Windows Analysis Report
AyCnklzHb7.dll

Overview

General Information

Sample name: AyCnklzHb7.dll
(file extension changed from .exe to .dll by the sandbox; the sample was renamed because its original file name is a hash value)
Original sample name: 32f82fc72003ea760425630e2c6a998f5c89d85e8a4adff669c24da0ef15ef42.exe
Analysis ID: 1543073
MD5: 3c9121d5389ae5b87885261c3efdf6da
SHA1: 0f6fb000293f957b4f0fc91540cfce6a1c07f63c
SHA256: 32f82fc72003ea760425630e2c6a998f5c89d85e8a4adff669c24da0ef15ef42
Tags: exe, user-JAMESWT_MHT

Detection

Score: 9
Range: 0 - 100
Whitelisted: false
Confidence: 40%

Signatures

AV process strings found (often used to terminate AV products)
Binary contains a suspicious time stamp
Checks if the current process is being debugged
Contains functionality to call native functions
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to shutdown / reboot the system
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Found large amount of non-executed APIs
May sleep (evasive loops) to hinder dynamic analysis
One or more processes crash
PE file contains an invalid checksum
PE file contains executable resources (Code or Archives)
PE file contains sections with non-standard names
Registers a DLL
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Tries to resolve domain names, but no domain seems valid (expired dropper behavior)
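Two of the static findings in this list ("PE file contains an invalid checksum" and the HIGH_ENTROPY_VA / DYNAMIC_BASE / NX_COMPAT / GUARD_CF flags reported under Classification) can be reproduced outside the sandbox, which matters here because the dynamic run is thin: rundll32 crashed into WerFault, the report notes a large amount of non-executed API, and the engine's confidence is only 40%. The Python below is an added example, not part of this report or of any tool it names. It implements the image checksum the way the loader's CheckSumMappedFile computes it (16-bit ones'-complement word sum over the whole file, skipping the CheckSum field, plus the file size), classifies the stored value as absent, valid or invalid, and decodes the DllCharacteristics word. build_minimal_pe() is a constructed PE32+ stub so the code runs offline; to check the real sample, pass its bytes to checksum_state() and dll_characteristics() instead.

```python
"""Static PE checks behind two sandbox findings: stored image checksum state
(absent / valid / invalid) and the DllCharacteristics mitigation flags.
Added example; the test image built here is a constructed stub, not the sample."""
import struct

DLL_CHARACTERISTICS = {
    0x0020: "HIGH_ENTROPY_VA", 0x0040: "DYNAMIC_BASE", 0x0080: "FORCE_INTEGRITY",
    0x0100: "NX_COMPAT", 0x0200: "NO_ISOLATION", 0x0400: "NO_SEH", 0x0800: "NO_BIND",
    0x1000: "APPCONTAINER", 0x2000: "WDM_DRIVER", 0x4000: "GUARD_CF",
    0x8000: "TERMINAL_SERVER_AWARE",
}


def optional_header_offset(data: bytes) -> int:
    """File offset of the optional header; validates the MZ and PE signatures."""
    if data[:2] != b"MZ":
        raise ValueError("no MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature")
    return e_lfanew + 4 + 20  # 'PE\0\0' plus the 20-byte COFF header


def pe_checksum(data: bytes) -> int:
    """Checksum as CheckSumMappedFile computes it: ones'-complement sum of all
    16-bit words, excluding the CheckSum field itself, plus the file length."""
    cs_off = optional_header_offset(data) + 64  # CheckSum is at +64 for PE32 and PE32+
    if cs_off % 2:
        raise ValueError("unaligned e_lfanew")
    padded = data + (b"\0" if len(data) % 2 else b"")
    total = 0
    for off in range(0, len(padded), 2):
        if cs_off <= off < cs_off + 4:
            continue  # the stored checksum is not part of its own sum
        total += struct.unpack_from("<H", padded, off)[0]
        total = (total & 0xFFFF) + (total >> 16)  # fold the carry after every word
    total = (total & 0xFFFF) + (total >> 16)
    return (total + len(data)) & 0xFFFFFFFF


def checksum_state(data: bytes) -> str:
    """'absent' (field is 0, common for unsigned user-mode binaries), 'valid', or
    'invalid' (non-zero but wrong: bytes changed after the checksum was written)."""
    stored = struct.unpack_from("<I", data, optional_header_offset(data) + 64)[0]
    if stored == 0:
        return "absent"
    return "valid" if stored == pe_checksum(data) else "invalid"


def stamp_checksum(data: bytes) -> bytes:
    """Return a copy of the image with a correct CheckSum written in."""
    out = bytearray(data)
    struct.pack_into("<I", out, optional_header_offset(data) + 64, pe_checksum(data))
    return bytes(out)


def dll_characteristics(data: bytes) -> list:
    """Decode the DllCharacteristics word (+70 in the optional header) into flag names."""
    value = struct.unpack_from("<H", data, optional_header_offset(data) + 70)[0]
    return [name for bit, name in sorted(DLL_CHARACTERISTICS.items()) if value & bit]


def build_minimal_pe(dll_chars: int = 0x4160) -> bytes:
    """Constructed PE32+ image (not the analysed sample): DOS stub, COFF header,
    optional header with CheckSum = 0, one .text section, 0x200 bytes of content."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)  # e_lfanew
    # x64, 1 section, 240-byte optional header, EXECUTABLE|LARGE_ADDRESS_AWARE|DLL
    coff = struct.pack("<HHIIIHH", 0x8664, 1, 0, 0, 0, 240, 0x2022)
    opt = bytearray(240)
    struct.pack_into("<H", opt, 0, 0x20B)  # PE32+ magic
    struct.pack_into("<Q", opt, 24, 0x180000000)  # ImageBase
    struct.pack_into("<II", opt, 32, 0x1000, 0x200)  # SectionAlignment, FileAlignment
    struct.pack_into("<II", opt, 56, 0x2000, 0x200)  # SizeOfImage, SizeOfHeaders
    struct.pack_into("<HH", opt, 68, 2, dll_chars)  # Subsystem (GUI), DllCharacteristics
    struct.pack_into("<I", opt, 108, 16)  # NumberOfRvaAndSizes
    section = struct.pack("<8sIIIIIIHHI", b".text", 0x100, 0x1000, 0x200, 0x200,
                          0, 0, 0, 0, 0x60000020)  # CODE|EXECUTE|READ
    headers = bytes(dos) + b"PE\0\0" + coff + bytes(opt) + section
    headers += b"\0" * (0x200 - len(headers))
    return headers + bytes(range(256)) * 2


if __name__ == "__main__":
    img = build_minimal_pe()
    print(checksum_state(img), dll_characteristics(img))
    print(checksum_state(stamp_checksum(img)))
```

The +64 and +70 offsets hold for PE32 and PE32+ alike because the 8-byte ImageBase in PE32+ replaces the 4-byte BaseOfData plus 4-byte ImageBase pair of PE32. Read "invalid" only for a non-zero stored value: an all-zero field is normal for many unsigned user-mode binaries and says nothing about tampering.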

Classification

Source: AyCnklzHb7.dll Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, GUARD_CF
Source: Binary string: pnidui.pdbUGP source: rundll32.exe, 00000006.00000002.1854222306.00007FFDFB767000.00000002.00000001.01000000.00000003.sdmp, AyCnklzHb7.dll
Source: Binary string: \ICS_Release\Setup.pdb source: rundll32.exe, 00000006.00000002.1854261533.00007FFDFB7C1000.00000002.00000001.01000000.00000003.sdmp, AyCnklzHb7.dll
Source: Binary string: \magadan21\loader\objfre_wxp_x86\i386\Loader.pdb source: rundll32.exe, 00000006.00000002.1854261533.00007FFDFB7C1000.00000002.00000001.01000000.00000003.sdmp, AyCnklzHb7.dll
Source: Binary string: \work\urlgl\driver2\objfre_wxp_x86\i386\MekeAttManage.pdb source: rundll32.exe, 00000006.00000002.1854261533.00007FFDFB7C1000.00000002.00000001.01000000.00000003.sdmp, AyCnklzHb7.dll
Source: Binary string: 0\SearchRecover.pdb( source: rundll32.exe, 00000006.00000002.1854261533.00007FFDFB7C1000.00000002.00000001.01000000.00000003.sdmp, AyCnklzHb7.dll
Source: Binary string: "0\7to\apphelp\Release\injectdll.pdbR source: rundll32.exe, 00000006.00000002.1854261533.00007FFDFB7C1000.00000002.00000001.01000000.00000003.sdmp, AyCnklzHb7.dll
Source: Binary string: \Release\Wallpaper.pdb source: rundll32.exe, 00000006.00000002.1854261533.00007FFDFB7C1000.00000002.00000001.01000000.00000003.sdmp, AyCnklzHb7.dll
Source: Binary string: 0\IrCS_Release\Setup.pdb/ source: rundll32.exe, 00000006.00000002.1854261533.00007FFDFB7C1000.00000002.00000001.01000000.00000003.sdmp, AyCnklzHb7.dll
Source: Binary string: \SearchRecover.pdb source: rundll32.exe, 00000006.00000002.1854261533.00007FFDFB7C1000.00000002.00000001.01000000.00000003.sdmp, AyCnklzHb7.dll
Source: Binary string: 0\BLDService.pdb6 source: rundll32.exe, 00000006.00000002.1854261533.00007FFDFB7C1000.00000002.00000001.01000000.00000003.sdmp, AyCnklzHb7.dll
Source: Binary string: 0\ICS_Release\Setup.pdb9 source: rundll32.exe, 00000006.00000002.1854261533.00007FFDFB7C1000.00000002.00000001.01000000.00000003.sdmp, AyCnklzHb7.dll
Source: Binary string: \IrCS_Release\Setup.pdb source: rundll32.exe, 00000006.00000002.1854261533.00007FFDFB7C1000.00000002.00000001.01000000.00000003.sdmp, AyCnklzHb7.dll
Source: Binary string: \bbcomm.pdb source: rundll32.exe, 00000006.00000002.1854261533.00007FFDFB7C1000.00000002.00000001.01000000.00000003.sdmp, AyCnklzHb7.dll
Source: Binary string: 90\work\urlgl\driver2\objfre_wxp_x86\i386\MekeAttManage.pdb= source: rundll32.exe, 00000006.00000002.1854261533.00007FFDFB7C1000.00000002.00000001.01000000.00000003.sdmp, AyCnklzHb7.dll
Source: Binary string: 0\bbhelper.pdb$ source: rundll32.exe, 00000006.00000002.1854261533.00007FFDFB7C1000.00000002.00000001.01000000.00000003.sdmp, AyCnklzHb7.dll
Source: Binary string: 0\setupplugins.pdb& source: rundll32.exe, 00000006.00000002.1854261533.00007FFDFB7C1000.00000002.00000001.01000000.00000003.sdmp, AyCnklzHb7.dll
Source: Binary string: \bbhelper.pdb source: rundll32.exe, 00000006.00000002.1854261533.00007FFDFB7C1000.00000002.00000001.01000000.00000003.sdmp, AyCnklzHb7.dll
Source: Binary string: \WallpaperInstall\release\WallpaperInstall.pdb source: rundll32.exe, 00000006.00000002.1854261533.00007FFDFB7C1000.00000002.00000001.01000000.00000003.sdmp, AyCnklzHb7.dll
Source: Binary string: 0 \magadan21\loader\objfre_wxp_x86\i386\Loader.pdb% source: rundll32.exe, 00000006.00000002.1854261533.00007FFDFB7C1000.00000002.00000001.01000000.00000003.sdmp, AyCnklzHb7.dll
Source: Binary string: \Release\Wallpaper.pdbG source: rundll32.exe, 00000006.00000002.1854261533.00007FFDFB7C1000.00000002.00000001.01000000.00000003.sdmp, AyCnklzHb7.dll
Source: Binary string: \setupplugins.pdb source: rundll32.exe, 00000006.00000002.1854261533.00007FFDFB7C1000.00000002.00000001.01000000.00000003.sdmp, AyCnklzHb7.dll
Source: Binary string: 0\bbcomm.pdb2 source: rundll32.exe, 00000006.00000002.1854261533.00007FFDFB7C1000.00000002.00000001.01000000.00000003.sdmp, AyCnklzHb7.dll
Source: Binary string: \Release\Laban.pdb source: rundll32.exe, 00000006.00000002.1854261533.00007FFDFB7C1000.00000002.00000001.01000000.00000003.sdmp, AyCnklzHb7.dll
Source: Binary string: 0\weiduan.pdb+ source: rundll32.exe, 00000006.00000002.1854261533.00007FFDFB7C1000.00000002.00000001.01000000.00000003.sdmp, AyCnklzHb7.dll
Source: Binary string: \BLDService.pdb source: rundll32.exe, 00000006.00000002.1854261533.00007FFDFB7C1000.00000002.00000001.01000000.00000003.sdmp, AyCnklzHb7.dll
Source: Binary string: 0\ExtWatcher.pdbB source: rundll32.exe, 00000006.00000002.1854261533.00007FFDFB7C1000.00000002.00000001.01000000.00000003.sdmp, AyCnklzHb7.dll
Source: Binary string: pnidui.pdb source: rundll32.exe, 00000006.00000002.1854222306.00007FFDFB767000.00000002.00000001.01000000.00000003.sdmp, AyCnklzHb7.dll
Source: Binary string: \weiduan.pdb source: rundll32.exe, 00000006.00000002.1854261533.00007FFDFB7C1000.00000002.00000001.01000000.00000003.sdmp, AyCnklzHb7.dll
Source: Binary string: .0\WallpaperInstall\release\WallpaperInstall.pdbb source: rundll32.exe, 00000006.00000002.1854261533.00007FFDFB7C1000.00000002.00000001.01000000.00000003.sdmp, AyCnklzHb7.dll
Source: Binary string: \ExtWatcher.pdb source: rundll32.exe, 00000006.00000002.1854261533.00007FFDFB7C1000.00000002.00000001.01000000.00000003.sdmp, AyCnklzHb7.dll
Source: Binary string: \Release\Laban.pdb source: rundll32.exe, 00000006.00000002.1854261533.00007FFDFB7C1000.00000002.00000001.01000000.00000003.sdmp, AyCnklzHb7.dll
Source: Binary string: \7to\apphelp\Release\injectdll.pdb source: rundll32.exe, 00000006.00000002.1854261533.00007FFDFB7C1000.00000002.00000001.01000000.00000003.sdmp, AyCnklzHb7.dll
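A PE produced by a single link step normally carries one CodeView (RSDS) record naming one .pdb, so the long list of unrelated paths above (Loader.pdb, injectdll.pdb, Wallpaper.pdb, Setup.pdb, a driver tree under \work\urlgl\...) cannot all be this module's own debug record; whatever their origin (embedded or appended files, resource data, filler), the number of distinct paths is itself worth recording in triage. The Python below is an added example, not part of this report, that extracts and de-duplicates such paths from a dump or file image the way the "Binary string" lines were produced, covering ASCII and UTF-16LE strings and trimming the trailing junk visible above (Setup.pdb9, pnidui.pdbUGP, Wallpaper.pdbG). SAMPLE_DUMP is a constructed byte string modelled on those lines; the D:\build\... path and the shortened \magadan21\loader\Loader.pdb entry in it are made up for the example.

```python
"""Extract distinct .pdb paths from a memory dump or file image.
Added example; SAMPLE_DUMP is constructed, not data from the analysed sample."""
import re

# Printable ASCII run ending at the FIRST ".pdb" (lazy), so trailing junk such as
# "Setup.pdb9" or "pnidui.pdbUGP" is cut off rather than pulled into the path.
_ASCII_PDB = re.compile(rb"[\x20-\x7e]{1,260}?\.pdb", re.IGNORECASE)
# Runs of 4+ printable UTF-16LE characters that may carry the same strings.
_WIDE_RUN = re.compile(rb"(?:[\x20-\x7e]\x00){4,}")
_DRIVE = re.compile(r"[A-Za-z]:\\")


def _normalise(raw: bytes) -> str:
    """Trim leading junk: keep from the drive letter if present, else from the first
    backslash; for a bare file name keep only the last whitespace-separated token."""
    s = raw.decode("ascii")
    m = _DRIVE.search(s)
    if m:
        return s[m.start():]
    i = s.find("\\")
    if i >= 0:
        return s[i:]
    return s.split()[-1]


def extract_pdb_paths(blob: bytes) -> list:
    """Distinct PDB paths in first-seen order (ASCII hits, then UTF-16LE hits),
    de-duplicated case-insensitively."""
    hits = [m.group(0) for m in _ASCII_PDB.finditer(blob)]
    for run in _WIDE_RUN.finditer(blob):
        narrow = run.group(0).decode("utf-16-le").encode("ascii")
        hits.extend(m.group(0) for m in _ASCII_PDB.finditer(narrow))
    seen, out = set(), []
    for h in hits:
        path = _normalise(h)
        if path.lower() not in seen:
            seen.add(path.lower())
            out.append(path)
    return out


# Constructed dump fragment modelled on the report's "Binary string" lines: NUL-separated
# strings, some with a leading length byte and trailing garbage, one stored as UTF-16LE.
SAMPLE_DUMP = (
    b"\x00\x00pnidui.pdbUGP\x00"
    b"\x000\\ICS_Release\\Setup.pdb9\x00"
    b"\x00\\Release\\Wallpaper.pdbG\x00"
    b"\x00\\Release\\Wallpaper.pdb\x00"
    b"\x00D:\\build\\driver\\MekeAttManage.pdb\x00\x00"
    + "\\magadan21\\loader\\Loader.pdb".encode("utf-16-le") + b"\x00\x00"
    + b"\x00no debug record here\x00"
)

if __name__ == "__main__":
    for p in extract_pdb_paths(SAMPLE_DUMP):
        print(p)
    print(len(extract_pdb_paths(SAMPLE_DUMP)), "distinct PDB paths")
```

Because the match stops at the first ".pdb", a genuine path containing ".pdb" twice would be cut short; for triage that is the right trade-off, since the count of distinct paths and the build trees they reveal are what you want, not byte-exact strings.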
Source: unknown DNS traffic detected: query: 198.187.3.20.in-addr.arpa reply code: Name error (3)
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic DNS traffic detected: DNS query: 198.187.3.20.in-addr.arpa
Source: rundll32.exe, 00000006.00000002.1854261533.00007FFDFB7C1000.00000002.00000001.01000000.00000003.sdmp, AyCnklzHb7.dll String found in binary or memory: http://%s/dupe.php?q=%d.%d.%d.%d.%d.%s.1.%d
Source: rundll32.exe, 00000006.00000002.1854261533.00007FFDFB7C1000.00000002.00000001.01000000.00000003.sdmp, AyCnklzHb7.dll String found in binary or memory: http://%s/dupe.php?q=%d.%d.%d.%d.%d.%s.1.%d#
Source: rundll32.exe, 00000006.00000002.1854261533.00007FFDFB7C1000.00000002.00000001.01000000.00000003.sdmp, AyCnklzHb7.dll String found in binary or memory: http://95.143.193.138/xxxx_3/
Source: rundll32.exe, 00000006.00000002.1854261533.00007FFDFB7C1000.00000002.00000001.01000000.00000003.sdmp, AyCnklzHb7.dll String found in binary or memory: http://95.143.193.138/xxxx_3/6
Source: AyCnklzHb7.dll String found in binary or memory: http://get.fc-gosh.biz/launch_reb.php?
Source: Amcache.hve.9.dr String found in binary or memory: http://upx.sf.net
Source: rundll32.exe String found in binary or memory: http://www.msftconnecttest.com/redirect
Source: rundll32.exe, 00000006.00000002.1854222306.00007FFDFB767000.00000002.00000001.01000000.00000003.sdmp, AyCnklzHb7.dll String found in binary or memory: http://www.msftconnecttest.com/redirectSYSTEM
Source: C:\Windows\System32\rundll32.exe Code function: 6_2_00007FFDFB75EA88 NtQueryWnfStateData,free,RtlSubscribeWnfStateChangeNotification,free, 6_2_00007FFDFB75EA88
Source: C:\Windows\System32\rundll32.exe Code function: 6_2_00007FFDFB72C020 GetCurrentProcessId,ProcessIdToSessionId,EnterCriticalSection,memset,NtQueryWnfStateData,RtlSubscribeWnfStateChangeNotification,LeaveCriticalSection,GetLastError,LeaveCriticalSection,EnterCriticalSection,CompareFileTime,CompareFileTime,LeaveCriticalSection,LeaveCriticalSection, 6_2_00007FFDFB72C020
Source: C:\Windows\System32\rundll32.exe Code function: 6_2_00007FFDFB75E76C NtQueryInformationToken,NtQueryInformationToken, 6_2_00007FFDFB75E76C
Source: C:\Windows\System32\rundll32.exe Code function: 6_2_00007FFDFB7496BC NtQueryWnfStateData,CoTaskMemAlloc,NtQueryWnfStateData,CoTaskMemFree, 6_2_00007FFDFB7496BC
Source: C:\Windows\System32\rundll32.exe Code function: GetCurrentThreadId,GetTickCount,LoadLibraryExW,memset,wcstombs,GetProcAddress,GetTickCount,FreeLibrary,GetLastError,GetLastError,memset,swprintf_s,free,wcscpy_s,CreateProcessW,CloseHandle,CloseHandle,GetLastError, Shutdown 6_2_00007FFDFB7289E0
Source: C:\Windows\System32\rundll32.exe Code function: 6_2_00007FFDFB728BF0 6_2_00007FFDFB728BF0
Source: C:\Windows\System32\rundll32.exe Code function: 6_2_00007FFDFB72A3F0 6_2_00007FFDFB72A3F0
Source: C:\Windows\System32\rundll32.exe Code function: 6_2_00007FFDFB72A370 6_2_00007FFDFB72A370
Source: C:\Windows\System32\rundll32.exe Code function: 6_2_00007FFDFB729B20 6_2_00007FFDFB729B20
Source: C:\Windows\System32\rundll32.exe Code function: 6_2_00007FFDFB75335C 6_2_00007FFDFB75335C
Source: C:\Windows\System32\rundll32.exe Code function: 6_2_00007FFDFB724240 6_2_00007FFDFB724240
Source: C:\Windows\System32\rundll32.exe Code function: 6_2_00007FFDFB7218F0 6_2_00007FFDFB7218F0
Source: C:\Windows\System32\rundll32.exe Code function: 6_2_00007FFDFB764134 6_2_00007FFDFB764134
Source: C:\Windows\System32\rundll32.exe Code function: 6_2_00007FFDFB7257D0 6_2_00007FFDFB7257D0
Source: C:\Windows\System32\rundll32.exe Code function: 6_2_00007FFDFB7627D0 6_2_00007FFDFB7627D0
Source: C:\Windows\System32\rundll32.exe Code function: 6_2_00007FFDFB74C690 6_2_00007FFDFB74C690
Source: C:\Windows\System32\rundll32.exe Code function: 6_2_00007FFDFB762DD8 6_2_00007FFDFB762DD8
Source: C:\Windows\System32\rundll32.exe Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 7448 -s 420
Source: AyCnklzHb7.dll Static PE information: Resource name: RT_ICON type: COM executable for DOS
Source: AyCnklzHb7.dll Binary or memory string: OriginalFilenamePNIDUI.DLLj% vs AyCnklzHb7.dll
Source: AyCnklzHb7.dll Binary string: \Device\HarddiskVolume3\Windows\System32\pnidui.dll
Source: AyCnklzHb7.dll Binary string: \Device\HarddiskVolume3\Windows\System32\wbem\fastprox.dll
Source: AyCnklzHb7.dll Binary string: \Device\HarddiskVolume3\Windows\System32\biwinrt.dllore.dllng
Source: AyCnklzHb7.dll Binary string: \Device\HarddiskVolume3\Windows\System32\zh-CN\ntdll.dll.mui.0r
Source: AyCnklzHb7.dll Binary string: \Device\HarddiskVolume3\Windows\InputMethod\CHS\ChsPinyinDM49.lexe.lex\ChsChsPinyinHap_s.lex
Source: AyCnklzHb7.dll Binary string: \Device\HarddiskVolume3\Windows\System32\drivers\zh-CN\ndis.sys.mui
Source: AyCnklzHb7.dll Binary string: \Device\HarddiskVolume3\Windows.old\Windows\WinSxS\Tempe.exee1
Source: AyCnklzHb7.dll Binary string: \Device\HarddiskVolume3\Windows\System32\CloudExperienceHostCommon.dll
Source: AyCnklzHb7.dll Binary string: \Device\HarddiskVolume3\Windows\System32\zh-CN\crypt32.dll.mui
Source: AyCnklzHb7.dll Binary string: \Device\HarddiskVolume3\Windows\System32\SyncCenter.dll
Source: AyCnklzHb7.dll Binary string: \Device\HarddiskVolume3\Windows\System32\winevt\Logs\Microsoft-Windows-Dhcp-Client%4Admin.evtx
Source: AyCnklzHb7.dll Binary string: \Device\HarddiskVolume3\ProgramData\Microsoft\Windows\AppRepository\StateRepository-Machine.srd
Source: AyCnklzHb7.dll Binary string: \Device\HarddiskVolume3\Windows\System32\stobject.dllprofile;
Source: AyCnklzHb7.dll Binary string: \Device\HarddiskVolume3\Windows\System32\MosStorage.dllll
Source: AyCnklzHb7.dll Binary string: \Device\HarddiskVolume3\Windows\System32\ucrtbase_clr0400.dllF-
Source: AyCnklzHb7.dll Binary string: \Device\HarddiskVolume3\Program Files (x86)\Mythware\
Source: AyCnklzHb7.dll Binary string: \Device\HarddiskVolume3\Windows\System32\ClipRenew.exe
Source: AyCnklzHb7.dll Binary string: \Device\HarddiskVolume3\Windows.old\Windows\WinSxS\amd64_microsoft-windows-hvsi-service-shared_31bf3856ad364e35_10.0.19041.906_none_6530c5981102f17fbwere.dat
Source: AyCnklzHb7.dll Binary string: \Device\HarddiskVolume3\Windows\System32\StateRepository.Core.dllllstem32\WindowsPowerShell\v
Source: AyCnklzHb7.dll Binary string: \Device\HarddiskVolume3\Windows\System32\zh-CN\rundll32.exe.mui
Source: AyCnklzHb7.dll Binary string: \Device\HarddiskVolume3\Windows\System32\icuuc.dlles
Source: AyCnklzHb7.dll Binary string: \Device\HarddiskVolume3\Windows\INF\kdnic.PNFrStore\zh-CNcat
Source: AyCnklzHb7.dll Binary string: \Device\HarddiskVolume3\Windows\System32\NetSetupApi.dllrfaceCl
Source: AyCnklzHb7.dll Binary string: \Device\HarddiskVolume3\Windows\System32\drivers\ClipSp.sysPCI#
Source: AyCnklzHb7.dll Binary string: \Device\HarddiskVolume3\Windows\System32\WofUtil.dll\EdgeCorei
Source: AyCnklzHb7.dll Binary string: \Device\HarddiskVolume3\Windows\System32\WSDApi.dllcbda2}\0004010
Source: AyCnklzHb7.dll Binary string: \Device\HarddiskVolume3\Windows\System32\Windows.Media.Devices.dllrogramDataPublic=C:\Users\Pu
Source: AyCnklzHb7.dll Binary string: \Device\HarddiskVolume3\Windows\System32\authui.dllllost.exetificados CGN V20P
Source: AyCnklzHb7.dll Binary string: \Device\HarddiskVolume3\Windows\System32\drivers\zh-CN\acpi.sys.mui
Source: AyCnklzHb7.dll Binary string: S-1-5-21-582503613-890440277-4174216604-1001\Device\HarddiskVolume3\Windows\System32\GameBarPresenceWriter.exe
Source: AyCnklzHb7.dll Binary string: \Device\HarddiskVolume3\Windows\System32\cscobj.dllxyewy3d8bbwe+
Source: AyCnklzHb7.dll Binary string: \Device\HarddiskVolume3\Windows\System32\NetSetupApi.dll.dllA6
Source: AyCnklzHb7.dll Binary string: \Device\HarddiskVolume3\Windows\System32\ProximityServicePal.dlla90-b076-33f57bf4eaa7}\#0}\#KBD
Source: AyCnklzHb7.dll Binary string: \Device\HarddiskVolume3\Windows\servicing\Packages\Microsoft-Windows-WinOcr-Package~31bf3856ad364e35~amd64~zh-CN~10.0.19041.1.mum35~amd64~~10.0.19041.1.mum\3\g95]_F_
Source: AyCnklzHb7.dll Binary string: \Device\HarddiskVolume3\Windows\System32\drivers\zh-CN\processr.sys.mui
Source: AyCnklzHb7.dll Binary string: \Device\HarddiskVolume3\Windows\System32\NcdAutoSetup.dll
Source: AyCnklzHb7.dll Binary string: \Device\HarddiskVolume3\Windows\System32\LogFiles\WMI\IntelA
Source: AyCnklzHb7.dll Binary string: \Device\HarddiskVolume3\Windows\System32\svchost.exeiF
Source: AyCnklzHb7.dll Binary string: \Device\HarddiskVolume3\Windows\System32\drivers\mssecflt.sysle
Source: AyCnklzHb7.dll Binary string: \Device\HarddiskVolume3\ProgramData\Huorong\Sysdiag\wlfile.db-shm
Source: AyCnklzHb7.dll Binary string: \Device\HarddiskVolume3\Windows\System32\D3D12.dll0c75d6}\0008
Source: AyCnklzHb7.dll Binary string: \Device\HarddiskVolume3\Windows\SysWOW64\thumbcache.dlls.dlll
Source: AyCnklzHb7.dll Binary string: \Device\HarddiskVolume3\Windows\System32\SleepStudyScreenOn
Source: AyCnklzHb7.dll Binary string: \Device\HarddiskVolume3\Users\
Source: AyCnklzHb7.dll Binary string: \Device\HarddiskVolume3\Windows\servicing\Packages\Microsoft-Windows-TFTP-Client-Package~31bf3856ad364e35~amd64~~10.0.19041.1.mummlep-UqQSqnMp-FI[1].css.pngw
Source: AyCnklzHb7.dll Binary string: \Device\HarddiskVolume3\Windows\System32\SecureTimeAggregator.dll
Source: AyCnklzHb7.dll Binary string: \Device\HarddiskVolume3\Windows\System32\batmeter.dlldll8f69f
Source: AyCnklzHb7.dll Binary string: \Device\HarddiskVolume3\Windows\System32\RTWorkQ.dll3 G30N
Source: AyCnklzHb7.dll Binary string: \Device\HarddiskVolume3\Program Files (x86)\Microsoft\EdgeCore\128.0.2739.79\identity_proxy\internal.identity_helper.exe.manifestD39FCE23AF8F277537F2613.scale-100_
Source: AyCnklzHb7.dll Binary string: \Device\HarddiskVolume3\Windows\System32\fdPHost.dll
Source: AyCnklzHb7.dll Binary string: \Device\HarddiskVolume3\Windows\System32\RTWorkQ.dllmprofile+
Source: AyCnklzHb7.dll Binary string: \Device\HarddiskVolume3\Windows\System32\drivers\WfNicPnp64.sysnterfaceClass\{97EBAACB-95BD-11D0-A3EA-00A0C9223196}InterfaceClass\{3C4852D6-D47B-4F46-B05E-B5EDC1AA440
Source: AyCnklzHb7.dll Binary string: \Device\HarddiskVolume3\Windows\System32\Windows.Media.Devices.dllON=a503ProgramData=C:\Progra
Source: AyCnklzHb7.dll Binary string: \Device\HarddiskVolume3\Windows\System32\mobsync.exeWERTemp
Source: AyCnklzHb7.dll Binary string: \Device\HarddiskVolume3\Windows.old\Windows\System32\wbemgmp
Source: AyCnklzHb7.dll Binary string: \Device\HarddiskVolume3\Windows\System32\BitsProxy.dll.dllLL
Source: AyCnklzHb7.dll Binary string: \Device\HarddiskVolume3\Windows\System32\drivers\IntelTA.syslas
Source: AyCnklzHb7.dll Binary string: \Device\HarddiskVolume3\Windows\SysWOW64\imageres.dlllure.dll
Source: AyCnklzHb7.dll Binary string: \Device\HarddiskVolume3\Windows\System32\drivers\zh-CN\mssmbios.sys.mui
Source: AyCnklzHb7.dll Binary string: \Device\HarddiskVolume3\Windows\INF\rt640x64.inforezh-CNcat
Source: AyCnklzHb7.dll Binary string: \Device\HarddiskVolume3\Windows\InputMethod\CHS\ChsPinyinDM49.lex.lexcontrast-white.pngdll
Source: AyCnklzHb7.dll Binary string: \Device\HarddiskVolume3\Windows\System32\netcenter.dllftdll
Source: AyCnklzHb7.dll Binary string: \Device\HarddiskVolume3\Windows\System32\Microsoft\Protectui
Source: AyCnklzHb7.dll Binary string: \Device\HarddiskVolume3\Windows\appcompat\ProgramsbowsApps
Source: AyCnklzHb7.dll Binary string: \Device\HarddiskVolume3\Windows\System32\zh-CN\cscui.dll.muiat
Source: AyCnklzHb7.dll Binary string: \Device\HarddiskVolume3\Windows\servicing\Packages\Microsoft-Windows-WinOcr-Opt-Package~31bf3856ad364e35~amd64~~10.0.19041.746.mumV\3\g
Source: AyCnklzHb7.dll Binary string: \Device\HarddiskVolume3\Windows\System32\SecureTimeAggregator.dllD$
Source: AyCnklzHb7.dll Binary string: \Device\HarddiskVolume3\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Source: AyCnklzHb7.dll Binary string: \Device\HarddiskVolume3\Windows\System32\RTWorkQ.dll
Source: AyCnklzHb7.dll Binary string: \Device\HarddiskVolume3\Windows\System32\drivers\wmilib.sysF5-6
Source: AyCnklzHb7.dll Binary string: \Device\HarddiskVolume3\Windows\System32\drivers\pcw.sysCA-84AE
Source: AyCnklzHb7.dll Binary string: \Device\HarddiskVolume3\Windows\System32\icu.dllup.dll
Source: AyCnklzHb7.dll Binary string: \Device\HarddiskVolume3\Windows\System32\drivers\acpiex.sys1_V
Source: AyCnklzHb7.dll Binary string: \Device\HarddiskVolume3\Windows\System32\dxgiadaptercache.exe
Source: AyCnklzHb7.dll Binary string: \Device\HarddiskVolume3\Windows\System32\RuntimeBroker.exel
Source: AyCnklzHb7.dll Binary string: \Device\HarddiskVolume3\Windows\System32\BitLockerWizardElev.exe
Source: AyCnklzHb7.dll Binary string: \Device\HarddiskVolume3\ProgramData\Microsoft\Windows\Start Menu
Source: AyCnklzHb7.dll Binary string: \Device\HarddiskVolume3\Windows\System32\wbem\wbemess.dll
Source: AyCnklzHb7.dll Binary string: \Device\HarddiskVolume3\Windows\System32\fontgroupsoverride.dll
Source: AyCnklzHb7.dll Binary string: \Device\HarddiskVolume3\Windows\System32\SettingMonitor.dllll6
Source: AyCnklzHb7.dll Binary string: \Device\HarddiskVolume3\Windows\System32\srpapi.dllSLSApps
Source: AyCnklzHb7.dll Binary string: \Device\HarddiskVolume3\Windows\System32\AuthBroker.dll.dllb
Source: AyCnklzHb7.dll Binary string: S-1-5-19\Device\HarddiskVolume3\Windows\System32\svchost.exe
Source: AyCnklzHb7.dll Binary string: \Device\HarddiskVolume3\Windows\WinSxS\Manifests\x86_policy.8.0.microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9672_none_51704e630f46ca5c.manifest
Source: AyCnklzHb7.dll Binary string: \Device\HarddiskVolume3\Windows\AppReadinessimeBroker.exe
Source: AyCnklzHb7.dll Binary string: \Device\HarddiskVolume3\Windows\System32\zh-CN\sxs.dll.muixeL.c
Source: AyCnklzHb7.dll Binary string: \Device\HarddiskVolume3\Windows\InputMethod\CHS\ChsPinyinDM06.lex.CBS_cw5n1h2txyewy\d2d1.dll
Source: AyCnklzHb7.dll Binary string: \Device\HarddiskVolume3\Windows\System32\pnidui.dllkages
Source: AyCnklzHb7.dll Binary string: \Device\HarddiskVolume3\Windows\SysWOW64\wmp.dllTempgesTemp7<
Source: AyCnklzHb7.dll Binary string: \Device\HarddiskVolume3\Windows\System32\Windows.UI.Shell.dllApplicationCA2 Root0
Source: AyCnklzHb7.dll Binary string: \Device\HarddiskVolume3\Windows\System32\WPDShServiceObj.dll
Source: AyCnklzHb7.dll Binary string: \Device\HarddiskVolume3\Windows\System32\cscobj.dlldllewywywyti
Source: AyCnklzHb7.dll Binary string: \Device\HarddiskVolume3\Windows\SystemApps\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy\pris\resources.zh-CN.prie7$\Default
Source: AyCnklzHb7.dll Binary string: \Device\HarddiskVolume3\Windows\System32\crypttpmeksvc.dll5FC59
Source: AyCnklzHb7.dll Binary string: \Device\HarddiskVolume3\Windows\System32\shdocvw.dll
Source: AyCnklzHb7.dll Binary string: \Device\HarddiskVolume3\Windows\SoftwareDistribution\PostRebootEventCache.V2e\Scheduled Start
Source: AyCnklzHb7.dll Binary string: \Device\HarddiskVolume3\Windows\System32\InprocLogger.dlllf
Source: AyCnklzHb7.dll Binary string: \Device\HarddiskVolume3\Windows\System32\AudioSrvPolicyManager.dll
Source: AyCnklzHb7.dll Binary string: \Device\HarddiskVolume3\Windows\System32\DXCore.dllsicDisplay.sys
Source: AyCnklzHb7.dll Binary string: \Device\HarddiskVolume3\Windows\System32\bitsigd.dlldll.mui
Source: AyCnklzHb7.dll Binary string: \Device\HarddiskVolume3\Windows\System32\ProximityServicePal.dll11d2-b082-00a0c91efb8b}\#r#or
Source: AyCnklzHb7.dll Binary string: f\DEVICE\HARDDISKVOLUME3\PROGRAM FILES (X86)\MYTHWARE\
Source: AyCnklzHb7.dll Binary string: \Device\HarddiskVolume3\Windows\System32\deviceassociation.dll
Source: AyCnklzHb7.dll Binary string: \Device\HarddiskVolume3\ProgramData\Microsoft\Windows\AppRepository
Source: AyCnklzHb7.dll Binary string: \Device\HarddiskVolume3\Windows\System32\CloudExperienceHostCommon.dllfb-MaxSessions
Source: AyCnklzHb7.dll Binary string: \Device\HarddiskVolume3\Windows\System32\SyncInfrastructure.dll
Source: AyCnklzHb7.dll Binary string: \Device\HarddiskVolume3\Windows\SysWOW64\dbghelp.dll
Source: AyCnklzHb7.dll Binary string: \Device\HarddiskVolume3\Windows\System32\CloudExperienceHostCommon.dllALLUSERSPROFILE=C:\ProgramDataAPPDATA=C:\Windows\system32\config\systemprofile\AppData\RoamingCommonPr
Source: AyCnklzHb7.dll Binary string: \Device\HarddiskVolume3\Windows\System32\AudioSrvPolicyManager.dllem32;C:\Windows;C:\Windows\Sy
Source: AyCnklzHb7.dll Binary string: \Device\HarddiskVolume3\Windows\System32\ProximityServicePal.dll-9409-add3064c0cad}\#color##
Source: AyCnklzHb7.dll Binary string: \Device\HarddiskVolume3\Windows\SysWOW64\mlang.dll3F8646}
Source: AyCnklzHb7.dll Binary string: \Device\HarddiskVolume3\Windows\System32\zh-CN\stobject.dll.mui
Source: AyCnklzHb7.dll Binary string: \Device\HarddiskVolume3\Windows\System32\batmeter.dll.dll
Source: AyCnklzHb7.dll Binary string: \Device\HarddiskVolume3\Program Files\desktop.inidlle.dlls%
Source: AyCnklzHb7.dll Binary string: ..\DEVICE\HARDDISKVOLUME31Y
Source: AyCnklzHb7.dll Binary string: \Device\HarddiskVolume3\Windows\System32\drivers\SgrmAgent.sys_9BC8CompatibleId\PCI#VEN_8086&DEV_A382CompatibleId\PCI#VEN_8086&DEV_A396CompatibleId\PCI#VEN_8086&DEV_A3A1Compatiblenterface
Source: AyCnklzHb7.dll Binary string: \Device\HarddiskVolume3\Windows\System32\dsreg.dll
Source: AyCnklzHb7.dll Binary string: \Device\HarddiskVolume3\ProgramData\Microsoft\Windows\DeviceMetadataCache\dmrccache\en-US\ec4d5fdd-aa12-400f-83e2-7b0ea6023eb7\SoftwareInfo\SoftwareInfo.xml
Source: AyCnklzHb7.dll Binary string: \Device\HarddiskVolume3\Windows\System32\NetSetupApi.dll4B3B-B7
Source: AyCnklzHb7.dll Binary string: \Device\HarddiskVolume3\Windows\System32\ncryptprov.dlls.dllatcho
Source: AyCnklzHb7.dll Binary string: \Device\HarddiskVolume3\Windows\System32\RuntimeBroker.exe.dll
Source: AyCnklzHb7.dll Binary string: \Device\HarddiskVolume3\ProgramData\Microsoft\Networkte\Log9f
Source: AyCnklzHb7.dll Binary string: \Device\HarddiskVolume3\Windows\System32\StateRepository.Core.dll
Source: AyCnklzHb7.dll Binary string: \Device\HarddiskVolume3\Windows\System32\webservices.dll}\0004
Source: AyCnklzHb7.dll Binary string: \Device\HarddiskVolume3\Windows\System32\wbemed.exebled.exe
Source: AyCnklzHb7.dll Binary string: \Device\HarddiskVolume3\Windows\System32\wbem\AutoRecover\0004
Source: AyCnklzHb7.dll Binary string: \Device\HarddiskVolume3\Windows\System32\ktmw32.dllShell.dllt
Source: AyCnklzHb7.dll Binary string: \Device\HarddiskVolume3\Windows\System32\zh-CN\sxs.dll.muiL.0"
Source: AyCnklzHb7.dll Binary string: \Device\HarddiskVolume3\Program Files (x86)\Microsoft\EdgeCore\128.0.2739.67\pwahelper.exe
Source: AyCnklzHb7.dll Binary string: \Device\HarddiskVolume3\Windows\System32\oobe\msoobedui.dll
Source: AyCnklzHb7.dll Binary string: \Device\HarddiskVolume3\Windows\System32\iphlpsvc.dllves.dllCS
Source: AyCnklzHb7.dll Binary string: \Device\HarddiskVolume3\Windows\System32\srchadmin.dllwsAppse
Source: AyCnklzHb7.dll Binary string: \Device\HarddiskVolume3\Program Files (x86)\Microsoft\Edge\Application\128.0.2739.79\Trust Protection Lists\Mu:$DSC:$LOGGED_UTILITY_STREAMBLE_
Source: AyCnklzHb7.dll Binary string: \Device\HarddiskVolume3\Windows\System32\ActionCenter.dllLL
Source: AyCnklzHb7.dll Binary string: \Device\HarddiskVolume3\Windows\explorer.exeg.dlllework.dll)0
Source: AyCnklzHb7.dll Binary string: \Device\HarddiskVolume3\Windows\SystemApps\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy\pris\resources.zh-CN.prial_cw5n1h2txyewyies
Source: AyCnklzHb7.dll Binary string: \Device\HarddiskVolume3\Windows\System32\SettingMonitor.dllt
Source: AyCnklzHb7.dll Binary string: \Device\HarddiskVolume3\Windows\System32\mobsync.exeWER\Tempg
Source: AyCnklzHb7.dll Binary string: \Device\HarddiskVolume3\Windows\System32\aadWamExtension.dllll
Source: AyCnklzHb7.dll Binary string: \Device\HarddiskVolume3\Windows\System32\EdgeManager.dll.dll
Source: AyCnklzHb7.dll Binary string: \Device\HarddiskVolume3\Windows\SystemApps\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy\pris\resources.zh-CN.pri-3e7$\Default
Source: AyCnklzHb7.dll Binary string: \Device\HarddiskVolume3\Windows\SystemApps\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy\AAD.Core.dllService-0x0-3e7$\DefaultD
Source: AyCnklzHb7.dll Binary string: \Device\HarddiskVolume3\Windows\bcastdvr\KnownGameList.binllSzo
Source: AyCnklzHb7.dll Binary string: \Device\HarddiskVolume3\Windows\bcastdvrzh-HANSUI.Shell.dll
Source: AyCnklzHb7.dll Binary string: \Device\HarddiskVolume3\Program Files (x86)\Huorong\Sysdiag\bin\wsctrlsvc.exe
Source: AyCnklzHb7.dll Binary string: \Device\HarddiskVolume3\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Vault\4BF4C442-9B8A-41A0-B380-DD4A704DDB2808e.cdf-ms9a3ceb6c.manifestt
Source: AyCnklzHb7.dll Binary string: \Device\HarddiskVolume3\Windows\System32\wbem\wmiutils.dll008
Source: AyCnklzHb7.dll Binary string: \Device\HarddiskVolume3\Program Files (x86)\Microsoft\EdgeCore\128.0.2739.79\libGLESv2.dll:WofCompressedData
Source: AyCnklzHb7.dll Binary string: \Device\HarddiskVolume3\Windows\System32\pnidui.dllkagesR
Source: AyCnklzHb7.dll Binary string: \Device\HarddiskVolume3\Windows\System32\ncryptsslp.dll
Source: AyCnklzHb7.dll Binary string: \Device\HarddiskVolume3\Windows\InputMethod\CHS\ChsPinyinFamilyName.lex\ChsChsPinyinHap_s.lex
Source: AyCnklzHb7.dll Binary string: \Device\HarddiskVolume3\Windows\System32\Windows.UI.Shell.dll
Source: AyCnklzHb7.dll Binary string: \Device\HarddiskVolume3\Windows.old\ProgramDatas (x86)ftpsl
Source: AyCnklzHb7.dll Binary string: \Device\HarddiskVolume3\Windows\System32\Windows.Media.Devices.dllerationId
Source: AyCnklzHb7.dll Binary string: \Device\HarddiskVolume3\Windows\System32\zh-CN\twinui.dll.mui6
Source: AyCnklzHb7.dll Binary string: \Device\HarddiskVolume3\Windows\System32\ActionCenter.dllester0
Source: AyCnklzHb7.dll Binary string: \Device\HarddiskVolume3\Windows\SysWOW64\wscapi.dlllrt.dlll
Source: AyCnklzHb7.dll Binary string: \Device\HarddiskVolume3\Windows\System32\aadWamExtension.dll1pn
Source: AyCnklzHb7.dll Binary string: \Device\HarddiskVolume3\Windows\System32\SecureTimeAggregator.dllSystemRoot=C:\WindowsSystemDrive=C:WinDir=C:\WindowsCommonProgramFile
Source: AyCnklzHb7.dll Binary string: \Device\HarddiskVolume3\Windows\Logs\CBS\CBS.logSlller.exe
Source: AyCnklzHb7.dll Binary string: \Device\HarddiskVolume3\Windows\System32\StateRepository.Core.dllem32\config\systemprofilewind
Source: AyCnklzHb7.dll Binary string: \Device\HarddiskVolume3\Windows\System32\AudioSrvPolicyManager.dllerationId
Source: AyCnklzHb7.dll Binary string: \Device\HarddiskVolume3\Windows\System32\msftedit.dlle\common
Source: AyCnklzHb7.dll Binary string: \Device\HarddiskVolume3\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Vault\4BF4C442-9B8A-41A0-B380-DD4A704DDB28\Policy.vpolSysTray
Source: AyCnklzHb7.dll Binary string: \Device\HarddiskVolume3\Windows\System32\cscobj.dllysdiag\bin
Source: AyCnklzHb7.dll Binary string: \Device\HarddiskVolume3\Windows\System32\icuin.dllws\wfp
Source: AyCnklzHb7.dll Binary string: \Device\HarddiskVolume3\Windows\System32\fdWSD.dllI.dllll
Source: AyCnklzHb7.dll Binary string: \Device\HarddiskVolume3\Windows\System32\MCCSPal.dllll.mui
Source: AyCnklzHb7.dll Binary string: \Device\HarddiskVolume3\ProgramData\Huorong\Sysdiag\db\behav.db
Source: AyCnklzHb7.dll Binary string: \Device\HarddiskVolume3\Windows\System32\zh-CN\kernel32.dll.mui
Source: rundll32.exe, 00000006.00000002.1854261533.00007FFDFB7C1000.00000002.00000001.01000000.00000003.sdmp, AyCnklzHb7.dll Binary or memory string: \BurnameDoxe.vbp
Source: rundll32.exe, 00000006.00000002.1854261533.00007FFDFB7C1000.00000002.00000001.01000000.00000003.sdmp, AyCnklzHb7.dll Binary or memory string: 0\BurnameDoxe.vbp 0\BurnameDoxe.vbp%
Source: classification engine Classification label: clean9.winDLL@15/5@1/0
Source: C:\Windows\System32\rundll32.exe Code function: 6_2_00007FFDFB761A94 CoCreateInstance, 6_2_00007FFDFB761A94
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7308:120:WilError_03
Source: C:\Windows\System32\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7448
Source: C:\Windows\System32\WerFault.exe File created: C:\ProgramData\Microsoft\Windows\WER\Temp\c7f2ebc2-0365-4122-9168-4c8cc2224e09
Source: AyCnklzHb7.dll Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Windows\System32\loaddll64.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\AyCnklzHb7.dll",#1
Source: unknown Process created: C:\Windows\System32\loaddll64.exe loaddll64.exe "C:\Users\user\Desktop\AyCnklzHb7.dll"
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\AyCnklzHb7.dll",#1
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\regsvr32.exe regsvr32.exe /s C:\Users\user\Desktop\AyCnklzHb7.dll
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\AyCnklzHb7.dll,DllCanUnloadNow
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\AyCnklzHb7.dll,DllGetClassObject
Source: C:\Windows\System32\rundll32.exe Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 7448 -s 420
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\AyCnklzHb7.dll,DllRegisterServer
Source: C:\Windows\System32\loaddll64.exe Section loaded: apphelp.dll
Source: C:\Windows\System32\loaddll64.exe Section loaded: iphlpapi.dll
Source: C:\Windows\System32\loaddll64.exe Section loaded: ntmarta.dll
Source: C:\Windows\System32\loaddll64.exe Section loaded: mobilenetworking.dll
Source: C:\Windows\System32\loaddll64.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\loaddll64.exe Section loaded: windows.storage.dll
Source: C:\Windows\System32\loaddll64.exe Section loaded: wldp.dll
Source: C:\Windows\System32\loaddll64.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\regsvr32.exe Section loaded: apphelp.dll
Source: C:\Windows\System32\regsvr32.exe Section loaded: aclayers.dll
Source: C:\Windows\System32\regsvr32.exe Section loaded: sfc.dll
Source: C:\Windows\System32\regsvr32.exe Section loaded: sfc_os.dll
Source: C:\Windows\System32\regsvr32.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\regsvr32.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\regsvr32.exe Section loaded: iphlpapi.dll
Source: C:\Windows\System32\regsvr32.exe Section loaded: ntmarta.dll
Source: C:\Windows\System32\regsvr32.exe Section loaded: mobilenetworking.dll
Source: C:\Windows\System32\regsvr32.exe Section loaded: windows.storage.dll
Source: C:\Windows\System32\regsvr32.exe Section loaded: wldp.dll
Source: AyCnklzHb7.dll Static PE information: Image base 0x180000000 > 0x60000000
Source: AyCnklzHb7.dll Static file information: File size 2177024 > 1048576
Source: AyCnklzHb7.dll Static PE information: Raw size of .rsrc (0x1b5a00) is bigger than 0x100000
Source: AyCnklzHb7.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: AyCnklzHb7.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: AyCnklzHb7.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: AyCnklzHb7.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: AyCnklzHb7.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: AyCnklzHb7.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: AyCnklzHb7.dll Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, GUARD_CF
Source: AyCnklzHb7.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: pnidui.pdbUGP source: rundll32.exe, 00000006.00000002.1854222306.00007FFDFB767000.00000002.00000001.01000000.00000003.sdmp, AyCnklzHb7.dll
Source: Binary string: \ICS_Release\Setup.pdb source: rundll32.exe, 00000006.00000002.1854261533.00007FFDFB7C1000.00000002.00000001.01000000.00000003.sdmp, AyCnklzHb7.dll
Source: Binary string: \magadan21\loader\objfre_wxp_x86\i386\Loader.pdb source: rundll32.exe, 00000006.00000002.1854261533.00007FFDFB7C1000.00000002.00000001.01000000.00000003.sdmp, AyCnklzHb7.dll
Source: Binary string: \work\urlgl\driver2\objfre_wxp_x86\i386\MekeAttManage.pdb source: rundll32.exe, 00000006.00000002.1854261533.00007FFDFB7C1000.00000002.00000001.01000000.00000003.sdmp, AyCnklzHb7.dll
Source: Binary string: 0\SearchRecover.pdb( source: rundll32.exe, 00000006.00000002.1854261533.00007FFDFB7C1000.00000002.00000001.01000000.00000003.sdmp, AyCnklzHb7.dll
Source: Binary string: "0\7to\apphelp\Release\injectdll.pdbR source: rundll32.exe, 00000006.00000002.1854261533.00007FFDFB7C1000.00000002.00000001.01000000.00000003.sdmp, AyCnklzHb7.dll
Source: Binary string: \Release\Wallpaper.pdb source: rundll32.exe, 00000006.00000002.1854261533.00007FFDFB7C1000.00000002.00000001.01000000.00000003.sdmp, AyCnklzHb7.dll
Source: Binary string: 0\IrCS_Release\Setup.pdb/ source: rundll32.exe, 00000006.00000002.1854261533.00007FFDFB7C1000.00000002.00000001.01000000.00000003.sdmp, AyCnklzHb7.dll
Source: Binary string: \SearchRecover.pdb source: rundll32.exe, 00000006.00000002.1854261533.00007FFDFB7C1000.00000002.00000001.01000000.00000003.sdmp, AyCnklzHb7.dll
Source: Binary string: 0\BLDService.pdb6 source: rundll32.exe, 00000006.00000002.1854261533.00007FFDFB7C1000.00000002.00000001.01000000.00000003.sdmp, AyCnklzHb7.dll
Source: Binary string: 0\ICS_Release\Setup.pdb9 source: rundll32.exe, 00000006.00000002.1854261533.00007FFDFB7C1000.00000002.00000001.01000000.00000003.sdmp, AyCnklzHb7.dll
Source: Binary string: \IrCS_Release\Setup.pdb source: rundll32.exe, 00000006.00000002.1854261533.00007FFDFB7C1000.00000002.00000001.01000000.00000003.sdmp, AyCnklzHb7.dll
Source: Binary string: \bbcomm.pdb source: rundll32.exe, 00000006.00000002.1854261533.00007FFDFB7C1000.00000002.00000001.01000000.00000003.sdmp, AyCnklzHb7.dll
Source: Binary string: 90\work\urlgl\driver2\objfre_wxp_x86\i386\MekeAttManage.pdb= source: rundll32.exe, 00000006.00000002.1854261533.00007FFDFB7C1000.00000002.00000001.01000000.00000003.sdmp, AyCnklzHb7.dll
Source: Binary string: 0\bbhelper.pdb$ source: rundll32.exe, 00000006.00000002.1854261533.00007FFDFB7C1000.00000002.00000001.01000000.00000003.sdmp, AyCnklzHb7.dll
Source: Binary string: 0\setupplugins.pdb& source: rundll32.exe, 00000006.00000002.1854261533.00007FFDFB7C1000.00000002.00000001.01000000.00000003.sdmp, AyCnklzHb7.dll
Source: Binary string: \bbhelper.pdb source: rundll32.exe, 00000006.00000002.1854261533.00007FFDFB7C1000.00000002.00000001.01000000.00000003.sdmp, AyCnklzHb7.dll
Source: Binary string: \WallpaperInstall\release\WallpaperInstall.pdb source: rundll32.exe, 00000006.00000002.1854261533.00007FFDFB7C1000.00000002.00000001.01000000.00000003.sdmp, AyCnklzHb7.dll
Source: Binary string: 0 \magadan21\loader\objfre_wxp_x86\i386\Loader.pdb% source: rundll32.exe, 00000006.00000002.1854261533.00007FFDFB7C1000.00000002.00000001.01000000.00000003.sdmp, AyCnklzHb7.dll
Source: Binary string: \Release\Wallpaper.pdbG source: rundll32.exe, 00000006.00000002.1854261533.00007FFDFB7C1000.00000002.00000001.01000000.00000003.sdmp, AyCnklzHb7.dll
Source: Binary string: \setupplugins.pdb source: rundll32.exe, 00000006.00000002.1854261533.00007FFDFB7C1000.00000002.00000001.01000000.00000003.sdmp, AyCnklzHb7.dll
Source: Binary string: 0\bbcomm.pdb2 source: rundll32.exe, 00000006.00000002.1854261533.00007FFDFB7C1000.00000002.00000001.01000000.00000003.sdmp, AyCnklzHb7.dll
Source: Binary string: \Release\Laban.pdb source: rundll32.exe, 00000006.00000002.1854261533.00007FFDFB7C1000.00000002.00000001.01000000.00000003.sdmp, AyCnklzHb7.dll
Source: Binary string: 0\weiduan.pdb+ source: rundll32.exe, 00000006.00000002.1854261533.00007FFDFB7C1000.00000002.00000001.01000000.00000003.sdmp, AyCnklzHb7.dll
Source: Binary string: \BLDService.pdb source: rundll32.exe, 00000006.00000002.1854261533.00007FFDFB7C1000.00000002.00000001.01000000.00000003.sdmp, AyCnklzHb7.dll
Source: Binary string: 0\ExtWatcher.pdbB source: rundll32.exe, 00000006.00000002.1854261533.00007FFDFB7C1000.00000002.00000001.01000000.00000003.sdmp, AyCnklzHb7.dll
Source: Binary string: pnidui.pdb source: rundll32.exe, 00000006.00000002.1854222306.00007FFDFB767000.00000002.00000001.01000000.00000003.sdmp, AyCnklzHb7.dll
Source: Binary string: \weiduan.pdb source: rundll32.exe, 00000006.00000002.1854261533.00007FFDFB7C1000.00000002.00000001.01000000.00000003.sdmp, AyCnklzHb7.dll
Source: Binary string: .0\WallpaperInstall\release\WallpaperInstall.pdbb source: rundll32.exe, 00000006.00000002.1854261533.00007FFDFB7C1000.00000002.00000001.01000000.00000003.sdmp, AyCnklzHb7.dll
Source: Binary string: \ExtWatcher.pdb source: rundll32.exe, 00000006.00000002.1854261533.00007FFDFB7C1000.00000002.00000001.01000000.00000003.sdmp, AyCnklzHb7.dll
Source: Binary string: \Release\Laban.pdb source: rundll32.exe, 00000006.00000002.1854261533.00007FFDFB7C1000.00000002.00000001.01000000.00000003.sdmp, AyCnklzHb7.dll
Source: Binary string: \7to\apphelp\Release\injectdll.pdb source: rundll32.exe, 00000006.00000002.1854261533.00007FFDFB7C1000.00000002.00000001.01000000.00000003.sdmp, AyCnklzHb7.dll
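The PDB paths above sit in a single DLL yet name unrelated projects (Loader.pdb, injectdll.pdb, MekeAttManage.pdb, Wallpaper.pdb and others), and the report also flags executable resources and a 0x1b5a00-byte .rsrc; together that points to other binaries being embedded in the resource section. An added example, not code from the report or from the sample's authors: a stdlib-only Python carver that walks a blob for DOS/PE header pairs and for CodeView RSDS records, the record a linker writes the PDB path into. The blob it runs on is constructed inline from stub headers; the two PDB paths are copied from the list above, while the GUID, ages, offsets and the KNOWN_MACHINES allow-list are assumptions.

```python
"""Carve embedded PE headers and CodeView (RSDS) PDB records out of a byte blob,
the way you would walk a large .rsrc that a report flags as holding code.
SAMPLE_BLOB is constructed test data, not the analyzed sample's resources."""
import struct
import uuid

# Machine values a carver should accept (I386, AMD64, ARMNT, ARM64); assumed list.
KNOWN_MACHINES = {0x014C, 0x8664, 0x01C4, 0xAA64}


def carve_pe_headers(blob):
    """Return [(offset, machine, number_of_sections)] for every 'MZ' whose e_lfanew
    lands on a 'PE\\0\\0' signature with a plausible COFF header. The range and
    machine checks weed out the many 'MZ' byte pairs that occur by chance."""
    hits = []
    pos = blob.find(b"MZ")
    while pos != -1:
        if pos + 0x40 <= len(blob):
            (e_lfanew,) = struct.unpack_from("<I", blob, pos + 0x3C)
            pe = pos + e_lfanew
            if 0x40 <= e_lfanew < 0x1000 and pe + 24 <= len(blob) and blob[pe:pe + 4] == b"PE\0\0":
                machine, nsec = struct.unpack_from("<HH", blob, pe + 4)
                if machine in KNOWN_MACHINES and 0 < nsec <= 96:
                    hits.append((pos, machine, nsec))
        pos = blob.find(b"MZ", pos + 1)
    return hits


def carve_rsds(blob):
    """Return [(offset, guid, age, pdb_path)] for every CodeView RSDS record:
    'RSDS' + 16-byte GUID (little-endian fields) + 4-byte age + NUL-terminated path."""
    out = []
    pos = blob.find(b"RSDS")
    while pos != -1:
        end = blob.find(b"\0", pos + 24)          # end of the path; also proves 24 bytes exist
        if end != -1:
            guid = uuid.UUID(bytes_le=bytes(blob[pos + 4:pos + 20]))
            (age,) = struct.unpack_from("<I", blob, pos + 20)
            path = blob[pos + 24:end].decode("ascii", "replace")
            if path.lower().endswith(".pdb"):    # drops 'RSDS' byte runs that are not records
                out.append((pos, str(guid), age, path))
        pos = blob.find(b"RSDS", pos + 1)
    return out


def _stub_pe(machine, nsec):
    """Constructed stub: DOS header (e_lfanew = 0x40) + 'PE\\0\\0' + 20-byte COFF header."""
    return (b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40) + b"PE\0\0"
            + struct.pack("<HHIIIHH", machine, nsec, 0, 0, 0, 0, 0))


def _stub_rsds(path, age):
    """Constructed RSDS record with a made-up GUID; the paths used below come from the report."""
    return b"RSDS" + uuid.UUID(int=0x1234).bytes_le + struct.pack("<I", age) + path.encode() + b"\0"


SAMPLE_BLOB = (b"\x90" * 37
               + _stub_pe(0x8664, 5)                                   # an x64 image at offset 37
               + b"junk MZ junk RSDS not a record"                      # false positives to reject
               + _stub_rsds(r"\magadan21\loader\objfre_wxp_x86\i386\Loader.pdb", 1)
               + b"\xff" * 11
               + _stub_pe(0x014C, 4)                                   # an x86 image at offset 239
               + _stub_rsds(r"\7to\apphelp\Release\injectdll.pdb", 3)
               + b"\0" * 16)


if __name__ == "__main__":
    for off, machine, nsec in carve_pe_headers(SAMPLE_BLOB):
        print(f"PE header at {off:#x}: machine={machine:#06x} sections={nsec}")
    for off, guid, age, path in carve_rsds(SAMPLE_BLOB):
        print(f"RSDS at {off:#x}: {guid} age={age} {path}")
```

Run it over the raw bytes of the .rsrc section (or the whole file) instead of SAMPLE_BLOB; a hit's offset is where to start carving, and the RSDS path often names the embedded project even when the image is otherwise stripped.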
Source: AyCnklzHb7.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: AyCnklzHb7.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: AyCnklzHb7.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: AyCnklzHb7.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: AyCnklzHb7.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
Source: AyCnklzHb7.dll Static PE information: TimeDateStamp 0xF8230CE3 [Sat Dec 3 09:50:27 2101 UTC]
Source: AyCnklzHb7.dll Static PE information: real checksum: 0x220b18 should be: 0x218b28
Source: AyCnklzHb7.dll Static PE information: section name: .didat
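The checksum mismatch, the 2101 TimeDateStamp and the .didat section name above are static header checks that can be rerun offline. An added example, not the sandbox's code: a stdlib-only Python triage that recomputes the PE checksum with the imagehlp algorithm (16-bit one's-complement sum skipping the CheckSum field, plus the file length), decodes the link timestamp, compares section names against an allow-list and decodes DllCharacteristics. It works on a constructed PE32+ stub built in memory rather than on the sample; STANDARD_SECTIONS is an assumed allow-list and includes .didat because that is the MSVC linker's delay-load import section, so the non-standard-name hit on it is weak evidence by itself.

```python
"""Static PE triage (stdlib only): recompute the header checksum, decode the
link timestamp, list section names and DllCharacteristics. The PE it checks is a
constructed PE32+ stub built in memory, not the analyzed sample."""
import struct
from datetime import datetime, timedelta, timezone

# Assumed allow-list of linker-emitted section names; .didat is MSVC's
# delay-load import section, so it is not a red flag on its own.
STANDARD_SECTIONS = {".text", ".rdata", ".data", ".pdata", ".idata", ".edata",
                     ".rsrc", ".reloc", ".tls", ".bss", ".didat", ".gfids", ".00cfg"}
DLL_CHARACTERISTICS = {0x0020: "HIGH_ENTROPY_VA", 0x0040: "DYNAMIC_BASE",
                       0x0100: "NX_COMPAT", 0x4000: "GUARD_CF"}


def _pe_offset(data):
    """Offset of the 'PE\\0\\0' signature, taken from the DOS header's e_lfanew."""
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    return e_lfanew


def pe_checksum(data):
    """CheckSum as imagehlp computes it: one's-complement sum of the file's 16-bit
    words, with the CheckSum field itself excluded, plus the file length.
    (The 0 vs 0xFFFF form of a zero sum is not special-cased here.)"""
    field = _pe_offset(data) + 24 + 0x40             # CheckSum is at +0x40 in PE32 and PE32+
    buf = bytearray(data) + b"\0" * (len(data) % 2)  # pad an odd length to whole words
    buf[field:field + 4] = b"\0\0\0\0"               # zeroing the field == skipping it in a sum
    total = sum(w for (w,) in struct.iter_unpack("<H", buf))
    while total >> 16:                               # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return total + len(data)


def stored_checksum(data):
    return struct.unpack_from("<I", data, _pe_offset(data) + 24 + 0x40)[0]


def header_timestamp(data):
    """COFF TimeDateStamp as an aware UTC datetime (pure arithmetic, so years past 2038 work)."""
    (ts,) = struct.unpack_from("<I", data, _pe_offset(data) + 8)
    return datetime(1970, 1, 1, tzinfo=timezone.utc) + timedelta(seconds=ts)


def section_names(data):
    pe = _pe_offset(data)
    (count,) = struct.unpack_from("<H", data, pe + 6)
    (opt_size,) = struct.unpack_from("<H", data, pe + 20)
    table = pe + 24 + opt_size                       # section table follows the optional header
    return [data[table + 40 * i:table + 40 * i + 8].rstrip(b"\0").decode("ascii", "replace")
            for i in range(count)]


def dll_characteristics(data):
    (flags,) = struct.unpack_from("<H", data, _pe_offset(data) + 24 + 0x46)
    return [name for bit, name in sorted(DLL_CHARACTERISTICS.items()) if flags & bit]


def triage(data, now=None):
    """The findings a sandbox's static PE checks raise, as one dict."""
    now = now or datetime.now(timezone.utc)
    ts = header_timestamp(data)
    return {
        "checksum_stored": stored_checksum(data),
        "checksum_computed": pe_checksum(data),
        "checksum_ok": stored_checksum(data) == pe_checksum(data),
        "timestamp": ts.strftime("%Y-%m-%d %H:%M:%S"),
        "timestamp_in_future": ts > now,
        "nonstandard_sections": [s for s in section_names(data) if s not in STANDARD_SECTIONS],
        "dll_characteristics": dll_characteristics(data),
    }


def build_minimal_pe(timestamp, sections, checksum=0, dll_chars=0x4160):
    """Constructed PE32+ DLL stub: 0x200 bytes of headers, then 0x200 bytes of filler
    per section. Enough structure for the checks above; it would not load."""
    if not 0 < len(sections) <= 4:
        raise ValueError("stub supports 1..4 sections")
    align, n = 0x200, len(sections)
    coff = struct.pack("<HHIIIHH", 0x8664, n, timestamp, 0, 0, 0xF0, 0x2022)
    opt = struct.pack("<HBBIIIIIQIIHHHHHHIIIIHHQQQQII",
                      0x20B, 14, 0, align, align * n, 0, 0x1000, 0x1000, 0x180000000,
                      0x1000, align, 6, 0, 0, 0, 6, 0, 0, 0x1000 * (n + 1), align,
                      checksum, 2, dll_chars, 0x100000, 0x1000, 0x100000, 0x1000, 0, 16)
    opt += b"\0" * 128                               # 16 empty data directories
    table = b"".join(
        struct.pack("<8sIIIIIIHHI", name.encode().ljust(8, b"\0"), align, 0x1000 * (i + 1),
                    align, align * (i + 1), 0, 0, 0, 0,
                    0x60000020 if name == ".text" else 0x40000040)
        for i, name in enumerate(sections))
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)
    headers = (dos + b"PE\0\0" + coff + opt + table).ljust(align, b"\0")
    return headers + b"".join(bytes([0x90 + i]) * align for i in range(n))


if __name__ == "__main__":
    stub = build_minimal_pe(0xF8230CE3, [".text", ".rdata", ".didat", ".xyz"], checksum=0x220B18)
    for key, value in triage(stub).items():
        print(f"{key:22} {value}")
```

To run it on a real file, pass `open(path, "rb").read()` to `triage`. A future timestamp is only meaningful when the image is not a reproducible build: MSVC's /Brepro deliberately stores a hash rather than the link time in TimeDateStamp, and a checksum of zero simply means the linker was not asked to compute one.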
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX (4 occurrences)
Source: C:\Windows\System32\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX (5 occurrences)
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX (51 occurrences)
Source: C:\Windows\System32\rundll32.exe API coverage: 0.0 %
Source: C:\Windows\System32\loaddll64.exe TID: 7304 Thread sleep time: -120000s >= -30000s
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\loaddll64.exe Thread delayed: delay time: 120000
Source: Amcache.hve.9.dr Binary or memory string: VMware
Source: Amcache.hve.9.dr Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.9.dr Binary or memory string: vmci.syshbin
Source: Amcache.hve.9.dr Binary or memory string: VMware, Inc.
Source: Amcache.hve.9.dr Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.9.dr Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.9.dr Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.9.dr Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.9.dr Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.9.dr Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: Amcache.hve.9.dr Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.9.dr Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.9.dr Binary or memory string: vmci.sys
Source: Amcache.hve.9.dr Binary or memory string: VMware-56 4d 43 71 48 15 3d ed-ae e6 c7 5a ec d9 3b f0
Source: Amcache.hve.9.dr Binary or memory string: vmci.syshbin`
Source: Amcache.hve.9.dr Binary or memory string: \driver\vmci,\driver\pci
Source: Amcache.hve.9.dr Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.9.dr Binary or memory string: VMware20,1
Source: Amcache.hve.9.dr Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.9.dr Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.9.dr Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.9.dr Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.9.dr Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.9.dr Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.9.dr Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.9.dr Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.9.dr Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.9.dr Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: Amcache.hve.9.dr Binary or memory string: vmci.inf_amd64_68ed49469341f563
Source: C:\Windows\System32\rundll32.exe Process queried: DebugPort (2 occurrences)
Source: C:\Windows\System32\rundll32.exe Code function: 6_2_00007FFDFB7217E0 ActivateActCtx,GetClassInfoExW,GetLastError,DeactivateActCtx,SetLastError,OutputDebugStringA,GetLastError, 6_2_00007FFDFB7217E0
Source: C:\Windows\System32\rundll32.exe Code function: 6_2_00007FFDFB72A3F0 memset,GetProcAddress,GetProcessHeap,HeapFree,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapFree, 6_2_00007FFDFB72A3F0
Source: C:\Windows\System32\rundll32.exe Code function: 6_2_00007FFDFB72E144 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 6_2_00007FFDFB72E144
Source: rundll32.exe Binary or memory string: Shell_TrayWnd
Source: rundll32.exe, 00000006.00000002.1854222306.00007FFDFB767000.00000002.00000001.01000000.00000003.sdmp, AyCnklzHb7.dll Binary or memory string: \Comctl32.dllShell_TrayWndNetwork FlyoutAtlThunk_FreeDataAtlThunk_DataToCodeAtlThunk_InitDataAtlThunk_AllocateDataatlthunk.dllWilStaging_02
Source: C:\Windows\System32\rundll32.exe Code function: 6_2_00007FFDFB724240 EnterCriticalSection,EnterCriticalSection,ConvertInterfaceGuidToLuid,GetIfEntry2Ex,LeaveCriticalSection,LeaveCriticalSection,OpenSCManagerW,OpenServiceW,CloseServiceHandle,QueryServiceStatus,SubscribeServiceChangeNotifications,EnterCriticalSection,LeaveCriticalSection,EnterCriticalSection,ConvertInterfaceGuidToLuid,GetIfEntry2Ex,LeaveCriticalSection,CreateThreadpoolTimer,GetSystemTimeAsFileTime,SetThreadpoolTimer,GetLastError,GetLastError,GetLastError,CloseServiceHandle,PostMessageW,GetLastError, 6_2_00007FFDFB724240
Source: rundll32.exe, 00000006.00000002.1854261533.00007FFDFB7C1000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: KSafeTray.exe
Source: Amcache.hve.9.dr Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.9.dr Binary or memory string: msmpeng.exe
Source: Amcache.hve.9.dr Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.9.dr Binary or memory string: MsMpEng.exe
No contacted IP infos