Windows Analysis Report
GpUSRuIBHx

Overview

General Information

Sample Name: GpUSRuIBHx (renamed file extension from none to dll)
Analysis ID: 595305
MD5: 288c35481252c1212cbb764c490c2ad8
SHA1: 9c48ba2239b5ae5675d0eb6b92cf0a37884403fd
SHA256: cb793c295b0bcd3baec5546b7176cdfdf10b0a9291d958c72eb85551825d22d6
Tags: Dridexexe
Infos:

Detection

Dridex
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Yara detected Dridex unpacked file
Multi AV Scanner detection for submitted file
Benign windows process drops PE files
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Changes memory attributes in foreign processes to executable or writable
Machine Learning detection for sample
Queues an APC in another process (thread injection)
Sigma detected: Suspicious Call by Ordinal
Machine Learning detection for dropped file
Contains functionality to automate explorer (e.g. start an application)
Uses Atom Bombing / ProGate to inject into other processes
Queries the volume information (name, serial number etc) of a device
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query locales information (e.g. system language)
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
PE file contains sections with non-standard names
Queries the installation date of Windows
Detected potential crypto function
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to call native functions
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Found dropped PE file which has not been started or loaded
Contains functionality which may be used to detect a debugger (GetProcessHeap)
PE file contains executable resources (Code or Archives)
Extensive use of GetProcAddress (often used to hide API calls)
PE file contains strange resources
Drops PE files
Tries to load missing DLLs
Found evasive API chain checking for process token information
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Binary contains a suspicious time stamp
PE file contains more sections than normal
Found large amount of non-executed APIs
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality for read data from the clipboard

Classification

AV Detection
barindex
Multi AV Scanner detection for submitted file
Source: GpUSRuIBHx.dll Virustotal: Detection: 70% Perma Link
Source: GpUSRuIBHx.dll Metadefender: Detection: 62% Perma Link
Source: GpUSRuIBHx.dll ReversingLabs: Detection: 88%
Antivirus / Scanner detection for submitted sample
Source: GpUSRuIBHx.dll Avira: detected
Antivirus detection for dropped file
Source: C:\Users\user\AppData\Local\2Yf2pw501\WTSAPI32.dll Avira: detection malicious, Label: TR/Crypt.ZPACK.Gen
Source: C:\Users\user\AppData\Local\bTcR2e\dwmapi.dll Avira: detection malicious, Label: TR/Crypt.XPACK.Gen7
Source: C:\Users\user\AppData\Local\CSYG\DUI70.dll Avira: detection malicious, Label: TR/Crypt.XPACK.Gen4
Source: C:\Users\user\AppData\Local\CSYG\DUI70.dll Avira: detection malicious, Label: TR/Crypt.XPACK.Gen4
Source: C:\Users\user\AppData\Local\rDAhA\WMsgAPI.dll Avira: detection malicious, Label: TR/Crypt.XPACK.Gen7
Source: C:\Users\user\AppData\Local\6f22a\UxTheme.dll Avira: detection malicious, Label: TR/Crypt.ZPACK.Gen
Source: C:\Users\user\AppData\Local\2HophZ6P\XmlLite.dll Avira: detection malicious, Label: TR/Crypt.XPACK.Gen7
Source: C:\Users\user\AppData\Local\2HophZ6P\XmlLite.dll Avira: detection malicious, Label: TR/Crypt.XPACK.Gen7
Source: C:\Users\user\AppData\Local\D6R1uM\DUser.dll Avira: detection malicious, Label: TR/Crypt.XPACK.Gen7
Source: C:\Users\user\AppData\Local\CSYG\DUI70.dll Avira: detection malicious, Label: TR/Crypt.XPACK.Gen4
Source: C:\Users\user\AppData\Local\2Yf2pw501\WTSAPI32.dll Avira: detection malicious, Label: TR/Crypt.ZPACK.Gen
Source: C:\Users\user\AppData\Local\Fjrn\WINSTA.dll Avira: detection malicious, Label: TR/Crypt.ZPACK.Gen
Source: C:\Users\user\AppData\Local\6f22a\UxTheme.dll Avira: detection malicious, Label: TR/Crypt.ZPACK.Gen
Source: C:\Users\user\AppData\Local\LoReH\OLEACC.dll Avira: detection malicious, Label: TR/Crypt.ZPACK.Gen
Source: C:\Users\user\AppData\Local\LoReH\OLEACC.dll Avira: detection malicious, Label: TR/Crypt.ZPACK.Gen
Machine Learning detection for sample
Source: GpUSRuIBHx.dll Joe Sandbox ML: detected
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Local\2Yf2pw501\WTSAPI32.dll Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\bTcR2e\dwmapi.dll Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\CSYG\DUI70.dll Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\CSYG\DUI70.dll Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\rDAhA\WMsgAPI.dll Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\6f22a\UxTheme.dll Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\2HophZ6P\XmlLite.dll Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\2HophZ6P\XmlLite.dll Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\D6R1uM\DUser.dll Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\CSYG\DUI70.dll Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\2Yf2pw501\WTSAPI32.dll Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Fjrn\WINSTA.dll Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\6f22a\UxTheme.dll Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\LoReH\OLEACC.dll Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\LoReH\OLEACC.dll Joe Sandbox ML: detected
Source: GpUSRuIBHx.dll Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA
Source: Binary string: slui.pdb source: slui.exe, 0000001C.00000000.587339760.00007FF6A3F4C000.00000002.00000001.01000000.00000012.sdmp, slui.exe, 0000001C.00000002.616193744.00007FF6A3F4C000.00000002.00000001.01000000.00000012.sdmp
Source: Binary string: DmNotificationBroker.pdb source: DmNotificationBroker.exe, 00000026.00000000.760434884.00007FF7BFEF5000.00000002.00000001.01000000.0000001D.sdmp, DmNotificationBroker.exe, 00000026.00000002.790979828.00007FF7BFEF5000.00000002.00000001.01000000.0000001D.sdmp
Source: Binary string: rdpinput.pdbGCTL source: rdpinput.exe, 00000014.00000000.489595034.00007FF7BADC3000.00000002.00000001.01000000.0000000B.sdmp, rdpinput.exe, 00000014.00000002.512462840.00007FF7BADC3000.00000002.00000001.01000000.0000000B.sdmp, rdpinput.exe, 0000001E.00000000.622861932.00007FF64DBA3000.00000002.00000001.01000000.00000014.sdmp, rdpinput.exe, 0000001E.00000002.646379506.00007FF64DBA3000.00000002.00000001.01000000.00000014.sdmp
Source: Binary string: SndVol.pdbGCTL source: SndVol.exe, 00000016.00000000.518686092.00007FF6C1BD2000.00000002.00000001.01000000.0000000D.sdmp, SndVol.exe, 00000016.00000002.541746435.00007FF6C1BD2000.00000002.00000001.01000000.0000000D.sdmp
Source: Binary string: Utilman.pdb source: Utilman.exe, 00000022.00000000.683097194.00007FF7C58C0000.00000002.00000001.01000000.00000018.sdmp, Utilman.exe, 00000022.00000002.705894496.00007FF7C58C0000.00000002.00000001.01000000.00000018.sdmp
Source: Binary string: ProximityUxHost.pdbGCTL source: ProximityUxHost.exe, 00000028.00000002.836601819.00007FF777332000.00000002.00000001.01000000.0000001F.sdmp, ProximityUxHost.exe, 00000028.00000000.805041652.00007FF777332000.00000002.00000001.01000000.0000001F.sdmp
Source: Binary string: PrintFilterPipelineSvc.pdbGCTL source: printfilterpipelinesvc.exe, 00000020.00000000.654903742.00007FF6B41A7000.00000002.00000001.01000000.00000016.sdmp, printfilterpipelinesvc.exe, 00000020.00000002.677939240.00007FF6B41A7000.00000002.00000001.01000000.00000016.sdmp
Source: Binary string: DmNotificationBroker.pdbGCTL source: DmNotificationBroker.exe, 00000026.00000000.760434884.00007FF7BFEF5000.00000002.00000001.01000000.0000001D.sdmp, DmNotificationBroker.exe, 00000026.00000002.790979828.00007FF7BFEF5000.00000002.00000001.01000000.0000001D.sdmp
Source: Binary string: phoneactivate.pdb source: phoneactivate.exe, 00000024.00000000.718318485.00007FF7F2EC0000.00000002.00000001.01000000.0000001A.sdmp, phoneactivate.exe, 00000024.00000002.746413133.00007FF7F2EC0000.00000002.00000001.01000000.0000001A.sdmp
Source: Binary string: SnippingTool.pdb source: SnippingTool.exe, 00000019.00000002.579595026.00007FF70C420000.00000002.00000001.01000000.0000000F.sdmp, SnippingTool.exe, 00000019.00000000.550318199.00007FF70C420000.00000002.00000001.01000000.0000000F.sdmp
Source: Binary string: SnippingTool.pdbGCTL source: SnippingTool.exe, 00000019.00000002.579595026.00007FF70C420000.00000002.00000001.01000000.0000000F.sdmp, SnippingTool.exe, 00000019.00000000.550318199.00007FF70C420000.00000002.00000001.01000000.0000000F.sdmp
Source: Binary string: PrintFilterPipelineSvc.pdb source: printfilterpipelinesvc.exe, 00000020.00000000.654903742.00007FF6B41A7000.00000002.00000001.01000000.00000016.sdmp, printfilterpipelinesvc.exe, 00000020.00000002.677939240.00007FF6B41A7000.00000002.00000001.01000000.00000016.sdmp
Source: Binary string: FileHistory.pdbGCTL source: FileHistory.exe, 00000012.00000000.478980793.00007FF6D0A39000.00000002.00000001.01000000.00000007.sdmp, FileHistory.exe, 00000012.00000002.484212875.00007FF6D0A39000.00000002.00000001.01000000.00000007.sdmp
Source: Binary string: rdpinput.pdb source: rdpinput.exe, 00000014.00000000.489595034.00007FF7BADC3000.00000002.00000001.01000000.0000000B.sdmp, rdpinput.exe, 00000014.00000002.512462840.00007FF7BADC3000.00000002.00000001.01000000.0000000B.sdmp, rdpinput.exe, 0000001E.00000000.622861932.00007FF64DBA3000.00000002.00000001.01000000.00000014.sdmp, rdpinput.exe, 0000001E.00000002.646379506.00007FF64DBA3000.00000002.00000001.01000000.00000014.sdmp
Source: Binary string: Utilman.pdbGCTL source: Utilman.exe, 00000022.00000000.683097194.00007FF7C58C0000.00000002.00000001.01000000.00000018.sdmp, Utilman.exe, 00000022.00000002.705894496.00007FF7C58C0000.00000002.00000001.01000000.00000018.sdmp
Source: Binary string: phoneactivate.pdbGCTL source: phoneactivate.exe, 00000024.00000000.718318485.00007FF7F2EC0000.00000002.00000001.01000000.0000001A.sdmp, phoneactivate.exe, 00000024.00000002.746413133.00007FF7F2EC0000.00000002.00000001.01000000.0000001A.sdmp
Source: Binary string: slui.pdbUGP source: slui.exe, 0000001C.00000000.587339760.00007FF6A3F4C000.00000002.00000001.01000000.00000012.sdmp, slui.exe, 0000001C.00000002.616193744.00007FF6A3F4C000.00000002.00000001.01000000.00000012.sdmp
Source: Binary string: SndVol.pdb source: SndVol.exe, 00000016.00000000.518686092.00007FF6C1BD2000.00000002.00000001.01000000.0000000D.sdmp, SndVol.exe, 00000016.00000002.541746435.00007FF6C1BD2000.00000002.00000001.01000000.0000000D.sdmp
Source: Binary string: ProximityUxHost.pdb source: ProximityUxHost.exe, 00000028.00000002.836601819.00007FF777332000.00000002.00000001.01000000.0000001F.sdmp, ProximityUxHost.exe, 00000028.00000000.805041652.00007FF777332000.00000002.00000001.01000000.0000001F.sdmp
Source: Binary string: FileHistory.pdb source: FileHistory.exe, 00000012.00000000.478980793.00007FF6D0A39000.00000002.00000001.01000000.00000007.sdmp, FileHistory.exe, 00000012.00000002.484212875.00007FF6D0A39000.00000002.00000001.01000000.00000007.sdmp
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FF8BA62ED10 FindFirstFileExW, 0_2_00007FF8BA62ED10
Source: explorer.exe, 00000004.00000000.411736058.00000000026D0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.390915909.00000000026D0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.355411214.00000000026D0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.439321830.00000000026D0000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://ns.adobY
Source: unknown DNS traffic detected: queries for: canonicalizer.ucsuri.tcs
Contains functionality for read data from the clipboard
Source: C:\Users\user\AppData\Local\LoReH\SnippingTool.exe Code function: 25_2_00007FF70C3F37A8 OpenClipboard,GetLastError, 25_2_00007FF70C3F37A8

E-Banking Fraud
barindex
Yara detected Dridex unpacked file
Source: Yara match File source: 22.2.SndVol.exe.7ff8ca980000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.rundll32.exe.7ff8ba5d0000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 28.2.slui.exe.7ff8ca980000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 25.2.SnippingTool.exe.7ff8ca980000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.2.FileHistory.exe.7ff8ca980000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.loaddll64.exe.7ff8ba5d0000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 34.2.Utilman.exe.7ff8bb380000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.rundll32.exe.7ff8ba5d0000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.rundll32.exe.7ff8ba5d0000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 30.2.rdpinput.exe.7ff8ca980000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 38.2.DmNotificationBroker.exe.7ff8ca680000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.2.rdpinput.exe.7ff8ca980000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.rundll32.exe.7ff8ba5d0000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 32.2.printfilterpipelinesvc.exe.7ff8bb380000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 40.2.ProximityUxHost.exe.7ff8ca680000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 36.2.phoneactivate.exe.7ff8ca680000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000028.00000002.836674261.00007FF8CA681000.00000020.00000001.01000000.00000020.sdmp, type: MEMORY
Source: Yara match File source: 00000026.00000002.791054747.00007FF8CA681000.00000020.00000001.01000000.0000001E.sdmp, type: MEMORY
Source: Yara match File source: 00000016.00000002.541815176.00007FF8CA981000.00000020.00000001.01000000.0000000E.sdmp, type: MEMORY
Source: Yara match File source: 0000001C.00000002.616859661.00007FF8CA981000.00000020.00000001.01000000.00000013.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.352441583.00007FF8BA5D1000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 00000024.00000002.746490737.00007FF8CA681000.00000020.00000001.01000000.0000001B.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.372939527.00007FF8BA5D1000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 00000019.00000002.581334481.00007FF8CA981000.00000020.00000001.01000000.00000010.sdmp, type: MEMORY
Source: Yara match File source: 00000020.00000002.678112483.00007FF8BB381000.00000020.00000001.01000000.00000017.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.366331885.00007FF8BA5D1000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000002.484522001.00007FF8CA981000.00000020.00000001.01000000.00000008.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.470593131.00007FF8BA5D1000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 00000014.00000002.512496248.00007FF8CA981000.00000020.00000001.01000000.0000000C.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.358622486.00007FF8BA5D1000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 00000022.00000002.705952583.00007FF8BB381000.00000020.00000001.01000000.00000019.sdmp, type: MEMORY
Source: Yara match File source: 0000001E.00000002.646421042.00007FF8CA981000.00000020.00000001.01000000.00000015.sdmp, type: MEMORY
Detected potential crypto function
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FF8BA623150 0_2_00007FF8BA623150
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FF8BA6059F0 0_2_00007FF8BA6059F0
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FF8BA60AA70 0_2_00007FF8BA60AA70
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FF8BA61CA50 0_2_00007FF8BA61CA50
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FF8BA61A2C0 0_2_00007FF8BA61A2C0
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FF8BA6197D0 0_2_00007FF8BA6197D0
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FF8BA605020 0_2_00007FF8BA605020
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FF8BA5F7880 0_2_00007FF8BA5F7880
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FF8BA63D520 0_2_00007FF8BA63D520
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FF8BA62DDC0 0_2_00007FF8BA62DDC0
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FF8BA637650 0_2_00007FF8BA637650
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FF8BA604360 0_2_00007FF8BA604360
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FF8BA5F3340 0_2_00007FF8BA5F3340
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FF8BA5E8340 0_2_00007FF8BA5E8340
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FF8BA635B50 0_2_00007FF8BA635B50
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FF8BA5D5350 0_2_00007FF8BA5D5350
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FF8BA5DBB20 0_2_00007FF8BA5DBB20
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FF8BA601B30 0_2_00007FF8BA601B30
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FF8BA600300 0_2_00007FF8BA600300
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FF8BA5FA310 0_2_00007FF8BA5FA310
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FF8BA5E23F0 0_2_00007FF8BA5E23F0
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FF8BA624BC0 0_2_00007FF8BA624BC0
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FF8BA634390 0_2_00007FF8BA634390
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FF8BA5D5C20 0_2_00007FF8BA5D5C20
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FF8BA5E5420 0_2_00007FF8BA5E5420
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FF8BA639410 0_2_00007FF8BA639410
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FF8BA5E7410 0_2_00007FF8BA5E7410
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FF8BA63E400 0_2_00007FF8BA63E400
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FF8BA603CF0 0_2_00007FF8BA603CF0
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FF8BA5E3CD0 0_2_00007FF8BA5E3CD0
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FF8BA605CD0 0_2_00007FF8BA605CD0
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FF8BA63E4AD 0_2_00007FF8BA63E4AD
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FF8BA63E4B6 0_2_00007FF8BA63E4B6
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FF8BA63E49D 0_2_00007FF8BA63E49D
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FF8BA632CA0 0_2_00007FF8BA632CA0
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FF8BA63E4A6 0_2_00007FF8BA63E4A6
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FF8BA63E48B 0_2_00007FF8BA63E48B
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FF8BA5FAC80 0_2_00007FF8BA5FAC80
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FF8BA63A490 0_2_00007FF8BA63A490
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FF8BA63E494 0_2_00007FF8BA63E494
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FF8BA63B960 0_2_00007FF8BA63B960
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FF8BA5F4140 0_2_00007FF8BA5F4140
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FF8BA636950 0_2_00007FF8BA636950
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FF8BA606130 0_2_00007FF8BA606130
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FF8BA5DB100 0_2_00007FF8BA5DB100
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FF8BA5EE110 0_2_00007FF8BA5EE110
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FF8BA5F3910 0_2_00007FF8BA5F3910
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FF8BA6091F0 0_2_00007FF8BA6091F0
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FF8BA6089F0 0_2_00007FF8BA6089F0
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FF8BA5FF1F0 0_2_00007FF8BA5FF1F0
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FF8BA5F69C0 0_2_00007FF8BA5F69C0
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FF8BA6021D0 0_2_00007FF8BA6021D0
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FF8BA5FE9A0 0_2_00007FF8BA5FE9A0
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FF8BA5EE9B0 0_2_00007FF8BA5EE9B0
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FF8BA5F11B0 0_2_00007FF8BA5F11B0
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FF8BA5D2980 0_2_00007FF8BA5D2980
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FF8BA609990 0_2_00007FF8BA609990
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FF8BA63B260 0_2_00007FF8BA63B260
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FF8BA5D7A40 0_2_00007FF8BA5D7A40
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FF8BA60B250 0_2_00007FF8BA60B250
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FF8BA5F82E0 0_2_00007FF8BA5F82E0
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FF8BA637AF0 0_2_00007FF8BA637AF0
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FF8BA60BAE0 0_2_00007FF8BA60BAE0
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FF8BA632AE0 0_2_00007FF8BA632AE0
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FF8BA5F92C0 0_2_00007FF8BA5F92C0
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FF8BA62F2C0 0_2_00007FF8BA62F2C0
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FF8BA5FDAA0 0_2_00007FF8BA5FDAA0
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FF8BA6382A0 0_2_00007FF8BA6382A0
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FF8BA63AAA0 0_2_00007FF8BA63AAA0
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FF8BA630770 0_2_00007FF8BA630770
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FF8BA5EE770 0_2_00007FF8BA5EE770
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FF8BA635760 0_2_00007FF8BA635760
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FF8BA5F2F50 0_2_00007FF8BA5F2F50
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FF8BA630F30 0_2_00007FF8BA630F30
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FF8BA5F872B 0_2_00007FF8BA5F872B
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FF8BA5F6FE0 0_2_00007FF8BA5F6FE0
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FF8BA644FF0 0_2_00007FF8BA644FF0
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FF8BA5E8FC0 0_2_00007FF8BA5E8FC0
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FF8BA5EA7D0 0_2_00007FF8BA5EA7D0
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FF8BA5FE7B0 0_2_00007FF8BA5FE7B0
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FF8BA64B7A0 0_2_00007FF8BA64B7A0
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FF8BA5D6790 0_2_00007FF8BA5D6790
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FF8BA63C780 0_2_00007FF8BA63C780
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FF8BA64EF80 0_2_00007FF8BA64EF80
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FF8BA60F870 0_2_00007FF8BA60F870
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FF8BA61F870 0_2_00007FF8BA61F870
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FF8BA5F5050 0_2_00007FF8BA5F5050
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FF8BA625840 0_2_00007FF8BA625840
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FF8BA600020 0_2_00007FF8BA600020
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FF8BA5FC030 0_2_00007FF8BA5FC030
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FF8BA5F4800 0_2_00007FF8BA5F4800
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FF8BA5D1010 0_2_00007FF8BA5D1010
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FF8BA5D18D0 0_2_00007FF8BA5D18D0
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FF8BA5E08B0 0_2_00007FF8BA5E08B0
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FF8BA5ED890 0_2_00007FF8BA5ED890
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FF8BA5E9D70 0_2_00007FF8BA5E9D70
Source: C:\Users\user\AppData\Local\6f22a\FileHistory.exe Code function: 18_2_00007FF8CA9B5CD0 18_2_00007FF8CA9B5CD0
Source: C:\Users\user\AppData\Local\6f22a\FileHistory.exe Code function: 18_2_00007FF8CA9CA2C0 18_2_00007FF8CA9CA2C0
Source: C:\Users\user\AppData\Local\6f22a\FileHistory.exe Code function: 18_2_00007FF8CA9BAA70 18_2_00007FF8CA9BAA70
Source: C:\Users\user\AppData\Local\6f22a\FileHistory.exe Code function: 18_2_00007FF8CA9CCA50 18_2_00007FF8CA9CCA50
Source: C:\Users\user\AppData\Local\6f22a\FileHistory.exe Code function: 18_2_00007FF8CA9B5020 18_2_00007FF8CA9B5020
Source: C:\Users\user\AppData\Local\6f22a\FileHistory.exe Code function: 18_2_00007FF8CA9DDDC0 18_2_00007FF8CA9DDDC0
Source: C:\Users\user\AppData\Local\6f22a\FileHistory.exe Code function: 18_2_00007FF8CA9E4390 18_2_00007FF8CA9E4390
Source: C:\Users\user\AppData\Local\6f22a\FileHistory.exe Code function: 18_2_00007FF8CA9923F0 18_2_00007FF8CA9923F0
Source: C:\Users\user\AppData\Local\6f22a\FileHistory.exe Code function: 18_2_00007FF8CA9D4BC0 18_2_00007FF8CA9D4BC0
Source: C:\Users\user\AppData\Local\6f22a\FileHistory.exe Code function: 18_2_00007FF8CA98BB20 18_2_00007FF8CA98BB20
Source: C:\Users\user\AppData\Local\6f22a\FileHistory.exe Code function: 18_2_00007FF8CA9B1B30 18_2_00007FF8CA9B1B30
Source: C:\Users\user\AppData\Local\6f22a\FileHistory.exe Code function: 18_2_00007FF8CA9B0300 18_2_00007FF8CA9B0300
Source: C:\Users\user\AppData\Local\6f22a\FileHistory.exe Code function: 18_2_00007FF8CA9AA310 18_2_00007FF8CA9AA310
Source: C:\Users\user\AppData\Local\6f22a\FileHistory.exe Code function: 18_2_00007FF8CA9B4360 18_2_00007FF8CA9B4360
Source: C:\Users\user\AppData\Local\6f22a\FileHistory.exe Code function: 18_2_00007FF8CA9A3340 18_2_00007FF8CA9A3340
Source: C:\Users\user\AppData\Local\6f22a\FileHistory.exe Code function: 18_2_00007FF8CA998340 18_2_00007FF8CA998340
Source: C:\Users\user\AppData\Local\6f22a\FileHistory.exe Code function: 18_2_00007FF8CA9E5B50 18_2_00007FF8CA9E5B50
Source: C:\Users\user\AppData\Local\6f22a\FileHistory.exe Code function: 18_2_00007FF8CA985350 18_2_00007FF8CA985350
Source: C:\Users\user\AppData\Local\6f22a\FileHistory.exe Code function: 18_2_00007FF8CA9E2CA0 18_2_00007FF8CA9E2CA0
Source: C:\Users\user\AppData\Local\6f22a\FileHistory.exe Code function: 18_2_00007FF8CA9AAC80 18_2_00007FF8CA9AAC80
Source: C:\Users\user\AppData\Local\6f22a\FileHistory.exe Code function: 18_2_00007FF8CA9B3CF0 18_2_00007FF8CA9B3CF0
Source: C:\Users\user\AppData\Local\6f22a\FileHistory.exe Code function: 18_2_00007FF8CA993CD0 18_2_00007FF8CA993CD0
Source: C:\Users\user\AppData\Local\6f22a\FileHistory.exe Code function: 18_2_00007FF8CA995420 18_2_00007FF8CA995420
Source: C:\Users\user\AppData\Local\6f22a\FileHistory.exe Code function: 18_2_00007FF8CA985C20 18_2_00007FF8CA985C20
Source: C:\Users\user\AppData\Local\6f22a\FileHistory.exe Code function: 18_2_00007FF8CA9EE400 18_2_00007FF8CA9EE400
Source: C:\Users\user\AppData\Local\6f22a\FileHistory.exe Code function: 18_2_00007FF8CA997410 18_2_00007FF8CA997410
Source: C:\Users\user\AppData\Local\6f22a\FileHistory.exe Code function: 18_2_00007FF8CA9E9410 18_2_00007FF8CA9E9410
Source: C:\Users\user\AppData\Local\6f22a\FileHistory.exe Code function: 18_2_00007FF8CA9AE9A0 18_2_00007FF8CA9AE9A0
Source: C:\Users\user\AppData\Local\6f22a\FileHistory.exe Code function: 18_2_00007FF8CA99E9B0 18_2_00007FF8CA99E9B0
Source: C:\Users\user\AppData\Local\6f22a\FileHistory.exe Code function: 18_2_00007FF8CA9A11B0 18_2_00007FF8CA9A11B0
Source: C:\Users\user\AppData\Local\6f22a\FileHistory.exe Code function: 18_2_00007FF8CA982980 18_2_00007FF8CA982980
Source: C:\Users\user\AppData\Local\6f22a\FileHistory.exe Code function: 18_2_00007FF8CA9B9990 18_2_00007FF8CA9B9990
Source: C:\Users\user\AppData\Local\6f22a\FileHistory.exe Code function: 18_2_00007FF8CA9B59F0 18_2_00007FF8CA9B59F0
Source: C:\Users\user\AppData\Local\6f22a\FileHistory.exe Code function: 18_2_00007FF8CA9AF1F0 18_2_00007FF8CA9AF1F0
Source: C:\Users\user\AppData\Local\6f22a\FileHistory.exe Code function: 18_2_00007FF8CA9B91F0 18_2_00007FF8CA9B91F0
Source: C:\Users\user\AppData\Local\6f22a\FileHistory.exe Code function: 18_2_00007FF8CA9B89F0 18_2_00007FF8CA9B89F0
Source: C:\Users\user\AppData\Local\6f22a\FileHistory.exe Code function: 18_2_00007FF8CA9A69C0 18_2_00007FF8CA9A69C0
Source: C:\Users\user\AppData\Local\6f22a\FileHistory.exe Code function: 18_2_00007FF8CA9B21D0 18_2_00007FF8CA9B21D0
Source: C:\Users\user\AppData\Local\6f22a\FileHistory.exe Code function: 18_2_00007FF8CA9B6130 18_2_00007FF8CA9B6130
Source: C:\Users\user\AppData\Local\6f22a\FileHistory.exe Code function: 18_2_00007FF8CA98B100 18_2_00007FF8CA98B100
Source: C:\Users\user\AppData\Local\6f22a\FileHistory.exe Code function: 18_2_00007FF8CA99E110 18_2_00007FF8CA99E110
Source: C:\Users\user\AppData\Local\6f22a\FileHistory.exe Code function: 18_2_00007FF8CA9A3910 18_2_00007FF8CA9A3910
Source: C:\Users\user\AppData\Local\6f22a\FileHistory.exe Code function: 18_2_00007FF8CA9EB960 18_2_00007FF8CA9EB960
Source: C:\Users\user\AppData\Local\6f22a\FileHistory.exe Code function: 18_2_00007FF8CA9A4140 18_2_00007FF8CA9A4140
Source: C:\Users\user\AppData\Local\6f22a\FileHistory.exe Code function: 18_2_00007FF8CA9D3150 18_2_00007FF8CA9D3150
Source: C:\Users\user\AppData\Local\6f22a\FileHistory.exe Code function: 18_2_00007FF8CA9E6950 18_2_00007FF8CA9E6950
Source: C:\Users\user\AppData\Local\6f22a\FileHistory.exe Code function: 18_2_00007FF8CA9ADAA0 18_2_00007FF8CA9ADAA0
Source: C:\Users\user\AppData\Local\6f22a\FileHistory.exe Code function: 18_2_00007FF8CA9E82A0 18_2_00007FF8CA9E82A0
Source: C:\Users\user\AppData\Local\6f22a\FileHistory.exe Code function: 18_2_00007FF8CA9EAAA0 18_2_00007FF8CA9EAAA0
Source: C:\Users\user\AppData\Local\6f22a\FileHistory.exe Code function: 18_2_00007FF8CA9A82E0 18_2_00007FF8CA9A82E0
Source: C:\Users\user\AppData\Local\6f22a\FileHistory.exe Code function: 18_2_00007FF8CA9BBAE0 18_2_00007FF8CA9BBAE0
Source: C:\Users\user\AppData\Local\6f22a\FileHistory.exe Code function: 18_2_00007FF8CA9E2AE0 18_2_00007FF8CA9E2AE0
Source: C:\Users\user\AppData\Local\6f22a\FileHistory.exe Code function: 18_2_00007FF8CA9A92C0 18_2_00007FF8CA9A92C0
Source: C:\Users\user\AppData\Local\6f22a\FileHistory.exe Code function: 18_2_00007FF8CA9DF2C0 18_2_00007FF8CA9DF2C0
Source: C:\Users\user\AppData\Local\6f22a\FileHistory.exe Code function: 18_2_00007FF8CA9EB260 18_2_00007FF8CA9EB260
Source: C:\Users\user\AppData\Local\6f22a\FileHistory.exe Code function: 18_2_00007FF8CA987A40 18_2_00007FF8CA987A40
Source: C:\Users\user\AppData\Local\6f22a\FileHistory.exe Code function: 18_2_00007FF8CA9BB250 18_2_00007FF8CA9BB250
Source: C:\Users\user\AppData\Local\6f22a\FileHistory.exe Code function: 18_2_00007FF8CA9FB7A0 18_2_00007FF8CA9FB7A0
Source: C:\Users\user\AppData\Local\6f22a\FileHistory.exe Code function: 18_2_00007FF8CA9AE7B0 18_2_00007FF8CA9AE7B0
Source: C:\Users\user\AppData\Local\6f22a\FileHistory.exe Code function: 18_2_00007FF8CA9FEF80 18_2_00007FF8CA9FEF80
Source: C:\Users\user\AppData\Local\6f22a\FileHistory.exe Code function: 18_2_00007FF8CA986790 18_2_00007FF8CA986790
Source: C:\Users\user\AppData\Local\6f22a\FileHistory.exe Code function: 18_2_00007FF8CA9A6FE0 18_2_00007FF8CA9A6FE0
Source: C:\Users\user\AppData\Local\6f22a\FileHistory.exe Code function: 18_2_00007FF8CA9F4FF0 18_2_00007FF8CA9F4FF0
Source: C:\Users\user\AppData\Local\6f22a\FileHistory.exe Code function: 18_2_00007FF8CA998FC0 18_2_00007FF8CA998FC0
Source: C:\Users\user\AppData\Local\6f22a\FileHistory.exe Code function: 18_2_00007FF8CA99A7D0 18_2_00007FF8CA99A7D0
Source: C:\Users\user\AppData\Local\6f22a\FileHistory.exe Code function: 18_2_00007FF8CA9C97D0 18_2_00007FF8CA9C97D0
Source: C:\Users\user\AppData\Local\6f22a\FileHistory.exe Code function: 18_2_00007FF8CA9E0F30 18_2_00007FF8CA9E0F30
Source: C:\Users\user\AppData\Local\6f22a\FileHistory.exe Code function: 18_2_00007FF8CA9A872B 18_2_00007FF8CA9A872B
Source: C:\Users\user\AppData\Local\6f22a\FileHistory.exe Code function: 18_2_00007FF8CA9E5760 18_2_00007FF8CA9E5760
Source: C:\Users\user\AppData\Local\6f22a\FileHistory.exe Code function: 18_2_00007FF8CA99E770 18_2_00007FF8CA99E770
Source: C:\Users\user\AppData\Local\6f22a\FileHistory.exe Code function: 18_2_00007FF8CA9E0770 18_2_00007FF8CA9E0770
Source: C:\Users\user\AppData\Local\6f22a\FileHistory.exe Code function: 18_2_00007FF8CA9A2F50 18_2_00007FF8CA9A2F50
Source: C:\Users\user\AppData\Local\6f22a\FileHistory.exe Code function: 18_2_00007FF8CA9908B0 18_2_00007FF8CA9908B0
Source: C:\Users\user\AppData\Local\6f22a\FileHistory.exe Code function: 18_2_00007FF8CA9A7880 18_2_00007FF8CA9A7880
Source: C:\Users\user\AppData\Local\6f22a\FileHistory.exe Code function: 18_2_00007FF8CA99D890 18_2_00007FF8CA99D890
Source: C:\Users\user\AppData\Local\6f22a\FileHistory.exe Code function: 18_2_00007FF8CA9818D0 18_2_00007FF8CA9818D0
Source: C:\Users\user\AppData\Local\6f22a\FileHistory.exe Code function: 18_2_00007FF8CA9B0020 18_2_00007FF8CA9B0020
Source: C:\Users\user\AppData\Local\6f22a\FileHistory.exe Code function: 18_2_00007FF8CA9AC030 18_2_00007FF8CA9AC030
Source: C:\Users\user\AppData\Local\6f22a\FileHistory.exe Code function: 18_2_00007FF8CA9A4800 18_2_00007FF8CA9A4800
Source: C:\Users\user\AppData\Local\6f22a\FileHistory.exe Code function: 18_2_00007FF8CA981010 18_2_00007FF8CA981010
Source: C:\Users\user\AppData\Local\6f22a\FileHistory.exe Code function: 18_2_00007FF8CA9BF870 18_2_00007FF8CA9BF870
Source: C:\Users\user\AppData\Local\6f22a\FileHistory.exe Code function: 18_2_00007FF8CA9D5840 18_2_00007FF8CA9D5840
Source: C:\Users\user\AppData\Local\6f22a\FileHistory.exe Code function: 18_2_00007FF8CA9A5050 18_2_00007FF8CA9A5050
Source: C:\Users\user\AppData\Local\6f22a\FileHistory.exe Code function: 18_2_00007FF8CA98C5A0 18_2_00007FF8CA98C5A0
Source: C:\Users\user\AppData\Local\6f22a\FileHistory.exe Code function: 18_2_00007FF8CA9965E0 18_2_00007FF8CA9965E0
Source: C:\Users\user\AppData\Local\6f22a\FileHistory.exe Code function: 18_2_00007FF8CA9995C0 18_2_00007FF8CA9995C0
Source: C:\Users\user\AppData\Local\6f22a\FileHistory.exe Code function: 18_2_00007FF8CA9B25C0 18_2_00007FF8CA9B25C0
Source: C:\Users\user\AppData\Local\6f22a\FileHistory.exe Code function: 18_2_00007FF8CA9ED520 18_2_00007FF8CA9ED520
Source: C:\Users\user\AppData\Local\6f22a\FileHistory.exe Code function: 18_2_00007FF8CA9B1D30 18_2_00007FF8CA9B1D30
Source: C:\Users\user\AppData\Local\6f22a\FileHistory.exe Code function: 18_2_00007FF8CA9B0D10 18_2_00007FF8CA9B0D10
Source: C:\Users\user\AppData\Local\6f22a\FileHistory.exe Code function: 18_2_00007FF8CA999D70 18_2_00007FF8CA999D70
Source: C:\Users\user\AppData\Local\6f22a\FileHistory.exe Code function: 18_2_00007FF8CA9A3D50 18_2_00007FF8CA9A3D50
Source: C:\Users\user\AppData\Local\6f22a\FileHistory.exe Code function: 18_2_00007FF8CA9AD550 18_2_00007FF8CA9AD550
Source: C:\Users\user\AppData\Local\6f22a\FileHistory.exe Code function: 18_2_00007FF8CA9B06A0 18_2_00007FF8CA9B06A0
Source: C:\Users\user\AppData\Local\6f22a\FileHistory.exe Code function: 18_2_00007FF8CA9AF6B0 18_2_00007FF8CA9AF6B0
Source: C:\Users\user\AppData\Local\6f22a\FileHistory.exe Code function: 18_2_00007FF8CA987E80 18_2_00007FF8CA987E80
Source: C:\Users\user\AppData\Local\6f22a\FileHistory.exe Code function: 18_2_00007FF8CA986E90 18_2_00007FF8CA986E90
Source: C:\Users\user\AppData\Local\6f22a\FileHistory.exe Code function: 18_2_00007FF8CA9E7EC0 18_2_00007FF8CA9E7EC0
Source: C:\Users\user\AppData\Local\6f22a\FileHistory.exe Code function: 18_2_00007FF8CA98DE20 18_2_00007FF8CA98DE20
Source: C:\Users\user\AppData\Local\6f22a\FileHistory.exe Code function: 18_2_00007FF8CA981620 18_2_00007FF8CA981620
Source: C:\Users\user\AppData\Local\6f22a\FileHistory.exe Code function: 18_2_00007FF8CA9A3610 18_2_00007FF8CA9A3610
Source: C:\Users\user\AppData\Local\6f22a\FileHistory.exe Code function: 18_2_00007FF8CA9B2E10 18_2_00007FF8CA9B2E10
Source: C:\Users\user\AppData\Local\6f22a\FileHistory.exe Code function: 18_2_00007FF8CA998670 18_2_00007FF8CA998670
Source: C:\Users\user\AppData\Local\6f22a\FileHistory.exe Code function: 18_2_00007FF8CA9D0650 18_2_00007FF8CA9D0650
Source: C:\Users\user\AppData\Local\6f22a\FileHistory.exe Code function: 18_2_00007FF8CA9E7650 18_2_00007FF8CA9E7650
Source: C:\Users\user\AppData\Local\Kyz7D\rdpinput.exe Code function: 20_2_00007FF7BADA3BE0 20_2_00007FF7BADA3BE0
Source: C:\Users\user\AppData\Local\Kyz7D\rdpinput.exe Code function: 20_2_00007FF7BADA2578 20_2_00007FF7BADA2578
Source: C:\Users\user\AppData\Local\Kyz7D\rdpinput.exe Code function: 20_2_00007FF7BADAFD48 20_2_00007FF7BADAFD48
Source: C:\Users\user\AppData\Local\bTcR2e\SndVol.exe Code function: 22_2_00007FF6C1BB8310 22_2_00007FF6C1BB8310
Source: C:\Users\user\AppData\Local\bTcR2e\SndVol.exe Code function: 22_2_00007FF6C1BC4F10 22_2_00007FF6C1BC4F10
Source: C:\Users\user\AppData\Local\bTcR2e\SndVol.exe Code function: 22_2_00007FF6C1BC3718 22_2_00007FF6C1BC3718
Source: C:\Users\user\AppData\Local\bTcR2e\SndVol.exe Code function: 22_2_00007FF6C1BB6218 22_2_00007FF6C1BB6218
Source: C:\Users\user\AppData\Local\bTcR2e\SndVol.exe Code function: 22_2_00007FF6C1BBA5C8 22_2_00007FF6C1BBA5C8
Source: C:\Users\user\AppData\Local\bTcR2e\SndVol.exe Code function: 22_2_00007FF6C1BBA1A0 22_2_00007FF6C1BBA1A0
Source: C:\Users\user\AppData\Local\bTcR2e\SndVol.exe Code function: 22_2_00007FF6C1BB3514 22_2_00007FF6C1BB3514
Source: C:\Users\user\AppData\Local\bTcR2e\SndVol.exe Code function: 22_2_00007FF6C1BCC4D0 22_2_00007FF6C1BCC4D0
Source: C:\Users\user\AppData\Local\bTcR2e\SndVol.exe Code function: 22_2_00007FF6C1BB44E8 22_2_00007FF6C1BB44E8
Source: C:\Users\user\AppData\Local\bTcR2e\SndVol.exe Code function: 22_2_00007FF6C1BB3080 22_2_00007FF6C1BB3080
Source: C:\Users\user\AppData\Local\bTcR2e\SndVol.exe Code function: 22_2_00007FF6C1BCB088 22_2_00007FF6C1BCB088
Source: C:\Users\user\AppData\Local\bTcR2e\SndVol.exe Code function: 22_2_00007FF6C1BC0CA8 22_2_00007FF6C1BC0CA8
Source: C:\Users\user\AppData\Local\bTcR2e\SndVol.exe Code function: 22_2_00007FF6C1BC2BD8 22_2_00007FF6C1BC2BD8
Source: C:\Users\user\AppData\Local\bTcR2e\SndVol.exe Code function: 22_2_00007FF6C1BC03A0 22_2_00007FF6C1BC03A0
Source: C:\Users\user\AppData\Local\LoReH\SnippingTool.exe Code function: 25_2_00007FF70C3F9978 25_2_00007FF70C3F9978
Source: C:\Users\user\AppData\Local\LoReH\SnippingTool.exe Code function: 25_2_00007FF70C3F8D50 25_2_00007FF70C3F8D50
Source: C:\Users\user\AppData\Local\LoReH\SnippingTool.exe Code function: 25_2_00007FF70C3F29F4 25_2_00007FF70C3F29F4
Source: C:\Users\user\AppData\Local\LoReH\SnippingTool.exe Code function: 25_2_00007FF70C3F1600 25_2_00007FF70C3F1600
Source: C:\Users\user\AppData\Local\LoReH\SnippingTool.exe Code function: 25_2_00007FF70C404598 25_2_00007FF70C404598
Source: C:\Users\user\AppData\Local\LoReH\SnippingTool.exe Code function: 25_2_00007FF70C4039A8 25_2_00007FF70C4039A8
Source: C:\Users\user\AppData\Local\LoReH\SnippingTool.exe Code function: 25_2_00007FF70C408A64 25_2_00007FF70C408A64
Source: C:\Users\user\AppData\Local\LoReH\SnippingTool.exe Code function: 25_2_00007FF70C3FAE80 25_2_00007FF70C3FAE80
Source: C:\Users\user\AppData\Local\LoReH\SnippingTool.exe Code function: 25_2_00007FF70C3F5EBC 25_2_00007FF70C3F5EBC
Source: C:\Users\user\AppData\Local\LoReH\SnippingTool.exe Code function: 25_2_00007FF70C3F1F60 25_2_00007FF70C3F1F60
Source: C:\Users\user\AppData\Local\LoReH\SnippingTool.exe Code function: 25_2_00007FF70C3F9338 25_2_00007FF70C3F9338
Source: C:\Users\user\AppData\Local\LoReH\SnippingTool.exe Code function: 25_2_00007FF70C40EF38 25_2_00007FF70C40EF38
Source: C:\Users\user\AppData\Local\LoReH\SnippingTool.exe Code function: 25_2_00007FF70C409008 25_2_00007FF70C409008
Source: C:\Users\user\AppData\Local\LoReH\SnippingTool.exe Code function: 25_2_00007FF70C405FF8 25_2_00007FF70C405FF8
Source: C:\Users\user\AppData\Local\LoReH\SnippingTool.exe Code function: 25_2_00007FF70C3FEB98 25_2_00007FF70C3FEB98
Source: C:\Users\user\AppData\Local\LoReH\SnippingTool.exe Code function: 25_2_00007FF70C40F3CC 25_2_00007FF70C40F3CC
Source: C:\Users\user\AppData\Local\LoReH\SnippingTool.exe Code function: 25_2_00007FF70C40C470 25_2_00007FF70C40C470
Source: C:\Users\user\AppData\Local\LoReH\SnippingTool.exe Code function: 25_2_00007FF70C41EC80 25_2_00007FF70C41EC80
Source: C:\Users\user\AppData\Local\LoReH\SnippingTool.exe Code function: 25_2_00007FF70C3F250C 25_2_00007FF70C3F250C
Source: C:\Users\user\AppData\Local\LoReH\SnippingTool.exe Code function: 25_2_00007FF70C3F58C0 25_2_00007FF70C3F58C0
Source: C:\Users\user\AppData\Local\2Yf2pw501\slui.exe Code function: 28_2_00007FF6A3F231D0 28_2_00007FF6A3F231D0
Source: C:\Users\user\AppData\Local\2Yf2pw501\slui.exe Code function: 28_2_00007FF6A3F21A80 28_2_00007FF6A3F21A80
Source: C:\Users\user\AppData\Local\2Yf2pw501\slui.exe Code function: 28_2_00007FF6A3F242A0 28_2_00007FF6A3F242A0
Source: C:\Users\user\AppData\Local\2Yf2pw501\slui.exe Code function: 28_2_00007FF6A3F246C0 28_2_00007FF6A3F246C0
Source: C:\Users\user\AppData\Local\2Yf2pw501\slui.exe Code function: 28_2_00007FF6A3F256F4 28_2_00007FF6A3F256F4
Source: C:\Users\user\AppData\Local\2Yf2pw501\slui.exe Code function: 28_2_00007FF6A3F262F4 28_2_00007FF6A3F262F4
Source: C:\Users\user\AppData\Local\2Yf2pw501\slui.exe Code function: 28_2_00007FF6A3F42128 28_2_00007FF6A3F42128
Found potential string decryption / allocating functions
Source: C:\Users\user\AppData\Local\LoReH\SnippingTool.exe Code function: String function: 00007FF70C411454 appears 227 times
Contains functionality to call native functions
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FF8BA617770 NtClose, 0_2_00007FF8BA617770
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FF8BA63D520 NtQuerySystemInformation,RtlAllocateHeap, 0_2_00007FF8BA63D520
Source: C:\Users\user\AppData\Local\6f22a\FileHistory.exe Code function: 18_2_00007FF8CA9B5CD0 RtlAddVectoredContinueHandler,VirtualProtect,VirtualProtect,RtlCreateUserThread,NtClose, 18_2_00007FF8CA9B5CD0
Source: C:\Users\user\AppData\Local\6f22a\FileHistory.exe Code function: 18_2_00007FF8CA9C7770 NtClose, 18_2_00007FF8CA9C7770
PE file contains executable resources (Code or Archives)
Source: DmNotificationBroker.exe.4.dr Static PE information: Resource name: RT_VERSION type: COM executable for DOS
PE file contains strange resources
Source: FileHistory.exe.4.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: FileHistory.exe.4.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: FileHistory.exe.4.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: FileHistory.exe.4.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: FileHistory.exe.4.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: FileHistory.exe.4.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: consent.exe.4.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: consent.exe.4.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: consent.exe.4.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: consent.exe.4.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: consent.exe.4.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: consent.exe.4.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: SndVol.exe.4.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: SndVol.exe.4.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: SndVol.exe.4.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: SndVol.exe.4.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: SndVol.exe.4.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: SndVol.exe.4.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: SndVol.exe.4.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: SndVol.exe.4.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: SndVol.exe.4.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: SnippingTool.exe.4.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: SnippingTool.exe.4.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: SnippingTool.exe.4.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: SnippingTool.exe.4.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: slui.exe.4.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: slui.exe.4.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: slui.exe.4.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: slui.exe.4.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: slui.exe.4.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: slui.exe.4.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: slui.exe.4.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: slui.exe.4.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: slui.exe.4.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Tries to load missing DLLs
Source: C:\Windows\System32\loaddll64.exe Section loaded: kernel34.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: kernel34.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: windows.globalization.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: kernel34.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: kernel34.dll Jump to behavior
Source: C:\Users\user\AppData\Local\6f22a\FileHistory.exe Section loaded: kernel34.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Kyz7D\rdpinput.exe Section loaded: kernel34.dll Jump to behavior
Source: C:\Users\user\AppData\Local\bTcR2e\SndVol.exe Section loaded: kernel34.dll Jump to behavior
Source: C:\Users\user\AppData\Local\LoReH\SnippingTool.exe Section loaded: kernel34.dll
Source: C:\Users\user\AppData\Local\2Yf2pw501\slui.exe Section loaded: kernel34.dll
Source: C:\Users\user\AppData\Local\Fjrn\rdpinput.exe Section loaded: kernel34.dll
Source: C:\Users\user\AppData\Local\2HophZ6P\printfilterpipelinesvc.exe Section loaded: kernel34.dll
Source: C:\Users\user\AppData\Local\D6R1uM\Utilman.exe Section loaded: kernel34.dll
Source: C:\Users\user\AppData\Local\op5PCy\phoneactivate.exe Section loaded: kernel34.dll
Source: C:\Users\user\AppData\Local\CSYG\DmNotificationBroker.exe Section loaded: kernel34.dll
Source: C:\Users\user\AppData\Local\oOQGGow\ProximityUxHost.exe Section loaded: kernel34.dll
PE file contains more sections than normal
Source: dwmapi.dll.4.dr Static PE information: Number of sections : 61 > 10
Source: DUser.dll.4.dr Static PE information: Number of sections : 61 > 10
Source: WTSAPI32.dll.4.dr Static PE information: Number of sections : 61 > 10
Source: DUI70.dll0.4.dr Static PE information: Number of sections : 61 > 10
Source: UxTheme.dll0.4.dr Static PE information: Number of sections : 61 > 10
Source: WMsgAPI.dll.4.dr Static PE information: Number of sections : 61 > 10
Source: XmlLite.dll.4.dr Static PE information: Number of sections : 61 > 10
Source: OLEACC.dll.4.dr Static PE information: Number of sections : 61 > 10
Source: WTSAPI32.dll0.4.dr Static PE information: Number of sections : 61 > 10
Source: DUI70.dll.4.dr Static PE information: Number of sections : 61 > 10
Source: DUI70.dll1.4.dr Static PE information: Number of sections : 61 > 10
Source: GpUSRuIBHx.dll Static PE information: Number of sections : 60 > 10
Source: WINSTA.dll.4.dr Static PE information: Number of sections : 61 > 10
Source: OLEACC.dll0.4.dr Static PE information: Number of sections : 61 > 10
Source: XmlLite.dll0.4.dr Static PE information: Number of sections : 61 > 10
Source: UxTheme.dll.4.dr Static PE information: Number of sections : 61 > 10
Source: GpUSRuIBHx.dll Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: XmlLite.dll.4.dr Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: UxTheme.dll.4.dr Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: WMsgAPI.dll.4.dr Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: WTSAPI32.dll.4.dr Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: OLEACC.dll.4.dr Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: dwmapi.dll.4.dr Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: OLEACC.dll0.4.dr Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: WTSAPI32.dll0.4.dr Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: WINSTA.dll.4.dr Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: XmlLite.dll0.4.dr Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: DUser.dll.4.dr Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: DUI70.dll.4.dr Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: DUI70.dll0.4.dr Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: DUI70.dll1.4.dr Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: UxTheme.dll0.4.dr Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: GpUSRuIBHx.dll Virustotal: Detection: 70%
Source: GpUSRuIBHx.dll Metadefender: Detection: 62%
Source: GpUSRuIBHx.dll ReversingLabs: Detection: 88%
Source: GpUSRuIBHx.dll Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Windows\System32\loaddll64.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: unknown Process created: C:\Windows\System32\loaddll64.exe loaddll64.exe "C:\Users\user\Desktop\GpUSRuIBHx.dll"
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\GpUSRuIBHx.dll",#1
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\GpUSRuIBHx.dll,??0VolumeFveStatus@@IEAA@XZ
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\GpUSRuIBHx.dll",#1
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\GpUSRuIBHx.dll,??0VolumeFveStatus@@QEAA@K_KJW4_FVE_WIPING_STATE@@@Z
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\GpUSRuIBHx.dll,??4BuiVolume@@QEAAAEAV0@AEBV0@@Z
Source: C:\Windows\explorer.exe Process created: C:\Windows\System32\BackgroundTransferHost.exe "BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.1
Source: C:\Windows\explorer.exe Process created: C:\Windows\System32\FileHistory.exe C:\Windows\system32\FileHistory.exe
Source: C:\Windows\explorer.exe Process created: C:\Users\user\AppData\Local\6f22a\FileHistory.exe C:\Users\user\AppData\Local\6f22a\FileHistory.exe
Source: C:\Windows\explorer.exe Process created: C:\Windows\System32\rdpinput.exe C:\Windows\system32\rdpinput.exe
Source: C:\Windows\explorer.exe Process created: C:\Users\user\AppData\Local\Kyz7D\rdpinput.exe C:\Users\user\AppData\Local\Kyz7D\rdpinput.exe
Source: C:\Windows\explorer.exe Process created: C:\Windows\System32\SndVol.exe C:\Windows\system32\SndVol.exe
Source: C:\Windows\explorer.exe Process created: C:\Users\user\AppData\Local\bTcR2e\SndVol.exe C:\Users\user\AppData\Local\bTcR2e\SndVol.exe
Source: C:\Windows\explorer.exe Process created: C:\Windows\System32\SnippingTool.exe C:\Windows\system32\SnippingTool.exe
Source: C:\Windows\explorer.exe Process created: C:\Users\user\AppData\Local\LoReH\SnippingTool.exe C:\Users\user\AppData\Local\LoReH\SnippingTool.exe
Source: C:\Windows\explorer.exe Process created: C:\Windows\System32\slui.exe C:\Windows\system32\slui.exe
Source: C:\Windows\explorer.exe Process created: C:\Users\user\AppData\Local\2Yf2pw501\slui.exe C:\Users\user\AppData\Local\2Yf2pw501\slui.exe
Source: C:\Windows\explorer.exe Process created: C:\Windows\System32\rdpinput.exe C:\Windows\system32\rdpinput.exe
Source: C:\Windows\explorer.exe Process created: C:\Users\user\AppData\Local\Fjrn\rdpinput.exe C:\Users\user\AppData\Local\Fjrn\rdpinput.exe
Source: C:\Windows\explorer.exe Process created: C:\Windows\System32\printfilterpipelinesvc.exe C:\Windows\system32\printfilterpipelinesvc.exe
Source: C:\Windows\explorer.exe Process created: C:\Users\user\AppData\Local\2HophZ6P\printfilterpipelinesvc.exe C:\Users\user\AppData\Local\2HophZ6P\printfilterpipelinesvc.exe
Source: C:\Windows\explorer.exe Process created: C:\Windows\System32\Utilman.exe C:\Windows\system32\Utilman.exe
Source: C:\Windows\explorer.exe Process created: C:\Users\user\AppData\Local\D6R1uM\Utilman.exe C:\Users\user\AppData\Local\D6R1uM\Utilman.exe
Source: C:\Windows\explorer.exe Process created: C:\Windows\System32\phoneactivate.exe C:\Windows\system32\phoneactivate.exe
Source: C:\Windows\explorer.exe Process created: C:\Users\user\AppData\Local\op5PCy\phoneactivate.exe C:\Users\user\AppData\Local\op5PCy\phoneactivate.exe
Source: C:\Windows\explorer.exe Process created: C:\Windows\System32\DmNotificationBroker.exe C:\Windows\system32\DmNotificationBroker.exe
Source: C:\Windows\explorer.exe Process created: C:\Users\user\AppData\Local\CSYG\DmNotificationBroker.exe C:\Users\user\AppData\Local\CSYG\DmNotificationBroker.exe
Source: C:\Windows\explorer.exe Process created: C:\Windows\System32\ProximityUxHost.exe C:\Windows\system32\ProximityUxHost.exe
Source: C:\Windows\explorer.exe Process created: C:\Users\user\AppData\Local\oOQGGow\ProximityUxHost.exe C:\Users\user\AppData\Local\oOQGGow\ProximityUxHost.exe
Source: C:\Windows\explorer.exe Process created: C:\Windows\System32\omadmclient.exe C:\Windows\system32\omadmclient.exe
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\GpUSRuIBHx.dll",#1 Jump to behavior
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\GpUSRuIBHx.dll,??0VolumeFveStatus@@IEAA@XZ Jump to behavior
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\GpUSRuIBHx.dll,??0VolumeFveStatus@@QEAA@K_KJW4_FVE_WIPING_STATE@@@Z Jump to behavior
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\GpUSRuIBHx.dll,??4BuiVolume@@QEAAAEAV0@AEBV0@@Z Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\GpUSRuIBHx.dll",#1 Jump to behavior
Source: C:\Windows\explorer.exe Process created: C:\Windows\System32\FileHistory.exe C:\Windows\system32\FileHistory.exe Jump to behavior
Source: C:\Windows\explorer.exe Process created: C:\Users\user\AppData\Local\6f22a\FileHistory.exe C:\Users\user\AppData\Local\6f22a\FileHistory.exe Jump to behavior
Source: C:\Windows\explorer.exe Process created: C:\Windows\System32\rdpinput.exe C:\Windows\system32\rdpinput.exe Jump to behavior
Source: C:\Windows\explorer.exe Process created: C:\Users\user\AppData\Local\Kyz7D\rdpinput.exe C:\Users\user\AppData\Local\Kyz7D\rdpinput.exe Jump to behavior
Source: C:\Windows\explorer.exe Process created: C:\Windows\System32\SndVol.exe C:\Windows\system32\SndVol.exe Jump to behavior
Source: C:\Windows\explorer.exe Process created: C:\Users\user\AppData\Local\bTcR2e\SndVol.exe C:\Users\user\AppData\Local\bTcR2e\SndVol.exe Jump to behavior
Source: C:\Windows\explorer.exe Process created: C:\Windows\System32\SnippingTool.exe C:\Windows\system32\SnippingTool.exe Jump to behavior
Source: C:\Windows\explorer.exe Process created: C:\Users\user\AppData\Local\LoReH\SnippingTool.exe C:\Users\user\AppData\Local\LoReH\SnippingTool.exe Jump to behavior
Source: C:\Windows\explorer.exe Process created: C:\Windows\System32\slui.exe C:\Windows\system32\slui.exe Jump to behavior
Source: C:\Windows\explorer.exe Process created: C:\Users\user\AppData\Local\2Yf2pw501\slui.exe C:\Users\user\AppData\Local\2Yf2pw501\slui.exe Jump to behavior
Source: C:\Windows\explorer.exe Process created: C:\Windows\System32\rdpinput.exe C:\Windows\system32\rdpinput.exe Jump to behavior
Source: C:\Windows\explorer.exe Process created: C:\Users\user\AppData\Local\Fjrn\rdpinput.exe C:\Users\user\AppData\Local\Fjrn\rdpinput.exe Jump to behavior
Source: C:\Windows\explorer.exe Process created: C:\Windows\System32\printfilterpipelinesvc.exe C:\Windows\system32\printfilterpipelinesvc.exe Jump to behavior
Source: C:\Windows\explorer.exe Process created: C:\Users\user\AppData\Local\2HophZ6P\printfilterpipelinesvc.exe C:\Users\user\AppData\Local\2HophZ6P\printfilterpipelinesvc.exe Jump to behavior
Source: C:\Windows\explorer.exe Process created: C:\Windows\System32\Utilman.exe C:\Windows\system32\Utilman.exe Jump to behavior
Source: C:\Windows\explorer.exe Process created: C:\Users\user\AppData\Local\D6R1uM\Utilman.exe C:\Users\user\AppData\Local\D6R1uM\Utilman.exe Jump to behavior
Source: C:\Windows\explorer.exe Process created: C:\Windows\System32\phoneactivate.exe C:\Windows\system32\phoneactivate.exe Jump to behavior
Source: C:\Windows\explorer.exe Process created: C:\Windows\System32\BackgroundTransferHost.exe "BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.1 Jump to behavior
Source: C:\Windows\explorer.exe Process created: C:\Windows\System32\DmNotificationBroker.exe C:\Windows\system32\DmNotificationBroker.exe Jump to behavior
Source: C:\Windows\explorer.exe Process created: C:\Users\user\AppData\Local\CSYG\DmNotificationBroker.exe C:\Users\user\AppData\Local\CSYG\DmNotificationBroker.exe Jump to behavior
Source: C:\Windows\explorer.exe Process created: C:\Windows\System32\ProximityUxHost.exe C:\Windows\system32\ProximityUxHost.exe Jump to behavior
Source: C:\Windows\explorer.exe Process created: C:\Users\user\AppData\Local\oOQGGow\ProximityUxHost.exe C:\Users\user\AppData\Local\oOQGGow\ProximityUxHost.exe Jump to behavior
Source: C:\Windows\explorer.exe Process created: C:\Windows\System32\omadmclient.exe C:\Windows\system32\omadmclient.exe Jump to behavior
Source: C:\Windows\explorer.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\explorer.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\explorer.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\explorer.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\explorer.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\explorer.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\explorer.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32 Jump to behavior
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-3853321935-2125563209-4053062332-1002\eb42b1a5c308fc11edf1ddbdd25c8486_d06ed635-68f6-4e9a-955c-4899f5f57b9a Jump to behavior
Source: classification engine Classification label: mal100.troj.evad.winDLL@64/31@1/0
Source: C:\Users\user\AppData\Local\bTcR2e\SndVol.exe Code function: 22_2_00007FF6C1BB9E34 CoCreateInstance,CoAllowSetForegroundWindow, 22_2_00007FF6C1BB9E34
Source: C:\Users\user\AppData\Local\6f22a\FileHistory.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Kyz7D\rdpinput.exe Code function: 20_2_00007FF7BADA4B74 OpenSCManagerW,OpenServiceW,StartServiceW,GetLastError,CloseServiceHandle,CloseServiceHandle,Sleep, 20_2_00007FF7BADA4B74
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\GpUSRuIBHx.dll,??0VolumeFveStatus@@IEAA@XZ
Source: C:\Users\user\AppData\Local\oOQGGow\ProximityUxHost.exe Mutant created: \Sessions\1\BaseNamedObjects\{b9037130-7713-b8d0-facf-7e79439c554a}
Source: C:\Users\user\AppData\Local\oOQGGow\ProximityUxHost.exe Mutant created: \Sessions\1\BaseNamedObjects\{3981d798-39a4-108d-0c6e-24ba6fae0222}
Source: C:\Users\user\AppData\Local\bTcR2e\SndVol.exe Code function: 22_2_00007FF6C1BB8E7C LoadResource,LockResource,SizeofResource, 22_2_00007FF6C1BB8E7C
Source: GpUSRuIBHx.dll Static PE information: Image base 0x140000000 > 0x60000000
Source: GpUSRuIBHx.dll Static file information: File size 1368064 > 1048576
Source: GpUSRuIBHx.dll Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA
Source: Binary string: slui.pdb source: slui.exe, 0000001C.00000000.587339760.00007FF6A3F4C000.00000002.00000001.01000000.00000012.sdmp, slui.exe, 0000001C.00000002.616193744.00007FF6A3F4C000.00000002.00000001.01000000.00000012.sdmp
Source: Binary string: DmNotificationBroker.pdb source: DmNotificationBroker.exe, 00000026.00000000.760434884.00007FF7BFEF5000.00000002.00000001.01000000.0000001D.sdmp, DmNotificationBroker.exe, 00000026.00000002.790979828.00007FF7BFEF5000.00000002.00000001.01000000.0000001D.sdmp
Source: Binary string: rdpinput.pdbGCTL source: rdpinput.exe, 00000014.00000000.489595034.00007FF7BADC3000.00000002.00000001.01000000.0000000B.sdmp, rdpinput.exe, 00000014.00000002.512462840.00007FF7BADC3000.00000002.00000001.01000000.0000000B.sdmp, rdpinput.exe, 0000001E.00000000.622861932.00007FF64DBA3000.00000002.00000001.01000000.00000014.sdmp, rdpinput.exe, 0000001E.00000002.646379506.00007FF64DBA3000.00000002.00000001.01000000.00000014.sdmp
Source: Binary string: SndVol.pdbGCTL source: SndVol.exe, 00000016.00000000.518686092.00007FF6C1BD2000.00000002.00000001.01000000.0000000D.sdmp, SndVol.exe, 00000016.00000002.541746435.00007FF6C1BD2000.00000002.00000001.01000000.0000000D.sdmp
Source: Binary string: Utilman.pdb source: Utilman.exe, 00000022.00000000.683097194.00007FF7C58C0000.00000002.00000001.01000000.00000018.sdmp, Utilman.exe, 00000022.00000002.705894496.00007FF7C58C0000.00000002.00000001.01000000.00000018.sdmp
Source: Binary string: ProximityUxHost.pdbGCTL source: ProximityUxHost.exe, 00000028.00000002.836601819.00007FF777332000.00000002.00000001.01000000.0000001F.sdmp, ProximityUxHost.exe, 00000028.00000000.805041652.00007FF777332000.00000002.00000001.01000000.0000001F.sdmp
Source: Binary string: PrintFilterPipelineSvc.pdbGCTL source: printfilterpipelinesvc.exe, 00000020.00000000.654903742.00007FF6B41A7000.00000002.00000001.01000000.00000016.sdmp, printfilterpipelinesvc.exe, 00000020.00000002.677939240.00007FF6B41A7000.00000002.00000001.01000000.00000016.sdmp
Source: Binary string: DmNotificationBroker.pdbGCTL source: DmNotificationBroker.exe, 00000026.00000000.760434884.00007FF7BFEF5000.00000002.00000001.01000000.0000001D.sdmp, DmNotificationBroker.exe, 00000026.00000002.790979828.00007FF7BFEF5000.00000002.00000001.01000000.0000001D.sdmp
Source: Binary string: phoneactivate.pdb source: phoneactivate.exe, 00000024.00000000.718318485.00007FF7F2EC0000.00000002.00000001.01000000.0000001A.sdmp, phoneactivate.exe, 00000024.00000002.746413133.00007FF7F2EC0000.00000002.00000001.01000000.0000001A.sdmp
Source: Binary string: SnippingTool.pdb source: SnippingTool.exe, 00000019.00000002.579595026.00007FF70C420000.00000002.00000001.01000000.0000000F.sdmp, SnippingTool.exe, 00000019.00000000.550318199.00007FF70C420000.00000002.00000001.01000000.0000000F.sdmp
Source: Binary string: SnippingTool.pdbGCTL source: SnippingTool.exe, 00000019.00000002.579595026.00007FF70C420000.00000002.00000001.01000000.0000000F.sdmp, SnippingTool.exe, 00000019.00000000.550318199.00007FF70C420000.00000002.00000001.01000000.0000000F.sdmp
Source: Binary string: PrintFilterPipelineSvc.pdb source: printfilterpipelinesvc.exe, 00000020.00000000.654903742.00007FF6B41A7000.00000002.00000001.01000000.00000016.sdmp, printfilterpipelinesvc.exe, 00000020.00000002.677939240.00007FF6B41A7000.00000002.00000001.01000000.00000016.sdmp
Source: Binary string: FileHistory.pdbGCTL source: FileHistory.exe, 00000012.00000000.478980793.00007FF6D0A39000.00000002.00000001.01000000.00000007.sdmp, FileHistory.exe, 00000012.00000002.484212875.00007FF6D0A39000.00000002.00000001.01000000.00000007.sdmp
Source: Binary string: rdpinput.pdb source: rdpinput.exe, 00000014.00000000.489595034.00007FF7BADC3000.00000002.00000001.01000000.0000000B.sdmp, rdpinput.exe, 00000014.00000002.512462840.00007FF7BADC3000.00000002.00000001.01000000.0000000B.sdmp, rdpinput.exe, 0000001E.00000000.622861932.00007FF64DBA3000.00000002.00000001.01000000.00000014.sdmp, rdpinput.exe, 0000001E.00000002.646379506.00007FF64DBA3000.00000002.00000001.01000000.00000014.sdmp
Source: Binary string: Utilman.pdbGCTL source: Utilman.exe, 00000022.00000000.683097194.00007FF7C58C0000.00000002.00000001.01000000.00000018.sdmp, Utilman.exe, 00000022.00000002.705894496.00007FF7C58C0000.00000002.00000001.01000000.00000018.sdmp
Source: Binary string: phoneactivate.pdbGCTL source: phoneactivate.exe, 00000024.00000000.718318485.00007FF7F2EC0000.00000002.00000001.01000000.0000001A.sdmp, phoneactivate.exe, 00000024.00000002.746413133.00007FF7F2EC0000.00000002.00000001.01000000.0000001A.sdmp
Source: Binary string: slui.pdbUGP source: slui.exe, 0000001C.00000000.587339760.00007FF6A3F4C000.00000002.00000001.01000000.00000012.sdmp, slui.exe, 0000001C.00000002.616193744.00007FF6A3F4C000.00000002.00000001.01000000.00000012.sdmp
Source: Binary string: SndVol.pdb source: SndVol.exe, 00000016.00000000.518686092.00007FF6C1BD2000.00000002.00000001.01000000.0000000D.sdmp, SndVol.exe, 00000016.00000002.541746435.00007FF6C1BD2000.00000002.00000001.01000000.0000000D.sdmp
Source: Binary string: ProximityUxHost.pdb source: ProximityUxHost.exe, 00000028.00000002.836601819.00007FF777332000.00000002.00000001.01000000.0000001F.sdmp, ProximityUxHost.exe, 00000028.00000000.805041652.00007FF777332000.00000002.00000001.01000000.0000001F.sdmp
Source: Binary string: FileHistory.pdb source: FileHistory.exe, 00000012.00000000.478980793.00007FF6D0A39000.00000002.00000001.01000000.00000007.sdmp, FileHistory.exe, 00000012.00000002.484212875.00007FF6D0A39000.00000002.00000001.01000000.00000007.sdmp
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\AppData\Local\Kyz7D\rdpinput.exe Code function: 20_2_00007FF7BADA5E92 push rcx; ret 20_2_00007FF7BADA5E93
PE file contains sections with non-standard names
Source: GpUSRuIBHx.dll Static PE information: section name: .vxl
Source: GpUSRuIBHx.dll Static PE information: section name: .qwubgr
Source: GpUSRuIBHx.dll Static PE information: section name: .eer
Source: GpUSRuIBHx.dll Static PE information: section name: .xwwauf
Source: GpUSRuIBHx.dll Static PE information: section name: .pkc
Source: GpUSRuIBHx.dll Static PE information: section name: .npkda
Source: GpUSRuIBHx.dll Static PE information: section name: .vhs
Source: GpUSRuIBHx.dll Static PE information: section name: .iaywj
Source: GpUSRuIBHx.dll Static PE information: section name: .nasi
Source: GpUSRuIBHx.dll Static PE information: section name: .zhvprh
Source: GpUSRuIBHx.dll Static PE information: section name: .yatdsp
Source: GpUSRuIBHx.dll Static PE information: section name: .njso
Source: GpUSRuIBHx.dll Static PE information: section name: .lgliat
Source: GpUSRuIBHx.dll Static PE information: section name: .ntqjh
Source: GpUSRuIBHx.dll Static PE information: section name: .sucsek
Source: GpUSRuIBHx.dll Static PE information: section name: .qsxjui
Source: GpUSRuIBHx.dll Static PE information: section name: .twctcm
Source: GpUSRuIBHx.dll Static PE information: section name: .nms
Source: GpUSRuIBHx.dll Static PE information: section name: .ogj
Source: GpUSRuIBHx.dll Static PE information: section name: .vrkgb
Source: GpUSRuIBHx.dll Static PE information: section name: .gikfw
Source: GpUSRuIBHx.dll Static PE information: section name: .ktl
Source: GpUSRuIBHx.dll Static PE information: section name: .crcn
Source: GpUSRuIBHx.dll Static PE information: section name: .wtfr
Source: GpUSRuIBHx.dll Static PE information: section name: .hep
Source: GpUSRuIBHx.dll Static PE information: section name: .ywg
Source: GpUSRuIBHx.dll Static PE information: section name: .sqsp
Source: GpUSRuIBHx.dll Static PE information: section name: .gzb
Source: GpUSRuIBHx.dll Static PE information: section name: .fatlss
Source: GpUSRuIBHx.dll Static PE information: section name: .plqa
Source: GpUSRuIBHx.dll Static PE information: section name: .vzt
Source: GpUSRuIBHx.dll Static PE information: section name: .dsbyd
Source: GpUSRuIBHx.dll Static PE information: section name: .cdelc
Source: GpUSRuIBHx.dll Static PE information: section name: .qkhkj
Source: GpUSRuIBHx.dll Static PE information: section name: .mnzegr
Source: GpUSRuIBHx.dll Static PE information: section name: .krw
Source: GpUSRuIBHx.dll Static PE information: section name: .jvsmn
Source: GpUSRuIBHx.dll Static PE information: section name: .bygpq
Source: GpUSRuIBHx.dll Static PE information: section name: .kzdbu
Source: GpUSRuIBHx.dll Static PE information: section name: .mwxorn
Source: GpUSRuIBHx.dll Static PE information: section name: .raf
Source: GpUSRuIBHx.dll Static PE information: section name: .zcyw
Source: GpUSRuIBHx.dll Static PE information: section name: .zeczh
Source: GpUSRuIBHx.dll Static PE information: section name: .pvv
Source: GpUSRuIBHx.dll Static PE information: section name: .lug
Source: GpUSRuIBHx.dll Static PE information: section name: .ski
Source: GpUSRuIBHx.dll Static PE information: section name: .japjd
Source: GpUSRuIBHx.dll Static PE information: section name: .mwtzml
Source: GpUSRuIBHx.dll Static PE information: section name: .vgssf
Source: GpUSRuIBHx.dll Static PE information: section name: .gsroye
Source: GpUSRuIBHx.dll Static PE information: section name: .vcmr
Source: GpUSRuIBHx.dll Static PE information: section name: .kvjqnl
Source: GpUSRuIBHx.dll Static PE information: section name: .ikzlp
Source: GpUSRuIBHx.dll Static PE information: section name: .adsxi
Source: FileHistory.exe.4.dr Static PE information: section name: .nep
Source: ProximityUxHost.exe.4.dr Static PE information: section name: .imrsiv
Source: omadmclient.exe.4.dr Static PE information: section name: .didat
Source: consent.exe.4.dr Static PE information: section name: .didat
Source: consent.exe.4.dr Static PE information: section name: consent
Source: SndVol.exe.4.dr Static PE information: section name: .imrsiv
Source: SndVol.exe.4.dr Static PE information: section name: .didat
Source: Utilman.exe.4.dr Static PE information: section name: .imrsiv
Source: phoneactivate.exe.4.dr Static PE information: section name: .imrsiv
Source: DmNotificationBroker.exe.4.dr Static PE information: section name: .imrsiv
Source: XmlLite.dll.4.dr Static PE information: section name: .vxl
Source: XmlLite.dll.4.dr Static PE information: section name: .qwubgr
Source: XmlLite.dll.4.dr Static PE information: section name: .eer
Source: XmlLite.dll.4.dr Static PE information: section name: .xwwauf
Source: XmlLite.dll.4.dr Static PE information: section name: .pkc
Source: XmlLite.dll.4.dr Static PE information: section name: .npkda
Source: XmlLite.dll.4.dr Static PE information: section name: .vhs
Source: XmlLite.dll.4.dr Static PE information: section name: .iaywj
Source: XmlLite.dll.4.dr Static PE information: section name: .nasi
Source: XmlLite.dll.4.dr Static PE information: section name: .zhvprh
Source: XmlLite.dll.4.dr Static PE information: section name: .yatdsp
Source: XmlLite.dll.4.dr Static PE information: section name: .njso
Source: XmlLite.dll.4.dr Static PE information: section name: .lgliat
Source: XmlLite.dll.4.dr Static PE information: section name: .ntqjh
Source: XmlLite.dll.4.dr Static PE information: section name: .sucsek
Source: XmlLite.dll.4.dr Static PE information: section name: .qsxjui
Source: XmlLite.dll.4.dr Static PE information: section name: .twctcm
Source: XmlLite.dll.4.dr Static PE information: section name: .nms
Source: XmlLite.dll.4.dr Static PE information: section name: .ogj
Source: XmlLite.dll.4.dr Static PE information: section name: .vrkgb
Source: XmlLite.dll.4.dr Static PE information: section name: .gikfw
Source: XmlLite.dll.4.dr Static PE information: section name: .ktl
Source: XmlLite.dll.4.dr Static PE information: section name: .crcn
Source: XmlLite.dll.4.dr Static PE information: section name: .wtfr
Source: XmlLite.dll.4.dr Static PE information: section name: .hep
Source: XmlLite.dll.4.dr Static PE information: section name: .ywg
Source: XmlLite.dll.4.dr Static PE information: section name: .sqsp
Source: XmlLite.dll.4.dr Static PE information: section name: .gzb
Source: XmlLite.dll.4.dr Static PE information: section name: .fatlss
Source: XmlLite.dll.4.dr Static PE information: section name: .plqa
Source: XmlLite.dll.4.dr Static PE information: section name: .vzt
Source: XmlLite.dll.4.dr Static PE information: section name: .dsbyd
Source: XmlLite.dll.4.dr Static PE information: section name: .cdelc
Source: XmlLite.dll.4.dr Static PE information: section name: .qkhkj
Source: XmlLite.dll.4.dr Static PE information: section name: .mnzegr
Source: XmlLite.dll.4.dr Static PE information: section name: .krw
Source: XmlLite.dll.4.dr Static PE information: section name: .jvsmn
Source: XmlLite.dll.4.dr Static PE information: section name: .bygpq
Source: XmlLite.dll.4.dr Static PE information: section name: .kzdbu
Source: XmlLite.dll.4.dr Static PE information: section name: .mwxorn
Source: XmlLite.dll.4.dr Static PE information: section name: .raf
Source: XmlLite.dll.4.dr Static PE information: section name: .zcyw
Source: XmlLite.dll.4.dr Static PE information: section name: .zeczh
Source: XmlLite.dll.4.dr Static PE information: section name: .pvv
Source: XmlLite.dll.4.dr Static PE information: section name: .lug
Source: XmlLite.dll.4.dr Static PE information: section name: .ski
Source: XmlLite.dll.4.dr Static PE information: section name: .japjd
Source: XmlLite.dll.4.dr Static PE information: section name: .mwtzml
Source: XmlLite.dll.4.dr Static PE information: section name: .vgssf
Source: XmlLite.dll.4.dr Static PE information: section name: .gsroye
Source: XmlLite.dll.4.dr Static PE information: section name: .vcmr
Source: XmlLite.dll.4.dr Static PE information: section name: .kvjqnl
Source: XmlLite.dll.4.dr Static PE information: section name: .ikzlp
Source: XmlLite.dll.4.dr Static PE information: section name: .adsxi
Source: XmlLite.dll.4.dr Static PE information: section name: .gzc
Source: UxTheme.dll.4.dr Static PE information: section name: .vxl
Source: UxTheme.dll.4.dr Static PE information: section name: .qwubgr
Source: UxTheme.dll.4.dr Static PE information: section name: .eer
Source: UxTheme.dll.4.dr Static PE information: section name: .xwwauf
Source: UxTheme.dll.4.dr Static PE information: section name: .pkc
Source: UxTheme.dll.4.dr Static PE information: section name: .npkda
Source: UxTheme.dll.4.dr Static PE information: section name: .vhs
Source: UxTheme.dll.4.dr Static PE information: section name: .iaywj
Source: UxTheme.dll.4.dr Static PE information: section name: .nasi
Source: UxTheme.dll.4.dr Static PE information: section name: .zhvprh
Source: UxTheme.dll.4.dr Static PE information: section name: .yatdsp
Source: UxTheme.dll.4.dr Static PE information: section name: .njso
Source: UxTheme.dll.4.dr Static PE information: section name: .lgliat
Source: UxTheme.dll.4.dr Static PE information: section name: .ntqjh
Source: UxTheme.dll.4.dr Static PE information: section name: .sucsek
Source: UxTheme.dll.4.dr Static PE information: section name: .qsxjui
Source: UxTheme.dll.4.dr Static PE information: section name: .twctcm
Source: UxTheme.dll.4.dr Static PE information: section name: .nms
Source: UxTheme.dll.4.dr Static PE information: section name: .ogj
Source: UxTheme.dll.4.dr Static PE information: section name: .vrkgb
Source: UxTheme.dll.4.dr Static PE information: section name: .gikfw
Source: UxTheme.dll.4.dr Static PE information: section name: .ktl
Source: UxTheme.dll.4.dr Static PE information: section name: .crcn
Source: UxTheme.dll.4.dr Static PE information: section name: .wtfr
Source: UxTheme.dll.4.dr Static PE information: section name: .hep
Source: UxTheme.dll.4.dr Static PE information: section name: .ywg
Source: UxTheme.dll.4.dr Static PE information: section name: .sqsp
Source: UxTheme.dll.4.dr Static PE information: section name: .gzb
Source: UxTheme.dll.4.dr Static PE information: section name: .fatlss
Source: UxTheme.dll.4.dr Static PE information: section name: .plqa
Source: UxTheme.dll.4.dr Static PE information: section name: .vzt
Source: UxTheme.dll.4.dr Static PE information: section name: .dsbyd
Source: UxTheme.dll.4.dr Static PE information: section name: .cdelc
Source: UxTheme.dll.4.dr Static PE information: section name: .qkhkj
Source: UxTheme.dll.4.dr Static PE information: section name: .mnzegr
Source: UxTheme.dll.4.dr Static PE information: section name: .krw
Source: UxTheme.dll.4.dr Static PE information: section name: .jvsmn
Source: UxTheme.dll.4.dr Static PE information: section name: .bygpq
Source: UxTheme.dll.4.dr Static PE information: section name: .kzdbu
Source: UxTheme.dll.4.dr Static PE information: section name: .mwxorn
Source: UxTheme.dll.4.dr Static PE information: section name: .raf
Source: UxTheme.dll.4.dr Static PE information: section name: .zcyw
Source: UxTheme.dll.4.dr Static PE information: section name: .zeczh
Source: UxTheme.dll.4.dr Static PE information: section name: .pvv
Source: UxTheme.dll.4.dr Static PE information: section name: .lug
Source: UxTheme.dll.4.dr Static PE information: section name: .ski
Source: UxTheme.dll.4.dr Static PE information: section name: .japjd
Source: UxTheme.dll.4.dr Static PE information: section name: .mwtzml
Source: UxTheme.dll.4.dr Static PE information: section name: .vgssf
Source: UxTheme.dll.4.dr Static PE information: section name: .gsroye
Source: UxTheme.dll.4.dr Static PE information: section name: .vcmr
Source: UxTheme.dll.4.dr Static PE information: section name: .kvjqnl
Source: UxTheme.dll.4.dr Static PE information: section name: .ikzlp
Source: UxTheme.dll.4.dr Static PE information: section name: .adsxi
Source: UxTheme.dll.4.dr Static PE information: section name: .rem
Source: WMsgAPI.dll.4.dr Static PE information: section name: .vxl
Source: WMsgAPI.dll.4.dr Static PE information: section name: .qwubgr
Source: WMsgAPI.dll.4.dr Static PE information: section name: .eer
Source: WMsgAPI.dll.4.dr Static PE information: section name: .xwwauf
Source: WMsgAPI.dll.4.dr Static PE information: section name: .pkc
Source: WMsgAPI.dll.4.dr Static PE information: section name: .npkda
Source: WMsgAPI.dll.4.dr Static PE information: section name: .vhs
Source: WMsgAPI.dll.4.dr Static PE information: section name: .iaywj
Source: WMsgAPI.dll.4.dr Static PE information: section name: .nasi
Source: WMsgAPI.dll.4.dr Static PE information: section name: .zhvprh
Source: WMsgAPI.dll.4.dr Static PE information: section name: .yatdsp
Source: WMsgAPI.dll.4.dr Static PE information: section name: .njso
Source: WMsgAPI.dll.4.dr Static PE information: section name: .lgliat
Source: WMsgAPI.dll.4.dr Static PE information: section name: .ntqjh
Source: WMsgAPI.dll.4.dr Static PE information: section name: .sucsek
Source: WMsgAPI.dll.4.dr Static PE information: section name: .qsxjui
Source: WMsgAPI.dll.4.dr Static PE information: section name: .twctcm
Source: WMsgAPI.dll.4.dr Static PE information: section name: .nms
Source: WMsgAPI.dll.4.dr Static PE information: section name: .ogj
Source: WMsgAPI.dll.4.dr Static PE information: section name: .vrkgb
Source: WMsgAPI.dll.4.dr Static PE information: section name: .gikfw
Source: WMsgAPI.dll.4.dr Static PE information: section name: .ktl
Source: WMsgAPI.dll.4.dr Static PE information: section name: .crcn
Source: WMsgAPI.dll.4.dr Static PE information: section name: .wtfr
Source: WMsgAPI.dll.4.dr Static PE information: section name: .hep
Source: WMsgAPI.dll.4.dr Static PE information: section name: .ywg
Source: WMsgAPI.dll.4.dr Static PE information: section name: .sqsp
Source: WMsgAPI.dll.4.dr Static PE information: section name: .gzb
Source: WMsgAPI.dll.4.dr Static PE information: section name: .fatlss
Source: WMsgAPI.dll.4.dr Static PE information: section name: .plqa
Source: WMsgAPI.dll.4.dr Static PE information: section name: .vzt
Source: WMsgAPI.dll.4.dr Static PE information: section name: .dsbyd
Source: WMsgAPI.dll.4.dr Static PE information: section name: .cdelc
Source: WMsgAPI.dll.4.dr Static PE information: section name: .qkhkj
Source: WMsgAPI.dll.4.dr Static PE information: section name: .mnzegr
Source: WMsgAPI.dll.4.dr Static PE information: section name: .krw
Source: WMsgAPI.dll.4.dr Static PE information: section name: .jvsmn
Source: WMsgAPI.dll.4.dr Static PE information: section name: .bygpq
Source: WMsgAPI.dll.4.dr Static PE information: section name: .kzdbu
Source: WMsgAPI.dll.4.dr Static PE information: section name: .mwxorn
Source: WMsgAPI.dll.4.dr Static PE information: section name: .raf
Source: WMsgAPI.dll.4.dr Static PE information: section name: .zcyw
Source: WMsgAPI.dll.4.dr Static PE information: section name: .zeczh
Source: WMsgAPI.dll.4.dr Static PE information: section name: .pvv
Source: WMsgAPI.dll.4.dr Static PE information: section name: .lug
Source: WMsgAPI.dll.4.dr Static PE information: section name: .ski
Source: WMsgAPI.dll.4.dr Static PE information: section name: .japjd
Source: WMsgAPI.dll.4.dr Static PE information: section name: .mwtzml
Source: WMsgAPI.dll.4.dr Static PE information: section name: .vgssf
Source: WMsgAPI.dll.4.dr Static PE information: section name: .gsroye
Source: WMsgAPI.dll.4.dr Static PE information: section name: .vcmr
Source: WMsgAPI.dll.4.dr Static PE information: section name: .kvjqnl
Source: WMsgAPI.dll.4.dr Static PE information: section name: .ikzlp
Source: WMsgAPI.dll.4.dr Static PE information: section name: .adsxi
Source: WMsgAPI.dll.4.dr Static PE information: section name: .fpxo
Source: WTSAPI32.dll.4.dr Static PE information: section name: .vxl
Source: WTSAPI32.dll.4.dr Static PE information: section name: .qwubgr
Source: WTSAPI32.dll.4.dr Static PE information: section name: .eer
Source: WTSAPI32.dll.4.dr Static PE information: section name: .xwwauf
Source: WTSAPI32.dll.4.dr Static PE information: section name: .pkc
Source: WTSAPI32.dll.4.dr Static PE information: section name: .npkda
Source: WTSAPI32.dll.4.dr Static PE information: section name: .vhs
Source: WTSAPI32.dll.4.dr Static PE information: section name: .iaywj
Source: WTSAPI32.dll.4.dr Static PE information: section name: .nasi
Source: WTSAPI32.dll.4.dr Static PE information: section name: .zhvprh
Source: WTSAPI32.dll.4.dr Static PE information: section name: .yatdsp
Source: WTSAPI32.dll.4.dr Static PE information: section name: .njso
Source: WTSAPI32.dll.4.dr Static PE information: section name: .lgliat
Source: WTSAPI32.dll.4.dr Static PE information: section name: .ntqjh
Source: WTSAPI32.dll.4.dr Static PE information: section name: .sucsek
Source: WTSAPI32.dll.4.dr Static PE information: section name: .qsxjui
Source: WTSAPI32.dll.4.dr Static PE information: section name: .twctcm
Source: WTSAPI32.dll.4.dr Static PE information: section name: .nms
Source: WTSAPI32.dll.4.dr Static PE information: section name: .ogj
Source: WTSAPI32.dll.4.dr Static PE information: section name: .vrkgb
Source: WTSAPI32.dll.4.dr Static PE information: section name: .gikfw
Source: WTSAPI32.dll.4.dr Static PE information: section name: .ktl
Source: WTSAPI32.dll.4.dr Static PE information: section name: .crcn
Source: WTSAPI32.dll.4.dr Static PE information: section name: .wtfr
Source: WTSAPI32.dll.4.dr Static PE information: section name: .hep
Source: WTSAPI32.dll.4.dr Static PE information: section name: .ywg
Source: WTSAPI32.dll.4.dr Static PE information: section name: .sqsp
Source: WTSAPI32.dll.4.dr Static PE information: section name: .gzb
Source: WTSAPI32.dll.4.dr Static PE information: section name: .fatlss
Source: WTSAPI32.dll.4.dr Static PE information: section name: .plqa
Source: WTSAPI32.dll.4.dr Static PE information: section name: .vzt
Source: WTSAPI32.dll.4.dr Static PE information: section name: .dsbyd
Source: WTSAPI32.dll.4.dr Static PE information: section name: .cdelc
Source: WTSAPI32.dll.4.dr Static PE information: section name: .qkhkj
Source: WTSAPI32.dll.4.dr Static PE information: section name: .mnzegr
Source: WTSAPI32.dll.4.dr Static PE information: section name: .krw
Source: WTSAPI32.dll.4.dr Static PE information: section name: .jvsmn
Source: WTSAPI32.dll.4.dr Static PE information: section name: .bygpq
Source: WTSAPI32.dll.4.dr Static PE information: section name: .kzdbu
Source: WTSAPI32.dll.4.dr Static PE information: section name: .mwxorn
Source: WTSAPI32.dll.4.dr Static PE information: section name: .raf
Source: WTSAPI32.dll.4.dr Static PE information: section name: .zcyw
Source: WTSAPI32.dll.4.dr Static PE information: section name: .zeczh
Source: WTSAPI32.dll.4.dr Static PE information: section name: .pvv
Source: WTSAPI32.dll.4.dr Static PE information: section name: .lug
Source: WTSAPI32.dll.4.dr Static PE information: section name: .ski
Source: WTSAPI32.dll.4.dr Static PE information: section name: .japjd
Source: WTSAPI32.dll.4.dr Static PE information: section name: .mwtzml
Source: WTSAPI32.dll.4.dr Static PE information: section name: .vgssf
Source: WTSAPI32.dll.4.dr Static PE information: section name: .gsroye
Source: WTSAPI32.dll.4.dr Static PE information: section name: .vcmr
Source: WTSAPI32.dll.4.dr Static PE information: section name: .kvjqnl
Source: WTSAPI32.dll.4.dr Static PE information: section name: .ikzlp
Source: WTSAPI32.dll.4.dr Static PE information: section name: .adsxi
Source: WTSAPI32.dll.4.dr Static PE information: section name: .wrttic
Source: OLEACC.dll.4.dr Static PE information: section name: .vxl
Source: OLEACC.dll.4.dr Static PE information: section name: .qwubgr
Source: OLEACC.dll.4.dr Static PE information: section name: .eer
Source: OLEACC.dll.4.dr Static PE information: section name: .xwwauf
Source: OLEACC.dll.4.dr Static PE information: section name: .pkc
Source: OLEACC.dll.4.dr Static PE information: section name: .npkda
Source: OLEACC.dll.4.dr Static PE information: section name: .vhs
Source: OLEACC.dll.4.dr Static PE information: section name: .iaywj
Source: OLEACC.dll.4.dr Static PE information: section name: .nasi
Source: OLEACC.dll.4.dr Static PE information: section name: .zhvprh
Source: OLEACC.dll.4.dr Static PE information: section name: .yatdsp
Source: OLEACC.dll.4.dr Static PE information: section name: .njso
Source: OLEACC.dll.4.dr Static PE information: section name: .lgliat
Source: OLEACC.dll.4.dr Static PE information: section name: .ntqjh
Source: OLEACC.dll.4.dr Static PE information: section name: .sucsek
Source: OLEACC.dll.4.dr Static PE information: section name: .qsxjui
Source: OLEACC.dll.4.dr Static PE information: section name: .twctcm
Source: OLEACC.dll.4.dr Static PE information: section name: .nms
Source: OLEACC.dll.4.dr Static PE information: section name: .ogj
Source: OLEACC.dll.4.dr Static PE information: section name: .vrkgb
Source: OLEACC.dll.4.dr Static PE information: section name: .gikfw
Source: OLEACC.dll.4.dr Static PE information: section name: .ktl
Source: OLEACC.dll.4.dr Static PE information: section name: .crcn
Source: OLEACC.dll.4.dr Static PE information: section name: .wtfr
Source: OLEACC.dll.4.dr Static PE information: section name: .hep
Source: OLEACC.dll.4.dr Static PE information: section name: .ywg
Source: OLEACC.dll.4.dr Static PE information: section name: .sqsp
Source: OLEACC.dll.4.dr Static PE information: section name: .gzb
Source: OLEACC.dll.4.dr Static PE information: section name: .fatlss
Source: OLEACC.dll.4.dr Static PE information: section name: .plqa
Source: OLEACC.dll.4.dr Static PE information: section name: .vzt
Source: OLEACC.dll.4.dr Static PE information: section name: .dsbyd
Source: OLEACC.dll.4.dr Static PE information: section name: .cdelc
Source: OLEACC.dll.4.dr Static PE information: section name: .qkhkj
Source: OLEACC.dll.4.dr Static PE information: section name: .mnzegr
Source: OLEACC.dll.4.dr Static PE information: section name: .krw
Source: OLEACC.dll.4.dr Static PE information: section name: .jvsmn
Source: OLEACC.dll.4.dr Static PE information: section name: .bygpq
Source: OLEACC.dll.4.dr Static PE information: section name: .kzdbu
Source: OLEACC.dll.4.dr Static PE information: section name: .mwxorn
Source: OLEACC.dll.4.dr Static PE information: section name: .raf
Source: OLEACC.dll.4.dr Static PE information: section name: .zcyw
Source: OLEACC.dll.4.dr Static PE information: section name: .zeczh
Source: OLEACC.dll.4.dr Static PE information: section name: .pvv
Source: OLEACC.dll.4.dr Static PE information: section name: .lug
Source: OLEACC.dll.4.dr Static PE information: section name: .ski
Source: OLEACC.dll.4.dr Static PE information: section name: .japjd
Source: OLEACC.dll.4.dr Static PE information: section name: .mwtzml
Source: OLEACC.dll.4.dr Static PE information: section name: .vgssf
Source: OLEACC.dll.4.dr Static PE information: section name: .gsroye
Source: OLEACC.dll.4.dr Static PE information: section name: .vcmr
Source: OLEACC.dll.4.dr Static PE information: section name: .kvjqnl
Source: OLEACC.dll.4.dr Static PE information: section name: .ikzlp
Source: OLEACC.dll.4.dr Static PE information: section name: .adsxi
Source: OLEACC.dll.4.dr Static PE information: section name: .pvfxo
Source: dwmapi.dll.4.dr Static PE information: section name: .vxl
Source: dwmapi.dll.4.dr Static PE information: section name: .qwubgr
Source: dwmapi.dll.4.dr Static PE information: section name: .eer
Source: dwmapi.dll.4.dr Static PE information: section name: .xwwauf
Source: dwmapi.dll.4.dr Static PE information: section name: .pkc
Source: dwmapi.dll.4.dr Static PE information: section name: .npkda
Source: dwmapi.dll.4.dr Static PE information: section name: .vhs
Source: dwmapi.dll.4.dr Static PE information: section name: .iaywj
Source: dwmapi.dll.4.dr Static PE information: section name: .nasi
Source: dwmapi.dll.4.dr Static PE information: section name: .zhvprh
Source: dwmapi.dll.4.dr Static PE information: section name: .yatdsp
Source: dwmapi.dll.4.dr Static PE information: section name: .njso
Source: dwmapi.dll.4.dr Static PE information: section name: .lgliat
Source: dwmapi.dll.4.dr Static PE information: section name: .ntqjh
Source: dwmapi.dll.4.dr Static PE information: section name: .sucsek
Source: dwmapi.dll.4.dr Static PE information: section name: .qsxjui
Source: dwmapi.dll.4.dr Static PE information: section name: .twctcm
Source: dwmapi.dll.4.dr Static PE information: section name: .nms
Source: dwmapi.dll.4.dr Static PE information: section name: .ogj
Source: dwmapi.dll.4.dr Static PE information: section name: .vrkgb
Source: dwmapi.dll.4.dr Static PE information: section name: .gikfw
Source: dwmapi.dll.4.dr Static PE information: section name: .ktl
Source: dwmapi.dll.4.dr Static PE information: section name: .crcn
Source: dwmapi.dll.4.dr Static PE information: section name: .wtfr
Source: dwmapi.dll.4.dr Static PE information: section name: .hep
Source: dwmapi.dll.4.dr Static PE information: section name: .ywg
Source: dwmapi.dll.4.dr Static PE information: section name: .sqsp
Source: dwmapi.dll.4.dr Static PE information: section name: .gzb
Source: dwmapi.dll.4.dr Static PE information: section name: .fatlss
Source: dwmapi.dll.4.dr Static PE information: section name: .plqa
Source: dwmapi.dll.4.dr Static PE information: section name: .vzt
Source: dwmapi.dll.4.dr Static PE information: section name: .dsbyd
Source: dwmapi.dll.4.dr Static PE information: section name: .cdelc
Source: dwmapi.dll.4.dr Static PE information: section name: .qkhkj
Source: dwmapi.dll.4.dr Static PE information: section name: .mnzegr
Source: dwmapi.dll.4.dr Static PE information: section name: .krw
Source: dwmapi.dll.4.dr Static PE information: section name: .jvsmn
Source: dwmapi.dll.4.dr Static PE information: section name: .bygpq
Source: dwmapi.dll.4.dr Static PE information: section name: .kzdbu
Source: dwmapi.dll.4.dr Static PE information: section name: .mwxorn
Source: dwmapi.dll.4.dr Static PE information: section name: .raf
Source: dwmapi.dll.4.dr Static PE information: section name: .zcyw
Source: dwmapi.dll.4.dr Static PE information: section name: .zeczh
Source: dwmapi.dll.4.dr Static PE information: section name: .pvv
Source: dwmapi.dll.4.dr Static PE information: section name: .lug
Source: dwmapi.dll.4.dr Static PE information: section name: .ski
Source: dwmapi.dll.4.dr Static PE information: section name: .japjd
Source: dwmapi.dll.4.dr Static PE information: section name: .mwtzml
Source: dwmapi.dll.4.dr Static PE information: section name: .vgssf
Source: dwmapi.dll.4.dr Static PE information: section name: .gsroye
Source: dwmapi.dll.4.dr Static PE information: section name: .vcmr
Source: dwmapi.dll.4.dr Static PE information: section name: .kvjqnl
Source: dwmapi.dll.4.dr Static PE information: section name: .ikzlp
Source: dwmapi.dll.4.dr Static PE information: section name: .adsxi
Source: dwmapi.dll.4.dr Static PE information: section name: .fanrx
Source: OLEACC.dll0.4.dr Static PE information: section name: .vxl
Source: OLEACC.dll0.4.dr Static PE information: section name: .qwubgr
Source: OLEACC.dll0.4.dr Static PE information: section name: .eer
Source: OLEACC.dll0.4.dr Static PE information: section name: .xwwauf
Source: OLEACC.dll0.4.dr Static PE information: section name: .pkc
Source: OLEACC.dll0.4.dr Static PE information: section name: .npkda
Source: OLEACC.dll0.4.dr Static PE information: section name: .vhs
Source: OLEACC.dll0.4.dr Static PE information: section name: .iaywj
Source: OLEACC.dll0.4.dr Static PE information: section name: .nasi
Source: OLEACC.dll0.4.dr Static PE information: section name: .zhvprh
Source: OLEACC.dll0.4.dr Static PE information: section name: .yatdsp
Source: OLEACC.dll0.4.dr Static PE information: section name: .njso
Source: OLEACC.dll0.4.dr Static PE information: section name: .lgliat
Source: OLEACC.dll0.4.dr Static PE information: section name: .ntqjh
Source: OLEACC.dll0.4.dr Static PE information: section name: .sucsek
Source: OLEACC.dll0.4.dr Static PE information: section name: .qsxjui
Source: OLEACC.dll0.4.dr Static PE information: section name: .twctcm
Source: OLEACC.dll0.4.dr Static PE information: section name: .nms
Source: OLEACC.dll0.4.dr Static PE information: section name: .ogj
Source: OLEACC.dll0.4.dr Static PE information: section name: .vrkgb
Source: OLEACC.dll0.4.dr Static PE information: section name: .gikfw
Source: OLEACC.dll0.4.dr Static PE information: section name: .ktl
Source: OLEACC.dll0.4.dr Static PE information: section name: .crcn
Source: OLEACC.dll0.4.dr Static PE information: section name: .wtfr
Source: OLEACC.dll0.4.dr Static PE information: section name: .hep
Source: OLEACC.dll0.4.dr Static PE information: section name: .ywg
Source: OLEACC.dll0.4.dr Static PE information: section name: .sqsp
Source: OLEACC.dll0.4.dr Static PE information: section name: .gzb
Source: OLEACC.dll0.4.dr Static PE information: section name: .fatlss
Source: OLEACC.dll0.4.dr Static PE information: section name: .plqa
Source: OLEACC.dll0.4.dr Static PE information: section name: .vzt
Source: OLEACC.dll0.4.dr Static PE information: section name: .dsbyd
Source: OLEACC.dll0.4.dr Static PE information: section name: .cdelc
Source: OLEACC.dll0.4.dr Static PE information: section name: .qkhkj
Source: OLEACC.dll0.4.dr Static PE information: section name: .mnzegr
Source: OLEACC.dll0.4.dr Static PE information: section name: .krw
Source: OLEACC.dll0.4.dr Static PE information: section name: .jvsmn
Source: OLEACC.dll0.4.dr Static PE information: section name: .bygpq
Source: OLEACC.dll0.4.dr Static PE information: section name: .kzdbu
Source: OLEACC.dll0.4.dr Static PE information: section name: .mwxorn
Source: OLEACC.dll0.4.dr Static PE information: section name: .raf
Source: OLEACC.dll0.4.dr Static PE information: section name: .zcyw
Source: OLEACC.dll0.4.dr Static PE information: section name: .zeczh
Source: OLEACC.dll0.4.dr Static PE information: section name: .pvv
Source: OLEACC.dll0.4.dr Static PE information: section name: .lug
Source: OLEACC.dll0.4.dr Static PE information: section name: .ski
Source: OLEACC.dll0.4.dr Static PE information: section name: .japjd
Source: OLEACC.dll0.4.dr Static PE information: section name: .mwtzml
Source: OLEACC.dll0.4.dr Static PE information: section name: .vgssf
Source: OLEACC.dll0.4.dr Static PE information: section name: .gsroye
Source: OLEACC.dll0.4.dr Static PE information: section name: .vcmr
Source: OLEACC.dll0.4.dr Static PE information: section name: .kvjqnl
Source: OLEACC.dll0.4.dr Static PE information: section name: .ikzlp
Source: OLEACC.dll0.4.dr Static PE information: section name: .adsxi
Source: OLEACC.dll0.4.dr Static PE information: section name: .rqsht
Source: WTSAPI32.dll0.4.dr Static PE information: section name: .vxl
Source: WTSAPI32.dll0.4.dr Static PE information: section name: .qwubgr
Source: WTSAPI32.dll0.4.dr Static PE information: section name: .eer
Source: WTSAPI32.dll0.4.dr Static PE information: section name: .xwwauf
Source: WTSAPI32.dll0.4.dr Static PE information: section name: .pkc
Source: WTSAPI32.dll0.4.dr Static PE information: section name: .npkda
Source: WTSAPI32.dll0.4.dr Static PE information: section name: .vhs
Source: WTSAPI32.dll0.4.dr Static PE information: section name: .iaywj
Source: WTSAPI32.dll0.4.dr Static PE information: section name: .nasi
Source: WTSAPI32.dll0.4.dr Static PE information: section name: .zhvprh
Source: WTSAPI32.dll0.4.dr Static PE information: section name: .yatdsp
Source: WTSAPI32.dll0.4.dr Static PE information: section name: .njso
Source: WTSAPI32.dll0.4.dr Static PE information: section name: .lgliat
Source: WTSAPI32.dll0.4.dr Static PE information: section name: .ntqjh
Source: WTSAPI32.dll0.4.dr Static PE information: section name: .sucsek
Source: WTSAPI32.dll0.4.dr Static PE information: section name: .qsxjui
Source: WTSAPI32.dll0.4.dr Static PE information: section name: .twctcm
Source: WTSAPI32.dll0.4.dr Static PE information: section name: .nms
Source: WTSAPI32.dll0.4.dr Static PE information: section name: .ogj
Source: WTSAPI32.dll0.4.dr Static PE information: section name: .vrkgb
Source: WTSAPI32.dll0.4.dr Static PE information: section name: .gikfw
Source: WTSAPI32.dll0.4.dr Static PE information: section name: .ktl
Source: WTSAPI32.dll0.4.dr Static PE information: section name: .crcn
Source: WTSAPI32.dll0.4.dr Static PE information: section name: .wtfr
Source: WTSAPI32.dll0.4.dr Static PE information: section name: .hep
Source: WTSAPI32.dll0.4.dr Static PE information: section name: .ywg
Source: WTSAPI32.dll0.4.dr Static PE information: section name: .sqsp
Source: WTSAPI32.dll0.4.dr Static PE information: section name: .gzb
Source: WTSAPI32.dll0.4.dr Static PE information: section name: .fatlss
Source: WTSAPI32.dll0.4.dr Static PE information: section name: .plqa
Source: WTSAPI32.dll0.4.dr Static PE information: section name: .vzt
Source: WTSAPI32.dll0.4.dr Static PE information: section name: .dsbyd
Source: WTSAPI32.dll0.4.dr Static PE information: section name: .cdelc
Source: WTSAPI32.dll0.4.dr Static PE information: section name: .qkhkj
Source: WTSAPI32.dll0.4.dr Static PE information: section name: .mnzegr
Source: WTSAPI32.dll0.4.dr Static PE information: section name: .krw
Source: WTSAPI32.dll0.4.dr Static PE information: section name: .jvsmn
Source: WTSAPI32.dll0.4.dr Static PE information: section name: .bygpq
Source: WTSAPI32.dll0.4.dr Static PE information: section name: .kzdbu
Source: WTSAPI32.dll0.4.dr Static PE information: section name: .mwxorn
Source: WTSAPI32.dll0.4.dr Static PE information: section name: .raf
Source: WTSAPI32.dll0.4.dr Static PE information: section name: .zcyw
Source: WTSAPI32.dll0.4.dr Static PE information: section name: .zeczh
Source: WTSAPI32.dll0.4.dr Static PE information: section name: .pvv
Source: WTSAPI32.dll0.4.dr Static PE information: section name: .lug
Source: WTSAPI32.dll0.4.dr Static PE information: section name: .ski
Source: WTSAPI32.dll0.4.dr Static PE information: section name: .japjd
Source: WTSAPI32.dll0.4.dr Static PE information: section name: .mwtzml
Source: WTSAPI32.dll0.4.dr Static PE information: section name: .vgssf
Source: WTSAPI32.dll0.4.dr Static PE information: section name: .gsroye
Source: WTSAPI32.dll0.4.dr Static PE information: section name: .vcmr
Binary contains a suspicious time stamp
Source: FileHistory.exe.4.dr Static PE information: 0xFAD0FCA2 [Mon May 7 16:56:02 2103 UTC]
Source: initial sample Static PE information: section name: .text entropy: 7.78392111205
Source: initial sample Static PE information: section name: .text entropy: 7.78392111205
Source: initial sample Static PE information: section name: .text entropy: 7.78392111205
Source: initial sample Static PE information: section name: .text entropy: 7.78392111205
Source: initial sample Static PE information: section name: .text entropy: 7.78392111205
Source: initial sample Static PE information: section name: .text entropy: 7.78392111205
Source: initial sample Static PE information: section name: .text entropy: 7.78392111205
Source: initial sample Static PE information: section name: .text entropy: 7.78392111205
Source: initial sample Static PE information: section name: .text entropy: 7.78392111205
Source: initial sample Static PE information: section name: .text entropy: 7.78392111205
Source: initial sample Static PE information: section name: .text entropy: 7.78392111205
Source: initial sample Static PE information: section name: .text entropy: 7.78392111205
Source: initial sample Static PE information: section name: .text entropy: 7.78392111205
Source: initial sample Static PE information: section name: .text entropy: 7.78392111205
Source: initial sample Static PE information: section name: .text entropy: 7.78392111205
Source: initial sample Static PE information: section name: .text entropy: 7.78392111205
Drops PE files
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\2HophZ6P\XmlLite.dll Jump to dropped file
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\Fjrn\WINSTA.dll Jump to dropped file
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\D6R1uM\Utilman.exe Jump to dropped file
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\CSYG\DmNotificationBroker.exe Jump to dropped file
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\Kyz7D\rdpinput.exe Jump to dropped file
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\l5T\omadmclient.exe Jump to dropped file
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\G6gv6e\UxTheme.dll Jump to dropped file
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\2Yf2pw501\slui.exe Jump to dropped file
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\oOQGGow\DUI70.dll Jump to dropped file
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\rDAhA\WMsgAPI.dll Jump to dropped file
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\Kyz7D\WTSAPI32.dll Jump to dropped file
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\Ui9PsZ9\OLEACC.dll Jump to dropped file
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\l5T\XmlLite.dll Jump to dropped file
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\LoReH\SnippingTool.exe Jump to dropped file
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\2HophZ6P\printfilterpipelinesvc.exe Jump to dropped file
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\6f22a\UxTheme.dll Jump to dropped file
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\Fjrn\rdpinput.exe Jump to dropped file
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\bTcR2e\SndVol.exe Jump to dropped file
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\G6gv6e\AtBroker.exe Jump to dropped file
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\rDAhA\consent.exe Jump to dropped file
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\LoReH\OLEACC.dll Jump to dropped file
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\op5PCy\phoneactivate.exe Jump to dropped file
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\bTcR2e\dwmapi.dll Jump to dropped file
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\2Yf2pw501\WTSAPI32.dll Jump to dropped file
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\op5PCy\DUI70.dll Jump to dropped file
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\D6R1uM\DUser.dll Jump to dropped file
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\oOQGGow\ProximityUxHost.exe Jump to dropped file
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\CSYG\DUI70.dll Jump to dropped file
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\6f22a\FileHistory.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Kyz7D\rdpinput.exe Code function: 20_2_00007FF7BADA4B74 OpenSCManagerW,OpenServiceW,StartServiceW,GetLastError,CloseServiceHandle,CloseServiceHandle,Sleep, 20_2_00007FF7BADA4B74
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Source: C:\Users\user\AppData\Local\LoReH\SnippingTool.exe Code function: 25_2_00007FF70C3FDE78 IsWindowVisible,ShowWindow,IsZoomed,ShowWindow,SendMessageW,SendMessageW,IsIconic,OpenIcon,IsWindowVisible, 25_2_00007FF70C3FDE78
Source: C:\Users\user\AppData\Local\LoReH\SnippingTool.exe Code function: 25_2_00007FF70C3F7800 FindWindowW,FindWindowW,IsWindowVisible,FindWindowW,IsWindowVisible,FindWindowW,IsWindowVisible,IsIconic,OpenIcon,SetForegroundWindow,GetLastError, 25_2_00007FF70C3F7800
Source: C:\Users\user\AppData\Local\LoReH\SnippingTool.exe Code function: 25_2_00007FF70C3FF79C DefWindowProcW,memset,TraceEvent,DefWindowProcW,SendMessageW,IsIconic,GetWindowRect,IsWindowVisible,IsIconic,OpenIcon, 25_2_00007FF70C3FF79C
Source: C:\Users\user\AppData\Local\LoReH\SnippingTool.exe Code function: 25_2_00007FF70C3FF79C DefWindowProcW,memset,TraceEvent,DefWindowProcW,SendMessageW,IsIconic,GetWindowRect,IsWindowVisible,IsIconic,OpenIcon, 25_2_00007FF70C3FF79C
Source: C:\Users\user\AppData\Local\LoReH\SnippingTool.exe Code function: 25_2_00007FF70C3F3078 IsWindowVisible,IsIconic,DwmGetWindowAttribute, 25_2_00007FF70C3F3078
Extensive use of GetProcAddress (often used to hide API calls)
Source: C:\Users\user\AppData\Local\Kyz7D\rdpinput.exe Code function: 20_2_00007FF7BADB3F94 LoadLibraryExW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 20_2_00007FF7BADB3F94
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\6f22a\FileHistory.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\6f22a\FileHistory.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\6f22a\FileHistory.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\6f22a\FileHistory.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\6f22a\FileHistory.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\6f22a\FileHistory.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\6f22a\FileHistory.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Windows\explorer.exe TID: 5312 Thread sleep count: 82 > 30 Jump to behavior
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Users\user\AppData\Local\Kyz7D\rdpinput.exe Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Fjrn\rdpinput.exe Last function: Thread delayed
Found dropped PE file which has not been started or loaded
Source: C:\Windows\explorer.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\G6gv6e\AtBroker.exe Jump to dropped file
Source: C:\Windows\explorer.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\rDAhA\consent.exe Jump to dropped file
Source: C:\Windows\explorer.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\rDAhA\WMsgAPI.dll Jump to dropped file
Found evasive API chain checking for process token information
Source: C:\Users\user\AppData\Local\6f22a\FileHistory.exe Check user administrative privileges: GetTokenInformation,DecisionNodes
Source: C:\Windows\System32\loaddll64.exe Check user administrative privileges: GetTokenInformation,DecisionNodes
Found large amount of non-executed APIs
Source: C:\Users\user\AppData\Local\Kyz7D\rdpinput.exe API coverage: 1.1 %
Source: C:\Users\user\AppData\Local\bTcR2e\SndVol.exe API coverage: 0.3 %
Source: C:\Users\user\AppData\Local\LoReH\SnippingTool.exe API coverage: 0.4 %
Source: C:\Users\user\AppData\Local\2Yf2pw501\slui.exe API coverage: 1.7 %
Source: C:\Windows\System32\loaddll64.exe Process information queried: ProcessInformation Jump to behavior
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FF8BA62DDC0 GetSystemInfo, 0_2_00007FF8BA62DDC0
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FF8BA62ED10 FindFirstFileExW, 0_2_00007FF8BA62ED10
Source: explorer.exe, 00000004.00000000.363965361.0000000006389000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000
Source: explorer.exe, 00000004.00000000.399448372.0000000007C08000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}i
Source: explorer.exe, 00000004.00000000.399448372.0000000007C08000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000004.00000000.357470448.0000000004150000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}:
Source: explorer.exe, 00000004.00000000.399448372.0000000007C08000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}i&
Source: explorer.exe, 00000004.00000000.399765153.0000000007D2A000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000
Source: explorer.exe, 00000004.00000000.399448372.0000000007C08000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: VMware SATA CD00Iy
Source: explorer.exe, 00000004.00000000.396224901.0000000006243000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}osoft S
Source: explorer.exe, 00000004.00000000.399635685.0000000007CC2000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000v
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Source: C:\Users\user\AppData\Local\bTcR2e\SndVol.exe Code function: 22_2_00007FF6C1BB21D0 GetCurrentThreadId,memset,IsDebuggerPresent,OutputDebugStringW, 22_2_00007FF6C1BB21D0
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Source: C:\Users\user\AppData\Local\bTcR2e\SndVol.exe Code function: 22_2_00007FF6C1BB2F20 GetCurrentThreadId,GetProcessHeap,HeapAlloc, 22_2_00007FF6C1BB2F20
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FF8BA6197D0 LdrLoadDll,FindClose, 0_2_00007FF8BA6197D0
Source: C:\Users\user\AppData\Local\6f22a\FileHistory.exe Memory allocated: page read and write | page guard Jump to behavior
Source: C:\Users\user\AppData\Local\6f22a\FileHistory.exe Code function: 18_2_00007FF6D0A37570 SetUnhandledExceptionFilter, 18_2_00007FF6D0A37570
Source: C:\Users\user\AppData\Local\6f22a\FileHistory.exe Code function: 18_2_00007FF6D0A377EC SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 18_2_00007FF6D0A377EC
Source: C:\Users\user\AppData\Local\Kyz7D\rdpinput.exe Code function: 20_2_00007FF7BADC2610 SetUnhandledExceptionFilter, 20_2_00007FF7BADC2610
Source: C:\Users\user\AppData\Local\Kyz7D\rdpinput.exe Code function: 20_2_00007FF7BADC292C SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 20_2_00007FF7BADC292C
Source: C:\Users\user\AppData\Local\bTcR2e\SndVol.exe Code function: 22_2_00007FF6C1BCF2E0 SetUnhandledExceptionFilter, 22_2_00007FF6C1BCF2E0
Source: C:\Users\user\AppData\Local\bTcR2e\SndVol.exe Code function: 22_2_00007FF6C1BCEE40 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 22_2_00007FF6C1BCEE40
Source: C:\Users\user\AppData\Local\LoReH\SnippingTool.exe Code function: 25_2_00007FF70C41DF84 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 25_2_00007FF70C41DF84
Source: C:\Users\user\AppData\Local\2Yf2pw501\slui.exe Code function: 28_2_00007FF6A3F3D918 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 28_2_00007FF6A3F3D918

HIPS / PFW / Operating System Protection Evasion
barindex
Benign windows process drops PE files
Source: C:\Windows\explorer.exe File created: FileHistory.exe.4.dr Jump to dropped file
Changes memory attributes in foreign processes to executable or writable
Source: C:\Windows\System32\rundll32.exe Memory protected: C:\Windows\explorer.exe base: 7FF8DBF4EFE0 protect: page execute and read and write Jump to behavior
Source: C:\Windows\System32\rundll32.exe Memory protected: C:\Windows\explorer.exe base: 7FF8DBF4E000 protect: page execute read Jump to behavior
Source: C:\Windows\System32\rundll32.exe Memory protected: C:\Windows\explorer.exe base: 7FF8D94B2A20 protect: page execute and read and write Jump to behavior
Queues an APC in another process (thread injection)
Source: C:\Windows\System32\rundll32.exe Thread APC queued: target process: C:\Windows\explorer.exe Jump to behavior
Contains functionality to automate explorer (e.g. start an application)
Source: C:\Users\user\AppData\Local\bTcR2e\SndVol.exe Code function: 22_2_00007FF6C1BBA5C8 GetDC,GetDeviceCaps,ReleaseDC,LoadIconW,SendMessageW,GetWindowBand,FindWindowW,GetWindowBand,FindWindowW,SendMessageTimeoutW,GetWindowLongW,SetWindowLongW,SetForegroundWindow,IsThemeActive,DwmIsCompositionEnabled,GetWindowRect,GetClientRect,EnterCriticalSection,GetWindowRect,LeaveCriticalSection,SetWindowPos,LeaveCriticalSection,memset,Shell_NotifyIconGetRect,GetWindowRect,DwmIsCompositionEnabled,Shell_NotifyIconGetRect,InflateRect,CalculatePopupWindowPosition,SetWindowPos,InvalidateRect,GetClientRect,EnterCriticalSection,SetWindowPos,GetDlgItem,SetFocus,ShowWindow,LeaveCriticalSection,SetTimer,NotifyWinEvent, 22_2_00007FF6C1BBA5C8
Source: C:\Users\user\AppData\Local\bTcR2e\SndVol.exe Code function: 22_2_00007FF6C1BBA5C8 GetDC,GetDeviceCaps,ReleaseDC,LoadIconW,SendMessageW,GetWindowBand,FindWindowW,GetWindowBand,FindWindowW,SendMessageTimeoutW,GetWindowLongW,SetWindowLongW,SetForegroundWindow,IsThemeActive,DwmIsCompositionEnabled,GetWindowRect,GetClientRect,EnterCriticalSection,GetWindowRect,LeaveCriticalSection,SetWindowPos,LeaveCriticalSection,memset,Shell_NotifyIconGetRect,GetWindowRect,DwmIsCompositionEnabled,Shell_NotifyIconGetRect,InflateRect,CalculatePopupWindowPosition,SetWindowPos,InvalidateRect,GetClientRect,EnterCriticalSection,SetWindowPos,GetDlgItem,SetFocus,ShowWindow,LeaveCriticalSection,SetTimer,NotifyWinEvent, 22_2_00007FF6C1BBA5C8
Uses Atom Bombing / ProGate to inject into other processes
Source: C:\Windows\System32\rundll32.exe Atom created: 405553565741544156488D6C24D14881EC98 0x00000000 inc eax 0x00000001 push ebp 0x00000002 push ebx 0x00000003 push esi 0x00000004 push edi 0x00000005 inc ecx 0x00000006 push esp 0x00000007 inc ecx 0x00000008 push esi 0x00000009 dec eax 0x0000000a lea ebp, dword ptr [esp-2Fh] 0x0000000e dec eax 0x0000000f sub esp, 00000098h Jump to behavior
Creates a process in suspended mode (likely to inject code)
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\GpUSRuIBHx.dll",#1 Jump to behavior
Source: explorer.exe, 00000004.00000000.354953179.0000000000D00000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000004.00000000.411444736.0000000000D00000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000004.00000000.390762806.0000000000D00000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Program ManagerG
Source: explorer.exe, 00000004.00000000.427164011.0000000007C08000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.354953179.0000000000D00000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000004.00000000.362144319.0000000005920000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000004.00000000.354953179.0000000000D00000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000004.00000000.411444736.0000000000D00000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000004.00000000.390762806.0000000000D00000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Progman
Source: SndVol.exe, 00000016.00000000.518686092.00007FF6C1BD2000.00000002.00000001.01000000.0000000D.sdmp, SndVol.exe, 00000016.00000002.541746435.00007FF6C1BD2000.00000002.00000001.01000000.0000000D.sdmp Binary or memory string: Software\Microsoft\Multimedia\Audio\SndVolSndVolPreferencesMaskSndVolSelectedDevicesShell_TrayWnd
Source: explorer.exe, 00000004.00000000.354953179.0000000000D00000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000004.00000000.411444736.0000000000D00000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000004.00000000.390762806.0000000000D00000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Progmanlock
Source: explorer.exe, 00000004.00000000.390164378.0000000000628000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.354278692.0000000000628000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.410505751.0000000000628000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: ProgmanPV*
Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\AppData\Local\6f22a\FileHistory.exe Queries volume information: C:\Users\user\AppData\Local\6f22a\FileHistory.exe VolumeInformation Jump to behavior
Contains functionality to query locales information (e.g. system language)
Source: C:\Users\user\AppData\Local\bTcR2e\SndVol.exe Code function: GetUserPreferredUILanguages,malloc,GetUserPreferredUILanguages,GetLocaleInfoEx,free, 22_2_00007FF6C1BC9EF4
Queries the installation date of Windows
Source: C:\Windows\System32\loaddll64.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion InstallDate Jump to behavior
Source: C:\Windows\System32\loaddll64.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior
Source: C:\Users\user\AppData\Local\6f22a\FileHistory.exe Code function: 18_2_00007FF6D0A37704 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,GetTickCount,QueryPerformanceCounter, 18_2_00007FF6D0A37704
Source: C:\Users\user\AppData\Local\Kyz7D\rdpinput.exe Code function: 20_2_00007FF7BADBD63C GetVersionExW, 20_2_00007FF7BADBD63C
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FF8BA619400 GetUserNameW, 0_2_00007FF8BA619400
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Source: C:\Users\user\AppData\Local\2Yf2pw501\slui.exe Code function: 28_2_00007FF6A3F27390 CreateBindCtx,StringFromGUID2,CoTaskMemAlloc,~SyncLockT,memcpy,MkParseDisplayName,~SyncLockT, 28_2_00007FF6A3F27390
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 595305 Sample: GpUSRuIBHx Startdate: 23/03/2022 Architecture: WINDOWS Score: 100 43 canonicalizer.ucsuri.tcs 2->43 45 Antivirus detection for dropped file 2->45 47 Antivirus / Scanner detection for submitted sample 2->47 49 Multi AV Scanner detection for submitted file 2->49 51 4 other signatures 2->51 9 loaddll64.exe 1 2->9         started        signatures3 process4 process5 11 rundll32.exe 9->11         started        14 cmd.exe 1 9->14         started        16 rundll32.exe 9->16         started        18 rundll32.exe 9->18         started        signatures6 57 Changes memory attributes in foreign processes to executable or writable 11->57 59 Uses Atom Bombing / ProGate to inject into other processes 11->59 61 Queues an APC in another process (thread injection) 11->61 20 explorer.exe 2 75 11->20 injected 24 rundll32.exe 14->24         started        process7 file8 35 C:\Users\user\AppData\Local\...\WMsgAPI.dll, PE32+ 20->35 dropped 37 C:\Users\user\AppData\Local\...\dwmapi.dll, PE32+ 20->37 dropped 39 C:\Users\user\AppData\Local\...\SndVol.exe, PE32+ 20->39 dropped 41 26 other files (7 malicious) 20->41 dropped 53 Benign windows process drops PE files 20->53 26 SndVol.exe 20->26         started        29 rdpinput.exe 20->29         started        31 FileHistory.exe 1 20->31         started        33 21 other processes 20->33 signatures9 process10 signatures11 55 Contains functionality to automate explorer (e.g. start an application) 26->55
No contacted IP infos

Contacted Domains

Name IP Active
dual-a-0001.a-msedge.net 204.79.197.200 true
canonicalizer.ucsuri.tcs unknown unknown