information: section name: .vrkgb
Source: dwmapi.dll.4.dr	Static PE information: section name: .gikfw
Source: dwmapi.dll.4.dr	Static PE information: section name: .ktl
Source: dwmapi.dll.4.dr	Static PE information: section name: .crcn
Source: dwmapi.dll.4.dr	Static PE information: section name: .wtfr
Source: dwmapi.dll.4.dr	Static PE information: section name: .hep
Source: dwmapi.dll.4.dr	Static PE information: section name: .ywg
Source: dwmapi.dll.4.dr	Static PE information: section name: .sqsp
Source: dwmapi.dll.4.dr	Static PE information: section name: .gzb
Source: dwmapi.dll.4.dr	Static PE information: section name: .fatlss
Source: dwmapi.dll.4.dr	Static PE information: section name: .plqa
Source: dwmapi.dll.4.dr	Static PE information: section name: .vzt
Source: dwmapi.dll.4.dr	Static PE information: section name: .dsbyd
Source: dwmapi.dll.4.dr	Static PE information: section name: .cdelc
Source: dwmapi.dll.4.dr	Static PE information: section name: .qkhkj
Source: dwmapi.dll.4.dr	Static PE information: section name: .mnzegr
Source: dwmapi.dll.4.dr	Static PE information: section name: .krw
Source: dwmapi.dll.4.dr	Static PE information: section name: .jvsmn
Source: dwmapi.dll.4.dr	Static PE information: section name: .bygpq
Source: dwmapi.dll.4.dr	Static PE information: section name: .kzdbu
Source: dwmapi.dll.4.dr	Static PE information: section name: .mwxorn
Source: dwmapi.dll.4.dr	Static PE information: section name: .raf
Source: dwmapi.dll.4.dr	Static PE information: section name: .zcyw
Source: dwmapi.dll.4.dr	Static PE information: section name: .zeczh
Source: dwmapi.dll.4.dr	Static PE information: section name: .pvv
Source: dwmapi.dll.4.dr	Static PE information: section name: .lug
Source: dwmapi.dll.4.dr	Static PE information: section name: .ski
Source: dwmapi.dll.4.dr	Static PE information: section name: .japjd
Source: dwmapi.dll.4.dr	Static PE information: section name: .mwtzml
Source: dwmapi.dll.4.dr	Static PE information: section name: .vgssf
Source: dwmapi.dll.4.dr	Static PE information: section name: .qqb
Source: dwmapi.dll.4.dr	Static PE information: section name: .vje
Source: dwmapi.dll.4.dr	Static PE information: section name: .ksr
Source: VERSION.dll.4.dr	Static PE information: section name: .vxl
Source: VERSION.dll.4.dr	Static PE information: section name: .qwubgr
Source: VERSION.dll.4.dr	Static PE information: section name: .eer
Source: VERSION.dll.4.dr	Static PE information: section name: .xwwauf
Source: VERSION.dll.4.dr	Static PE information: section name: .pkc
Source: VERSION.dll.4.dr	Static PE information: section name: .npkda
Source: VERSION.dll.4.dr	Static PE information: section name: .vhs
Source: VERSION.dll.4.dr	Static PE information: section name: .iaywj
Source: VERSION.dll.4.dr	Static PE information: section name: .nasi
Source: VERSION.dll.4.dr	Static PE information: section name: .zhvprh
Source: VERSION.dll.4.dr	Static PE information: section name: .yatdsp
Source: VERSION.dll.4.dr	Static PE information: section name: .njso
Source: VERSION.dll.4.dr	Static PE information: section name: .lgliat
Source: VERSION.dll.4.dr	Static PE information: section name: .ntqjh
Source: VERSION.dll.4.dr	Static PE information: section name: .sucsek
Source: VERSION.dll.4.dr	Static PE information: section name: .qsxjui
Source: VERSION.dll.4.dr	Static PE information: section name: .twctcm
Source: VERSION.dll.4.dr	Static PE information: section name: .nms
Source: VERSION.dll.4.dr	Static PE information: section name: .ogj
Source: VERSION.dll.4.dr	Static PE information: section name: .vrkgb
Source: VERSION.dll.4.dr	Static PE information: section name: .gikfw
Source: VERSION.dll.4.dr	Static PE information: section name: .ktl
Source: VERSION.dll.4.dr	Static PE information: section name: .crcn
Source: VERSION.dll.4.dr	Static PE information: section name: .wtfr
Source: VERSION.dll.4.dr	Static PE information: section name: .hep
Source: VERSION.dll.4.dr	Static PE information: section name: .ywg
Source: VERSION.dll.4.dr	Static PE information: section name: .sqsp
Source: VERSION.dll.4.dr	Static PE information: section name: .gzb
Source: VERSION.dll.4.dr	Static PE information: section name: .fatlss
Source: VERSION.dll.4.dr	Static PE information: section name: .plqa
Source: VERSION.dll.4.dr	Static PE information: section name: .vzt
Source: VERSION.dll.4.dr	Static PE information: section name: .dsbyd
Source: VERSION.dll.4.dr	Static PE information: section name: .cdelc
Source: VERSION.dll.4.dr	Static PE information: section name: .qkhkj
Source: VERSION.dll.4.dr	Static PE information: section name: .mnzegr
Source: VERSION.dll.4.dr	Static PE information: section name: .krw
Source: VERSION.dll.4.dr	Static PE information: section name: .jvsmn
Source: VERSION.dll.4.dr	Static PE information: section name: .bygpq
Source: VERSION.dll.4.dr	Static PE information: section name: .kzdbu
Source: VERSION.dll.4.dr	Static PE information: section name: .mwxorn
Source: VERSION.dll.4.dr	Static PE information: section name: .raf
Source: VERSION.dll.4.dr	Static PE information: section name: .zcyw
Source: VERSION.dll.4.dr	Static PE information: section name: .zeczh
Source: VERSION.dll.4.dr	Static PE information: section name: .pvv
Source: VERSION.dll.4.dr	Static PE information: section name: .lug
Source: VERSION.dll.4.dr	Static PE information: section name: .ski
Source: VERSION.dll.4.dr	Static PE information: section name: .japjd
Source: VERSION.dll.4.dr	Static PE information: section name: .mwtzml
Source: VERSION.dll.4.dr	Static PE information: section name: .vgssf
Source: VERSION.dll.4.dr	Static PE information: section name: .qqb
Source: VERSION.dll.4.dr	Static PE information: section name: .vje
Source: VERSION.dll.4.dr	Static PE information: section name: .iol
Source: WTSAPI32.dll.4.dr	Static PE information: section name: .vxl
Source: WTSAPI32.dll.4.dr	Static PE information: section name: .qwubgr
Source: WTSAPI32.dll.4.dr	Static PE information: section name: .eer
Source: WTSAPI32.dll.4.dr	Static PE information: section name: .xwwauf
Source: WTSAPI32.dll.4.dr	Static PE information: section name: .pkc
Source: WTSAPI32.dll.4.dr	Static PE information: section name: .npkda
Source: WTSAPI32.dll.4.dr	Static PE information: section name: .vhs
Source: WTSAPI32.dll.4.dr	Static PE information: section name: .iaywj
Source: WTSAPI32.dll.4.dr	Static PE information: section name: .nasi
Source: WTSAPI32.dll.4.dr	Static PE information: section name: .zhvprh
Source: WTSAPI32.dll.4.dr	Static PE information: section name: .yatdsp
Source: WTSAPI32.dll.4.dr	Static PE information: section name: .njso
Source: WTSAPI32.dll.4.dr	Static PE information: section name: .lgliat
Source: WTSAPI32.dll.4.dr	Static PE information: section name: .ntqjh
Source: WTSAPI32.dll.4.dr	Static PE information: section name: .sucsek
Source: WTSAPI32.dll.4.dr	Static PE information: section name: .qsxjui
Source: WTSAPI32.dll.4.dr	Static PE information: section name: .twctcm
Source: WTSAPI32.dll.4.dr	Static PE information: section name: .nms
Source: WTSAPI32.dll.4.dr	Static PE information: section name: .ogj
Source: WTSAPI32.dll.4.dr	Static PE information: section name: .vrkgb
Source: WTSAPI32.dll.4.dr	Static PE information: section name: .gikfw
Source: WTSAPI32.dll.4.dr	Static PE information: section name: .ktl
Source: WTSAPI32.dll.4.dr	Static PE information: section name: .crcn
Source: WTSAPI32.dll.4.dr	Static PE information: section name: .wtfr
Source: WTSAPI32.dll.4.dr	Static PE information: section name: .hep
Source: WTSAPI32.dll.4.dr	Static PE information: section name: .ywg
Source: WTSAPI32.dll.4.dr	Static PE information: section name: .sqsp
Source: WTSAPI32.dll.4.dr	Static PE information: section name: .gzb
Source: WTSAPI32.dll.4.dr	Static PE information: section name: .fatlss
Source: WTSAPI32.dll.4.dr	Static PE information: section name: .plqa
Source: WTSAPI32.dll.4.dr	Static PE information: section name: .vzt
Source: WTSAPI32.dll.4.dr	Static PE information: section name: .dsbyd
Source: WTSAPI32.dll.4.dr	Static PE information: section name: .cdelc
Source: WTSAPI32.dll.4.dr	Static PE information: section name: .qkhkj
Source: WTSAPI32.dll.4.dr	Static PE information: section name: .mnzegr
Source: WTSAPI32.dll.4.dr	Static PE information: section name: .krw
Source: WTSAPI32.dll.4.dr	Static PE information: section name: .jvsmn
Source: WTSAPI32.dll.4.dr	Static PE information: section name: .bygpq
Source: WTSAPI32.dll.4.dr	Static PE information: section name: .kzdbu
Source: WTSAPI32.dll.4.dr	Static PE information: section name: .mwxorn
Source: WTSAPI32.dll.4.dr	Static PE information: section name: .raf
Source: WTSAPI32.dll.4.dr	Static PE information: section name: .zcyw
Source: WTSAPI32.dll.4.dr	Static PE information: section name: .zeczh
Source: WTSAPI32.dll.4.dr	Static PE information: section name: .pvv
Source: WTSAPI32.dll.4.dr	Static PE information: section name: .lug
Source: WTSAPI32.dll.4.dr	Static PE information: section name: .ski
Source: WTSAPI32.dll.4.dr	Static PE information: section name: .japjd
Source: WTSAPI32.dll.4.dr	Static PE information: section name: .mwtzml
Source: WTSAPI32.dll.4.dr	Static PE information: section name: .vgssf
Source: WTSAPI32.dll.4.dr	Static PE information: section name: .qqb
Source: WTSAPI32.dll.4.dr	Static PE information: section name: .vje
Source: WTSAPI32.dll.4.dr	Static PE information: section name: .gec
Source: DUI70.dll.4.dr	Static PE information: section name: .vxl
Source: DUI70.dll.4.dr	Static PE information: section name: .qwubgr
Source: DUI70.dll.4.dr	Static PE information: section name: .eer
Source: DUI70.dll.4.dr	Static PE information: section name: .xwwauf
Source: DUI70.dll.4.dr	Static PE information: section name: .pkc
Source: DUI70.dll.4.dr	Static PE information: section name: .npkda
Source: DUI70.dll.4.dr	Static PE information: section name: .vhs
Source: DUI70.dll.4.dr	Static PE information: section name: .iaywj
Source: DUI70.dll.4.dr	Static PE information: section name: .nasi
Source: DUI70.dll.4.dr	Static PE information: section name: .zhvprh
Source: DUI70.dll.4.dr	Static PE information: section name: .yatdsp
Source: DUI70.dll.4.dr	Static PE information: section name: .njso
Source: DUI70.dll.4.dr	Static PE information: section name: .lgliat
Source: DUI70.dll.4.dr	Static PE information: section name: .ntqjh
Source: DUI70.dll.4.dr	Static PE information: section name: .sucsek
Source: DUI70.dll.4.dr	Static PE information: section name: .qsxjui
Source: DUI70.dll.4.dr	Static PE information: section name: .twctcm
Source: DUI70.dll.4.dr	Static PE information: section name: .nms
Source: DUI70.dll.4.dr	Static PE information: section name: .ogj
Source: DUI70.dll.4.dr	Static PE information: section name: .vrkgb
Source: DUI70.dll.4.dr	Static PE information: section name: .gikfw
Source: DUI70.dll.4.dr	Static PE information: section name: .ktl
Source: DUI70.dll.4.dr	Static PE information: section name: .crcn
Source: DUI70.dll.4.dr	Static PE information: section name: .wtfr
Source: DUI70.dll.4.dr	Static PE information: section name: .hep
Source: DUI70.dll.4.dr	Static PE information: section name: .ywg
Source: DUI70.dll.4.dr	Static PE information: section name: .sqsp
Source: DUI70.dll.4.dr	Static PE information: section name: .gzb
Source: DUI70.dll.4.dr	Static PE information: section name: .fatlss
Source: DUI70.dll.4.dr	Static PE information: section name: .plqa
Source: DUI70.dll.4.dr	Static PE information: section name: .vzt
Source: DUI70.dll.4.dr	Static PE information: section name: .dsbyd
Source: DUI70.dll.4.dr	Static PE information: section name: .cdelc
Source: DUI70.dll.4.dr	Static PE information: section name: .qkhkj
Source: DUI70.dll.4.dr	Static PE information: section name: .mnzegr
Source: DUI70.dll.4.dr	Static PE information: section name: .krw
Source: DUI70.dll.4.dr	Static PE information: section name: .jvsmn
Source: DUI70.dll.4.dr	Static PE information: section name: .bygpq
Source: DUI70.dll.4.dr	Static PE information: section name: .kzdbu
Source: DUI70.dll.4.dr	Static PE information: section name: .mwxorn
Source: DUI70.dll.4.dr	Static PE information: section name: .raf
Source: DUI70.dll.4.dr	Static PE information: section name: .zcyw
Source: DUI70.dll.4.dr	Static PE information: section name: .zeczh
Source: DUI70.dll.4.dr	Static PE information: section name: .pvv
Source: DUI70.dll.4.dr	Static PE information: section name: .lug
Source: DUI70.dll.4.dr	Static PE information: section name: .ski
Source: DUI70.dll.4.dr	Static PE information: section name: .japjd
Source: DUI70.dll.4.dr	Static PE information: section name: .mwtzml
Source: DUI70.dll.4.dr	Static PE information: section name: .vgssf
Source: DUI70.dll.4.dr	Static PE information: section name: .qqb
Source: DUI70.dll.4.dr	Static PE information: section name: .vje
Source: DUI70.dll.4.dr	Static PE information: section name: .bue
Source: UxTheme.dll.4.dr	Static PE information: section name: .vxl
Source: UxTheme.dll.4.dr	Static PE information: section name: .qwubgr
Source: UxTheme.dll.4.dr	Static PE information: section name: .eer
Source: UxTheme.dll.4.dr	Static PE information: section name: .xwwauf
Source: UxTheme.dll.4.dr	Static PE information: section name: .pkc
Source: UxTheme.dll.4.dr	Static PE information: section name: .npkda
Source: UxTheme.dll.4.dr	Static PE information: section name: .vhs
Source: UxTheme.dll.4.dr	Static PE information: section name: .iaywj
Source: UxTheme.dll.4.dr	Static PE information: section name: .nasi
Source: UxTheme.dll.4.dr	Static PE information: section name: .zhvprh
Source: UxTheme.dll.4.dr	Static PE information: section name: .yatdsp
Source: UxTheme.dll.4.dr	Static PE information: section name: .njso
Source: UxTheme.dll.4.dr	Static PE information: section name: .lgliat
Source: UxTheme.dll.4.dr	Static PE information: section name: .ntqjh
Source: UxTheme.dll.4.dr	Static PE information: section name: .sucsek
Source: UxTheme.dll.4.dr	Static PE information: section name: .qsxjui
Source: UxTheme.dll.4.dr	Static PE information: section name: .twctcm
Source: UxTheme.dll.4.dr	Static PE information: section name: .nms
Source: UxTheme.dll.4.dr	Static PE information: section name: .ogj
Source: UxTheme.dll.4.dr	Static PE information: section name: .vrkgb
Source: UxTheme.dll.4.dr	Static PE information: section name: .gikfw
Source: UxTheme.dll.4.dr	Static PE information: section name: .ktl
Source: UxTheme.dll.4.dr	Static PE information: section name: .crcn
Source: UxTheme.dll.4.dr	Static PE information: section name: .wtfr
Source: UxTheme.dll.4.dr	Static PE information: section name: .hep
Source: UxTheme.dll.4.dr	Static PE information: section name: .ywg
Source: UxTheme.dll.4.dr	Static PE information: section name: .sqsp
Source: UxTheme.dll.4.dr	Static PE information: section name: .gzb
Source: UxTheme.dll.4.dr	Static PE information: section name: .fatlss
Source: UxTheme.dll.4.dr	Static PE information: section name: .plqa
Source: UxTheme.dll.4.dr	Static PE information: section name: .vzt
Source: UxTheme.dll.4.dr	Static PE information: section name: .dsbyd
Source: UxTheme.dll.4.dr	Static PE information: section name: .cdelc
Source: UxTheme.dll.4.dr	Static PE information: section name: .qkhkj
Source: UxTheme.dll.4.dr	Static PE information: section name: .mnzegr
Source: UxTheme.dll.4.dr	Static PE information: section name: .krw
Source: UxTheme.dll.4.dr	Static PE information: section name: .jvsmn
Source: UxTheme.dll.4.dr	Static PE information: section name: .bygpq
Source: UxTheme.dll.4.dr	Static PE information: section name: .kzdbu
Source: UxTheme.dll.4.dr	Static PE information: section name: .mwxorn
Source: UxTheme.dll.4.dr	Static PE information: section name: .raf
Source: UxTheme.dll.4.dr	Static PE information: section name: .zcyw
Source: UxTheme.dll.4.dr	Static PE information: section name: .zeczh
Source: UxTheme.dll.4.dr	Static PE information: section name: .pvv
Source: UxTheme.dll.4.dr	Static PE information: section name: .lug
Source: UxTheme.dll.4.dr	Static PE information: section name: .ski
Source: UxTheme.dll.4.dr	Static PE information: section name: .japjd
Source: UxTheme.dll.4.dr	Static PE information: section name: .mwtzml
Source: UxTheme.dll.4.dr	Static PE information: section name: .vgssf
Source: UxTheme.dll.4.dr	Static PE information: section name: .qqb
Source: UxTheme.dll.4.dr	Static PE information: section name: .vje
Source: UxTheme.dll.4.dr	Static PE information: section name: .npi
Source: MFC42u.dll.4.dr	Static PE information: section name: .vxl
Source: MFC42u.dll.4.dr	Static PE information: section name: .qwubgr
Source: MFC42u.dll.4.dr	Static PE information: section name: .eer
Source: MFC42u.dll.4.dr	Static PE information: section name: .xwwauf
Source: MFC42u.dll.4.dr	Static PE information: section name: .pkc
Source: MFC42u.dll.4.dr	Static PE information: section name: .npkda
Source: MFC42u.dll.4.dr	Static PE information: section name: .vhs
Source: MFC42u.dll.4.dr	Static PE information: section name: .iaywj
Source: MFC42u.dll.4.dr	Static PE information: section name: .nasi
Source: MFC42u.dll.4.dr	Static PE information: section name: .zhvprh
Source: MFC42u.dll.4.dr	Static PE information: section name: .yatdsp
Source: MFC42u.dll.4.dr	Static PE information: section name: .njso
Source: MFC42u.dll.4.dr	Static PE information: section name: .lgliat
Source: MFC42u.dll.4.dr	Static PE information: section name: .ntqjh
Source: MFC42u.dll.4.dr	Static PE information: section name: .sucsek
Source: MFC42u.dll.4.dr	Static PE information: section name: .qsxjui
Source: MFC42u.dll.4.dr	Static PE information: section name: .twctcm
Source: MFC42u.dll.4.dr	Static PE information: section name: .nms
Source: MFC42u.dll.4.dr	Static PE information: section name: .ogj
Source: MFC42u.dll.4.dr	Static PE information: section name: .vrkgb
Source: MFC42u.dll.4.dr	Static PE information: section name: .gikfw
Source: MFC42u.dll.4.dr	Static PE information: section name: .ktl
Source: MFC42u.dll.4.dr	Static PE information: section name: .crcn
Source: MFC42u.dll.4.dr	Static PE information: section name: .wtfr
Source: MFC42u.dll.4.dr	Static PE information: section name: .hep
Source: MFC42u.dll.4.dr	Static PE information: section name: .ywg
Source: MFC42u.dll.4.dr	Static PE information: section name: .sqsp
Source: MFC42u.dll.4.dr	Static PE information: section name: .gzb
Source: MFC42u.dll.4.dr	Static PE information: section name: .fatlss
Source: MFC42u.dll.4.dr	Static PE information: section name: .plqa
Source: MFC42u.dll.4.dr	Static PE information: section name: .vzt
Source: MFC42u.dll.4.dr	Static PE information: section name: .dsbyd
Source: MFC42u.dll.4.dr	Static PE information: section name: .cdelc
Source: MFC42u.dll.4.dr	Static PE information: section name: .qkhkj
Source: MFC42u.dll.4.dr	Static PE information: section name: .mnzegr
Source: MFC42u.dll.4.dr	Static PE information: section name: .krw
Source: MFC42u.dll.4.dr	Static PE information: section name: .jvsmn
Source: MFC42u.dll.4.dr	Static PE information: section name: .bygpq
Source: MFC42u.dll.4.dr	Static PE information: section name: .kzdbu
Source: MFC42u.dll.4.dr	Static PE information: section name: .mwxorn
Source: MFC42u.dll.4.dr	Static PE information: section name: .raf
Source: MFC42u.dll.4.dr	Static PE information: section name: .zcyw
Source: MFC42u.dll.4.dr	Static PE information: section name: .zeczh
Source: MFC42u.dll.4.dr	Static PE information: section name: .pvv
Source: MFC42u.dll.4.dr	Static PE information: section name: .lug
Source: MFC42u.dll.4.dr	Static PE information: section name: .ski
Source: MFC42u.dll.4.dr	Static PE information: section name: .japjd
Source: MFC42u.dll.4.dr	Static PE information: section name: .mwtzml
Source: MFC42u.dll.4.dr	Static PE information: section name: .vgssf
Source: MFC42u.dll.4.dr	Static PE information: section name: .qqb
Source: MFC42u.dll.4.dr	Static PE information: section name: .vje
Source: MFC42u.dll.4.dr	Static PE information: section name: .tfhhe
Source: VERSION.dll0.4.dr	Static PE information: section name: .vxl
Source: VERSION.dll0.4.dr	Static PE information: section name: .qwubgr
Source: VERSION.dll0.4.dr	Static PE information: section name: .eer
Source: VERSION.dll0.4.dr	Static PE information: section name: .xwwauf
Source: VERSION.dll0.4.dr	Static PE information: section name: .pkc
Source: VERSION.dll0.4.dr	Static PE information: section name: .npkda
Source: VERSION.dll0.4.dr	Static PE information: section name: .vhs
Source: VERSION.dll0.4.dr	Static PE information: section name: .iaywj
Source: VERSION.dll0.4.dr	Static PE information: section name: .nasi
Source: VERSION.dll0.4.dr	Static PE information: section name: .zhvprh
Source: VERSION.dll0.4.dr	Static PE information: section name: .yatdsp
Source: VERSION.dll0.4.dr	Static PE information: section name: .njso
Source: VERSION.dll0.4.dr	Static PE information: section name: .lgliat
Source: VERSION.dll0.4.dr	Static PE information: section name: .ntqjh
Source: VERSION.dll0.4.dr	Static PE information: section name: .sucsek
Source: VERSION.dll0.4.dr	Static PE information: section name: .qsxjui
Source: VERSION.dll0.4.dr	Static PE information: section name: .twctcm
Source: VERSION.dll0.4.dr	Static PE information: section name: .nms
Source: VERSION.dll0.4.dr	Static PE information: section name: .ogj
Source: VERSION.dll0.4.dr	Static PE information: section name: .vrkgb
Source: VERSION.dll0.4.dr	Static PE information: section name: .gikfw
Source: VERSION.dll0.4.dr	Static PE information: section name: .ktl
Source: VERSION.dll0.4.dr	Static PE information: section name: .crcn
Source: VERSION.dll0.4.dr	Static PE information: section name: .wtfr
Source: VERSION.dll0.4.dr	Static PE information: section name: .hep
Source: VERSION.dll0.4.dr	Static PE information: section name: .ywg
Source: VERSION.dll0.4.dr	Static PE information: section name: .sqsp
Source: VERSION.dll0.4.dr	Static PE information: section name: .gzb
Source: VERSION.dll0.4.dr	Static PE information: section name: .fatlss
Source: VERSION.dll0.4.dr	Static PE information: section name: .plqa
Source: VERSION.dll0.4.dr	Static PE information: section name: .vzt
Source: VERSION.dll0.4.dr	Static PE information: section name: .dsbyd
Source: VERSION.dll0.4.dr	Static PE information: section name: .cdelc
Source: VERSION.dll0.4.dr	Static PE information: section name: .qkhkj
Source: VERSION.dll0.4.dr	Static PE information: section name: .mnzegr
Source: VERSION.dll0.4.dr	Static PE information: section name: .krw
Source: VERSION.dll0.4.dr	Static PE information: section name: .jvsmn
Source: VERSION.dll0.4.dr	Static PE information: section name: .bygpq
Source: VERSION.dll0.4.dr	Static PE information: section name: .kzdbu
Source: VERSION.dll0.4.dr	Static PE information: section name: .mwxorn
Source: VERSION.dll0.4.dr	Static PE information: section name: .raf
Source: VERSION.dll0.4.dr	Static PE information: section name: .zcyw
Source: VERSION.dll0.4.dr	Static PE information: section name: .zeczh
Source: VERSION.dll0.4.dr	Static PE information: section name: .pvv
Source: VERSION.dll0.4.dr	Static PE information: section name: .lug
Source: VERSION.dll0.4.dr	Static PE information: section name: .ski
Source: VERSION.dll0.4.dr	Static PE information: section name: .japjd
Source: VERSION.dll0.4.dr	Static PE information: section name: .mwtzml
Source: VERSION.dll0.4.dr	Static PE information: section name: .vgssf
Source: VERSION.dll0.4.dr	Static PE information: section name: .qqb
Source: VERSION.dll0.4.dr	Static PE information: section name: .vje
Source: VERSION.dll0.4.dr	Static PE information: section name: .rlzfvj
Source: XmlLite.dll.4.dr	Static PE information: section name: .vxl
Source: XmlLite.dll.4.dr	Static PE information: section name: .qwubgr
Source: XmlLite.dll.4.dr	Static PE information: section name: .eer
Source: XmlLite.dll.4.dr	Static PE information: section name: .xwwauf
Source: XmlLite.dll.4.dr	Static PE information: section name: .pkc
Source: XmlLite.dll.4.dr	Static PE information: section name: .npkda
Source: XmlLite.dll.4.dr	Static PE information: section name: .vhs
Source: XmlLite.dll.4.dr	Static PE information: section name: .iaywj
Source: XmlLite.dll.4.dr	Static PE information: section name: .nasi
Source: XmlLite.dll.4.dr	Static PE information: section name: .zhvprh
Source: XmlLite.dll.4.dr	Static PE information: section name: .yatdsp
Source: XmlLite.dll.4.dr	Static PE information: section name: .njso
Source: XmlLite.dll.4.dr	Static PE information: section name: .lgliat
Source: XmlLite.dll.4.dr	Static PE information: section name: .ntqjh
Source: XmlLite.dll.4.dr	Static PE information: section name: .sucsek
Source: XmlLite.dll.4.dr	Static PE information: section name: .qsxjui
Source: XmlLite.dll.4.dr	Static PE information: section name: .twctcm
Source: XmlLite.dll.4.dr	Static PE information: section name: .nms
Source: XmlLite.dll.4.dr	Static PE information: section name: .ogj
Source: XmlLite.dll.4.dr	Static PE information: section name: .vrkgb
Source: XmlLite.dll.4.dr	Static PE information: section name: .gikfw
Source: XmlLite.dll.4.dr	Static PE information: section name: .ktl
Source: XmlLite.dll.4.dr	Static PE information: section name: .crcn
Source: XmlLite.dll.4.dr	Static PE information: section name: .wtfr
Source: XmlLite.dll.4.dr	Static PE information: section name: .hep
Source: XmlLite.dll.4.dr	Static PE information: section name: .ywg
Source: XmlLite.dll.4.dr	Static PE information: section name: .sqsp
Source: XmlLite.dll.4.dr	Static PE information: section name: .gzb
Source: XmlLite.dll.4.dr	Static PE information: section name: .fatlss
Source: XmlLite.dll.4.dr	Static PE information: section name: .plqa
Source: XmlLite.dll.4.dr	Static PE information: section name: .vzt
Source: XmlLite.dll.4.dr	Static PE information: section name: .dsbyd
Source: XmlLite.dll.4.dr	Static PE information: section name: .cdelc
Source: XmlLite.dll.4.dr	Static PE information: section name: .qkhkj
Source: XmlLite.dll.4.dr	Static PE information: section name: .mnzegr
Source: XmlLite.dll.4.dr	Static PE information: section name: .krw
Source: XmlLite.dll.4.dr	Static PE information: section name: .jvsmn
Source: XmlLite.dll.4.dr	Static PE information: section name: .bygpq
Source: XmlLite.dll.4.dr	Static PE information: section name: .kzdbu
Source: XmlLite.dll.4.dr	Static PE information: section name: .mwxorn
Source: XmlLite.dll.4.dr	Static PE information: section name: .raf
Source: XmlLite.dll.4.dr	Static PE information: section name: .zcyw
Source: XmlLite.dll.4.dr	Static PE information: section name: .zeczh
Source: XmlLite.dll.4.dr	Static PE information: section name: .pvv
Source: XmlLite.dll.4.dr	Static PE information: section name: .lug
Source: XmlLite.dll.4.dr	Static PE information: section name: .ski
Source: XmlLite.dll.4.dr	Static PE information: section name: .japjd
Source: XmlLite.dll.4.dr	Static PE information: section name: .mwtzml
Source: XmlLite.dll.4.dr	Static PE information: section name: .vgssf
Source: XmlLite.dll.4.dr	Static PE information: section name: .qqb
Source: XmlLite.dll.4.dr	Static PE information: section name: .vje
Source: XmlLite.dll.4.dr	Static PE information: section name: .kvmwo

Source: C:\Users\user\AppData\Local\vVin\unregmp2.exe

Code function: 35_2_00007FF672558AD0 LoadLibraryW,GetProcAddress,GetCurrentProcess,FreeLibrary,

Source: FileHistory.exe.4.dr

Static PE information: 0xFAD0FCA2 [Mon May 7 16:56:02 2103 UTC]

Source: initial sample	Static PE information: section name: .text entropy: 7.78392111205
Source: initial sample	Static PE information: section name: .text entropy: 7.78392111205
Source: initial sample	Static PE information: section name: .text entropy: 7.78392111205
Source: initial sample	Static PE information: section name: .text entropy: 7.78392111205
Source: initial sample	Static PE information: section name: .text entropy: 7.78392111205
Source: initial sample	Static PE information: section name: .text entropy: 7.78392111205
Source: initial sample	Static PE information: section name: .text entropy: 7.78392111205
Source: initial sample	Static PE information: section name: .text entropy: 7.78392111205
Source: initial sample	Static PE information: section name: .text entropy: 7.78392111205

Source: C:\Windows\explorer.exe	File created: C:\Users\user\AppData\Local\rgsL2C4\WTSAPI32.dll	Jump to dropped file
Source: C:\Windows\explorer.exe	File created: C:\Users\user\AppData\Local\u70W8\UxTheme.dll	Jump to dropped file
Source: C:\Windows\explorer.exe	File created: C:\Users\user\AppData\Local\NYpervHTp\MFC42u.dll	Jump to dropped file
Source: C:\Windows\explorer.exe	File created: C:\Users\user\AppData\Local\u70W8\FileHistory.exe	Jump to dropped file
Source: C:\Windows\explorer.exe	File created: C:\Users\user\AppData\Local\QpruqOk1\DUI70.dll	Jump to dropped file
Source: C:\Windows\explorer.exe	File created: C:\Users\user\AppData\Local\NYpervHTp\mspaint.exe	Jump to dropped file
Source: C:\Windows\explorer.exe	File created: C:\Users\user\AppData\Local\rgsL2C4\BdeUISrv.exe	Jump to dropped file
Source: C:\Windows\explorer.exe	File created: C:\Users\user\AppData\Local\pkru2Wsoo\VERSION.dll	Jump to dropped file
Source: C:\Windows\explorer.exe	File created: C:\Users\user\AppData\Local\Odp\GamePanel.exe	Jump to dropped file
Source: C:\Windows\explorer.exe	File created: C:\Users\user\AppData\Local\QpruqOk1\wlrmdr.exe	Jump to dropped file
Source: C:\Windows\explorer.exe	File created: C:\Users\user\AppData\Local\Odp\dwmapi.dll	Jump to dropped file
Source: C:\Windows\explorer.exe	File created: C:\Users\user\AppData\Local\vVin\unregmp2.exe	Jump to dropped file
Source: C:\Windows\explorer.exe	File created: C:\Users\user\AppData\Local\iv505rrw\omadmclient.exe	Jump to dropped file
Source: C:\Windows\explorer.exe	File created: C:\Users\user\AppData\Local\pkru2Wsoo\PresentationHost.exe	Jump to dropped file
Source: C:\Windows\explorer.exe	File created: C:\Users\user\AppData\Local\iv505rrw\XmlLite.dll	Jump to dropped file
Source: C:\Windows\explorer.exe	File created: C:\Users\user\AppData\Local\vVin\VERSION.dll	Jump to dropped file

Source: C:\Users\user\AppData\Local\vVin\unregmp2.exe

Code function: 35_2_00007FF67254FC14 GetWindowsDirectoryW,_wcsicmp,GetPrivateProfileStringW,wcsstr,_wcsicmp,_wcsicmp,_wcsicmp,WritePrivateProfileStringW,GetProfileStringW,_wcsicmp,_wcsicmp,WriteProfileStringW,WriteProfileStringW,RegCreateKeyExW,RegSetValueExW,RegCloseKey,RegCreateKeyExW,RegSetValueExW,RegCloseKey,RegCreateKeyExW,RegQueryValueExW,RegSetValueExW,RegQueryValueExW,RegSetValueExW,RegQueryValueExW,_wcsicmp,RegSetValueExW,RegOpenKeyExW,RegQueryValueExW,RegOpenKeyExW,RegQueryValueExW,_wcsicmp,RegCloseKey,RegOpenKeyExW,RegQueryValueExW,_wcsicmp,RegOpenKeyExW,RegQueryValueExW,RegCloseKey,RegCloseKey,_wcsicmp,RegSetValueExW,RegSetValueExW,RegSetValueExW,RegCloseKey,

Source: C:\Windows\explorer.exe

Registry key monitored for changes: HKEY_CURRENT_USER_Classes

Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\u70W8\FileHistory.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\u70W8\FileHistory.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\u70W8\FileHistory.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\u70W8\FileHistory.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\u70W8\FileHistory.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\u70W8\FileHistory.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\u70W8\FileHistory.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\u70W8\FileHistory.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\u70W8\FileHistory.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\u70W8\FileHistory.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\u70W8\FileHistory.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\u70W8\FileHistory.exe	Process information set: NOOPENFILEERRORBOX

Source: C:\Windows\explorer.exe TID: 408

Thread sleep count: 48 > 30

Source: C:\Windows\explorer.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\rgsL2C4\WTSAPI32.dll	Jump to dropped file
Source: C:\Windows\explorer.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\QpruqOk1\DUI70.dll	Jump to dropped file
Source: C:\Windows\explorer.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\rgsL2C4\BdeUISrv.exe	Jump to dropped file
Source: C:\Windows\explorer.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\QpruqOk1\wlrmdr.exe	Jump to dropped file
Source: C:\Windows\explorer.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\pkru2Wsoo\PresentationHost.exe	Jump to dropped file

Source: C:\Users\user\AppData\Local\u70W8\FileHistory.exe	Check user administrative privileges: GetTokenInformation,DecisionNodes
Source: C:\Users\user\AppData\Local\NYpervHTp\mspaint.exe	Check user administrative privileges: GetTokenInformation,DecisionNodes
Source: C:\Windows\System32\loaddll64.exe	Check user administrative privileges: GetTokenInformation,DecisionNodes

Source: C:\Users\user\AppData\Local\vVin\unregmp2.exe	API coverage: 0.3 %
Source: C:\Users\user\AppData\Local\iv505rrw\omadmclient.exe	API coverage: 0.2 %
Source: C:\Users\user\AppData\Local\Odp\GamePanel.exe	API coverage: 0.2 %

Source: C:\Windows\System32\loaddll64.exe

Process information queried: ProcessInformation

Source: C:\Windows\System32\loaddll64.exe

Code function: 0_2_00007FFC6711DDC0 GetSystemInfo,

Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00007FFC6711ED10 FindFirstFileExW,
Source: C:\Users\user\AppData\Local\NYpervHTp\mspaint.exe	Code function: 25_2_00007FFC74C6ED10 FindFirstFileExW,
Source: C:\Users\user\AppData\Local\vVin\unregmp2.exe	Code function: 35_2_00007FF672546088 FindFirstFileW,PathAddBackslashW,GetShortPathNameW,SHGetFolderPathW,PathAddBackslashW,GetShortPathNameW,GetCurrentDirectoryW,SetCurrentDirectoryW,FindFirstFileW,CoCreateInstance,_wcsicmp,_wcsicmp,_wcsicmp,_wcsicmp,PathRemoveBlanksW,_wcsicmp,FindNextFileW,FindClose,FindFirstFileExW,lstrcmpW,lstrcmpW,FindNextFileW,FindClose,SHChangeNotify,SetCurrentDirectoryW,FindNextFileW,FindClose,RegOpenKeyExW,LoadStringW,RegQueryValueExW,LoadStringW,RegCloseKey,PathAddBackslashW,GetFileAttributesW,RegOpenKeyExW,LoadStringW,RegQueryValueExW,PathAddBackslashW,GetFileAttributesW,RegCloseKey,RegCloseKey,LoadStringW,PathAddBackslashW,GetFileAttributesW,LoadStringW,PathAddBackslashW,GetFileAttributesW,wcsrchr,LoadStringW,PathAddBackslashW,GetFileAttributesW,RegOpenKeyExW,LoadStringW,RegQueryValueExW,PathAddBackslashW,GetFileAttributesW,RegCloseKey,RegCloseKey,LoadStringW,PathAddBackslashW,GetFileAttributesW,LoadStringW,PathAddBackslashW,GetFileAttributesW,wcsrchr,
Source: C:\Users\user\AppData\Local\vVin\unregmp2.exe	Code function: 35_2_00007FF672545B4C PathAddBackslashW,GetShortPathNameW,SHGetFolderPathW,PathAddBackslashW,GetShortPathNameW,GetCurrentDirectoryW,SetCurrentDirectoryW,FindFirstFileW,CoCreateInstance,_wcsicmp,_wcsicmp,_wcsicmp,_wcsicmp,PathRemoveBlanksW,_wcsicmp,FindNextFileW,FindClose,FindFirstFileExW,lstrcmpW,lstrcmpW,FindNextFileW,FindClose,SHChangeNotify,SetCurrentDirectoryW,
Source: C:\Users\user\AppData\Local\vVin\unregmp2.exe	Code function: 35_2_00007FF672548BFC CoInitialize,PathAddBackslashW,GetShortPathNameW,SHGetFolderPathW,PathAddBackslashW,GetShortPathNameW,GetCurrentDirectoryW,SetCurrentDirectoryW,FindFirstFileW,CoCreateInstance,_wcsicmp,_wcsicmp,_wcsicmp,_wcsicmp,PathRemoveBlanksW,_wcsicmp,FindNextFileW,FindClose,FindFirstFileExW,lstrcmpW,lstrcmpW,FindNextFileW,FindClose,SHChangeNotify,SetCurrentDirectoryW,PathAddBackslashW,GetShortPathNameW,SHGetFolderPathW,PathAddBackslashW,GetShortPathNameW,GetCurrentDirectoryW,SetCurrentDirectoryW,FindFirstFileW,CoCreateInstance,_wcsicmp,_wcsicmp,_wcsicmp,_wcsicmp,PathRemoveBlanksW,_wcsicmp,FindNextFileW,FindClose,SHChangeNotify,SetCurrentDirectoryW,PathAddBackslashW,GetShortPathNameW,SHGetFolderPathW,PathAddBackslashW,GetShortPathNameW,GetCurrentDirectoryW,SetCurrentDirectoryW,FindFirstFileW,CoCreateInstance,_wcsicmp,_wcsicmp,_wcsicmp,_wcsicmp,PathRemoveBlanksW,_wcsicmp,FindNextFileW,FindClose,FindFirstFileExW,lstrcmpW,lstrcmpW,FindNextFileW,FindClose,SHChangeNotify,SetCurrentDirectoryW,PathAddBackslashW,GetShortPathNameW,SHGetFolderPathW,PathAddBackslashW,GetShortPathNameW,GetCurrentDirectoryW,SetCurrentDirectoryW,FindFirstFileW,CoCreateInstance,_wcsicmp,_wcsicmp,_wcsicmp,_wcsicmp,PathRemoveBlanksW,_wcsicmp,FindNextFileW,FindClose,FindFirstFileExW,lstrcmpW,lstrcmpW,FindNextFileW,FindClose,SHChangeNotify,SetCurrentDirectoryW,PathAddBackslashW,GetShortPathNameW,SHGetFolderPathW,PathAddBackslashW,GetShortPathNameW,GetCurrentDirectoryW,SetCurrentDirectoryW,FindFirstFileW,CoCreateInstance,_wcsicmp,_wcsicmp,_wcsicmp,_wcsicmp,PathRemoveBlanksW,_wcsicmp,FindNextFileW,FindClose,FindFirstFileExW,lstrcmpW,lstrcmpW,FindNextFileW,FindClose,SHChangeNotify,SetCurrentDirectoryW,PathAddBackslashW,GetShortPathNameW,SHGetFolderPathW,PathAddBackslashW,GetShortPathNameW,GetCurrentDirectoryW,SetCurrentDirectoryW,FindFirstFileW,CoCreateInstance,_wcsicmp,_wcsicmp,_wcsicmp,_wcsicmp,PathRemoveBlanksW,_wcsicmp,FindNextFileW,FindClose,FindFirstFileExW,lstrcmpW,lstrcmpW,FindNextFileW,FindClose,SHChangeNotify,SetCurrentDirectoryW,PathAddBackslashW,GetShortPathNameW,SHGetFolderPathW,PathAddBackslashW,GetShortPathNameW,GetCurrentDirectoryW,SetCurrentDirectoryW,FindFirstFileW,CoCreateInstance,_wcsicmp,_wcsicmp,_wcsicmp,_wcsicmp,PathRemoveBlanksW,_wcsicmp,FindNextFileW,FindClose,FindFirstFileExW,lstrcmpW,lstrcmpW,FindNextFileW,FindClose,SHChangeNotify,SetCurrentDirectoryW,CoUninitialize,
Source: C:\Users\user\AppData\Local\vVin\unregmp2.exe	Code function: 35_2_00007FF6725472E8 RegOpenKeyExW,RegQueryValueExW,SHChangeNotify,RegDeleteValueW,wcsrchr,PathAddBackslashW,GetShortPathNameW,SHGetFolderPathW,PathAddBackslashW,GetShortPathNameW,GetCurrentDirectoryW,SetCurrentDirectoryW,FindFirstFileW,CoCreateInstance,_wcsicmp,_wcsicmp,_wcsicmp,_wcsicmp,PathRemoveBlanksW,_wcsicmp,FindNextFileW,FindClose,SHChangeNotify,SetCurrentDirectoryW,RegQueryValueExW,RegCloseKey,
Source: C:\Users\user\AppData\Local\vVin\unregmp2.exe	Code function: 35_2_00007FF6725479C4 SHGetSpecialFolderPathW,PathRemoveFileSpecW,PathRemoveFileSpecW,LoadStringW,PathRemoveFileSpecW,PathAppendW,PathIsDirectoryW,PathRemoveFileSpecW,PathAppendW,PathAppendW,PathAddBackslashW,GetShortPathNameW,SHGetFolderPathW,PathAddBackslashW,GetShortPathNameW,GetCurrentDirectoryW,SetCurrentDirectoryW,FindFirstFileW,CoCreateInstance,_wcsicmp,_wcsicmp,_wcsicmp,_wcsicmp,PathRemoveBlanksW,_wcsicmp,FindNextFileW,FindClose,SHChangeNotify,SetCurrentDirectoryW,

Source: explorer.exe, 00000004.00000000.265321965.00000000080ED000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000
Source: explorer.exe, 00000004.00000000.265603387.0000000008223000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}*^d
Source: explorer.exe, 00000004.00000000.294834055.000000000831D000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: Prod_VMware_SATA
Source: explorer.exe, 00000004.00000000.274320160.0000000000680000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: _VMware_SATA_CD00#5&280b647&
Source: explorer.exe, 00000004.00000000.301385277.000000000069D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000004.00000000.294418619.0000000008223000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: VMware SATA CD00
Source: explorer.exe, 00000004.00000000.265603387.0000000008223000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}t]
Source: explorer.exe, 00000004.00000000.331966593.00000000062C4000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000004.00000000.279138421.0000000004287000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}0
Source: explorer.exe, 00000004.00000000.294398322.000000000820E000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000
Source: explorer.exe, 00000004.00000000.265603387.0000000008223000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}}^
Source: explorer.exe, 00000004.00000000.265321965.00000000080ED000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000
Source: explorer.exe, 00000004.00000000.294418619.0000000008223000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: VMware SATA CD00l

Source: C:\Users\user\AppData\Local\iv505rrw\omadmclient.exe

Code function: 37_2_00007FF6BFA32580 GetCurrentThreadId,memset,IsDebuggerPresent,OutputDebugStringW,

Source: C:\Users\user\AppData\Local\vVin\unregmp2.exe

Code function: 35_2_00007FF672558AD0 LoadLibraryW,GetProcAddress,GetCurrentProcess,FreeLibrary,

Source: C:\Users\user\AppData\Local\iv505rrw\omadmclient.exe

Source: C:\Windows\System32\loaddll64.exe

Code function: 0_2_00007FFC671097D0 LdrLoadDll,FindClose,

Source: C:\Users\user\AppData\Local\Odp\GamePanel.exe

Code function: 41_2_00007FF76CA3F0A0 BlockInput,SendInput,

Source: C:\Users\user\AppData\Local\u70W8\FileHistory.exe

Memory allocated: page read and write | page guard

Source: C:\Users\user\AppData\Local\u70W8\FileHistory.exe	Code function: 21_2_00007FF6811E7570 SetUnhandledExceptionFilter,
Source: C:\Users\user\AppData\Local\u70W8\FileHistory.exe	Code function: 21_2_00007FF6811E77EC SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
Source: C:\Users\user\AppData\Local\vVin\unregmp2.exe	Code function: 35_2_00007FF672559D60 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
Source: C:\Users\user\AppData\Local\vVin\unregmp2.exe	Code function: 35_2_00007FF67255A060 SetUnhandledExceptionFilter,
Source: C:\Users\user\AppData\Local\iv505rrw\omadmclient.exe	Code function: 37_2_00007FF6BFA65060 SetUnhandledExceptionFilter,
Source: C:\Users\user\AppData\Local\iv505rrw\omadmclient.exe	Code function: 37_2_00007FF6BFA64D80 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
Source: C:\Users\user\AppData\Local\Odp\GamePanel.exe	Code function: 41_2_00007FF76CAABD44 IsProcessorFeaturePresent,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
Source: C:\Users\user\AppData\Local\Odp\GamePanel.exe	Code function: 41_2_00007FF76CAABF20 SetUnhandledExceptionFilter,

HIPS / PFW / Operating System Protection Evasion

Benign windows process drops PE files

Source: C:\Windows\explorer.exe

File created: omadmclient.exe.4.dr

Jump to dropped file

Changes memory attributes in foreign processes to executable or writable

Source: C:\Windows\System32\rundll32.exe	Memory protected: C:\Windows\explorer.exe base: 7FFC866FEFE0 protect: page execute and read and write
Source: C:\Windows\System32\rundll32.exe	Memory protected: C:\Windows\explorer.exe base: 7FFC866FE000 protect: page execute read
Source: C:\Windows\System32\rundll32.exe	Memory protected: C:\Windows\explorer.exe base: 7FFC85C32A20 protect: page execute and read and write

Queues an APC in another process (thread injection)

Source: C:\Windows\System32\rundll32.exe

Thread APC queued: target process: C:\Windows\explorer.exe

Uses Atom Bombing / ProGate to inject into other processes

Source: C:\Windows\System32\rundll32.exe

Atom created: 405553565741544156488D6C24D14881EC98 0x00000000 inc eax 0x00000001 push ebp 0x00000002 push ebx 0x00000003 push esi 0x00000004 push edi 0x00000005 inc ecx 0x00000006 push esp 0x00000007 inc ecx 0x00000008 push esi 0x00000009 dec eax 0x0000000a lea ebp, dword ptr [esp-2Fh] 0x0000000e dec eax 0x0000000f sub esp, 00000098h

Source: C:\Windows\System32\cmd.exe

Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\AyBhhRZXPj.dll",#1

Source: C:\Users\user\AppData\Local\Odp\GamePanel.exe

Code function: 41_2_00007FF76CAA8CAC mouse_event,SetForegroundWindow,

Source: C:\Users\user\AppData\Local\Odp\GamePanel.exe

Code function: 41_2_00007FF76CAA6418 AllocateAndInitializeSid,GetLastError,CloseHandle,SetLastError,OpenProcessToken,GetLastError,CloseHandle,SetLastError,DuplicateToken,CheckTokenMembership,GetLastError,FreeSid,CloseHandle,CloseHandle,

Source: explorer.exe, 00000004.00000000.257921423.0000000000688000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.274335367.0000000000688000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.301355437.0000000000688000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: ProgmanEXE^
Source: explorer.exe, 00000004.00000000.294181422.00000000080ED000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.289310856.0000000005920000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.310394256.00000000080ED000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000004.00000000.301862595.0000000000BE0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000004.00000000.318198734.0000000000BE0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000004.00000000.258158714.0000000000BE0000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progman
Source: explorer.exe, 00000004.00000000.301862595.0000000000BE0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000004.00000000.318198734.0000000000BE0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000004.00000000.258158714.0000000000BE0000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progmanlock
Source: explorer.exe, 00000004.00000000.317889504.000000000069D000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.274743246.0000000000708000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.301385277.000000000069D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Shell_TrayWnd4
Source: explorer.exe, 00000004.00000000.301862595.0000000000BE0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000004.00000000.318198734.0000000000BE0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000004.00000000.258158714.0000000000BE0000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: WProgram Manager

Source: C:\Users\user\AppData\Local\u70W8\FileHistory.exe

Queries volume information: C:\Users\user\AppData\Local\u70W8\FileHistory.exe VolumeInformation

Source: C:\Users\user\AppData\Local\Odp\GamePanel.exe	Code function: _o__W_Getdays,_o_free,_o_malloc,memmove,_o_free,_o__W_Getmonths,_o_free,_o_malloc,memmove,_o_free,_o____lc_locale_name_func,GetLocaleInfoEx,
Source: C:\Users\user\AppData\Local\Odp\GamePanel.exe	Code function: _o__Getdays,_o_free,_o_calloc,_o__Getmonths,_o_free,_o_calloc,_o_calloc,_o____lc_locale_name_func,GetLocaleInfoEx,Concurrency::cancel_current_task,Concurrency::cancel_current_task,Concurrency::cancel_current_task,
Source: C:\Users\user\AppData\Local\Odp\GamePanel.exe	Code function: _o__Getdays,_o_free,_o__Getmonths,_o_free,_o____lc_locale_name_func,GetLocaleInfoEx,
Source: C:\Users\user\AppData\Local\Odp\GamePanel.exe	Code function: WindowsGetStringRawBuffer,WideCharToMultiByte,WindowsDeleteString,WindowsDuplicateString,WindowsDeleteString,WindowsDuplicateString,GetUserDefaultUILanguage,LCIDToLocaleName,GetLocaleInfoEx,

Source: C:\Windows\System32\loaddll64.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion InstallDate

Source: C:\Windows\System32\loaddll64.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Source: C:\Users\user\AppData\Local\u70W8\FileHistory.exe

Code function: 21_2_00007FF6811E7704 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,GetTickCount,QueryPerformanceCounter,

Source: C:\Users\user\AppData\Local\vVin\unregmp2.exe

Code function: 35_2_00007FF67254CF64 GetModuleFileNameW,GetFileVersionInfoSizeW,CreateFileW,GetFileTime,FileTimeToSystemTime,memset,GetTimeZoneInformation,SystemTimeToVariantTime,VariantTimeToSystemTime,CloseHandle,GetFileVersionInfoW,VerQueryValueW,

Source: C:\Users\user\AppData\Local\vVin\unregmp2.exe

Code function: 35_2_00007FF67254BABC GetVersionExW,RegOpenKeyExW,RegQueryValueExW,_wtol,RegOpenKeyExW,RegQueryValueExW,wcschr,_wtoi,wcschr,_wtoi,swscanf,swscanf,swscanf,RegCloseKey,

Source: C:\Windows\System32\loaddll64.exe

Code function: 0_2_00007FFC67109400 GetUserNameW,

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	2 Native API	1 DLL Side-Loading	1 DLL Side-Loading	11 Disable or Modify Tools	11 Input Capture	2 System Time Discovery	Remote Services	1 Archive Collected Data	Exfiltration Over Other Network Medium	2 Encrypted Channel	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	1 Exploitation for Client Execution	1 Windows Service	1 Windows Service	1 Deobfuscate/Decode Files or Information	LSASS Memory	1 Account Discovery	Remote Desktop Protocol	11 Input Capture	Exfiltration Over Bluetooth	Junk Data	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	2 Command and Scripting Interpreter	Logon Script (Windows)	312 Process Injection	2 Obfuscated Files or Information	Security Account Manager	1 File and Directory Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Steganography	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	1 Service Execution	Logon Script (Mac)	Logon Script (Mac)	2 Software Packing	NTDS	35 System Information Discovery	Distributed Component Object Model	Input Capture	Scheduled Transfer	Protocol Impersonation	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	1 Timestomp	LSA Secrets	1 Query Registry	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	1 DLL Side-Loading	Cached Domain Credentials	21 Security Software Discovery	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	1 Masquerading	DCSync	1 Virtualization/Sandbox Evasion	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	1 Virtualization/Sandbox Evasion	Proc Filesystem	3 Process Discovery	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue
Exploit Public-Facing Application	PowerShell	At (Linux)	At (Linux)	312 Process Injection	/etc/passwd and /etc/shadow	1 System Owner/User Discovery	Software Deployment Tools	Data Staged	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	Web Protocols	Rogue Cellular Base Station		Data Destruction
Supply Chain Compromise	AppleScript	At (Windows)	At (Windows)	1 Rundll32	Network Sniffing	Process Discovery	Taint Shared Content	Local Data Staging	Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol	File Transfer Protocols			Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
AyBhhRZXPj.dll	70%	Virustotal		Browse
AyBhhRZXPj.dll	62%	Metadefender		Browse
AyBhhRZXPj.dll	88%	ReversingLabs	Win64.Trojan.Occamy
AyBhhRZXPj.dll	100%	Avira	TR/Crypt.XPACK.Gen7
AyBhhRZXPj.dll	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Local\Odp\dwmapi.dll	100%	Avira	TR/Crypt.XPACK.Gen7
C:\Users\user\AppData\Local\u70W8\UxTheme.dll	100%	Avira	TR/Crypt.ZPACK.Gen
C:\Users\user\AppData\Local\NYpervHTp\MFC42u.dll	100%	Avira	TR/Crypt.ZPACK.Gen
C:\Users\user\AppData\Local\iv505rrw\XmlLite.dll	100%	Avira	TR/Crypt.XPACK.Gen7
C:\Users\user\AppData\Local\pkru2Wsoo\VERSION.dll	100%	Avira	TR/Crypt.ZPACK.Gen
C:\Users\user\AppData\Local\pkru2Wsoo\VERSION.dll	100%	Avira	TR/Crypt.ZPACK.Gen
C:\Users\user\AppData\Local\QpruqOk1\DUI70.dll	100%	Avira	TR/Crypt.XPACK.Gen4
C:\Users\user\AppData\Local\rgsL2C4\WTSAPI32.dll	100%	Avira	TR/Crypt.ZPACK.Gen
C:\Users\user\AppData\Local\Odp\dwmapi.dll	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\u70W8\UxTheme.dll	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\NYpervHTp\MFC42u.dll	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\iv505rrw\XmlLite.dll	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\pkru2Wsoo\VERSION.dll	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\pkru2Wsoo\VERSION.dll	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\QpruqOk1\DUI70.dll	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\rgsL2C4\WTSAPI32.dll	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\NYpervHTp\mspaint.exe	0%	Virustotal		Browse
C:\Users\user\AppData\Local\NYpervHTp\mspaint.exe	0%	Metadefender		Browse
C:\Users\user\AppData\Local\NYpervHTp\mspaint.exe	0%	ReversingLabs
C:\Users\user\AppData\Local\Odp\GamePanel.exe	0%	Virustotal		Browse
C:\Users\user\AppData\Local\Odp\GamePanel.exe	0%	Metadefender		Browse
C:\Users\user\AppData\Local\Odp\GamePanel.exe	0%	ReversingLabs
C:\Users\user\AppData\Local\QpruqOk1\wlrmdr.exe	0%	Metadefender		Browse
C:\Users\user\AppData\Local\QpruqOk1\wlrmdr.exe	0%	ReversingLabs

Unpacked PE Files

Source	Detection	Scanner	Label	Download
41.2.GamePanel.exe.2470ec10000.0.unpack	100%	Avira	HEUR/AGEN.1215493	Download File
21.2.FileHistory.exe.7ffc74c20000.3.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
8.2.rundll32.exe.7ffc670c0000.2.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
35.2.unregmp2.exe.7ffc74c20000.3.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
37.2.omadmclient.exe.7ffc74c20000.3.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
21.2.FileHistory.exe.216cde30000.0.unpack	100%	Avira	HEUR/AGEN.1215493	Download File
5.2.rundll32.exe.7ffc670c0000.2.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
41.2.GamePanel.exe.7ffc678e0000.3.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
8.2.rundll32.exe.1ff796f0000.0.unpack	100%	Avira	HEUR/AGEN.1215493	Download File
25.2.mspaint.exe.7ffc74c10000.3.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
2.2.rundll32.exe.7ffc670c0000.2.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
0.2.loaddll64.exe.228311a0000.0.unpack	100%	Avira	HEUR/AGEN.1215493	Download File
2.2.rundll32.exe.1b4136b0000.0.unpack	100%	Avira	HEUR/AGEN.1215493	Download File
0.2.loaddll64.exe.7ffc670c0000.2.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
25.2.mspaint.exe.214ad6f0000.0.unpack	100%	Avira	HEUR/AGEN.1215493	Download File
35.2.unregmp2.exe.292a12f0000.1.unpack	100%	Avira	HEUR/AGEN.1215493	Download File
5.2.rundll32.exe.2a99d010000.0.unpack	100%	Avira	HEUR/AGEN.1215493	Download File
3.2.rundll32.exe.1a65a440000.1.unpack	100%	Avira	HEUR/AGEN.1215493	Download File
3.2.rundll32.exe.7ffc670c0000.2.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
37.2.omadmclient.exe.2684a170000.0.unpack	100%	Avira	HEUR/AGEN.1215493	Download File

Domains

⊘No Antivirus matches

URLs

Source	Detection	Scanner	Label	Link
https://www.xboxlive.comMBI_SSLhttps://profile.xboxlive.com/users/me/profile/settings?settings=GameD	0%	Avira URL Cloud	safe

Name	Source	Malicious	Antivirus Detection	Reputation
https://mixer.com/api/v1/oauth/xbl/login	GamePanel.exe	false		high
https://profile.xboxlive.com/users/me/profile/settings?settings=GameDisplayPicRaw	GamePanel.exe	false		high
https://aka.ms/imrx2o	GamePanel.exe	false		high
https://mixer.com/_latest/assets/emoticons/%ls.png	GamePanel.exe	false		high
https://mixer.com/api/v1/users/current	GamePanel.exe	false		high
https://mixer.com/_latest/assets/emoticons/%ls.pngtitleIdaumIdkglIdprocessNamenametypeIdmultimedia	GamePanel.exe, 00000029.00000000.542785985.00007FF76CAB7000.00000002.00000001.01000000.00000013.sdmp, GamePanel.exe, 00000029.00000002.566549316.00007FF76CAB7000.00000002.00000001.01000000.00000013.sdmp	false		high
https://mixer.com/api/v1/broadcasts/current	GamePanel.exe, GamePanel.exe, 00000029.00000000.542785985.00007FF76CAB7000.00000002.00000001.01000000.00000013.sdmp, GamePanel.exe, 00000029.00000002.566549316.00007FF76CAB7000.00000002.00000001.01000000.00000013.sdmp	false		high
https://mixer.com/%wsWindows.System.Launcher	GamePanel.exe, 00000029.00000000.542785985.00007FF76CAB7000.00000002.00000001.01000000.00000013.sdmp, GamePanel.exe, 00000029.00000002.566549316.00007FF76CAB7000.00000002.00000001.01000000.00000013.sdmp	false		high
https://aka.ms/v5do45	GamePanel.exe	false		high
https://mixer.com/api/v1/types/lookup%ws	GamePanel.exe	false		high
https://MediaData.XboxLive.com/broadcasts/Augmenthttps://MediaData.XboxLive.com/screenshots/Augmenth	GamePanel.exe, 00000029.00000000.542785985.00007FF76CAB7000.00000002.00000001.01000000.00000013.sdmp, GamePanel.exe, 00000029.00000002.566549316.00007FF76CAB7000.00000002.00000001.01000000.00000013.sdmp	false		high
https://aka.ms/wk9ocd	GamePanel.exe, GamePanel.exe, 00000029.00000000.542785985.00007FF76CAB7000.00000002.00000001.01000000.00000013.sdmp, GamePanel.exe, 00000029.00000002.566549316.00007FF76CAB7000.00000002.00000001.01000000.00000013.sdmp	false		high
https://MediaData.XboxLive.com/broadcasts/Augment	GamePanel.exe	false		high
https://aka.ms/imfx4k	GamePanel.exe	false		high
https://www.xboxlive.comMBI_SSLhttps://profile.xboxlive.com/users/me/profile/settings?settings=GameD	GamePanel.exe, 00000029.00000000.542785985.00007FF76CAB7000.00000002.00000001.01000000.00000013.sdmp, GamePanel.exe, 00000029.00000002.566549316.00007FF76CAB7000.00000002.00000001.01000000.00000013.sdmp	false	Avira URL Cloud: safe	low
https://MediaData.XboxLive.com/gameclips/Augment	GamePanel.exe	false		high
https://www.xboxlive.com	GamePanel.exe	false		high
https://mixer.com/api/v1/channels/%d	GamePanel.exe	false		high
https://mixer.com/api/v1/types/lookup%wshttps://mixer.com/api/v1/channels/%wshttps://mixer.com/api/v	GamePanel.exe, 00000029.00000000.542785985.00007FF76CAB7000.00000002.00000001.01000000.00000013.sdmp, GamePanel.exe, 00000029.00000002.566549316.00007FF76CAB7000.00000002.00000001.01000000.00000013.sdmp	false		high
https://mixer.com/api/v1/channels/%ws	GamePanel.exe	false		high
https://mixer.com/api/v1/chats/%.0fhttps://mixer.com/api/v1/users/currentBEAM_IMAGEGamesGuide::BeamC	GamePanel.exe, 00000029.00000000.542785985.00007FF76CAB7000.00000002.00000001.01000000.00000013.sdmp, GamePanel.exe, 00000029.00000002.566549316.00007FF76CAB7000.00000002.00000001.01000000.00000013.sdmp	false		high
https://MediaData.XboxLive.com/screenshots/Augment	GamePanel.exe	false		high
https://mixer.com/api/v1/chats/%.0f	GamePanel.exe	false		high
https://aka.ms/ifg0es	GamePanel.exe	false		high
https://mixer.com/%ws	GamePanel.exe	false		high
https://aka.ms/w5ryqnhttps://aka.ms/imfx4kQUITTING	GamePanel.exe, 00000029.00000000.542785985.00007FF76CAB7000.00000002.00000001.01000000.00000013.sdmp, GamePanel.exe, 00000029.00000002.566549316.00007FF76CAB7000.00000002.00000001.01000000.00000013.sdmp	false		high
https://aka.ms/w5ryqn	GamePanel.exe	false		high

World Map of Contacted IPs

⊘No contacted IP infos

General Information

Joe Sandbox Version:	34.0.0 Boulder Opal
Analysis ID:	595303
Start date and time:	2022-03-23 14:40:41 +01:00
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 17m 21s
Hypervisor based Inspection enabled:	false
Report type:	light
Sample file name:	AyBhhRZXPj (renamed file extension from none to dll)
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	41
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	1
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.troj.evad.winDLL@49/18@0/0
EGA Information:	Successful, ratio: 100%
HDC Information:	Successful, ratio: 23.6% (good quality ratio 16.4%) Quality average: 43.9% Quality standard deviation: 37%
HCA Information:	Successful, ratio: 98% Number of executed functions: 0 Number of non-executed functions: 0
Cookbook Comments:	Adjust boot time Enable AMSI Override analysis time to 240s for rundll32

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, BackgroundTransferHost.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, WmiPrvSE.exe, svchost.exe, wuapihost.exe
Excluded IPs from analysis (whitelisted): 23.211.6.115
Excluded domains from analysis (whitelisted): www.bing.com, client.wns.windows.com, fs.microsoft.com, ctldl.windowsupdate.com, store-images.s-microsoft.com-c.edgekey.net, arc.msn.com, ris.api.iris.microsoft.com, e12564.dspb.akamaiedge.net, login.live.com, store-images.s-microsoft.com, sls.update.microsoft.com, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, watson.telemetry.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report creation exceeded maximum time and may have missing behavior and disassembly information.
Report creation exceeded maximum time and may have missing disassembly code information.
Report size exceeded maximum capacity and may have missing behavior information.
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtAllocateVirtualMemory calls found.
Report size getting too big, too many NtEnumerateKey calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.

Process:	C:\Users\user\AppData\Local\u70W8\FileHistory.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	42
Entropy (8bit):	4.0050635535766075
Encrypted:	false
SSDEEP:	3:QHXMKa/xwwUy:Q3La/xwQ
MD5:	84CFDB4B995B1DBF543B26B86C863ADC
SHA1:	D2F47764908BF30036CF8248B9FF5541E2711FA2
SHA-256:	D8988D672D6915B46946B28C06AD8066C50041F6152A91D37FFA5CF129CC146B
SHA-512:	485F0ED45E13F00A93762CBF15B4B8F996553BAA021152FAE5ABA051E3736BCD3CA8F4328F0E6D9E3E1F910C96C4A9AE055331123EE08E3C2CE3A99AC2E177CE
Malicious:	false
Reputation:	unknown
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..

C:\Users\user\AppData\Local\NYpervHTp\MFC42u.dll

Download File

Process:	C:\Windows\explorer.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1380352
Entropy (8bit):	5.14522678065983
Encrypted:	false
SSDEEP:	12288:3ZgJtlQepQn+NDo7nIYegQCLDF/B9wvj/cLvVZFuw8Ib:3ZK6F7n5eRmDFJivohZFV8W
MD5:	EF4106DB513D825B821B6BAE9E504D27
SHA1:	383AA64894D212196C899AF3F850C9B189E1EC60
SHA-256:	08AFB768749C8F06C7FB5CD2B0FA3DF90EBD19A30244E19840DC434B5C2435B6
SHA-512:	199F4A0F739DAE81B46CAF24D7ADD13CAAFBFEBA7A558C004220D2F6B669BF15732D415D323EDB08576E22A229CCBA8064AF83813C8F54BCA962E83DF2243E56
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Reputation:	unknown
Preview:	MZ......................@.......................................X..Z.qb..qb..qb.a...jqb.s....qb.9...\qb.s...(qb......qb..#.. qb../b..qb......qb.....Hqb..(c./qb.r,f..qb..(c..qb.;...,qb../..Tqb.....Zqb......qb.z...Bqb.....nqb.....[qb.....qb.;...{qb......qb..#...qb...f.oqb....hqb.z....qb.....:qb.;...tqb.Rich.qb.................................................................................................PE..d.:...}^.........." ..... ...........$.........@..........................................`..............................................l..$...<....................................................................................0..(............................text............ .........@........ ..`.rdata..Co...0...p...0...0.@Co......@..@.data....;.......@.........@.;......@....pdata..8..................@8.......@..@.rsrc......................@........@..@.reloc..1..................@1.......@..B.vxl............. .........@........@..@.qwubgr.$....0... ...0...0.@$.......@..@.eer....

C:\Users\user\AppData\Local\NYpervHTp\mspaint.exe

Download File

Process:	C:\Windows\explorer.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	6780928
Entropy (8bit):	6.184072371216434
Encrypted:	false
SSDEEP:	98304:ez2u7InCOgQwyRPM1mlawYL260GBGrGrGWAub7jPhivQ:ez6n/gQw4MIlawYVb7jP8v
MD5:	99F86A0D360FD9A3FCAD6B1E7D92A90C
SHA1:	65F36247C0FFBB881947F68B352128C0C9CFCBE5
SHA-256:	D46519B76D09DFF8BC5C7B34A4E73AD8E7CF6E4C40BDAD6C769E34A099ECE017
SHA-512:	5071487AA218712FBA3A1FCEA6A810C3B27D26A145BC728315CA8078B6A88E51989038CAE4F5EE494B1FEE7515C6E86742D280D1A763B044BDBE7D2E360124A9
Malicious:	false
Antivirus:	Antivirus: Virustotal, Detection: 0%, Browse Antivirus: Metadefender, Detection: 0%, Browse Antivirus: ReversingLabs, Detection: 0%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.....................;...............................o............W..........Rich............PE..d.....S..........."......j...<^.....0..........@..............................g......_h...`.......... ......................................X........p..`BY......f............g.....,..T....................9..(... ................:..("......@....................text....i.......j.................. ..`.rdata...............n..............@..@.data........`...P...L..............@....pdata...f.......h..................@..@.didat..h....`......................@....rsrc...`BY..p...DY.................@..@.reloc.......g..,...Lg.............@..B................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Odp\GamePanel.exe

Download File

Process:	C:\Windows\explorer.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1292288
Entropy (8bit):	6.159394598062476
Encrypted:	false
SSDEEP:	24576:tg6uRV8QrFa8Zdntp/LEz2INhgITVXTvlHQroF:tgJVbFaqtpDEznyQVjvZQroF
MD5:	4EF330EFAE954723B1F2800C15FDA7EB
SHA1:	3E152C0B10E107926D6A213C882C161D80B836C9
SHA-256:	0494166D4AE6BB7925E4F57BB6DFAC629C95AE9E03DFC925F8232893236BD982
SHA-512:	C122CD7A245EF6A6A7B7DECAB6500BDC11E4C57B8E35F8462CC0615E44E54071E6BF79B69BB8519470ACBAF0D2E62ABC45C38CBF0606261792EDB4A84790EC61
Malicious:	false
Antivirus:	Antivirus: Virustotal, Detection: 0%, Browse Antivirus: Metadefender, Detection: 0%, Browse Antivirus: ReversingLabs, Detection: 0%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......T.ur.`.!.`.!.`.!...!P`.!... .`.!... .`.!... 4`.!... 9`.!.`.!de.!... .`.!...!.`.!...!.`.!... .`.!Rich.`.!........PE..d................"......H..........0..........@.............................@....................... ...................................................u......`................:..p...T....................@..(...pp..............8@..H... ...@....................text....F.......H.................. ..`.imrsiv......`...........................rdata......p.......L..............@..@.data...............................@....pdata..`............~..............@..@.didat.......p......................@....rsrc....u.......v..................@..@.reloc...:.......<...\|..............@..B................................................................................................................................................................................

C:\Users\user\AppData\Local\Odp\dwmapi.dll

Download File

Process:	C:\Windows\explorer.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1355776
Entropy (8bit):	5.1221876396248325
Encrypted:	false
SSDEEP:	12288:zZgJtlQepQn+NDo7nIYegQCLDF/B9wvj/cLvVZFuw:zZK6F7n5eRmDFJivohZFV
MD5:	921B46AEA923BE300B1D6EF4E7C1CC5F
SHA1:	40CBBD90B7F456E05C533C1066DD2D8F5601FA90
SHA-256:	F7DCD2DCAF06B60C5DAEA5E89C60030F2571B662C2383FC876742E96F52B3C76
SHA-512:	22C21A6A7F802DBAB287513D47E8DBADFBAD215258D43D8A5F0B3292836B8EA58F1B0C94F3ACF3AACAEC6BEE87DCC68BCF269BE712B3A78C4F9099AFF9B0133D
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Reputation:	unknown
Preview:	MZ......................@.......................................X..Z.qb..qb..qb.a...jqb.s....qb.9...\qb.s...(qb......qb..#.. qb../b..qb......qb.....Hqb..(c./qb.r,f..qb..(c..qb.;...,qb../..Tqb.....Zqb......qb.z...Bqb.....nqb.....[qb.....qb.;...{qb......qb..#...qb...f.oqb....hqb.z....qb.....:qb.;...tqb.Rich.qb.................................................................................................PE..d.:...}^.........." ..... ...........$.........@..........................................`.............................................&...$...<....................................................................................0..(............................text............ .........@........ ..`.rdata..Co...0...p...0...0.@Co......@..@.data....;.......@.........@.;......@....pdata..8..................@8.......@..@.rsrc......................@........@..@.reloc..1..................@1.......@..B.vxl............. .........@........@..@.qwubgr.$....0... ...0...0.@$.......@..@.eer....

C:\Users\user\AppData\Local\QpruqOk1\DUI70.dll

Download File

Process:	C:\Windows\explorer.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1638400
Entropy (8bit):	5.548556004393981
Encrypted:	false
SSDEEP:	12288:6ZgJtlQepQn+NDo7nIYegQCLDF/B9wvj/cLvVZFuwujCTy+:6ZK6F7n5eRmDFJivohZFVujCG
MD5:	DB436F220DAA0C2AF20E59BCE6EEC8B5
SHA1:	26DB68E5B14525B216760A40C474477014543776
SHA-256:	4D70CB2101B735E522F8EB0B3DF0E11D1DCCBF3828AEA07B94D19ACFE9EC3AA6
SHA-512:	7F86D71ED7833493A82845BDE6C53CA0CD19F474891D8397FFC0AF7E3750402DBCFB66B2BA6B2D208D9518597439DB21C40C39EA8C52070667F9FC9756CE0F9F
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Reputation:	unknown
Preview:	MZ......................@.......................................X..Z.qb..qb..qb.a...jqb.s....qb.9...\qb.s...(qb......qb..#.. qb../b..qb......qb.....Hqb..(c./qb.r,f..qb..(c..qb.;...,qb../..Tqb.....Zqb......qb.z...Bqb.....nqb.....[qb.....qb.;...{qb......qb..#...qb...f.oqb....hqb.z....qb.....:qb.;...tqb.Rich.qb.................................................................................................PE..d.:...}^.........." ..... ...........$.........@..........................................`.............................................dQ..$...<....................................................................................0..(............................text............ .........@........ ..`.rdata..Co...0...p...0...0.@Co......@..@.data....;.......@.........@.;......@....pdata..8..................@8.......@..@.rsrc......................@........@..@.reloc..1..................@1.......@..B.vxl............. .........@........@..@.qwubgr.$....0... ...0...0.@$.......@..@.eer....

C:\Users\user\AppData\Local\QpruqOk1\wlrmdr.exe

Download File

Process:	C:\Windows\explorer.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	65704
Entropy (8bit):	5.834154867756865
Encrypted:	false
SSDEEP:	1536:B14+6gGQ7ubZiQ+KytHIyObsvqr9PxDt8PcPs:QgGIu1iFtHJLu9ZDt8kU
MD5:	4849E997AF1274DD145672A2F9BC0827
SHA1:	D24E9C6079A20D1AED8C1C409C3FC8E1C63628F3
SHA-256:	B43FC043A61BDBCF290929666A62959C8AD2C8C121C7A3F36436D61BBD011C9D
SHA-512:	FB9227F0B758496DE1F1D7CEB3B7A5E847C6846ADD360754CFB900358A71422994C4904333AD51852DC169113ACE4FF3349520C816E7EE796E0FBE6106255AEF
Malicious:	false
Antivirus:	Antivirus: Metadefender, Detection: 0%, Browse Antivirus: ReversingLabs, Detection: 0%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........j.s... ... ... .s\ ... .o.!... .o.!... .o.!... .o.!... ... t.. .o.!... .o0 ... .o.!... Rich... ........PE..d....2............"......4...........:.........@.............................@......b................P..................................................xg...............$...0.......y..T............................f...............g..x............................text....3.......4.................. ..`.imrsiv......P...........................rdata..J2...`...4...8..............@..@.data...h............l..............@....pdata...............n..............@..@.rsrc...xg.......h...r..............@..@.reloc.......0......................@..B................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\iv505rrw\XmlLite.dll

Download File

Process:	C:\Windows\explorer.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1355776
Entropy (8bit):	5.1147607814329605
Encrypted:	false
SSDEEP:	12288:hZgJtlQepQn+NDo7nIYegQCLDF/B9wvj/cLvVZFuw:hZK6F7n5eRmDFJivohZFV
MD5:	44295A0E00ADDDD50261D8F890897B4D
SHA1:	856508331E1867C99519588A25DE434090D05FA5
SHA-256:	973CDBB17CDCE9C019AAE83347912CCE7955D1D8DB1B8DC80082B15EDC28206B
SHA-512:	B8A99ADEF9BFA3BB5D3D7BFEC9489405EF5D3381E4B7723CABB84113C6E073F2D96371ACE74988F7953FBF722121E0F78B89A9621D89A9C5D82BE2051CF5A30E
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Reputation:	unknown
Preview:	MZ......................@.......................................X..Z.qb..qb..qb.a...jqb.s....qb.9...\qb.s...(qb......qb..#.. qb../b..qb......qb.....Hqb..(c./qb.r,f..qb..(c..qb.;...,qb../..Tqb.....Zqb......qb.z...Bqb.....nqb.....[qb.....qb.;...{qb......qb..#...qb...f.oqb....hqb.z....qb.....:qb.;...tqb.Rich.qb.................................................................................................PE..d.:...}^.........." ..... ...........$.........@..........................................`.................................................$...<....................................................................................0..(............................text............ .........@........ ..`.rdata..Co...0...p...0...0.@Co......@..@.data....;.......@.........@.;......@....pdata..8..................@8.......@..@.rsrc......................@........@..@.reloc..1..................@1.......@..B.vxl............. .........@........@..@.qwubgr.$....0... ...0...0.@$.......@..@.eer....

C:\Users\user\AppData\Local\iv505rrw\omadmclient.exe

Download File

Process:	C:\Windows\explorer.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	315904
Entropy (8bit):	6.1346795928867035
Encrypted:	false
SSDEEP:	6144:uwqIVaD9RkjUYNBDXEDBdcA1gBnbC03j0xjGKEgsQOQ25te8lG:XqIVaDrn6BD0NOA1gBnfj01QW
MD5:	AD7C6CD7A8EEC95808AA77C5D7987941
SHA1:	96985DDF5C2C30918F69CA4405D955BDD0C7E44E
SHA-256:	D7EED58A955ED6ADEF429FA78F82776BBC905C507E1ABE6D5CFCD5C8AC1B0AC9
SHA-512:	047EA8C542774045450B51BF367C75B4ED11E883553842BCACD9E6DFC4C27CDC8BE86A9BADFD5345DA068B4A881BC8522525BF9CEC72FEE1856E365E7CD2015E
Malicious:	false
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......`2.K$S~.$S~.$S~.-+..nS~.K7}.'S~.K7z.1S~.$S...R~.K7..=S~.K7{.)S~.K7w..S~.K7..%S~.K7\|.%S~.Rich$S~.........................PE..d...H..-.........."......d...x.......J.........@.............................@............`.......... .............................................. ........... ...........0..........T.......................(...................8...8...........................text....b.......d.................. ..`.rdata..~4.......6...h..............@..@.data...l...........................@....pdata... ......."..................@..@.didat..............................@....rsrc........ ......................@..@.reloc.......0......................@..B................................................................................................................................................................................................................

C:\Users\user\AppData\Local\pkru2Wsoo\PresentationHost.exe

Download File

Process:	C:\Windows\explorer.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	259072
Entropy (8bit):	6.5074250085194665
Encrypted:	false
SSDEEP:	6144:8kfs4/kfxzJTbHfyH5KNXwy3Odjp19k5KNXf:fs4ixzJTbHmKVwy3OdLaKV
MD5:	E3053C73EA240F4C2F7971B3905A91CF
SHA1:	1848AD66BD55E5484616FB85E80BA58BE1D5BA4B
SHA-256:	0BACCDB2B5ACB7B3C2E9085655457532964CAFFF1AE250016CE1A80E839B820C
SHA-512:	167BCC3E2552286F7D985A65674DA2FF0D0AA6A7F0C4C3B43193943B606E0133C06EEB33656EFBB8B827AC9221FB1BA00A49ADCC2489BD4F38DF62A015806DE3
Malicious:	false
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........3/.]\|.]\|.]\|...\|.]\|...\|..]\|..^}.]\|..Y}.]\|.\\|..]\|..\}.]\|..T}..]\|..X}.]\|..\|.]\|.._}.]\|Rich.]\|........................PE..d..../............"..........&.................@.............................0............`.......... .......................................p..,........j......l............ ..,....d..T............................#...............$...............................text...o........................... ..`.rdata..............................@..@.data................r..............@....pdata..l............t..............@..@.rsrc....j.......l...~..............@..@.reloc..,.... ......................@..B................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\pkru2Wsoo\VERSION.dll

Download File

Process:	C:\Windows\explorer.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1355776
Entropy (8bit):	5.115920691070016
Encrypted:	false
SSDEEP:	12288:vZgJtlQepQn+NDo7nIYegQCLDF/B9wvj/cLvVZFuw:vZK6F7n5eRmDFJivohZFV
MD5:	4F53DEE2F65AEDCF002B0D96E136EA3E
SHA1:	E6B72A1016718C24DF891B7A7A4A2B389E2E8F32
SHA-256:	68E5BFBFFA535A346A0203DB796A87168AB0D81619AC2E0B688E1120B6E71253
SHA-512:	401FAE3B8A52F7ED45078DB29E0D33B31878F7D78F8C9C23DD898121118A4BAD13A23313249648BC2A5ED468813CA1843610B9640C982E40832D34FBA9AC77A6
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Reputation:	unknown
Preview:	MZ......................@.......................................X..Z.qb..qb..qb.a...jqb.s....qb.9...\qb.s...(qb......qb..#.. qb../b..qb......qb.....Hqb..(c./qb.r,f..qb..(c..qb.;...,qb../..Tqb.....Zqb......qb.z...Bqb.....nqb.....[qb.....qb.;...{qb......qb..#...qb...f.oqb....hqb.z....qb.....:qb.;...tqb.Rich.qb.................................................................................................PE..d.:...}^.........." ..... ...........$.........@..........................................`.............................................+...$...<....................................................................................0..(............................text............ .........@........ ..`.rdata..Co...0...p...0...0.@Co......@..@.data....;.......@.........@.;......@....pdata..8..................@8.......@..@.rsrc......................@........@..@.reloc..1..................@1.......@..B.vxl............. .........@........@..@.qwubgr.$....0... ...0...0.@$.......@..@.eer....

C:\Users\user\AppData\Local\rgsL2C4\BdeUISrv.exe

Download File

Process:	C:\Windows\explorer.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	52736
Entropy (8bit):	5.7946530792580475
Encrypted:	false
SSDEEP:	768:NS51B2sZMD1mYu/Lr7p0dHkf9abpWnGjTopPjZdWC2bNrHuOKAh/4J99j4ktPUww:J/Yn/Lr7qwYb7/oRjeJh2991t8Yte
MD5:	25D86BC656025F38D6E626B606F1D39D
SHA1:	673F32CCA79DC890ADA1E5A2CF6ECA3EF863629D
SHA-256:	202BEC0F63167ED57FCB55DB48C9830A5323D72C662D9A58B691D16CE4DB8C1E
SHA-512:	D4B4BC411B122499E611E1F9A45FD40EC2ABA23354F261D4668BF0578D30AEC5419568489261FC773ABBB350CC77C1E00F8E7C0B135A1FD4A9B6500825FA6E06
Malicious:	false
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......3..hw.;w.;w.;~.";u.;...:t.;...:`.;...:q.;...:d.;w.;..;...:..;..N;v.;...:v.;Richw.;................PE..d...X............."......v...\......0y.........@............................. ......Db....`.......... ......................................p...................................x......T............................................................................text...At.......v.................. ..`.rdata...3.......4...z..............@..@.data...............................@....pdata..............................@..@.rsrc...............................@..@.reloc..x...........................@..B................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\rgsL2C4\WTSAPI32.dll

Download File

Process:	C:\Windows\explorer.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1355776
Entropy (8bit):	5.124725524561735
Encrypted:	false
SSDEEP:	12288:CZgJtlQepQn+NDo7nIYegQCLDF/B9wvj/cLvVZFuw:CZK6F7n5eRmDFJivohZFV
MD5:	50047C3C2FDDB29A6170BF9FB64D658F
SHA1:	E7FD6768FA2840B0AE0665705B1D17845E11D949
SHA-256:	B90283A2A83F8711C82411C783A2194C3F2A5C197021E3D3F8B7D1CCB185C763
SHA-512:	0AAE4C226EE7B4710993E52C36D042FB255B13D554A1068D008596E713F02E8EAB9631742322697F799CFF5C2854754C749DD96BE1590F3253E15C001E082722
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Reputation:	unknown
Preview:	MZ......................@.......................................X..Z.qb..qb..qb.a...jqb.s....qb.9...\qb.s...(qb......qb..#.. qb../b..qb......qb.....Hqb..(c./qb.r,f..qb..(c..qb.;...,qb../..Tqb.....Zqb......qb.z...Bqb.....nqb.....[qb.....qb.;...{qb......qb..#...qb...f.oqb....hqb.z....qb.....:qb.;...tqb.Rich.qb.................................................................................................PE..d.:...}^.........." ..... ...........$.........@..........................................`.................................................$...<....................................................................................0..(............................text............ .........@........ ..`.rdata..Co...0...p...0...0.@Co......@..@.data....;.......@.........@.;......@....pdata..8..................@8.......@..@.rsrc......................@........@..@.reloc..1..................@1.......@..B.vxl............. .........@........@..@.qwubgr.$....0... ...0...0.@$.......@..@.eer....

C:\Users\user\AppData\Local\u70W8\FileHistory.exe

Download File

Process:	C:\Windows\explorer.exe
File Type:	PE32+ executable (GUI) x86-64 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	246784
Entropy (8bit):	6.054877934071265
Encrypted:	false
SSDEEP:	3072:5WQz0maAVV604aFUxzYuVD8o+otIxAGQW7A70TshCbdmyTVulAyXRON:5WZmxPZUxzYuVD8ortIxAGJKSuCbd
MD5:	989B5BDB2BEAC9F894BBC236F1B67967
SHA1:	7B964642FEE2D6508E66C615AA6CF7FD95D6196E
SHA-256:	FF1DE8A606FDB6A932E7A3E5EE5317A6483F08712DE93603C92C058E05A89C0C
SHA-512:	0360C9FE88743056FD25AC17F12087DAD026B033E590A93F394B00EB486A2F5E2331EDCCA9605AA7573D892FBA41557C9E0EE4FAC69FCA687D6B6F144E5E5249
Malicious:	false
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........m.s..k ..k ..k .hh!..k .^. ..k .ho!..k .hb!..k .hj!..k ..j #.k .hn!..k .h. ..k .hi!..k Rich..k ........PE..d................."......t...X.......{.........@............................. ......\.....`.......... ...............................................0....... ..8...............$... ...T...............................................................H............text...{m.......n.................. ..`.nep.................r.............. ..`.rdata...i.......j...x..............@..@.data... ...........................@....pdata..8.... ......................@..@.rsrc........0......................@..@.reloc..$...........................@..B................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\u70W8\UxTheme.dll

Download File

Process:	C:\Windows\explorer.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1355776
Entropy (8bit):	5.12781164219402
Encrypted:	false
SSDEEP:	12288:mZgJtlQepQn+NDo7nIYegQCLDF/B9wvj/cLvVZFuw:mZK6F7n5eRmDFJivohZFV
MD5:	76A91627D3EEA2BEF8EE5C34AACAE4CA
SHA1:	6588DF88F6E323D1A50D7072FD06FD988CF46813
SHA-256:	B39F61630D4E6D5480F9753656363D95BB70B013C9AD6744A04B0625EB7B406A
SHA-512:	9AA9E3F80148D341C6ED163F6B50692E8C06685492EF8F5E24796E15E139E0102F7BF0C190E6C6D02496E7896210FED17EF64068F2B8F04513D83E3633ABC2B8
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Reputation:	unknown
Preview:	MZ......................@.......................................X..Z.qb..qb..qb.a...jqb.s....qb.9...\qb.s...(qb......qb..#.. qb../b..qb......qb.....Hqb..(c./qb.r,f..qb..(c..qb.;...,qb../..Tqb.....Zqb......qb.z...Bqb.....nqb.....[qb.....qb.;...{qb......qb..#...qb...f.oqb....hqb.z....qb.....:qb.;...tqb.Rich.qb.................................................................................................PE..d.:...}^.........." ..... ...........$.........@..........................................`.................................................$...<....................................................................................0..(............................text............ .........@........ ..`.rdata..Co...0...p...0...0.@Co......@..@.data....;.......@.........@.;......@....pdata..8..................@8.......@..@.rsrc......................@........@..@.reloc..1..................@1.......@..B.vxl............. .........@........@..@.qwubgr.$....0... ...0...0.@$.......@..@.eer....

C:\Users\user\AppData\Local\vVin\VERSION.dll

Download File

Process:	C:\Windows\explorer.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1355776
Entropy (8bit):	5.115947255580537
Encrypted:	false
SSDEEP:	12288:pZgJtlQepQn+NDo7nIYegQCLDF/B9wvj/cLvVZFuw:pZK6F7n5eRmDFJivohZFV
MD5:	8E1EDE32BC38B1366D17603AD093B828
SHA1:	558B6C1219EF5E58A0386A13DF8C451BD0135BB3
SHA-256:	B0093BAA1CE69EF63A7CF2A8C59D6EF94FBDEE8C05AF26B04D6BB029205E2AF2
SHA-512:	0E4F519D25B16643540E0CB8053AAFB97EC938E93879B51AF92C7031D13E92A28AC2695D6AAB39E0C4468465B0FC885190E0F2A812C6BAED12E186C1EDABD05D
Malicious:	false
Reputation:	unknown
Preview:	MZ......................@.......................................X..Z.qb..qb..qb.a...jqb.s....qb.9...\qb.s...(qb......qb..#.. qb../b..qb......qb.....Hqb..(c./qb.r,f..qb..(c..qb.;...,qb../..Tqb.....Zqb......qb.z...Bqb.....nqb.....[qb.....qb.;...{qb......qb..#...qb...f.oqb....hqb.z....qb.....:qb.;...tqb.Rich.qb.................................................................................................PE..d.:...}^.........." ..... ...........$.........@..........................................`.............................................+...$...<....................................................................................0..(............................text............ .........@........ ..`.rdata..Co...0...p...0...0.@Co......@..@.data....;.......@.........@.;......@....pdata..8..................@8.......@..@.rsrc......................@........@..@.reloc..1..................@1.......@..B.vxl............. .........@........@..@.qwubgr.$....0... ...0...0.@$.......@..@.eer....

C:\Users\user\AppData\Local\vVin\unregmp2.exe

Download File

Process:	C:\Windows\explorer.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	254976
Entropy (8bit):	5.093220071075157
Encrypted:	false
SSDEEP:	3072:1t+/6BNqqNRhdutq4jCoNhdxtYEbvyIwYKO8/+9vAwk4OdamabJ9:3Bhhd+7QKb
MD5:	9B517303C58CA8A450B97B0D71594CBB
SHA1:	BE75E3F10E17400DA7C0FAF70BF16EE7D0AA93A8
SHA-256:	2A38BFC3813D7E845F455B31DF099C8A6E657EF4556BFF681315F86A883A3314
SHA-512:	6A47EC7800E1F1FCDBB44A018147CE4A87FF0F5B94597B182AAE4E8545D9B18FAAAA07379BA1086D8F7785F0F66C36E4B6C68FCF49130333B8A9DC3A9E9E08E8
Malicious:	false
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........\|.R.............y.......y.......y.......y..........w....y.......yf......y......Rich....................PE..d....Q&..........."..........^................@.............................0.......A....`.......... ..........................................................0.......................T....................V..(....U...............V...............................text...w........................... ..`.rdata..4...........................@..@.data....8.......&..................@....pdata..0...........................@..@.rsrc...............................@..@.reloc..............................@..B........................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-3853321935-2125563209-4053062332-1002\414045e2d09286d5db2581e0d955d358_d06ed635-68f6-4e9a-955c-4899f5f57b9a

Download File

Process:	C:\Windows\explorer.exe
File Type:	data
Category:	dropped
Size (bytes):	1450
Entropy (8bit):	7.361727904797889
Encrypted:	false
SSDEEP:	24:UKUUXqUcSodCyBlrAEKWs6/hAnL4XdQc2aBtHX:U7U6Uc625AnL4XdQcht3
MD5:	5F02ECE7D1EB5FADDDFDEBE2D3475E9A
SHA1:	4D62C892CCC31C9079E2F22D909AF2CB3AAD74C1
SHA-256:	B1C472B75EF62235374FF8CF1B83E53D52971FA9A755F7C60C9BBA2951133A3F
SHA-512:	1ED4B6120EE533D907084AE9999A257517EAFC30A8CE25F6E88EACB556D907A91B03FF5B2DC4F90F5F2A448913C25F80D100314EB1519F8EED9ECB21707E4360
Malicious:	false
Reputation:	unknown
Preview:	........................................user.....................RSA1.................8.".Mc.j....3.........}...7.<..M..D9..Z..#x.>JFs.`.vJ..y9+.$...n(ck.G!IS.@.@k..}..Mb...^X.t..6......L.E.q]/A..Z....<.W.....................z..O......w...L.aI....?E......,...C.r.y.p.t.o.A.P.I. .P.r.i.v.a.t.e. .K.e.y....f...... ....A .U...c..e...2.>B....PE..#............. ...).GX.v.Y.X.8..@..EK.6.[h8.q.j\.)......#....di.Q.."n.!6'oj..g..R.[..RS....&.G..H^(O..WP......(...i0.1.=T......8L.L]...o.U.DA......a.t..R..U.Ob...@....8..V&1...6. ...2V.G.....4#=:NnN..;.H..Gz...F....@...w....l^V0q.r.%<.k#.1c..H.BR.....o.E.L....<..X...S5........RZv,q#=6..>.W.:.a.f.6\..6.......Dj&!B=..i..Hi.6.9~.Y6O...P.2.C..g.>.J....Z..o...,.vO$@..Y.GY..zd.Yuy..1...z..1U2..c.={...P&.VW..BL..x..m...^H......"..5.L.Y...D..]...\.}.Jhg..K...n.4%.t....w..g2..#2.4gI.2.Y.y.<l.8.... .?.C]...[...U..t..~7......K..+.a.c.@.^_^;....I.w.d/9..Fi..9...+,.Blc.+..`..0HU.f.}.....?..8k1Y\{6l.I.#.1..f.`.?8A....r.x.m.o.

Static File Info

General

File type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Entropy (8bit):	5.128940497635626
TrID:	Win64 Dynamic Link Library (generic) (102004/3) 86.43% Win64 Executable (generic) (12005/4) 10.17% Generic Win/DOS Executable (2004/3) 1.70% DOS Executable Generic (2002/1) 1.70% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.01%
File name:	AyBhhRZXPj.dll
File size:	1351680
MD5:	518cc4a9888e76bc1a916fd67a08a075
SHA1:	148d6f12f12a0cae195f36f4319839f6687b7144
SHA256:	57b0d95f62fc7999dd21b6a0aef4087ad855ccb2d28b99463ee6c88ddf037009
SHA512:	b14a3bcbfa68e5cf71ccfdd68ff5da696ca1e44073dbf6cd4d15dfab2a9ff29f56855c828ae7ac0dc346dfab93679f7d1ae52cb24ccc2976e6d4ba1fb5f6221e
SSDEEP:	12288:aZgJtlQepQn+NDo7nIYegQCLDF/B9wvj/cLvVZFuw:aZK6F7n5eRmDFJivohZFV
File Content Preview:	MZ......................@.......................................X..Z.qb..qb..qb.a...jqb.s....qb.9...\qb.s...(qb......qb..#.. qb../b..qb......qb.....Hqb..(c./qb.r,f..qb..(c..qb.;...,qb../..Tqb.....Zqb......qb.z...Bqb.....nqb.....[qb......qb.;...{qb......qb

File Icon


Icon Hash:	74f0e4ecccdce0e4

Static PE Info

General

Entrypoint:	0x1400424b0
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x140000000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, DLL, LARGE_ADDRESS_AWARE
DLL Characteristics:	TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA
Time Stamp:	0x5E7D9D05 [Fri Mar 27 06:28:21 2020 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	0
File Version Major:	5
File Version Minor:	0
Subsystem Version Major:	5
Subsystem Version Minor:	0
Import Hash:	4a2e61e1749a0183eccaadb9c4ef6ec2

Entrypoint Preview

Instruction
dec eax
mov dword ptr [00070639h], ecx
dec eax
lea ecx, dword ptr [FFFFF2F2h]
dec esp
mov dword ptr [0007064Bh], eax
dec esp
mov dword ptr [00070654h], edi
dec esp
mov dword ptr [00070655h], esi
dec eax
xor eax, eax
dec eax
inc eax
dec eax
add ecx, eax
dec esp
mov dword ptr [00070655h], esp
dec eax
dec ecx
dec eax
mov dword ptr [00070653h], esi
dec eax
test eax, eax
je 00007F93DCE90D1Dh
dec eax
mov dword ptr [0007060Fh], esp
dec eax
mov dword ptr [00070600h], ebp
dec eax
mov dword ptr [00070649h], ebx
dec eax
mov dword ptr [0007063Ah], edi
dec eax
test eax, eax
je 00007F93DCE90CFCh
dec esp
mov dword ptr [000705FEh], ecx
dec esp
mov dword ptr [0007060Fh], ebp
dec eax
mov dword ptr [000705D0h], edx
jmp ecx
dec eax
add edi, ecx
retn 0008h
ud2
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
push esi
dec eax
sub esp, 00000080h
dec eax
mov dword ptr [esp+78h], 58225FC8h
mov dword ptr [esp+60h], 2DFAE652h
mov al, byte ptr [esp+77h]
mov dl, al
add dl, FFFFFF85h
mov byte ptr [esp+77h], dl
mov word ptr [esp+5Eh], 3327h
dec esp
mov eax, dword ptr [esp+78h]
inc esp
mov ecx, dword ptr [esp+64h]

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x149010	0x2ca	.vje
IMAGE_DIRECTORY_ENTRY_IMPORT	0xa9924	0x3c	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xbf000	0x3d8	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x1000	0x0	.text
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xc0000	0xefc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x43000	0x28	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x418cc	0x42000	False	0.781412760417	data	7.78392111205	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rdata	0x43000	0x66f43	0x67000	False	0.700320938258	data	7.87281050709	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xaa000	0x13ba7	0x14000	False	0.0782836914062	data	2.51707039551	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.pdata	0xbe000	0x138	0x1000	False	0.061279296875	PEX Binary Archive	0.599172422844	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc	0xbf000	0x69e	0x1000	False	0.123291015625	data	1.07831823765	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xc0000	0xf31	0x1000	False	0.416748046875	data	5.36145191459	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
.vxl	0xc1000	0x14d4	0x2000	False	0.0037841796875	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.qwubgr	0xc3000	0x1124	0x2000	False	0.0037841796875	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.eer	0xc5000	0x1e66	0x2000	False	0.0037841796875	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.xwwauf	0xc7000	0x9cd	0x1000	False	0.00634765625	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.pkc	0xc8000	0x42a	0x1000	False	0.00634765625	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.npkda	0xc9000	0x736	0x1000	False	0.00634765625	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.vhs	0xca000	0x1af	0x1000	False	0.00634765625	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.iaywj	0xcb000	0x1455	0x2000	False	0.0037841796875	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.nasi	0xcd000	0x8fe	0x1000	False	0.00634765625	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.zhvprh	0xce000	0x6cd0	0x7000	False	0.00177873883929	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.yatdsp	0xd5000	0x543	0x1000	False	0.00634765625	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.njso	0xd6000	0x1278	0x2000	False	0.0037841796875	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.lgliat	0xd8000	0x736	0x1000	False	0.00634765625	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.ntqjh	0xd9000	0xbf6	0x1000	False	0.00634765625	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.sucsek	0xda000	0x23b	0x1000	False	0.00634765625	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.qsxjui	0xdb000	0x9cd	0x1000	False	0.00634765625	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.twctcm	0xdc000	0x1124	0x2000	False	0.0037841796875	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.nms	0xde000	0x23b	0x1000	False	0.00634765625	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.ogj	0xdf000	0x1278	0x2000	False	0.0037841796875	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.vrkgb	0xe1000	0x706	0x1000	False	0.00634765625	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.gikfw	0xe2000	0x8fe	0x1000	False	0.00634765625	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.ktl	0xe3000	0x9cd	0x1000	False	0.00634765625	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.crcn	0xe4000	0x5a7	0x1000	False	0.00634765625	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.wtfr	0xe5000	0x1ee	0x1000	False	0.00634765625	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.hep	0xe6000	0x13e	0x1000	False	0.00634765625	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.ywg	0xe7000	0xd33	0x1000	False	0.00634765625	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.sqsp	0xe8000	0x2da	0x1000	False	0.00634765625	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.gzb	0xe9000	0x23b	0x1000	False	0.00634765625	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.fatlss	0xea000	0x736	0x1000	False	0.00634765625	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.plqa	0xeb000	0x13e	0x1000	False	0.00634765625	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.vzt	0xec000	0x13e	0x1000	False	0.00634765625	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.dsbyd	0xed000	0x1e66	0x2000	False	0.0037841796875	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.cdelc	0xef000	0x736	0x1000	False	0.00634765625	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.qkhkj	0xf0000	0x5a7	0x1000	False	0.00634765625	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.mnzegr	0xf1000	0x13e	0x1000	False	0.00634765625	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.krw	0xf2000	0x23b	0x1000	False	0.00634765625	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.jvsmn	0xf3000	0x389	0x1000	False	0.00634765625	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.bygpq	0xf4000	0x1278	0x2000	False	0.0037841796875	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.kzdbu	0xf6000	0xbde	0x1000	False	0.00634765625	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.mwxorn	0xf7000	0x3fe	0x1000	False	0.00634765625	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.raf	0xf8000	0x389	0x1000	False	0.00634765625	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.zcyw	0xf9000	0x2da	0x1000	False	0.00634765625	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.zeczh	0xfa000	0x128f	0x2000	False	0.0037841796875	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.pvv	0xfc000	0x13e	0x1000	False	0.00634765625	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.lug	0xfd000	0x45174	0x46000	False	0.0010498046875	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.ski	0x143000	0x8fe	0x1000	False	0.00634765625	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.japjd	0x144000	0x128f	0x2000	False	0.0037841796875	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.mwtzml	0x146000	0x8fe	0x1000	False	0.00634765625	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.vgssf	0x147000	0x13e	0x1000	False	0.00634765625	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.qqb	0x148000	0x8fe	0x1000	False	0.00634765625	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.vje	0x149000	0x2da	0x1000	False	0.119873046875	data	1.44574959876	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_VERSION	0xbf0a0	0x2dc	data	English	United States
RT_MANIFEST	0xbf380	0x56	ASCII text, with CRLF line terminators	English	United States

Imports

DLL	Import
ADVAPI32.dll	GetServiceDisplayNameW
KERNEL32.dll	LoadLibraryA, HeapUnlock

Exports

Name	Ordinal	Address
ApplyCompatResolutionQuirking	1	0x14000c1b4
CompatString	2	0x140012180
CompatValue	3	0x140011544
CreateDXGIFactory	11	0x14002123c
CreateDXGIFactory1	12	0x14001b1e4
CreateDXGIFactory2	13	0x140023a64
DXGID3D10CreateDevice	14	0x14003a46c
DXGID3D10CreateLayeredDevice	15	0x14003ad28
DXGID3D10ETWRundown	16	0x140037ae0
DXGID3D10GetLayeredDeviceSize	17	0x140038fac
DXGID3D10RegisterLayers	18	0x140007b90
DXGIDeclareAdapterRemovalSupport	19	0x140022980
DXGIDumpJournal	4	0x1400072e4
DXGIGetDebugInterface1	20	0x1400323d0
DXGIReportAdapterConfiguration	21	0x140023758
DXGIRevertToSxS	5	0x1400170f8
PIXBeginCapture	6	0x14001cd84
PIXEndCapture	7	0x140003058
PIXGetCaptureState	8	0x140022ba4
SetAppCompatStringPointer	9	0x140019d84
UpdateHMDEmulationStatus	10	0x14003fb08

Version Infos

Description	Data
LegalCopyright	Microsoft Corporation. All rights
InternalName	dpnhup
FileVersion	1.56
CompanyName	Microsoft C
ProductName	Sysinternals Streams
ProductVersion	6.1
FileDescription	Thai K
OriginalFilename	dpnhupnp.d
Translation	0x0409 0x04b0

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Target ID:	0
Start time:	15:41:44
Start date:	23/03/2022
Path:	C:\Windows\System32\loaddll64.exe
Wow64 process (32bit):	false
Commandline:	loaddll64.exe "C:\Users\user\Desktop\AyBhhRZXPj.dll"
Imagebase:	0x7ff7ac2b0000
File size:	140288 bytes
MD5 hash:	4E8A40CAD6CCC047914E3A7830A2D8AA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Dridex_2, Description: Yara detected Dridex unpacked file, Source: 00000000.00000002.274237724.00007FFC670C1000.00000020.00000001.01000000.00000003.sdmp, Author: Joe Security
Reputation:	moderate

Analysis Process: cmd.exePID: 6620, Parent PID: 6608

General

Target ID:	1
Start time:	15:41:45
Start date:	23/03/2022
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	cmd.exe /C rundll32.exe "C:\Users\user\Desktop\AyBhhRZXPj.dll",#1
Imagebase:	0x7ff6f9620000
File size:	273920 bytes
MD5 hash:	4E2ACF4F8A396486AB4268C94A6A245F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: rundll32.exePID: 6632, Parent PID: 6608

General

Target ID:	2
Start time:	15:41:45
Start date:	23/03/2022
Path:	C:\Windows\System32\rundll32.exe
Wow64 process (32bit):	false
Commandline:	rundll32.exe C:\Users\user\Desktop\AyBhhRZXPj.dll,ApplyCompatResolutionQuirking
Imagebase:	0x7ff7d29d0000
File size:	69632 bytes
MD5 hash:	73C519F050C20580F8A62C849D49215A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Dridex_2, Description: Yara detected Dridex unpacked file, Source: 00000002.00000002.363013775.00007FFC670C1000.00000020.00000001.01000000.00000003.sdmp, Author: Joe Security
Reputation:	high

Analysis Process: rundll32.exePID: 6640, Parent PID: 6620

General

Target ID:	3
Start time:	15:41:45
Start date:	23/03/2022
Path:	C:\Windows\System32\rundll32.exe
Wow64 process (32bit):	false
Commandline:	rundll32.exe "C:\Users\user\Desktop\AyBhhRZXPj.dll",#1
Imagebase:	0x7ff7d29d0000
File size:	69632 bytes
MD5 hash:	73C519F050C20580F8A62C849D49215A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Dridex_2, Description: Yara detected Dridex unpacked file, Source: 00000003.00000002.254650738.00007FFC670C1000.00000020.00000001.01000000.00000003.sdmp, Author: Joe Security
Reputation:	high

Analysis Process: explorer.exePID: 3968, Parent PID: 6632

General

Target ID:	4
Start time:	15:41:48
Start date:	23/03/2022
Path:	C:\Windows\explorer.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\Explorer.EXE
Imagebase:	0x7ff6b8cf0000
File size:	3933184 bytes
MD5 hash:	AD5296B280E8F522A8A897C96BAB0E1D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: rundll32.exePID: 6724, Parent PID: 6608

General

Target ID:	5
Start time:	15:41:49
Start date:	23/03/2022
Path:	C:\Windows\System32\rundll32.exe
Wow64 process (32bit):	false
Commandline:	rundll32.exe C:\Users\user\Desktop\AyBhhRZXPj.dll,CompatString
Imagebase:	0x7ff7d29d0000
File size:	69632 bytes
MD5 hash:	73C519F050C20580F8A62C849D49215A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Dridex_2, Description: Yara detected Dridex unpacked file, Source: 00000005.00000002.260480210.00007FFC670C1000.00000020.00000001.01000000.00000003.sdmp, Author: Joe Security
Reputation:	high

Analysis Process: rundll32.exePID: 6868, Parent PID: 6608

General

Target ID:	8
Start time:	15:41:52
Start date:	23/03/2022
Path:	C:\Windows\System32\rundll32.exe
Wow64 process (32bit):	false
Commandline:	rundll32.exe C:\Users\user\Desktop\AyBhhRZXPj.dll,CompatValue
Imagebase:	0x7ff7d29d0000
File size:	69632 bytes
MD5 hash:	73C519F050C20580F8A62C849D49215A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Dridex_2, Description: Yara detected Dridex unpacked file, Source: 00000008.00000002.268092209.00007FFC670C1000.00000020.00000001.01000000.00000003.sdmp, Author: Joe Security
Reputation:	high

Analysis Process: Magnify.exePID: 5372, Parent PID: 3968

General

Target ID:	19
Start time:	15:42:42
Start date:	23/03/2022
Path:	C:\Windows\System32\Magnify.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\Magnify.exe
Imagebase:	0x7ff7f33c0000
File size:	809472 bytes
MD5 hash:	F97BE20B374457236666607EE4BA7F7F
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	moderate

Analysis Process: FileHistory.exePID: 5788, Parent PID: 3968

General

Target ID:	20
Start time:	15:42:43
Start date:	23/03/2022
Path:	C:\Windows\System32\FileHistory.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\FileHistory.exe
Imagebase:	0x7ff6d53b0000
File size:	246784 bytes
MD5 hash:	989B5BDB2BEAC9F894BBC236F1B67967
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language

Analysis Process: FileHistory.exePID: 7004, Parent PID: 3968

General

Target ID:	21
Start time:	15:42:44
Start date:	23/03/2022
Path:	C:\Users\user\AppData\Local\u70W8\FileHistory.exe
Wow64 process (32bit):	false
Commandline:	C:\Users\user\AppData\Local\u70W8\FileHistory.exe
Imagebase:	0x7ff6811e0000
File size:	246784 bytes
MD5 hash:	989B5BDB2BEAC9F894BBC236F1B67967
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_Dridex_2, Description: Yara detected Dridex unpacked file, Source: 00000015.00000002.383767376.00007FFC74C21000.00000020.00000001.01000000.0000000A.sdmp, Author: Joe Security

Analysis Process: RdpSa.exePID: 7028, Parent PID: 3968

General

Target ID:	23
Start time:	15:42:48
Start date:	23/03/2022
Path:	C:\Windows\System32\RdpSa.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\RdpSa.exe
Imagebase:	0x7ff683750000
File size:	43008 bytes
MD5 hash:	0795B6F790F8E52D55F39E593E9C5BBA
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language

Analysis Process: mspaint.exePID: 7064, Parent PID: 3968

General

Target ID:	24
Start time:	15:42:49
Start date:	23/03/2022
Path:	C:\Windows\System32\mspaint.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\mspaint.exe
Imagebase:	0x7ff77f500000
File size:	6780928 bytes
MD5 hash:	99F86A0D360FD9A3FCAD6B1E7D92A90C
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language

Analysis Process: mspaint.exePID: 4576, Parent PID: 3968

General

Target ID:	25
Start time:	15:43:04
Start date:	23/03/2022
Path:	C:\Users\user\AppData\Local\NYpervHTp\mspaint.exe
Wow64 process (32bit):	false
Commandline:	C:\Users\user\AppData\Local\NYpervHTp\mspaint.exe
Imagebase:	0x7ff6efae0000
File size:	6780928 bytes
MD5 hash:	99F86A0D360FD9A3FCAD6B1E7D92A90C
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Dridex_2, Description: Yara detected Dridex unpacked file, Source: 00000019.00000002.457997826.00007FFC74C11000.00000020.00000001.01000000.0000000E.sdmp, Author: Joe Security
Antivirus matches:	Detection: 0%, Virustotal, Browse Detection: 0%, Metadefender, Browse Detection: 0%, ReversingLabs

Analysis Process: mmc.exePID: 6244, Parent PID: 3968

General

Target ID:	32
Start time:	15:43:23
Start date:	23/03/2022
Path:	C:\Windows\System32\mmc.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\mmc.exe
Imagebase:	0x7ff617390000
File size:	1859584 bytes
MD5 hash:	BA80301974CC8C4FB9F3F9DDB5905C30
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language

Analysis Process: EaseOfAccessDialog.exePID: 6176, Parent PID: 3968

General

Target ID:	33
Start time:	15:43:23
Start date:	23/03/2022
Path:	C:\Windows\System32\EaseOfAccessDialog.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\EaseOfAccessDialog.exe
Imagebase:	0x7ff6664e0000
File size:	304640 bytes
MD5 hash:	F87F2E5EBF3FFBA39DF1621B5F8689B5
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language

Analysis Process: unregmp2.exePID: 4948, Parent PID: 3968

General

Target ID:	34
Start time:	15:43:24
Start date:	23/03/2022
Path:	C:\Windows\System32\unregmp2.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\unregmp2.exe
Imagebase:	0x7ff69f7d0000
File size:	254976 bytes
MD5 hash:	9B517303C58CA8A450B97B0D71594CBB
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language

Analysis Process: unregmp2.exePID: 4908, Parent PID: 3968

General

Target ID:	35
Start time:	15:43:25
Start date:	23/03/2022
Path:	C:\Users\user\AppData\Local\vVin\unregmp2.exe
Wow64 process (32bit):	false
Commandline:	C:\Users\user\AppData\Local\vVin\unregmp2.exe
Imagebase:	0x7ff672540000
File size:	254976 bytes
MD5 hash:	9B517303C58CA8A450B97B0D71594CBB
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Dridex_2, Description: Yara detected Dridex unpacked file, Source: 00000023.00000002.497477137.00007FFC74C21000.00000020.00000001.01000000.00000010.sdmp, Author: Joe Security

Analysis Process: omadmclient.exePID: 6340, Parent PID: 3968

General

Target ID:	36
Start time:	15:43:41
Start date:	23/03/2022
Path:	C:\Windows\System32\omadmclient.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\omadmclient.exe
Imagebase:	0x7ff7bc730000
File size:	315904 bytes
MD5 hash:	AD7C6CD7A8EEC95808AA77C5D7987941
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language

Analysis Process: omadmclient.exePID: 6392, Parent PID: 3968

General

Target ID:	37
Start time:	15:43:43
Start date:	23/03/2022
Path:	C:\Users\user\AppData\Local\iv505rrw\omadmclient.exe
Wow64 process (32bit):	false
Commandline:	C:\Users\user\AppData\Local\iv505rrw\omadmclient.exe
Imagebase:	0x7ff6bfa30000
File size:	315904 bytes
MD5 hash:	AD7C6CD7A8EEC95808AA77C5D7987941
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Dridex_2, Description: Yara detected Dridex unpacked file, Source: 00000025.00000002.528095549.00007FFC74C21000.00000020.00000001.01000000.00000012.sdmp, Author: Joe Security

Analysis Process: SystemPropertiesPerformance.exePID: 4040, Parent PID: 3968

General

Target ID:	38
Start time:	15:43:56
Start date:	23/03/2022
Path:	C:\Windows\System32\SystemPropertiesPerformance.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\SystemPropertiesPerformance.exe
Imagebase:	0x7ff71c990000
File size:	83968 bytes
MD5 hash:	F325976CDC0F7E9C680B51B35D24D23A
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language

Analysis Process: eudcedit.exePID: 6164, Parent PID: 3968

General

Target ID:	39
Start time:	15:43:58
Start date:	23/03/2022
Path:	C:\Windows\System32\eudcedit.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\eudcedit.exe
Imagebase:	0x7ff7f4400000
File size:	353280 bytes
MD5 hash:	0ED10F2F98B80FF9F95EED2B04CFA076
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language

Analysis Process: GamePanel.exePID: 5244, Parent PID: 3968

General

Target ID:	40
Start time:	15:44:00
Start date:	23/03/2022
Path:	C:\Windows\System32\GamePanel.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\GamePanel.exe
Imagebase:	0x7ff7b7e60000
File size:	1292288 bytes
MD5 hash:	4EF330EFAE954723B1F2800C15FDA7EB
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language

Analysis Process: GamePanel.exePID: 5832, Parent PID: 3968

General

Target ID:	41
Start time:	15:44:01
Start date:	23/03/2022
Path:	C:\Users\user\AppData\Local\Odp\GamePanel.exe
Wow64 process (32bit):	false
Commandline:	C:\Users\user\AppData\Local\Odp\GamePanel.exe
Imagebase:	0x7ff76ca00000
File size:	1292288 bytes
MD5 hash:	4EF330EFAE954723B1F2800C15FDA7EB
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Dridex_2, Description: Yara detected Dridex unpacked file, Source: 00000029.00000002.566763440.00007FFC678E1000.00000020.00000001.01000000.00000014.sdmp, Author: Joe Security
Antivirus matches:	Detection: 0%, Virustotal, Browse Detection: 0%, Metadefender, Browse Detection: 0%, ReversingLabs

Disassembly

⊘No disassembly

Description:	Adversaries may directly interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	API monitoring, Loaded DLLs, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in client applications to execute code. Vulnerabilities can exist in software due to unsecure coding practices that can lead to unanticipated behavior. Adversaries can take advantage of certain vulnerabilities through targeted exploitation for the purpose of arbitrary code execution. Oftentimes the most valuable exploits to an offensive toolkit are those that can be used to obtain code execution on a remote system because they can be used to gain access to that system. Users will expect to see files related to the applications they commonly used to do work, so they are a useful target for exploit research and development because of their high utility.
Tactics:	Execution
Data Sources:	Anti-virus, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	PowerShell logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse the Windows service control manager to execute malicious commands or payloads. The Windows service control manager ( `services.exe` ) is an interface to manage and manipulate services.The service control manager is accessible to users via GUI components as well as system utilities such as `sc.exe` and Net .
Tactics:	Execution
Data Sources:	Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by hijacking the library manifest used to load DLLs. Adversaries may take advantage of vague references in the library manifest of a program by replacing a legitimate library with a malicious one, causing the operating system to load their malicious library when it is called for by the victim program.
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	Loaded DLLs, Process monitoring, Process use of network
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may create or modify Windows services to repeatedly execute malicious payloads as part of persistence. When Windows boots up, it starts programs or applications called services that perform background system functions.Windows service configuration information, including the file path to the service's executable or recovery programs/commands, is stored in the Windows Registry. Service configurations can be modified using utilities such as sc.exe and Reg .
Tactics:	Persistence, Privilege Escalation
Data Sources:	API monitoring, File monitoring, Process command-line parameters, Process monitoring, Windows Registry, Windows event logs
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify file time attributes to hide new or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder. This is done, for example, on files that have been modified or created by the adversary so that they do not appear conspicuous to forensic investigators or file analysis tools.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse rundll32.exe to proxy execution of malicious code. Using rundll32.exe, vice executing directly (i.e. Shared Modules ), may avoid triggering security tools that may not monitor execution of the rundll32.exe process because of allowlists or false positives from normal operations. Rundll32.exe is commonly associated with executing DLL payloads.
Tactics:	Defense Evasion
Data Sources:	DLL monitoring, Loaded DLLs, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Kernel drivers, Loaded DLLs, PowerShell logs, Process command-line parameters, Process monitoring, User interface, Windows Registry, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of accounts on a system or within an environment. This information can help adversaries determine which accounts exist to aid in follow-on behavior.
Tactics:	Discovery
Data Sources:	API monitoring, Azure activity logs, Office 365 account logs, Process command-line parameters, Process monitoring
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report AyBhhRZXPj

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Joe Sandbox Signatures

AV Detection

Cryptography

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

E-Banking Fraud

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\FileHistory.exe.log

C:\Users\user\AppData\Local\NYpervHTp\MFC42u.dll

C:\Users\user\AppData\Local\NYpervHTp\mspaint.exe

C:\Users\user\AppData\Local\Odp\GamePanel.exe

C:\Users\user\AppData\Local\Odp\dwmapi.dll

C:\Users\user\AppData\Local\QpruqOk1\DUI70.dll

C:\Users\user\AppData\Local\QpruqOk1\wlrmdr.exe

C:\Users\user\AppData\Local\iv505rrw\XmlLite.dll

C:\Users\user\AppData\Local\iv505rrw\omadmclient.exe

C:\Users\user\AppData\Local\pkru2Wsoo\PresentationHost.exe

C:\Users\user\AppData\Local\pkru2Wsoo\VERSION.dll

C:\Users\user\AppData\Local\rgsL2C4\BdeUISrv.exe

C:\Users\user\AppData\Local\rgsL2C4\WTSAPI32.dll

C:\Users\user\AppData\Local\u70W8\FileHistory.exe

C:\Users\user\AppData\Local\u70W8\UxTheme.dll

C:\Users\user\AppData\Local\vVin\VERSION.dll

C:\Users\user\AppData\Local\vVin\unregmp2.exe

C:\Users\user\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-3853321935-2125563209-4053062332-1002\414045e2d09286d5db2581e0d955d358_d06ed635-68f6-4e9a-955c-4899f5f57b9a

Static File Info

Windows Analysis Report
AyBhhRZXPj

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre