
Windows Analysis Report
desaremix.exe

Overview

General Information

Sample name: desaremix.exe
Analysis ID: 1631383
MD5: 798f093399cdacd81114c62c8a88f7ac
SHA1: d6e0e7925578a202945a2da15176e158fe85b619
SHA256: 03834e6c7a8bac7bb283f0ffca293cda50b4547237cc32c8b6e16501771cb705
Tags: exe gdi mbrkiller trojan user-2huMarisa

Detection

KillMBR
Score: 64 (range 0 - 100)
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Yara detected KillMBR
Contains functionality to access PhysicalDrive, possible boot sector overwrite
Contains functionality to infect the boot sector
Deletes itself after installation
Disable Task Manager (disabletaskmgr)
Disables CMD prompt
Disables the Windows registry editor (regedit)
Disables the Windows task manager (taskmgr)
Infects the VBR (Volume Boot Record) of the hard disk
Joe Sandbox ML detected suspicious sample
Protects its processes via BreakOnTermination flag
Tries to detect virtualization through RDTSC time measurements
Writes directly to the primary disk partition (DR0)
Allocates memory with a write watch (potentially for evading sandboxes)
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to dynamically determine API calls
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
IP address seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains sections with non-standard names
Queries disk information (often used to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Shows file infection / information gathering behavior (enumerates multiple directories for files)
Sigma detected: Excel Network Connections
Sigma detected: Suspicious Office Outbound Connections
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • desaremix.exe (PID: 7400 cmdline: "C:\Users\user\Desktop\desaremix.exe" MD5: 798F093399CDACD81114C62C8A88F7AC)
    • ????????????????.exe (PID: 7420 cmdline: "C:\Users\user\AppData\Local\Temp\????????????????.exe" MD5: 798F093399CDACD81114C62C8A88F7AC)
      • notepad.exe (PID: 7796 cmdline: "C:\Windows\system32\NOTEPAD.EXE" C:\$Recycle.Bin\S-1-5-21-2246122658-3693405117-2476756634-1000\desktop.ini MD5: E92D3A824A0578A50D2DD81B5060145F)
      • notepad.exe (PID: 8236 cmdline: "C:\Windows\system32\NOTEPAD.EXE" C:\Users\user\Desktop\desktop.ini MD5: E92D3A824A0578A50D2DD81B5060145F)
      • notepad.exe (PID: 8276 cmdline: "C:\Windows\system32\NOTEPAD.EXE" C:\Users\user\Desktop\desktop.ini MD5: E92D3A824A0578A50D2DD81B5060145F)
      • notepad.exe (PID: 8772 cmdline: "C:\Windows\system32\NOTEPAD.EXE" C:\$Recycle.Bin\S-1-5-21-2246122658-3693405117-2476756634-1001\desktop.ini MD5: E92D3A824A0578A50D2DD81B5060145F)
      • WINWORD.EXE (PID: 8808 cmdline: "C:\Program Files (x86)\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\user\Desktop\DVWHKMNFNN.docx" /o "" MD5: 1A0C2C2E7D9C4BC18E91604E9B0C7678)
      • WINWORD.EXE (PID: 8816 cmdline: "C:\Program Files (x86)\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\user\Desktop\DVWHKMNFNN.docx" /o "" MD5: 1A0C2C2E7D9C4BC18E91604E9B0C7678)
      • notepad.exe (PID: 5724 cmdline: "C:\Windows\system32\NOTEPAD.EXE" C:\$Recycle.Bin\S-1-5-21-2246122658-3693405117-2476756634-1002\desktop.ini MD5: E92D3A824A0578A50D2DD81B5060145F)
      • EXCEL.EXE (PID: 8744 cmdline: "C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE" MD5: 4A871771235598812032C822E6F68F19)
      • EXCEL.EXE (PID: 1284 cmdline: "C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE" MD5: 4A871771235598812032C822E6F68F19)
      • WINWORD.EXE (PID: 8372 cmdline: "C:\Program Files (x86)\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\user\Desktop\HTAGVDFUIE.docx" /o "" MD5: 1A0C2C2E7D9C4BC18E91604E9B0C7678)
      • WINWORD.EXE (PID: 5696 cmdline: "C:\Program Files (x86)\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\user\Desktop\HTAGVDFUIE.docx" /o "" MD5: 1A0C2C2E7D9C4BC18E91604E9B0C7678)
      • EXCEL.EXE (PID: 932 cmdline: "C:\Program Files (x86)\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\user\Desktop\KATAXZVCPS.xlsx" MD5: 4A871771235598812032C822E6F68F19)
      • EXCEL.EXE (PID: 940 cmdline: "C:\Program Files (x86)\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\user\Desktop\KATAXZVCPS.xlsx" MD5: 4A871771235598812032C822E6F68F19)
      • EXCEL.EXE (PID: 6232 cmdline: "C:\Program Files (x86)\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\user\Desktop\LTKMYBSEYZ.xlsx" MD5: 4A871771235598812032C822E6F68F19)
      • EXCEL.EXE (PID: 6196 cmdline: "C:\Program Files (x86)\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\user\Desktop\LTKMYBSEYZ.xlsx" MD5: 4A871771235598812032C822E6F68F19)
      • hh.exe (PID: 6220 cmdline: "C:\Windows\hh.exe" C:\Program Files\7-Zip\7-zip.chm MD5: 2C8FE78D53C8CA27523A71DFD2938241)
      • 7z.exe (PID: 6376 cmdline: "C:\Program Files\7-Zip\7z.exe" MD5: 9A1DD1D96481D61934DCC2D568971D06)
        • conhost.exe (PID: 6052 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • Music.UI.exe (PID: 2908 cmdline: "C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe" -ServerName:Microsoft.ZuneMusic.AppX48dcrcgzqqdshm3kf61t0cm5e9pyd6h6.mca MD5: F963F75C0AD152437E10D656A00793A3)
  • rundll32.exe (PID: 8700 cmdline: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding MD5: EF3179D498793BF4234F708D3BE28633)
No configs have been found
Yara matches

Source | Rule | Description | Author
Process Memory Space: desaremix.exe PID: 7400 | JoeSecurity_KillMBR | Yara detected KillMBR | Joe Security
Process Memory Space: ????????????????.exe PID: 7420 | JoeSecurity_KillMBR | Yara detected KillMBR | Joe Security
0.2.desaremix.exe.310000.0.unpack | JoeSecurity_KillMBR | Yara detected KillMBR | Joe Security
0.0.desaremix.exe.310000.0.unpack | JoeSecurity_KillMBR | Yara detected KillMBR | Joe Security
1.2.????????????????.exe.6c0000.0.unpack | JoeSecurity_KillMBR | Yara detected KillMBR | Joe Security
1.0.????????????????.exe.6c0000.0.unpack | JoeSecurity_KillMBR | Yara detected KillMBR | Joe Security

Sigma matches

Source: Network Connection | Author: Christopher Peacock '@securepeacock', SCYTHE '@scythe_io', Florian Roth '@Neo23x0', Tim Shelton | Data: DestinationIp: 52.123.129.14, DestinationIsIpv6: false, DestinationPort: 443, EventID: 3, Image: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE, Initiated: true, ProcessId: 8744, Protocol: tcp, SourceIp: 192.168.2.4, SourceIsIpv6: false, SourcePort: 49760
Source: Network Connection | Author: X__Junior (Nextron Systems) | Data: DestinationIp: 192.168.2.4, DestinationIsIpv6: false, DestinationPort: 49751, EventID: 3, Image: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE, Initiated: true, ProcessId: 8808, Protocol: tcp, SourceIp: 52.123.129.14, SourceIsIpv6: false, SourcePort: 443

Suricata alerts

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2025-03-07T01:52:53.290701+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 49751 | 52.123.129.14 | 443 | TCP
2025-03-07T01:52:56.405402+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 49762 | 52.123.129.14 | 443 | TCP
2025-03-07T01:52:58.336410+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 49760 | 52.123.129.14 | 443 | TCP
2025-03-07T01:53:13.644418+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 49769 | 52.123.129.14 | 443 | TCP
2025-03-07T01:53:13.646472+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 49770 | 52.123.129.14 | 443 | TCP
2025-03-07T01:53:22.324183+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 49790 | 13.107.246.67 | 443 | TCP
2025-03-07T01:53:24.730600+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 49776 | 52.123.128.14 | 443 | TCP
2025-03-07T01:53:24.737458+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 49774 | 52.123.128.14 | 443 | TCP
2025-03-07T01:53:42.339226+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 49795 | 13.107.246.67 | 443 | TCP
2025-03-07T01:53:48.665840+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 49785 | 52.123.128.14 | 443 | TCP
2025-03-07T01:53:48.726782+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 49784 | 52.123.128.14 | 443 | TCP
2025-03-07T01:53:55.157462+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 49787 | 52.123.128.14 | 443 | TCP
2025-03-07T01:53:58.368603+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 49789 | 52.123.128.14 | 443 | TCP


              AV Detection

Source: desaremix.exe | Avira: detected
Source: C:\Users\user\AppData\Local\Temp\????????????????.exe | Avira: detection malicious, Label: HEUR/AGEN.1318680
Source: C:\Users\user\AppData\Local\Temp\????????????????.exe | ReversingLabs: Detection: 52%
Source: desaremix.exe | ReversingLabs: Detection: 52%
Source: desaremix.exe | Virustotal: Detection: 63%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 98.1% probability
Source: desaremix.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: desaremix.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Binary string: C:\Users\ASUS\Documents\Malwares\My Creations\desaremix\Release\desaremix.pdb | source: desaremix.exe, ????????????????.exe.0.dr
Source: C:\Users\user\AppData\Local\Temp\????????????????.exe | Directory queried: number of queries: 1001
Source: C:\Users\user\Desktop\desaremix.exe | Code function: 0_2_003119C0 lstrcpyW,lstrcatW,FindFirstFileW,lstrcmpW,ShellExecuteW,lstrcmpW,lstrcmpW,lstrcpyW,lstrcatW,lstrcatW,ShellExecuteW,Sleep,FindNextFileW,FindClose,RemoveDirectoryW
Source: C:\Users\user\AppData\Local\Temp\????????????????.exe | Code function: 1_2_006C19C0 lstrcpyW,lstrcatW,FindFirstFileW,lstrcmpW,ShellExecuteW,lstrcmpW,lstrcmpW,lstrcpyW,lstrcatW,lstrcatW,ShellExecuteW,Sleep,FindNextFileW,FindClose,RemoveDirectoryW
Source: C:\Users\user\Desktop\desaremix.exe | Code function: 0_2_00311C30 LoadLibraryW,GetProcAddress,FreeLibrary,CreateThread,CloseHandle,CloseHandle,CreateFileW,WriteFile,CloseHandle,LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,FreeLibrary,RegCreateKeyExW,RegCreateKeyExW,RegSetValueExW,RegSetValueExW,RegCreateKeyExW,RegSetValueExW,RegCreateKeyExW,RegSetValueExW,RegCloseKey,Sleep,GetLogicalDriveStringsW,CreateThread,CreateThread,CloseHandle,CreateThread,CloseHandle,CreateThread,CreateThread,CloseHandle,CloseHandle,CreateThread,CloseHandle,LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,FreeLibrary,Sleep
Source: C:\Users\user\AppData\Local\Temp\????????????????.exe | File opened: C:\Users\user\AppData\Roaming
Source: C:\Users\user\AppData\Local\Temp\????????????????.exe | File opened: C:\Users\user
Source: C:\Users\user\AppData\Local\Temp\????????????????.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Internet Explorer
Source: C:\Users\user\AppData\Local\Temp\????????????????.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft
Source: C:\Users\user\AppData\Local\Temp\????????????????.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini
Source: C:\Users\user\AppData\Local\Temp\????????????????.exe | File opened: C:\Users\user\AppData
Source: Joe Sandbox View | IP Address: 95.101.148.7
Source: Joe Sandbox View | IP Address: 13.107.246.67
Source: Joe Sandbox View | IP Address: 52.123.129.14
Source: Joe Sandbox View | IP Address: 52.123.128.14
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update, 13 flows from 192.168.2.4: to 13.107.246.67:443 (source ports 49790, 49795), to 52.123.128.14:443 (49774, 49776, 49784, 49785, 49787, 49789), to 52.123.129.14:443 (49751, 49760, 49762, 49769, 49770)
Triage note: these flows belong to the EXCEL.EXE / WINWORD.EXE instances the sample launched through ShellExecuteW (the Sigma matches above name those processes), the destinations are Microsoft address space, and severity 3 is the lowest Suricata priority. Treat the JA3 hit as Office telemetry rather than sample command-and-control unless packet content shows otherwise; nothing in this report ties a network connection to desaremix.exe or its dropped copy themselves.
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic | DNS traffic detected: DNS query: settings-ssl.xboxlive.com
The strings below were found in the memory of hh.exe (the 7-Zip help viewer the sample launched) and Music.UI.exe (the Zune Music app, a separate root in the process tree), not in the sample's own code.
Source: hh.exe, 00000024.00000002.3599916331.000002591DAA3000.00000004.00000020.00020000.00000000.sdmp, hh.exe, 00000024.00000002.3599916331.000002591DA13000.00000004.00000020.00020000.00000000.sdmp, hh.exe, 00000024.00000002.3613273408.0000026125889000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.7-zip.org
Source: hh.exe, 00000024.00000002.3599916331.000002591DA13000.00000004.00000020.00020000.00000000.sdmp, hh.exe, 00000024.00000002.3613273408.0000026125889000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.7-zip.org/support.html
Source: hh.exe, 00000024.00000002.3599916331.000002591DAA3000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.7-zip.org9
Source: Music.UI.exe, 00000009.00000002.3661421891.000001E232400000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://activity.windows.com/UserActivity.ReadWrite.CreatedByApp
Source: Music.UI.exe, 00000009.00000002.3666997035.000001E232CA9000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://android.notify.windows.com/iOS
Source: Music.UI.exe, 00000009.00000002.3667955482.000001E232D53000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://android.notify.windows.com/iOSy
Source: Music.UI.exe, 00000009.00000002.3691704578.000001E23301B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com
Source: Music.UI.exe, 00000009.00000002.3691704578.000001E23301B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/
Source: Music.UI.exe, 00000009.00000002.3695893763.000001E23305A000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.windows.local
Source: Music.UI.exe, 00000009.00000002.3695893763.000001E23305A000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.windows.local/
Source: Music.UI.exe, 00000009.00000002.3695893763.000001E23305A000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.windows.net
Source: Music.UI.exe, 00000009.00000002.3695893763.000001E23305A000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.windows.net/
Source: Music.UI.exe, 00000009.00000002.3695893763.000001E23305A000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.windows.netete
Source: Music.UI.exe, 00000009.00000002.3662104598.000001E232540000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://musicart.xboxlive.com/9/5c6a4700-0000-0000-0000-000000000002/504/image.jpg
Source: Music.UI.exe, 00000009.00000002.3662104598.000001E232540000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://musicart.xboxlive.com/9/e74d4600-0000-0000-0000-000000000002/504/image.jpg
Source: Music.UI.exe, 00000009.00000002.3644171064.000001E23128E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://musicimage.xboxlive.com
Source: Music.UI.exe, 00000009.00000002.3697992513.000001E233227000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://settings-ssl.xboxlive.com/
Source: Music.UI.exe, 00000009.00000003.2024621740.000001E232D86000.00000004.00000020.00020000.00000000.sdmp, Music.UI.exe, 00000009.00000002.3660740574.000001E231E9A000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://settings-ssl.xboxlive.com/XBLWinClient/v10_music/configuration.xml
Source: Music.UI.exe, 00000009.00000002.3660740574.000001E231E9A000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://settings-ssl.xboxlive.com/XBLWinClient/v10_music/configuration.xml2
Source: Music.UI.exe, 00000009.00000002.3668381739.000001E232D79000.00000004.00000020.00020000.00000000.sdmp, Music.UI.exe, 00000009.00000003.2024621740.000001E232D86000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://settings-ssl.xboxlive.com/XBLWinClient/v10_music/configuration.xmlnal
Source: Music.UI.exe, 00000009.00000002.3631277748.000001E22A4B2000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://settings-ssl.xboxlive.com/XBLWinClient/v10_music/configuration.xmlset
Source: Music.UI.exe, 00000009.00000003.2024621740.000001E232D86000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://settings-ssl.xboxlive.com/XBLWinClient/v10_music/configuration.xmltio
Source: Music.UI.exe, 00000009.00000002.3695893763.000001E23305A000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://wns.windows.com/C:
Source: Music.UI.exe, 00000009.00000002.3695893763.000001E23305A000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://xsts.auth.xboxlive.com
Source: Music.UI.exe, 00000009.00000002.3695893763.000001E23305A000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://xsts.auth.xboxlive.com/P
Source: Music.UI.exe, 00000009.00000002.3662104598.000001E23255E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://xsts.auth.xboxlive.com5png1002
Source: unknown | Network traffic detected: HTTP traffic on port 443, in both directions, with client ports 49739, 49751, 49760, 49762, 49769, 49770, 49774, 49776, 49784, 49785, 49787, 49789, 49790 and 49795

              Spam, unwanted Advertisements and Ransom Demands

Source: Yara match | File source: 0.2.desaremix.exe.310000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.0.desaremix.exe.310000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.????????????????.exe.6c0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.0.????????????????.exe.6c0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: Process Memory Space: desaremix.exe PID: 7400, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: ????????????????.exe PID: 7420, type: MEMORYSTR

              Operating System Destruction

Source: Yara match | File source: 0.2.desaremix.exe.310000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.0.desaremix.exe.310000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.????????????????.exe.6c0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.0.????????????????.exe.6c0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: Process Memory Space: desaremix.exe PID: 7400, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: ????????????????.exe PID: 7420, type: MEMORYSTR
Source: C:\Users\user\Desktop\desaremix.exe | Code function: 0_2_00311C30 CreateFileW on filename \\.\PhysicalDrive0
Source: C:\Users\user\AppData\Local\Temp\????????????????.exe | Code function: 1_2_006C1C30 CreateFileW on filename \\.\PhysicalDrive0
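The CreateFileW call on \\.\PhysicalDrive0 above, together with the "Infects the VBR" and "Writes directly to the primary disk partition (DR0)" signatures, is what makes this a disk wiper rather than a nuisance. When a host that ran the sample turns up, the responder's first question is whether sector 0 and the volume boot record are still sane. The checker below is an added example, not Joe Sandbox code or the sample's own routine. The two sector images it ships with are constructed: one healthy-looking MBR with a single NTFS partition, and one overwritten with a text message the way MBR wipers typically do. The report does not show what the real sample writes, so the "wiped" bytes are an assumption used only to exercise the checks.

```python
"""Sanity checks for an MBR (sector 0 of \\.\PhysicalDrive0) and a VBR.
Added example; both sector images at the bottom are constructed test data."""
import hashlib
import struct

SECTOR = 512
BOOT_CODE_LEN = 446           # bytes 0..445 hold the boot code
PART_TABLE_OFF = 446          # then four 16-byte partition entries
PART_ENTRY_FMT = "<B3xB3xII"  # status, CHS start (skipped), type, CHS end (skipped), LBA, count
BOOT_SIG = b"\x55\xaa"        # bytes 510..511
KNOWN_VBR_OEM_IDS = (b"NTFS    ", b"MSDOS5.0", b"MSWIN4.1", b"EXFAT   ")


def parse_mbr(sector: bytes) -> dict:
    if len(sector) != SECTOR:
        raise ValueError("expected exactly one 512-byte sector")
    parts = []
    for i in range(4):
        status, ptype, lba, count = struct.unpack_from(
            PART_ENTRY_FMT, sector, PART_TABLE_OFF + i * 16)
        parts.append({"status": status, "type": ptype, "lba_start": lba, "sectors": count})
    return {"boot_code": sector[:BOOT_CODE_LEN], "partitions": parts,
            "signature_ok": sector[510:] == BOOT_SIG}


def printable_ratio(blob: bytes) -> float:
    """Share of printable ASCII in the non-padding part of a blob."""
    blob = blob.rstrip(b"\x00")
    return sum(0x20 <= b < 0x7F for b in blob) / len(blob) if blob else 0.0


def assess_mbr(sector: bytes) -> list:
    """Return a list of findings; an empty list means nothing looks wrong."""
    mbr = parse_mbr(sector)
    findings = []
    if not mbr["signature_ok"]:
        findings.append("boot signature 0x55AA missing")
    used = [p for p in mbr["partitions"] if p["type"] != 0]
    if not used:
        findings.append("partition table empty")
    for p in used:
        if p["status"] not in (0x00, 0x80):
            findings.append(f"invalid status byte 0x{p['status']:02x}")
        if p["sectors"] == 0:
            findings.append(f"zero-length partition of type 0x{p['type']:02x}")
    spans = sorted((p["lba_start"], p["lba_start"] + p["sectors"]) for p in used)
    if any(s2 < e1 for (_, e1), (s2, _) in zip(spans, spans[1:])):
        findings.append("overlapping partitions")
    ratio = printable_ratio(mbr["boot_code"])
    if ratio > 0.5:
        findings.append(f"boot code is {ratio:.0%} printable text, looks like a message, not code")
    return findings


def assess_vbr(sector: bytes) -> list:
    """Sanity-check a volume boot record (first sector of a partition)."""
    if len(sector) != SECTOR:
        return ["expected exactly one 512-byte sector"]
    findings = []
    if sector[510:] != BOOT_SIG:
        findings.append("VBR boot signature 0x55AA missing")
    if sector[3:11] not in KNOWN_VBR_OEM_IDS:
        findings.append(f"unrecognised OEM ID {sector[3:11]!r}")
    return findings


def fingerprint(sector: bytes) -> str:
    """SHA-256 of a sector, to compare against a baseline taken before infection."""
    return hashlib.sha256(sector).hexdigest()


def read_first_sector(device=r"\\.\PhysicalDrive0") -> bytes:
    """Read sector 0 of a raw device (needs administrator/root; e.g. /dev/sda on Linux)."""
    with open(device, "rb", buffering=0) as fh:
        return fh.read(SECTOR)


# --- constructed sector images --------------------------------------------
# classic x86 MBR prologue (xor ax,ax / mov ss,ax / mov sp,7c00h / ...), padded
_PROLOGUE = bytes.fromhex("33c08ed0bc007c8ec08ed8be007cbf0006b90002fcf3a450681c06cb")
HEALTHY_MBR = (
    _PROLOGUE.ljust(BOOT_CODE_LEN, b"\x00")
    + struct.pack(PART_ENTRY_FMT, 0x80, 0x07, 2048, 204800)  # bootable NTFS, 100 MiB
    + bytes(48)                                              # three empty entries
    + BOOT_SIG
)
# assumed wiper output: a taunt where code should be, table and signature gone
WIPED_MBR = (b"YOUR DISK HAS BEEN OVERWRITTEN".ljust(BOOT_CODE_LEN, b"\x00")
             + bytes(64) + b"\x00\x00")
HEALTHY_VBR = (b"\xeb\x52\x90" + b"NTFS    ").ljust(510, b"\x00") + BOOT_SIG

if __name__ == "__main__":
    for name, sec in (("healthy", HEALTHY_MBR), ("wiped", WIPED_MBR)):
        print(name, fingerprint(sec)[:16], assess_mbr(sec) or "OK")
```

The structural checks catch a sector that was zeroed or replaced with a message, but a careful wiper could leave a valid-looking table pointing at garbage; the fingerprint against a known-good baseline (or a comparison with the backup boot sector NTFS keeps at the end of the volume) is the check that does not depend on how the overwrite was done. Restoring the MBR from a clean machine is not enough on its own when the VBR was also hit, which is why both are checked here.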
Source: C:\Users\user\AppData\Local\Temp\????????????????.exe | Process information set: 01 00 00 00 (the ProcessBreakOnTermination value behind the "Protects its processes via BreakOnTermination flag" signature: once set, terminating the process bug-checks the machine, so do not taskkill it on a live host; setting it needs debug privileges, consistent with the AdjustTokenPrivileges call at 0_2_00311770 below)
Source: C:\Users\user\Desktop\desaremix.exe | Code function: 0_2_0031DBD5
Source: C:\Users\user\AppData\Local\Temp\????????????????.exe | Code function: 1_2_006CDBD5
Source: desaremix.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: ????????????????.exe, 00000001.00000003.1944107416.0000000008C91000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: .vBPP
Source: classification engine | Classification label: mal64.rans.evad.winEXE@65/34@1/4
Source: C:\Users\user\Desktop\desaremix.exe | Code function: 0_2_00311770 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError
Source: C:\Users\user\AppData\Local\Temp\????????????????.exe | Code function: 1_2_006C1770 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE | File created: C:\Program Files (x86)\Microsoft Office\root\vfs\Common AppData\Microsoft\Office\Heartbeat\HeartbeatCache.xml
Source: C:\Users\user\AppData\Local\Temp\????????????????.exe | File created: C:\Users\user\AppData\Local\Microsoft\Windows\Caches\{2FE9468C-B905-4D30-88C9-B63C603DA134}.3.ver0x0000000000000001.db
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6052:120:WilError_03
Source: C:\Users\user\Desktop\desaremix.exe | File created: C:\Users\user\AppData\Local\Temp\????????????????.txt
Source: C:\Users\user\Desktop\desaremix.exe | Command line argument: user32.dll (0_2_00311C30)
Source: C:\Users\user\Desktop\desaremix.exe | Command line argument: ntdll.dll (0_2_00311C30)
Source: C:\Users\user\Desktop\desaremix.exe | Command line argument: DisableTaskMgr (0_2_00311C30)
Source: C:\Users\user\Desktop\desaremix.exe | Command line argument: DisableCMD (0_2_00311C30)
Source: C:\Users\user\Desktop\desaremix.exe | Command line argument: ntdll.dll (0_2_00311C30)
Source: C:\Users\user\Desktop\desaremix.exe | Command line argument: ^1 (0_2_0031E1B0)
Source: C:\Users\user\AppData\Local\Temp\????????????????.exe | Command line argument: user32.dll (1_2_006C1C30)
Source: C:\Users\user\AppData\Local\Temp\????????????????.exe | Command line argument: ntdll.dll (1_2_006C1C30)
Source: C:\Users\user\AppData\Local\Temp\????????????????.exe | Command line argument: DisableTaskMgr (1_2_006C1C30)
Source: C:\Users\user\AppData\Local\Temp\????????????????.exe | Command line argument: DisableCMD (1_2_006C1C30)
Source: C:\Users\user\AppData\Local\Temp\????????????????.exe | Command line argument: ntdll.dll (1_2_006C1C30)
Source: C:\Users\user\AppData\Local\Temp\????????????????.exe | Command line argument: ^l (1_2_006CE1B0)
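The DisableTaskMgr and DisableCMD strings above, the RegCreateKeyExW / RegSetValueExW sequence in 0_2_00311C30, and the "Disables the Windows registry editor (regedit)" signature describe the user lockout this sample applies. The script below is an added example, not Joe Sandbox code or the sample's routine: it reads a .reg export of the affected hive, reports which lockout values are set, and prints the reg.exe commands that undo them. Assumptions: the report shows only the value names, so the key paths are the documented Windows policy locations rather than something observed in the trace; DisableRegistryTools is the documented value behind the regedit signature and is not quoted by the report; the export text is constructed.

```python
"""Find the policy lockouts a KillMBR-style sample sets and emit the undo commands.
Added example; the .reg text at the bottom is constructed, not from the sandbox."""
import re

HIVES = {"HKEY_CURRENT_USER": "HKCU", "HKEY_LOCAL_MACHINE": "HKLM"}

# (subkey, value name, effect of a non-zero value). Documented policy
# locations; the report itself only shows the value-name strings.
LOCKOUTS = [
    (r"Software\Microsoft\Windows\CurrentVersion\Policies\System", "DisableTaskMgr",
     "Task Manager blocked"),
    (r"Software\Microsoft\Windows\CurrentVersion\Policies\System", "DisableRegistryTools",
     "regedit blocked"),
    (r"Software\Policies\Microsoft\Windows\System", "DisableCMD",
     "cmd.exe blocked (1 = prompt and batch files, 2 = interactive prompt only)"),
]

_KEY_RE = re.compile(r"^\[(.+)\]$")
_DWORD_RE = re.compile(r'^"([^"]+)"=dword:([0-9a-fA-F]{8})$')
_STR_RE = re.compile(r'^"([^"]+)"="(.*)"$')


def parse_reg_export(text: str) -> dict:
    """Return {(key_path, value_name): value} for the dword and string values in a .reg export."""
    values, key = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if m := _KEY_RE.match(line):
            key = m.group(1)
        elif key is None:
            continue                      # header lines before the first key
        elif m := _DWORD_RE.match(line):
            values[(key, m.group(1))] = int(m.group(2), 16)
        elif m := _STR_RE.match(line):
            values[(key, m.group(1))] = m.group(2)
    return values


def find_lockouts(values: dict) -> list:
    """Report lockout values that are present and non-zero, in either hive."""
    index = {(k.lower(), n.lower()): v for (k, n), v in values.items()}  # registry is case-insensitive
    hits = []
    for hive in HIVES:
        for subkey, name, meaning in LOCKOUTS:
            key = f"{hive}\\{subkey}"
            data = index.get((key.lower(), name.lower()))
            if isinstance(data, int) and data != 0:
                hits.append({"key": key, "value": name, "data": data, "meaning": meaning})
    return hits


def remediation_commands(hits: list) -> list:
    """reg.exe commands that delete the values. Run them from an elevated PowerShell
    or the Run dialog: with DisableCMD set, cmd.exe itself refuses to start."""
    cmds = []
    for h in hits:
        hive, _, subkey = h["key"].partition("\\")
        cmds.append(f'reg delete "{HIVES[hive]}\\{subkey}" /v {h["value"]} /f')
    return cmds


# constructed export, shaped like `reg export HKCU\Software ... /y` output
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableTaskMgr"=dword:00000001
"DisableRegistryTools"=dword:00000001

[HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System]
"DisableCMD"=dword:00000002

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoDriveTypeAutoRun"=dword:00000091
"""

if __name__ == "__main__":
    found = find_lockouts(parse_reg_export(SAMPLE_REG_EXPORT))
    for h in found:
        print(f'{h["key"]}\\{h["value"]} = {h["data"]}: {h["meaning"]}')
    print("\n".join(remediation_commands(found)))
```

Order matters on a live host: the values are cheap to delete but the process that set them keeps running worker threads (the report shows a string of CreateThread calls in the same function) and carries the BreakOnTermination flag, so kill it by rebooting into a clean environment rather than from Task Manager, then clear the values, and only then look at the disk with the MBR check above.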
Source: desaremix.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\AppData\Local\Temp\????????????????.exe | File read: C:\Users\desktop.ini
Source: C:\Users\user\Desktop\desaremix.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown | Process created: C:\Windows\System32\rundll32.exe C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
Source: desaremix.exe | ReversingLabs: Detection: 52%
Source: desaremix.exe | Virustotal: Detection: 63%
Source: C:\Users\user\Desktop\desaremix.exe | File read: C:\Users\user\Desktop\desaremix.exe
Source: unknown | Process created: C:\Users\user\Desktop\desaremix.exe "C:\Users\user\Desktop\desaremix.exe"
Source: C:\Users\user\Desktop\desaremix.exe | Process created: C:\Users\user\AppData\Local\Temp\????????????????.exe "C:\Users\user\AppData\Local\Temp\????????????????.exe"
Source: C:\Users\user\AppData\Local\Temp\????????????????.exe | Process created: C:\Windows\SysWOW64\notepad.exe "C:\Windows\system32\NOTEPAD.EXE" C:\$Recycle.Bin\S-1-5-21-2246122658-3693405117-2476756634-1000\desktop.ini
Source: unknown | Process created: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe "C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe" -ServerName:Microsoft.ZuneMusic.AppX48dcrcgzqqdshm3kf61t0cm5e9pyd6h6.mca
Source: C:\Users\user\AppData\Local\Temp\????????????????.exe | Process created: C:\Windows\SysWOW64\notepad.exe "C:\Windows\system32\NOTEPAD.EXE" C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\AppData\Local\Temp\????????????????.exe | Process created: C:\Windows\SysWOW64\notepad.exe "C:\Windows\system32\NOTEPAD.EXE" C:\Users\user\Desktop\desktop.ini
Source: unknown | Process created: C:\Windows\System32\rundll32.exe C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
Source: C:\Users\user\AppData\Local\Temp\????????????????.exe | Process created: C:\Windows\SysWOW64\notepad.exe "C:\Windows\system32\NOTEPAD.EXE" C:\$Recycle.Bin\S-1-5-21-2246122658-3693405117-2476756634-1001\desktop.ini
Source: C:\Users\user\AppData\Local\Temp\????????????????.exe | Process created: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE "C:\Program Files (x86)\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\user\Desktop\DVWHKMNFNN.docx" /o ""
Source: C:\Users\user\AppData\Local\Temp\????????????????.exe | Process created: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE "C:\Program Files (x86)\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\user\Desktop\DVWHKMNFNN.docx" /o ""
Source: C:\Users\user\AppData\Local\Temp\????????????????.exe | Process created: C:\Windows\SysWOW64\notepad.exe "C:\Windows\system32\NOTEPAD.EXE" C:\$Recycle.Bin\S-1-5-21-2246122658-3693405117-2476756634-1002\desktop.ini
Source: C:\Users\user\AppData\Local\Temp\????????????????.exe | Process created: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE "C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE"
Source: C:\Users\user\AppData\Local\Temp\????????????????.exe | Process created: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE "C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE"
Source: C:\Users\user\AppData\Local\Temp\????????????????.exe | Process created: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE "C:\Program Files (x86)\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\user\Desktop\HTAGVDFUIE.docx" /o ""
Source: C:\Users\user\AppData\Local\Temp\????????????????.exe | Process created: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE "C:\Program Files (x86)\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\user\Desktop\HTAGVDFUIE.docx" /o ""
Source: C:\Users\user\AppData\Local\Temp\????????????????.exe | Process created: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE "C:\Program Files (x86)\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\user\Desktop\KATAXZVCPS.xlsx"
Source: C:\Users\user\AppData\Local\Temp\????????????????.exe | Process created: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE "C:\Program Files (x86)\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\user\Desktop\KATAXZVCPS.xlsx"
Source: C:\Users\user\AppData\Local\Temp\????????????????.exe | Process created: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE "C:\Program Files (x86)\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\user\Desktop\LTKMYBSEYZ.xlsx"
Source: C:\Users\user\AppData\Local\Temp\????????????????.exe | Process created: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE "C:\Program Files (x86)\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\user\Desktop\LTKMYBSEYZ.xlsx"
Source: C:\Users\user\AppData\Local\Temp\????????????????.exe | Process created: C:\Windows\hh.exe "C:\Windows\hh.exe" C:\Program Files\7-Zip\7-zip.chm
Source: C:\Users\user\AppData\Local\Temp\????????????????.exe | Process created: C:\Program Files\7-Zip\7z.exe "C:\Program Files\7-Zip\7z.exe"
Source: C:\Program Files\7-Zip\7z.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Users\user\Desktop\desaremix.exe	Process created: C:\Users\user\AppData\Local\Temp\????????????????.exe "C:\Users\user\AppData\Local\Temp\????????????????.exe"
              Source: C:\Users\user\AppData\Local\Temp\????????????????.exe	Process created: C:\Windows\SysWOW64\notepad.exe "C:\Windows\system32\NOTEPAD.EXE" C:\$Recycle.Bin\S-1-5-21-2246122658-3693405117-2476756634-1000\desktop.ini
              Source: C:\Users\user\AppData\Local\Temp\????????????????.exe	Process created: C:\Windows\SysWOW64\notepad.exe "C:\Windows\system32\NOTEPAD.EXE" C:\Users\user\Desktop\desktop.ini
              Source: C:\Users\user\AppData\Local\Temp\????????????????.exe	Process created: C:\Windows\SysWOW64\notepad.exe "C:\Windows\system32\NOTEPAD.EXE" C:\Users\user\Desktop\desktop.ini
              Source: C:\Users\user\AppData\Local\Temp\????????????????.exe	Process created: C:\Windows\SysWOW64\notepad.exe "C:\Windows\system32\NOTEPAD.EXE" C:\$Recycle.Bin\S-1-5-21-2246122658-3693405117-2476756634-1001\desktop.ini
              Source: C:\Users\user\AppData\Local\Temp\????????????????.exe	Process created: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE "C:\Program Files (x86)\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\user\Desktop\DVWHKMNFNN.docx" /o ""
              Source: C:\Users\user\AppData\Local\Temp\????????????????.exe	Process created: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE "C:\Program Files (x86)\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\user\Desktop\DVWHKMNFNN.docx" /o ""
              Source: C:\Users\user\AppData\Local\Temp\????????????????.exe	Process created: C:\Windows\SysWOW64\notepad.exe "C:\Windows\system32\NOTEPAD.EXE" C:\$Recycle.Bin\S-1-5-21-2246122658-3693405117-2476756634-1002\desktop.ini
              Source: C:\Users\user\AppData\Local\Temp\????????????????.exe	Process created: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE "C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE"
              Source: C:\Users\user\AppData\Local\Temp\????????????????.exe	Process created: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE "C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE"
              Source: C:\Users\user\AppData\Local\Temp\????????????????.exe	Process created: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE "C:\Program Files (x86)\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\user\Desktop\HTAGVDFUIE.docx" /o ""
              Source: C:\Users\user\AppData\Local\Temp\????????????????.exe	Process created: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE "C:\Program Files (x86)\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\user\Desktop\HTAGVDFUIE.docx" /o ""
              Source: C:\Users\user\AppData\Local\Temp\????????????????.exe	Process created: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE "C:\Program Files (x86)\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\user\Desktop\KATAXZVCPS.xlsx"
              Source: C:\Users\user\AppData\Local\Temp\????????????????.exe	Process created: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE "C:\Program Files (x86)\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\user\Desktop\KATAXZVCPS.xlsx"
              Source: C:\Users\user\AppData\Local\Temp\????????????????.exe	Process created: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE "C:\Program Files (x86)\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\user\Desktop\LTKMYBSEYZ.xlsx"
              Source: C:\Users\user\AppData\Local\Temp\????????????????.exe	Process created: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE "C:\Program Files (x86)\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\user\Desktop\LTKMYBSEYZ.xlsx"
              Source: C:\Users\user\AppData\Local\Temp\????????????????.exe	Process created: C:\Windows\hh.exe "C:\Windows\hh.exe" C:\Program Files\7-Zip\7-zip.chm
              Source: C:\Users\user\AppData\Local\Temp\????????????????.exe	Process created: C:\Program Files\7-Zip\7z.exe "C:\Program Files\7-Zip\7z.exe"
              Source: C:\Users\user\AppData\Local\Temp\????????????????.exe	Process created: unknown unknown
              Source: C:\Users\user\AppData\Local\Temp\????????????????.exe	Process created: unknown unknown
              Source: C:\Users\user\AppData\Local\Temp\????????????????.exe	Process created: unknown unknown
              Source: C:\Users\user\AppData\Local\Temp\????????????????.exe	Process created: unknown unknown
              Source: C:\Users\user\AppData\Local\Temp\????????????????.exe	Process created: unknown unknown
              Source: C:\Users\user\AppData\Local\Temp\????????????????.exe	Process created: unknown unknown
              Source: C:\Users\user\AppData\Local\Temp\????????????????.exe	Process created: unknown unknown
              Source: C:\Users\user\AppData\Local\Temp\????????????????.exe	Process created: unknown unknown
              Source: C:\Users\user\AppData\Local\Temp\????????????????.exe	Process created: unknown unknown
              Source: C:\Users\user\AppData\Local\Temp\????????????????.exe	Process created: unknown unknown
              Source: C:\Users\user\AppData\Local\Temp\????????????????.exe	Process created: unknown unknown
              Source: C:\Users\user\AppData\Local\Temp\????????????????.exe	Process created: unknown unknown
              Source: C:\Users\user\AppData\Local\Temp\????????????????.exe	Process created: unknown unknown
              Source: C:\Users\user\AppData\Local\Temp\????????????????.exe	Process created: unknown unknown
              Source: C:\Users\user\AppData\Local\Temp\????????????????.exe	Process created: unknown unknown
              Source: C:\Users\user\AppData\Local\Temp\????????????????.exe	Process created: unknown unknown
              Source: C:\Users\user\AppData\Local\Temp\????????????????.exe	Process created: unknown unknown
              Source: C:\Users\user\AppData\Local\Temp\????????????????.exe	Process created: unknown unknown
              Source: C:\Users\user\AppData\Local\Temp\????????????????.exe	Process created: unknown unknown
              Source: C:\Users\user\Desktop\desaremix.exe	Section loaded: apphelp.dll
              Source: C:\Users\user\Desktop\desaremix.exe	Section loaded: winmm.dll
              Source: C:\Users\user\Desktop\desaremix.exe	Section loaded: ntmarta.dll
              Source: C:\Users\user\Desktop\desaremix.exe	Section loaded: kernel.appcore.dll
              Source: C:\Users\user\AppData\Local\Temp\????????????????.exe	Section loaded: apphelp.dll
              Source: C:\Users\user\AppData\Local\Temp\????????????????.exe	Section loaded: winmm.dll
              Source: C:\Users\user\AppData\Local\Temp\????????????????.exe	Section loaded: textshaping.dll
              Source: C:\Users\user\AppData\Local\Temp\????????????????.exe	Section loaded: uxtheme.dll
              Source: C:\Users\user\AppData\Local\Temp\????????????????.exe	Section loaded: kernel.appcore.dll
              Source: C:\Users\user\AppData\Local\Temp\????????????????.exe	Section loaded: textinputframework.dll
              Source: C:\Users\user\AppData\Local\Temp\????????????????.exe	Section loaded: coreuicomponents.dll
              Source: C:\Users\user\AppData\Local\Temp\????????????????.exe	Section loaded: coremessaging.dll
              Source: C:\Users\user\AppData\Local\Temp\????????????????.exe	Section loaded: ntmarta.dll
              Source: C:\Users\user\AppData\Local\Temp\????????????????.exe	Section loaded: wintypes.dll
              Source: C:\Users\user\AppData\Local\Temp\????????????????.exe	Section loaded: wintypes.dll
              Source: C:\Users\user\AppData\Local\Temp\????????????????.exe	Section loaded: wintypes.dll
              Source: C:\Users\user\AppData\Local\Temp\????????????????.exe	Section loaded: windows.storage.dll
              Source: C:\Users\user\AppData\Local\Temp\????????????????.exe	Section loaded: wldp.dll
              Source: C:\Users\user\AppData\Local\Temp\????????????????.exe	Section loaded: winmmbase.dll
              Source: C:\Users\user\AppData\Local\Temp\????????????????.exe	Section loaded: mmdevapi.dll
              Source: C:\Users\user\AppData\Local\Temp\????????????????.exe	Section loaded: devobj.dll
              Source: C:\Users\user\AppData\Local\Temp\????????????????.exe	Section loaded: propsys.dll
              Source: C:\Users\user\AppData\Local\Temp\????????????????.exe	Section loaded: ksuser.dll
              Source: C:\Users\user\AppData\Local\Temp\????????????????.exe	Section loaded: avrt.dll
              Source: C:\Users\user\AppData\Local\Temp\????????????????.exe	Section loaded: profapi.dll
              Source: C:\Users\user\AppData\Local\Temp\????????????????.exe	Section loaded: audioses.dll
              Source: C:\Users\user\AppData\Local\Temp\????????????????.exe	Section loaded: powrprof.dll
              Source: C:\Users\user\AppData\Local\Temp\????????????????.exe	Section loaded: umpdc.dll
              Source: C:\Users\user\AppData\Local\Temp\????????????????.exe	Section loaded: edputil.dll
              Source: C:\Users\user\AppData\Local\Temp\????????????????.exe	Section loaded: urlmon.dll
              Source: C:\Users\user\AppData\Local\Temp\????????????????.exe	Section loaded: iertutil.dll
              Source: C:\Users\user\AppData\Local\Temp\????????????????.exe	Section loaded: srvcli.dll
              Source: C:\Users\user\AppData\Local\Temp\????????????????.exe	Section loaded: netutils.dll
              Source: C:\Users\user\AppData\Local\Temp\????????????????.exe	Section loaded: msacm32.dll
              Source: C:\Users\user\AppData\Local\Temp\????????????????.exe	Section loaded: midimap.dll
              Source: C:\Users\user\AppData\Local\Temp\????????????????.exe	Section loaded: twext.dll
              Source: C:\Users\user\AppData\Local\Temp\????????????????.exe	Section loaded: windows.staterepositoryps.dll
              Source: C:\Users\user\AppData\Local\Temp\????????????????.exe	Section loaded: appresolver.dll
              Source: C:\Users\user\AppData\Local\Temp\????????????????.exe	Section loaded: bcp47langs.dll
              Source: C:\Users\user\AppData\Local\Temp\????????????????.exe	Section loaded: slc.dll
              Source: C:\Users\user\AppData\Local\Temp\????????????????.exe	Section loaded: userenv.dll
              Source: C:\Users\user\AppData\Local\Temp\????????????????.exe	Section loaded: sppc.dll
              Source: C:\Users\user\AppData\Local\Temp\????????????????.exe	Section loaded: ntshrui.dll
              Source: C:\Users\user\AppData\Local\Temp\????????????????.exe	Section loaded: sspicli.dll
              Source: C:\Users\user\AppData\Local\Temp\????????????????.exe	Section loaded: windows.fileexplorer.common.dll
              Source: C:\Users\user\AppData\Local\Temp\????????????????.exe	Section loaded: policymanager.dll
              Source: C:\Users\user\AppData\Local\Temp\????????????????.exe	Section loaded: msvcp110_win.dll
              Source: C:\Users\user\AppData\Local\Temp\????????????????.exe	Section loaded: cscapi.dll
              Source: C:\Users\user\AppData\Local\Temp\????????????????.exe	Section loaded: twinui.appcore.dll
              Source: C:\Users\user\AppData\Local\Temp\????????????????.exe	Section loaded: twinapi.appcore.dll
              Source: C:\Users\user\AppData\Local\Temp\????????????????.exe	Section loaded: onecoreuapcommonproxystub.dll
              Source: C:\Users\user\AppData\Local\Temp\????????????????.exe	Section loaded: execmodelproxy.dll
              Source: C:\Users\user\AppData\Local\Temp\????????????????.exe	Section loaded: smartscreenps.dll
              Source: C:\Users\user\AppData\Local\Temp\????????????????.exe	Section loaded: shdocvw.dll
              Source: C:\Users\user\AppData\Local\Temp\????????????????.exe	Section loaded: onecorecommonproxystub.dll
              Source: C:\Users\user\AppData\Local\Temp\????????????????.exe	Section loaded: mrmcorer.dll
              Source: C:\Users\user\AppData\Local\Temp\????????????????.exe	Section loaded: windows.staterepositorycore.dll
              Source: C:\Users\user\AppData\Local\Temp\????????????????.exe	Section loaded: bcp47mrm.dll
              Source: C:\Users\user\AppData\Local\Temp\????????????????.exe	Section loaded: windows.ui.dll
              Source: C:\Users\user\AppData\Local\Temp\????????????????.exe	Section loaded: windowmanagementapi.dll
              Source: C:\Users\user\AppData\Local\Temp\????????????????.exe	Section loaded: inputhost.dll
              Source: C:\Users\user\AppData\Local\Temp\????????????????.exe	Section loaded: twext.dll
              Source: C:\Users\user\AppData\Local\Temp\????????????????.exe	Section loaded: starttiledata.dll
              Source: C:\Users\user\AppData\Local\Temp\????????????????.exe	Section loaded: windowscodecs.dll
              Source: C:\Users\user\AppData\Local\Temp\????????????????.exe	Section loaded: thumbcache.dll
              Source: C:\Users\user\AppData\Local\Temp\????????????????.exe	Section loaded: structuredquery.dll
              Source: C:\Users\user\AppData\Local\Temp\????????????????.exe	Section loaded: mswb7.dll
              Source: C:\Users\user\AppData\Local\Temp\????????????????.exe	Section loaded: appxdeploymentclient.dll
              Source: C:\Users\user\AppData\Local\Temp\????????????????.exe	Section loaded: appxdeploymentclient.dll
              Source: C:\Users\user\AppData\Local\Temp\????????????????.exe	Section loaded: ntshrui.dll
              Source: C:\Users\user\AppData\Local\Temp\????????????????.exe	Section loaded: shacct.dll
              Source: C:\Users\user\AppData\Local\Temp\????????????????.exe	Section loaded: idstore.dll
              Source: C:\Users\user\AppData\Local\Temp\????????????????.exe	Section loaded: samlib.dll
              Source: C:\Users\user\AppData\Local\Temp\????????????????.exe	Section loaded: wlidprov.dll
              Source: C:\Users\user\AppData\Local\Temp\????????????????.exe	Section loaded: samcli.dll
              Source: C:\Users\user\AppData\Local\Temp\????????????????.exe	Section loaded: provsvc.dll
              Source: C:\Users\user\AppData\Local\Temp\????????????????.exe	Section loaded: ntshrui.dll
              Source: C:\Users\user\AppData\Local\Temp\????????????????.exe	Section loaded: explorerframe.dll
              Source: C:\Users\user\AppData\Local\Temp\????????????????.exe	Section loaded: sxs.dll
              Source: C:\Users\user\AppData\Local\Temp\????????????????.exe	Section loaded: actxprxy.dll
              Source: C:\Users\user\AppData\Local\Temp\????????????????.exe	Section loaded: windows.globalization.dll
              Source: C:\Users\user\AppData\Local\Temp\????????????????.exe	Section loaded: icu.dll
              Source: C:\Users\user\AppData\Local\Temp\????????????????.exe	Section loaded: windows.storage.search.dll
              Source: C:\Users\user\AppData\Local\Temp\????????????????.exe	Section loaded: ntshrui.dll
              Source: C:\Users\user\AppData\Local\Temp\????????????????.exe	Section loaded: explorerframe.dll
              Source: C:\Users\user\AppData\Local\Temp\????????????????.exe	Section loaded: vcruntime140.dll
              Source: C:\Users\user\AppData\Local\Temp\????????????????.exe	Section loaded: msvcp140.dll
              Source: C:\Users\user\AppData\Local\Temp\????????????????.exe	Section loaded: twext.dll
              Source: C:\Users\user\AppData\Local\Temp\????????????????.exe	Section loaded: starttiledata.dll
              Source: C:\Users\user\AppData\Local\Temp\????????????????.exe	Section loaded: explorerframe.dll
              Source: C:\Users\user\AppData\Local\Temp\????????????????.exe	Section loaded: linkinfo.dll
              Source: C:\Users\user\AppData\Local\Temp\????????????????.exe	Section loaded: starttiledata.dll
              Source: C:\Users\user\AppData\Local\Temp\????????????????.exe	Section loaded: starttiledata.dll
              Source: C:\Users\user\AppData\Local\Temp\????????????????.exe	Section loaded: acppage.dll
              Source: C:\Users\user\AppData\Local\Temp\????????????????.exe	Section loaded: sfc.dll
              Source: C:\Users\user\AppData\Local\Temp\????????????????.exe	Section loaded: msi.dll
              Source: C:\Users\user\AppData\Local\Temp\????????????????.exe	Section loaded: aepic.dll
              Source: C:\Users\user\AppData\Local\Temp\????????????????.exe	Section loaded: cryptsp.dll
              Source: C:\Users\user\AppData\Local\Temp\????????????????.exe	Section loaded: sfc_os.dll
              Source: C:\Users\user\AppData\Local\Temp\????????????????.exe	Section loaded: starttiledata.dll
              Source: C:\Users\user\AppData\Local\Temp\????????????????.exe	Section loaded: explorerframe.dll
              Source: C:\Users\user\AppData\Local\Temp\????????????????.exe	Section loaded: starttiledata.dll
              Source: C:\Users\user\AppData\Local\Temp\????????????????.exe	Section loaded: twext.dll
              Source: C:\Users\user\AppData\Local\Temp\????????????????.exe	Section loaded: explorerframe.dll
              Source: C:\Users\user\AppData\Local\Temp\????????????????.exe	Section loaded: xmllite.dll
              Source: C:\Users\user\AppData\Local\Temp\????????????????.exe	Section loaded: vcruntime140.dll
              Source: C:\Users\user\AppData\Local\Temp\????????????????.exe	Section loaded: msvcp140.dll
              Source: C:\Users\user\AppData\Local\Temp\????????????????.exe	Section loaded: apisethost.appexecutionalias.dll
              Source: C:\Users\user\AppData\Local\Temp\????????????????.exe	Section loaded: vcruntime140.dll
              Source: C:\Users\user\AppData\Local\Temp\????????????????.exe	Section loaded: msvcp140.dll
              Source: C:\Users\user\AppData\Local\Temp\????????????????.exe	Section loaded: vcruntime140.dll
              Source: C:\Users\user\AppData\Local\Temp\????????????????.exe	Section loaded: msvcp140.dll
              Source: C:\Users\user\AppData\Local\Temp\????????????????.exe	Section loaded: appxdeploymentclient.dll
              Source: C:\Users\user\AppData\Local\Temp\????????????????.exe	Section loaded: appxdeploymentclient.dll
              Source: C:\Users\user\AppData\Local\Temp\????????????????.exe	Section loaded: vcruntime140.dll
              Source: C:\Users\user\AppData\Local\Temp\????????????????.exe	Section loaded: msvcp140.dll
              Source: C:\Users\user\AppData\Local\Temp\????????????????.exe	Section loaded: appxdeploymentclient.dll
              Source: C:\Users\user\AppData\Local\Temp\????????????????.exe	Section loaded: appxdeploymentclient.dll
              Source: C:\Users\user\AppData\Local\Temp\????????????????.exe	Section loaded: vcruntime140.dll
              Source: C:\Users\user\AppData\Local\Temp\????????????????.exe	Section loaded: msvcp140.dll
              Source: C:\Users\user\AppData\Local\Temp\????????????????.exe	Section loaded: vcruntime140.dll
              Source: C:\Users\user\AppData\Local\Temp\????????????????.exe	Section loaded: msvcp140.dll
              Source: C:\Users\user\AppData\Local\Temp\????????????????.exe	Section loaded: vcruntime140.dll
              Source: C:\Users\user\AppData\Local\Temp\????????????????.exe	Section loaded: msvcp140.dll
              Source: C:\Windows\SysWOW64\notepad.exe	Section loaded: kernel.appcore.dll
              Source: C:\Windows\SysWOW64\notepad.exe	Section loaded: uxtheme.dll
              Source: C:\Windows\SysWOW64\notepad.exe	Section loaded: mrmcorer.dll
              Source: C:\Windows\SysWOW64\notepad.exe	Section loaded: windows.storage.dll
              Source: C:\Windows\SysWOW64\notepad.exe	Section loaded: wldp.dll
              Source: C:\Windows\SysWOW64\notepad.exe	Section loaded: textshaping.dll
              Source: C:\Windows\SysWOW64\notepad.exe	Section loaded: efswrt.dll
              Source: C:\Windows\SysWOW64\notepad.exe	Section loaded: mpr.dll
              Source: C:\Windows\SysWOW64\notepad.exe	Section loaded: wintypes.dll
              Source: C:\Windows\SysWOW64\notepad.exe	Section loaded: twinapi.appcore.dll
              Source: C:\Windows\SysWOW64\notepad.exe	Section loaded: oleacc.dll
              Source: C:\Windows\SysWOW64\notepad.exe	Section loaded: textinputframework.dll
              Source: C:\Windows\SysWOW64\notepad.exe	Section loaded: coreuicomponents.dll
              Source: C:\Windows\SysWOW64\notepad.exe	Section loaded: coremessaging.dll
              Source: C:\Windows\SysWOW64\notepad.exe	Section loaded: ntmarta.dll
              Source: C:\Windows\SysWOW64\notepad.exe	Section loaded: coremessaging.dll
              Source: C:\Windows\SysWOW64\notepad.exe	Section loaded: urlmon.dll
              Source: C:\Windows\SysWOW64\notepad.exe	Section loaded: iertutil.dll
              Source: C:\Windows\SysWOW64\notepad.exe	Section loaded: srvcli.dll
              Source: C:\Windows\SysWOW64\notepad.exe	Section loaded: netutils.dll
              Source: C:\Windows\SysWOW64\notepad.exe	Section loaded: propsys.dll
              Source: C:\Windows\SysWOW64\notepad.exe	Section loaded: policymanager.dll
              Source: C:\Windows\SysWOW64\notepad.exe	Section loaded: msvcp110_win.dll
              Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe	Section loaded: d3d11.dll
              Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe	Section loaded: sharedui.dll
              Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe	Section loaded: vccorlib140_app.dll
              Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe	Section loaded: msvcp140_app.dll
              Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe	Section loaded: concrt140_app.dll
              Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe	Section loaded: vcruntime140_app.dll
              Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe	Section loaded: dxgi.dll
              Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe	Section loaded: vccorlib140_app.dll
              Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe	Section loaded: msvcp140_app.dll
              Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe	Section loaded: concrt140_app.dll
              Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe	Section loaded: vcruntime140_app.dll
              Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe	Section loaded: vcruntime140_app.dll
              Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe	Section loaded: msvcp140_app.dll
              Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe	Section loaded: vcruntime140_app.dll
              Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe	Section loaded: vcruntime140_app.dll
              Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe	Section loaded: kernel.appcore.dll
              Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe	Section loaded: windows.ui.xaml.dll
              Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe	Section loaded: coremessaging.dll
              Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe	Section loaded: bcp47langs.dll
              Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe	Section loaded: iertutil.dll
              Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe	Section loaded: dcomp.dll
              Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe	Section loaded: twinapi.appcore.dll
              Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe	Section loaded: wintypes.dll
              Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe	Section loaded: windows.staterepositorycore.dll
              Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe	Section loaded: windows.ui.dll
              Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe	Section loaded: windowmanagementapi.dll
              Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe	Section loaded: textinputframework.dll
              Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe	Section loaded: inputhost.dll
              Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe	Section loaded: coreuicomponents.dll
              Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe	Section loaded: ntmarta.dll
              Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe	Section loaded: propsys.dll
              Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe	Section loaded: onecoreuapcommonproxystub.dll
              Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe	Section loaded: uxtheme.dll
              Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe	Section loaded: urlmon.dll
              Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe	Section loaded: srvcli.dll
              Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe	Section loaded: netutils.dll
              Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe	Section loaded: resourcepolicyclient.dll
              Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe	Section loaded: d3d10warp.dll
              Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe	Section loaded: dxcore.dll
              Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe	Section loaded: d2d1.dll
              Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe	Section loaded: dwrite.dll
              Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe	Section loaded: rometadata.dll
              Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe	Section loaded: textshaping.dll
              Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe	Section loaded: windows.applicationmodel.dll
              Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe	Section loaded: esent.dll
              Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe	Section loaded: windows.storage.applicationdata.dll
              Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exeSection loaded: windows.storage.dllJump to behavior
              Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exeSection loaded: wldp.dllJump to behavior
              Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exeSection loaded: logoncli.dllJump to behavior
              Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exeSection loaded: mrmcorer.dllJump to behavior
              Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exeSection loaded: windows.staterepositoryclient.dllJump to behavior
              Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exeSection loaded: profapi.dllJump to behavior
              Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exeSection loaded: appxdeploymentclient.dllJump to behavior
              Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exeSection loaded: bcp47mrm.dllJump to behavior
              Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exeSection loaded: windows.ui.xaml.controls.dllJump to behavior
              Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exeSection loaded: windows.shell.servicehostbuilder.dllJump to behavior
              Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exeSection loaded: cryptbase.dllJump to behavior
              Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exeSection loaded: execmodelproxy.dllJump to behavior
              Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exeSection loaded: rmclient.dllJump to behavior
              Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exeSection loaded: uiamanager.dllJump to behavior
              Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exeSection loaded: windows.ui.core.textinput.dllJump to behavior
              Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exeSection loaded: windows.ui.immersive.dllJump to behavior
              Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exeSection loaded: dataexchange.dllJump to behavior
              Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exeSection loaded: threadpoolwinrt.dllJump to behavior
              Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exeSection loaded: windows.globalization.dllJump to behavior
              Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exeSection loaded: windows.system.profile.retailinfo.dllJump to behavior
              Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exeSection loaded: windows.media.dllJump to behavior
              Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exeSection loaded: windows.applicationmodel.lockscreen.dllJump to behavior
              Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exeSection loaded: wincorlib.dllJump to behavior
              Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exeSection loaded: lockappbroker.dllJump to behavior
              Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exeSection loaded: msvcp110_win.dllJump to behavior
              Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exeSection loaded: powrprof.dllJump to behavior
              Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exeSection loaded: umpdc.dllJump to behavior
              Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exeSection loaded: windows.graphics.dllJump to behavior
              Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exeSection loaded: windows.ui.xaml.phone.dllJump to behavior
              Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exeSection loaded: twinapi.dllJump to behavior
              Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exeSection loaded: windows.networking.connectivity.dllJump to behavior
              Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exeSection loaded: windows.media.playback.mediaplayer.dllJump to behavior
              Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exeSection loaded: mfplat.dllJump to behavior
              Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exeSection loaded: rtworkq.dllJump to behavior
              Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exeSection loaded: windows.media.mediacontrol.dllJump to behavior
              Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exeSection loaded: mmdevapi.dllJump to behavior
              Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exeSection loaded: devobj.dllJump to behavior
              Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exeSection loaded: mfmediaengine.dllJump to behavior
              Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exeSection loaded: xmllite.dllJump to behavior
              Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exeSection loaded: audioses.dllJump to behavior
              Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exeSection loaded: windows.media.devices.dllJump to behavior
              Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exeSection loaded: windows.media.playback.proxystub.dllJump to behavior
              Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exeSection loaded: comppkgsup.dllJump to behavior
              Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exeSection loaded: directmanipulation.dllJump to behavior
              Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exeSection loaded: msftedit.dllJump to behavior
              Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exeSection loaded: globinputhost.dllJump to behavior
              Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exeSection loaded: windows.devices.enumeration.dllJump to behavior
              Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exeSection loaded: devdispitemprovider.dllJump to behavior
              Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exeSection loaded: ddores.dllJump to behavior
              Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exeSection loaded: defaultdevicemanager.dllJump to behavior
              Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exeSection loaded: msxml6.dllJump to behavior
              Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exeSection loaded: windows.web.dllJump to behavior
              Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exeSection loaded: wpnapps.dllJump to behavior
              Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exeSection loaded: windowscodecs.dllJump to behavior
              Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exeSection loaded: photometadatahandler.dllJump to behavior
              Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exeSection loaded: userenv.dllJump to behavior
              Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exeSection loaded: profext.dllJump to behavior
              Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exeSection loaded: wuceffects.dllJump to behavior
              Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exeSection loaded: biwinrt.dllJump to behavior
              Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exeSection loaded: windows.security.authentication.web.core.dllJump to behavior
              Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exeSection loaded: onecorecommonproxystub.dllJump to behavior
              Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exeSection loaded: vaultcli.dllJump to behavior
              Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exeSection loaded: windows.staterepositoryps.dllJump to behavior
              Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exeSection loaded: microsoftaccountwamextension.dllJump to behavior
              Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exeSection loaded: wininet.dllJump to behavior
              Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exeSection loaded: sspicli.dllJump to behavior
              Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exeSection loaded: mfsrcsnk.dllJump to behavior
              Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
              Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exeSection loaded: winhttp.dllJump to behavior
              Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exeSection loaded: appcontracts.dllJump to behavior
              Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exeSection loaded: mswsock.dllJump to behavior
              Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exeSection loaded: iphlpapi.dllJump to behavior
              Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exeSection loaded: winnsi.dllJump to behavior
              Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exeSection loaded: usermgrproxy.dllJump to behavior
              Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exeSection loaded: cdprt.dllJump to behavior
              Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exeSection loaded: cdp.dllJump to behavior
              Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exeSection loaded: dsreg.dllJump to behavior
              Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exeSection loaded: cryptsp.dllJump to behavior
              Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exeSection loaded: windows.networking.backgroundtransfer.dllJump to behavior
              Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exeSection loaded: systemeventsbrokerclient.dllJump to behavior
              Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exeSection loaded: dnsapi.dllJump to behavior
              Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exeSection loaded: rasadhlp.dllJump to behavior
              Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exeSection loaded: fwpuclnt.dllJump to behavior
              Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exeSection loaded: schannel.dllJump to behavior
              Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exeSection loaded: mfps.dllJump to behavior
              Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exeSection loaded: mfmp4srcsnk.dllJump to behavior
              Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exeSection loaded: msamrnbsource.dllJump to behavior
              Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exeSection loaded: mfasfsrcsnk.dllJump to behavior
              Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exeSection loaded: mfds.dllJump to behavior
              Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exeSection loaded: msflacdecoder.dllJump to behavior
              Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exeSection loaded: avrt.dllJump to behavior
              Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exeSection loaded: mfmpeg2srcsnk.dllJump to behavior
              Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exeSection loaded: mfmkvsrcsnk.dllJump to behavior
              Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exeSection loaded: mfnetsrc.dllJump to behavior
              Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exeSection loaded: mfnetcore.dllJump to behavior
              Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exeSection loaded: dwmapi.dllJump to behavior
              Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exeSection loaded: gnsdk_fp.dllJump to behavior
              Source: C:\Windows\SysWOW64\notepad.exe | Section loaded: kernel.appcore.dll
              Source: C:\Windows\SysWOW64\notepad.exe | Section loaded: uxtheme.dll
              Source: C:\Windows\SysWOW64\notepad.exe | Section loaded: mrmcorer.dll
              Source: C:\Windows\SysWOW64\notepad.exe | Section loaded: windows.storage.dll
              Source: C:\Windows\SysWOW64\notepad.exe | Section loaded: wldp.dll
              Source: C:\Windows\SysWOW64\notepad.exe | Section loaded: textshaping.dll
              Source: C:\Windows\SysWOW64\notepad.exe | Section loaded: efswrt.dll
              Source: C:\Windows\SysWOW64\notepad.exe | Section loaded: mpr.dll
              Source: C:\Windows\SysWOW64\notepad.exe | Section loaded: wintypes.dll
              Source: C:\Windows\SysWOW64\notepad.exe | Section loaded: twinapi.appcore.dll
              Source: C:\Windows\SysWOW64\notepad.exe | Section loaded: oleacc.dll
              Source: C:\Windows\SysWOW64\notepad.exe | Section loaded: textinputframework.dll
              Source: C:\Windows\SysWOW64\notepad.exe | Section loaded: coreuicomponents.dll
              Source: C:\Windows\SysWOW64\notepad.exe | Section loaded: coremessaging.dll
              Source: C:\Windows\SysWOW64\notepad.exe | Section loaded: ntmarta.dll
              Source: C:\Windows\SysWOW64\notepad.exe | Section loaded: coremessaging.dll
              Source: C:\Windows\SysWOW64\notepad.exe | Section loaded: urlmon.dll
              Source: C:\Windows\SysWOW64\notepad.exe | Section loaded: iertutil.dll
              Source: C:\Windows\SysWOW64\notepad.exe | Section loaded: srvcli.dll
              Source: C:\Windows\SysWOW64\notepad.exe | Section loaded: netutils.dll
              Source: C:\Windows\SysWOW64\notepad.exe | Section loaded: propsys.dll
              Source: C:\Windows\SysWOW64\notepad.exe | Section loaded: policymanager.dll
              Source: C:\Windows\SysWOW64\notepad.exe | Section loaded: msvcp110_win.dll
              Source: C:\Windows\SysWOW64\notepad.exe | Section loaded: kernel.appcore.dll
              Source: C:\Windows\SysWOW64\notepad.exe | Section loaded: uxtheme.dll
              Source: C:\Windows\SysWOW64\notepad.exe | Section loaded: mrmcorer.dll
              Source: C:\Windows\SysWOW64\notepad.exe | Section loaded: windows.storage.dll
              Source: C:\Windows\SysWOW64\notepad.exe | Section loaded: wldp.dll
              Source: C:\Windows\SysWOW64\notepad.exe | Section loaded: textshaping.dll
              Source: C:\Windows\SysWOW64\notepad.exe | Section loaded: efswrt.dll
              Source: C:\Windows\SysWOW64\notepad.exe | Section loaded: mpr.dll
              Source: C:\Windows\SysWOW64\notepad.exe | Section loaded: wintypes.dll
              Source: C:\Windows\SysWOW64\notepad.exe | Section loaded: twinapi.appcore.dll
              Source: C:\Windows\SysWOW64\notepad.exe | Section loaded: oleacc.dll
              Source: C:\Windows\SysWOW64\notepad.exe | Section loaded: textinputframework.dll
              Source: C:\Windows\SysWOW64\notepad.exe | Section loaded: coreuicomponents.dll
              Source: C:\Windows\SysWOW64\notepad.exe | Section loaded: coremessaging.dll
              Source: C:\Windows\SysWOW64\notepad.exe | Section loaded: ntmarta.dll
              Source: C:\Windows\SysWOW64\notepad.exe | Section loaded: coremessaging.dll
              Source: C:\Windows\SysWOW64\notepad.exe | Section loaded: urlmon.dll
              Source: C:\Windows\SysWOW64\notepad.exe | Section loaded: iertutil.dll
              Source: C:\Windows\SysWOW64\notepad.exe | Section loaded: srvcli.dll
              Source: C:\Windows\SysWOW64\notepad.exe | Section loaded: netutils.dll
              Source: C:\Windows\SysWOW64\notepad.exe | Section loaded: propsys.dll
              Source: C:\Windows\SysWOW64\notepad.exe | Section loaded: policymanager.dll
              Source: C:\Windows\SysWOW64\notepad.exe | Section loaded: msvcp110_win.dll
              Source: C:\Windows\SysWOW64\notepad.exe | Section loaded: kernel.appcore.dll
              Source: C:\Windows\SysWOW64\notepad.exe | Section loaded: uxtheme.dll
              Source: C:\Windows\SysWOW64\notepad.exe | Section loaded: mrmcorer.dll
              Source: C:\Windows\SysWOW64\notepad.exe | Section loaded: windows.storage.dll
              Source: C:\Windows\SysWOW64\notepad.exe | Section loaded: wldp.dll
              Source: C:\Windows\SysWOW64\notepad.exe | Section loaded: textshaping.dll
              Source: C:\Windows\SysWOW64\notepad.exe | Section loaded: efswrt.dll
              Source: C:\Windows\SysWOW64\notepad.exe | Section loaded: mpr.dll
              Source: C:\Windows\SysWOW64\notepad.exe | Section loaded: wintypes.dll
              Source: C:\Windows\SysWOW64\notepad.exe | Section loaded: twinapi.appcore.dll
              Source: C:\Windows\SysWOW64\notepad.exe | Section loaded: oleacc.dll
              Source: C:\Windows\SysWOW64\notepad.exe | Section loaded: textinputframework.dll
              Source: C:\Windows\SysWOW64\notepad.exe | Section loaded: coreuicomponents.dll
              Source: C:\Windows\SysWOW64\notepad.exe | Section loaded: coremessaging.dll
              Source: C:\Windows\SysWOW64\notepad.exe | Section loaded: ntmarta.dll
              Source: C:\Windows\SysWOW64\notepad.exe | Section loaded: coremessaging.dll
              Source: C:\Windows\SysWOW64\notepad.exe | Section loaded: urlmon.dll
              Source: C:\Windows\SysWOW64\notepad.exe | Section loaded: iertutil.dll
              Source: C:\Windows\SysWOW64\notepad.exe | Section loaded: srvcli.dll
              Source: C:\Windows\SysWOW64\notepad.exe | Section loaded: netutils.dll
              Source: C:\Windows\SysWOW64\notepad.exe | Section loaded: propsys.dll
              Source: C:\Windows\SysWOW64\notepad.exe | Section loaded: policymanager.dll
              Source: C:\Windows\SysWOW64\notepad.exe | Section loaded: msvcp110_win.dll
              Source: C:\Windows\SysWOW64\notepad.exe | Section loaded: kernel.appcore.dll
              Source: C:\Windows\SysWOW64\notepad.exe | Section loaded: uxtheme.dll
              Source: C:\Windows\SysWOW64\notepad.exe | Section loaded: mrmcorer.dll
              Source: C:\Windows\SysWOW64\notepad.exe | Section loaded: windows.storage.dll
              Source: C:\Windows\SysWOW64\notepad.exe | Section loaded: wldp.dll
              Source: C:\Windows\SysWOW64\notepad.exe | Section loaded: textshaping.dll
              Source: C:\Windows\SysWOW64\notepad.exe | Section loaded: efswrt.dll
              Source: C:\Windows\SysWOW64\notepad.exe | Section loaded: mpr.dll
              Source: C:\Windows\SysWOW64\notepad.exe | Section loaded: wintypes.dll
              Source: C:\Windows\SysWOW64\notepad.exe | Section loaded: twinapi.appcore.dll
              Source: C:\Windows\SysWOW64\notepad.exe | Section loaded: oleacc.dll
              Source: C:\Windows\SysWOW64\notepad.exe | Section loaded: textinputframework.dll
              Source: C:\Windows\SysWOW64\notepad.exe | Section loaded: coreuicomponents.dll
              Source: C:\Windows\SysWOW64\notepad.exe | Section loaded: coremessaging.dll
              Source: C:\Windows\SysWOW64\notepad.exe | Section loaded: ntmarta.dll
              Source: C:\Windows\SysWOW64\notepad.exe | Section loaded: coremessaging.dll
              Source: C:\Windows\SysWOW64\notepad.exe | Section loaded: urlmon.dll
              Source: C:\Windows\SysWOW64\notepad.exe | Section loaded: iertutil.dll
              Source: C:\Windows\SysWOW64\notepad.exe | Section loaded: srvcli.dll
              Source: C:\Windows\SysWOW64\notepad.exe | Section loaded: netutils.dll
              Source: C:\Windows\SysWOW64\notepad.exe | Section loaded: propsys.dll
              Source: C:\Windows\SysWOW64\notepad.exe | Section loaded: policymanager.dll
              Source: C:\Windows\SysWOW64\notepad.exe | Section loaded: msvcp110_win.dll
              Source: C:\Windows\hh.exe | Section loaded: kernel.appcore.dll
              Source: C:\Windows\hh.exe | Section loaded: uxtheme.dll
              Source: C:\Windows\hh.exe | Section loaded: windows.storage.dll
              Source: C:\Windows\hh.exe | Section loaded: wldp.dll
              Source: C:\Windows\hh.exe | Section loaded: profapi.dll
              Source: C:\Windows\hh.exe | Section loaded: ntmarta.dll
              Source: C:\Windows\hh.exe | Section loaded: itss.dll
              Source: C:\Windows\hh.exe | Section loaded: urlmon.dll
              Source: C:\Windows\hh.exe | Section loaded: wininet.dll
              Source: C:\Windows\hh.exe | Section loaded: iertutil.dll
              Source: C:\Windows\hh.exe | Section loaded: srvcli.dll
              Source: C:\Windows\hh.exe | Section loaded: netutils.dll
              Source: C:\Windows\hh.exe | Section loaded: ieframe.dll
              Source: C:\Windows\hh.exe | Section loaded: netapi32.dll
              Source: C:\Windows\hh.exe | Section loaded: version.dll
              Source: C:\Windows\hh.exe | Section loaded: userenv.dll
              Source: C:\Windows\hh.exe | Section loaded: winhttp.dll
              Source: C:\Windows\hh.exe | Section loaded: wkscli.dll
              Source: C:\Windows\hh.exe | Section loaded: dataexchange.dll
              Source: C:\Windows\hh.exe | Section loaded: d3d11.dll
              Source: C:\Windows\hh.exe | Section loaded: dcomp.dll
              Source: C:\Windows\hh.exe | Section loaded: dxgi.dll
              Source: C:\Windows\hh.exe | Section loaded: twinapi.appcore.dll
              Source: C:\Windows\hh.exe | Section loaded: textinputframework.dll
              Source: C:\Windows\hh.exe | Section loaded: coreuicomponents.dll
              Source: C:\Windows\hh.exe | Section loaded: coremessaging.dll
              Source: C:\Windows\hh.exe | Section loaded: wintypes.dll
              Source: C:\Windows\hh.exe | Section loaded: wintypes.dll
              Source: C:\Windows\hh.exe | Section loaded: wintypes.dll
              Source: C:\Windows\hh.exe | Section loaded: sxs.dll
              Source: C:\Windows\hh.exe | Section loaded: msiso.dll
              Source: C:\Windows\hh.exe | Section loaded: sspicli.dll
              Source: C:\Windows\hh.exe | Section loaded: propsys.dll
              Source: C:\Windows\hh.exe | Section loaded: mshtml.dll
              Source: C:\Windows\hh.exe | Section loaded: powrprof.dll
              Source: C:\Windows\hh.exe | Section loaded: umpdc.dll
              Source: C:\Windows\hh.exe | Section loaded: srpapi.dll
              Source: C:\Windows\hh.exe | Section loaded: textshaping.dll
              Source: C:\Windows\hh.exe | Section loaded: d2d1.dll
              Source: C:\Windows\hh.exe | Section loaded: dwrite.dll
              Source: C:\Windows\hh.exe | Section loaded: resourcepolicyclient.dll
              Source: C:\Windows\hh.exe | Section loaded: msimtf.dll
              Source: C:\Windows\hh.exe | Section loaded: msls31.dll
              Source: C:\Windows\hh.exe | Section loaded: secur32.dll
              Source: C:\Windows\hh.exe | Section loaded: mlang.dll
              Source: C:\Users\user\AppData\Local\Temp\????????????????.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F5FB2C77-0E2F-4A16-A381-3E560C68BC83}\InProcServer32
              Source: C:\Windows\hh.exe | Window found: window name: SysTabControl32
              Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE | Automated click: OK
              Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE | Automated click: OK
              Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE | Automated click: OK
              Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE | Automated click: OK
              Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe | File opened: C:\Windows\SYSTEM32\msftedit.dll
              Source: Window Recorder | Window detected: More than 3 window changes detected
              Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\Common
              Source: desaremix.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
              Source: desaremix.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
              Source: desaremix.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
              Source: desaremix.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
              Source: desaremix.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
              Source: desaremix.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
              Source: desaremix.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
              Source: desaremix.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
              Source: Binary string: C:\Users\ASUS\Documents\Malwares\My Creations\desaremix\Release\desaremix.pdb | source: desaremix.exe, ????????????????.exe.0.dr
              Source: desaremix.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
              Source: desaremix.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
              Source: desaremix.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
              Source: desaremix.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
              Source: desaremix.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
              Source: C:\Users\user\Desktop\desaremix.exe | Code function 0_2_00311C30: LoadLibraryW,GetProcAddress,FreeLibrary,CreateThread,CloseHandle,CloseHandle,CreateFileW,WriteFile,CloseHandle,LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,FreeLibrary,RegCreateKeyExW,RegCreateKeyExW,RegSetValueExW,RegSetValueExW,RegCreateKeyExW,RegSetValueExW,RegCreateKeyExW,RegSetValueExW,RegCloseKey,Sleep,GetLogicalDriveStringsW,CreateThread,CreateThread,CloseHandle,CreateThread,CloseHandle,CreateThread,CreateThread,CloseHandle,CloseHandle,CreateThread,CloseHandle,LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,FreeLibrary,Sleep
              Source: desaremix.exe | Static PE information: section name: _RDATA
              Source: ????????????????.exe.0.dr | Static PE information: section name: _RDATA
              Source: C:\Users\user\Desktop\desaremix.exe | Code function 0_2_00314C06: push ecx; ret 0_2_00314C19
              Source: C:\Users\user\AppData\Local\Temp\????????????????.exe | Code function 1_2_006C4C06: push ecx; ret 1_2_006C4C19

              Persistence and Installation Behavior

              Source: C:\Users\user\Desktop\desaremix.exe | Code function: LoadLibraryW,GetProcAddress,FreeLibrary,CreateThread,CloseHandle,CloseHandle,CreateFileW,WriteFile,CloseHandle,LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,FreeLibrary,RegCreateKeyExW,RegCreateKeyExW,RegSetValueExW,RegSetValueExW,RegCreateKeyExW,RegSetValueExW,RegCreateKeyExW,RegSetValueExW,RegCloseKey,Sleep,GetLogicalDriveStringsW,CreateThread,CreateThread,CloseHandle,CreateThread,CloseHandle,CreateThread,CreateThread,CloseHandle,CloseHandle,CreateThread,CloseHandle,LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,FreeLibrary,Sleep, \\.\PhysicalDrive0 0_2_00311C30
              Source: C:\Users\user\AppData\Local\Temp\????????????????.exe | Code function: LoadLibraryW,GetProcAddress,FreeLibrary,CreateThread,CloseHandle,CloseHandle,CreateFileW,WriteFile,CloseHandle,LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,RtlAdjustPrivilege,RtlSetProcessIsCritical,FreeLibrary,RegCreateKeyExW,RegCreateKeyExW,RegSetValueExW,RegSetValueExW,RegCreateKeyExW,RegSetValueExW,RegCreateKeyExW,RegSetValueExW,RegCloseKey,Sleep,GetLogicalDriveStringsW,CreateThread,CreateThread,CloseHandle,CreateThread,CloseHandle,CreateThread,CreateThread,CloseHandle,CloseHandle,CreateThread,CloseHandle,LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,FreeLibrary,Sleep, \\.\PhysicalDrive0 1_2_006C1C30
              Source: C:\Users\user\AppData\Local\Temp\????????????????.exe | File written: \Device\Harddisk0\DR0 offset: 512
              Source: C:\Users\user\AppData\Local\Temp\????????????????.exe | File written: \Device\Harddisk0\DR0 offset: 512 length: 512
              Source: C:\Users\user\Desktop\desaremix.exe | File created: C:\Users\user\AppData\Local\Temp\????????????????.exe

              Boot Survival

              Source: C:\Users\user\Desktop\desaremix.exe | Code function: LoadLibraryW,GetProcAddress,FreeLibrary,CreateThread,CloseHandle,CloseHandle,CreateFileW,WriteFile,CloseHandle,LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,FreeLibrary,RegCreateKeyExW,RegCreateKeyExW,RegSetValueExW,RegSetValueExW,RegCreateKeyExW,RegSetValueExW,RegCreateKeyExW,RegSetValueExW,RegCloseKey,Sleep,GetLogicalDriveStringsW,CreateThread,CreateThread,CloseHandle,CreateThread,CloseHandle,CreateThread,CreateThread,CloseHandle,CloseHandle,CreateThread,CloseHandle,LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,FreeLibrary,Sleep, \\.\PhysicalDrive0 0_2_00311C30
              Source: C:\Users\user\AppData\Local\Temp\????????????????.exe | Code function: LoadLibraryW,GetProcAddress,FreeLibrary,CreateThread,CloseHandle,CloseHandle,CreateFileW,WriteFile,CloseHandle,LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,RtlAdjustPrivilege,RtlSetProcessIsCritical,FreeLibrary,RegCreateKeyExW,RegCreateKeyExW,RegSetValueExW,RegSetValueExW,RegCreateKeyExW,RegSetValueExW,RegCreateKeyExW,RegSetValueExW,RegCloseKey,Sleep,GetLogicalDriveStringsW,CreateThread,CreateThread,CloseHandle,CreateThread,CloseHandle,CreateThread,CreateThread,CloseHandle,CloseHandle,CreateThread,CloseHandle,LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,FreeLibrary,Sleep, \\.\PhysicalDrive0 1_2_006C1C30

              Hooking and other Techniques for Hiding and Protection

              Source: C:\Users\user\AppData\Local\Temp\????????????????.exe | File deleted: c:\users\user\desktop\desaremix.exe
              Source: C:\Users\user\AppData\Local\Temp\????????????????.exe | Process information set: NOOPENFILEERRORBOX (13 identical entries)
              Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe | Process information set: NOOPENFILEERRORBOX (9 identical entries)
              Source: C:\Windows\System32\rundll32.exe | Process information set: NOOPENFILEERRORBOX
              Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE | Process information set: NOOPENFILEERRORBOX (83 identical entries)
              Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE | Process information set: NOOPENFILEERRORBOX (12 identical entries)
              Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE | Process information set: NOOPENFILEERRORBOX (12 identical entries)
              Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE | Process information set: NOOPENFILEERRORBOX (8 identical entries)
              Source: C:\Windows\hh.exe | Process information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Local\Temp\????????????????.exe | Process created: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE (8 identical entries)

              Malware Analysis System Evasion

              Source: C:\Users\user\AppData\Local\Temp\????????????????.exe | RDTSC instruction interceptor: First address: 6C1B90 second address: 6C1B90 instructions:
                  0x00000000 rdtsc
                  0x00000002 mov ecx, eax
                  0x00000004 shl ecx, 0Dh
                  0x00000007 xor ecx, eax
                  0x00000009 mov edx, ecx
                  0x0000000b shl edx, 11h
                  0x0000000e xor edx, ecx
                  0x00000010 mov eax, edx
                  0x00000012 shl eax, 05h
                  0x00000015 xor eax, edx
                  0x00000017 mov dword ptr [006DF29Ch], eax
                  0x0000001c movzx eax, al
                  0x0000001f inc eax
                  0x00000020 mov word ptr [ebp+esi*2-00000204h], ax
                  0x00000028 inc esi
                  0x00000029 cmp esi, 00000100h
                  0x0000002f jl 00007F98956D3A21h
                  0x00000031 rdtsc
              Source: C:\Windows\hh.exe | Memory allocated: 26125830000 memory reserve | memory write watch
              Source: C:\Windows\hh.exe | Memory allocated: 26125B00000 memory reserve | memory write watch
              Source: C:\Users\user\Desktop\desaremix.exe | Code function: 0_2_00311C30 rdtsc 0_2_00311C30
              Source: C:\Windows\hh.exe | Window / User API: threadDelayed 2472
              Source: C:\Users\user\AppData\Local\Temp\????????????????.exe TID: 7544 | Thread sleep time: -36000s >= -30000s
              Source: C:\Users\user\AppData\Local\Temp\????????????????.exe TID: 7548 | Thread sleep time: -150000s >= -30000s
              Source: C:\Users\user\AppData\Local\Temp\????????????????.exe TID: 7548 | Thread sleep time: -30000s >= -30000s
              Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe TID: 7400 | Thread sleep time: -86400000s >= -30000s
              Source: C:\Users\user\AppData\Local\Temp\????????????????.exe | File opened: PhysicalDrive0
              Source: C:\Users\user\AppData\Local\Temp\????????????????.exe | Last function: Thread delayed
              Source: C:\Users\user\Desktop\desaremix.exe | Code function: 0_2_003119C0 lstrcpyW,lstrcatW,FindFirstFileW,lstrcmpW,ShellExecuteW,lstrcmpW,lstrcmpW,lstrcpyW,lstrcatW,lstrcatW,ShellExecuteW,Sleep,FindNextFileW,FindClose,RemoveDirectoryW, 0_2_003119C0
              Source: C:\Users\user\AppData\Local\Temp\????????????????.exe | Code function: 1_2_006C19C0 lstrcpyW,lstrcatW,FindFirstFileW,lstrcmpW,ShellExecuteW,lstrcmpW,lstrcmpW,lstrcpyW,lstrcatW,lstrcatW,ShellExecuteW,Sleep,FindNextFileW,FindClose,RemoveDirectoryW, 1_2_006C19C0
              Source: C:\Users\user\Desktop\desaremix.exe | Code function: 0_2_00311C30 LoadLibraryW,GetProcAddress,FreeLibrary,CreateThread,CloseHandle,CloseHandle,CreateFileW,WriteFile,CloseHandle,LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,FreeLibrary,RegCreateKeyExW,RegCreateKeyExW,RegSetValueExW,RegSetValueExW,RegCreateKeyExW,RegSetValueExW,RegCreateKeyExW,RegSetValueExW,RegCloseKey,Sleep,GetLogicalDriveStringsW,CreateThread,CreateThread,CloseHandle,CreateThread,CloseHandle,CreateThread,CreateThread,CloseHandle,CloseHandle,CreateThread,CloseHandle,LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,FreeLibrary,Sleep, 0_2_00311C30
              Source: C:\Users\user\AppData\Local\Temp\????????????????.exe | Thread delayed: delay time: 30000 (2 identical entries)
              Source: C:\Users\user\AppData\Local\Temp\????????????????.exe | File opened: C:\Users\user\AppData\Roaming
              Source: C:\Users\user\AppData\Local\Temp\????????????????.exe | File opened: C:\Users\user
              Source: C:\Users\user\AppData\Local\Temp\????????????????.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Internet Explorer
              Source: C:\Users\user\AppData\Local\Temp\????????????????.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft
              Source: C:\Users\user\AppData\Local\Temp\????????????????.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini
              Source: C:\Users\user\AppData\Local\Temp\????????????????.exe | File opened: C:\Users\user\AppData
              Source: Music.UI.exe, 00000009.00000002.3697049077.000001E2330C9000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
              Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE | Process information queried: ProcessInformation
              Source: C:\Users\user\Desktop\desaremix.exe | Code function: 0_2_00311C30 rdtsc 0_2_00311C30
              Source: C:\Users\user\Desktop\desaremix.exe | Code function: 0_2_00314978 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_00314978
              Source: C:\Users\user\Desktop\desaremix.exe | Code function: 0_2_00311C30 LoadLibraryW,GetProcAddress,FreeLibrary,CreateThread,CloseHandle,CloseHandle,CreateFileW,WriteFile,CloseHandle,LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,FreeLibrary,RegCreateKeyExW,RegCreateKeyExW,RegSetValueExW,RegSetValueExW,RegCreateKeyExW,RegSetValueExW,RegCreateKeyExW,RegSetValueExW,RegCloseKey,Sleep,GetLogicalDriveStringsW,CreateThread,CreateThread,CloseHandle,CreateThread,CloseHandle,CreateThread,CreateThread,CloseHandle,CloseHandle,CreateThread,CloseHandle,LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,FreeLibrary,Sleep, 0_2_00311C30
              Source: C:\Users\user\Desktop\desaremix.exe | Code function: 0_2_00316E5D mov eax, dword ptr fs:[00000030h] 0_2_00316E5D
              Source: C:\Users\user\AppData\Local\Temp\????????????????.exe | Code function: 1_2_006C6E5D mov eax, dword ptr fs:[00000030h] 1_2_006C6E5D
              Source: C:\Users\user\Desktop\desaremix.exe | Code function: 0_2_0031A12D GetProcessHeap, 0_2_0031A12D
              Source: C:\Users\user\AppData\Local\Temp\????????????????.exe | Process token adjusted: Debug
              Source: C:\Users\user\Desktop\desaremix.exe | Code function: 0_2_003144A6 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_003144A6
              Source: C:\Users\user\Desktop\desaremix.exe | Code function: 0_2_00314978 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_00314978
              Source: C:\Users\user\Desktop\desaremix.exe | Code function: 0_2_00314B0B SetUnhandledExceptionFilter, 0_2_00314B0B
              Source: C:\Users\user\Desktop\desaremix.exe | Code function: 0_2_003177F8 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_003177F8
              Source: C:\Users\user\AppData\Local\Temp\????????????????.exe | Code function: 1_2_006C44A6 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 1_2_006C44A6
              Source: C:\Users\user\AppData\Local\Temp\????????????????.exe | Code function: 1_2_006C4978 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 1_2_006C4978
              Source: C:\Users\user\AppData\Local\Temp\????????????????.exe | Code function: 1_2_006C4B0B SetUnhandledExceptionFilter, 1_2_006C4B0B
              Source: C:\Users\user\AppData\Local\Temp\????????????????.exe | Code function: 1_2_006C77F8 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 1_2_006C77F8
              Source: C:\Users\user\AppData\Local\Temp\????????????????.exe | Process created: C:\Windows\SysWOW64\notepad.exe "C:\Windows\system32\NOTEPAD.EXE" C:\$Recycle.Bin\S-1-5-21-2246122658-3693405117-2476756634-1000\desktop.ini
              Source: C:\Users\user\AppData\Local\Temp\????????????????.exe | Process created: C:\Windows\SysWOW64\notepad.exe "C:\Windows\system32\NOTEPAD.EXE" C:\Users\user\Desktop\desktop.ini (2 identical entries)
              Source: C:\Users\user\AppData\Local\Temp\????????????????.exe | Process created: C:\Windows\SysWOW64\notepad.exe "C:\Windows\system32\NOTEPAD.EXE" C:\$Recycle.Bin\S-1-5-21-2246122658-3693405117-2476756634-1001\desktop.ini
              Source: C:\Users\user\AppData\Local\Temp\????????????????.exe | Process created: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE "C:\Program Files (x86)\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\user\Desktop\DVWHKMNFNN.docx" /o "" (2 identical entries)
              Source: C:\Users\user\AppData\Local\Temp\????????????????.exe | Process created: C:\Windows\SysWOW64\notepad.exe "C:\Windows\system32\NOTEPAD.EXE" C:\$Recycle.Bin\S-1-5-21-2246122658-3693405117-2476756634-1002\desktop.ini
              Source: C:\Users\user\AppData\Local\Temp\????????????????.exe | Process created: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE "C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE" (2 identical entries)
              Source: C:\Users\user\AppData\Local\Temp\????????????????.exe | Process created: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE "C:\Program Files (x86)\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\user\Desktop\HTAGVDFUIE.docx" /o "" (2 identical entries)
              Source: C:\Users\user\AppData\Local\Temp\????????????????.exeProcess created: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE "C:\Program Files (x86)\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\user\Desktop\KATAXZVCPS.xlsx"Jump to behavior
              Source: C:\Users\user\AppData\Local\Temp\????????????????.exeProcess created: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE "C:\Program Files (x86)\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\user\Desktop\KATAXZVCPS.xlsx"Jump to behavior
              Source: C:\Users\user\AppData\Local\Temp\????????????????.exeProcess created: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE "C:\Program Files (x86)\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\user\Desktop\LTKMYBSEYZ.xlsx"Jump to behavior
              Source: C:\Users\user\AppData\Local\Temp\????????????????.exeProcess created: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE "C:\Program Files (x86)\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\user\Desktop\LTKMYBSEYZ.xlsx"Jump to behavior
              Source: C:\Users\user\AppData\Local\Temp\????????????????.exeProcess created: C:\Windows\hh.exe "C:\Windows\hh.exe" C:\Program Files\7-Zip\7-zip.chmJump to behavior
              Source: C:\Users\user\AppData\Local\Temp\????????????????.exeProcess created: C:\Program Files\7-Zip\7z.exe "C:\Program Files\7-Zip\7z.exe" Jump to behavior
              Source: C:\Users\user\AppData\Local\Temp\????????????????.exeProcess created: unknown unknownJump to behavior
              Source: C:\Users\user\AppData\Local\Temp\????????????????.exeProcess created: unknown unknownJump to behavior
              Source: C:\Users\user\AppData\Local\Temp\????????????????.exeProcess created: unknown unknownJump to behavior
              Source: C:\Users\user\AppData\Local\Temp\????????????????.exeProcess created: unknown unknownJump to behavior
              Source: C:\Users\user\AppData\Local\Temp\????????????????.exeProcess created: unknown unknownJump to behavior
              Source: C:\Users\user\AppData\Local\Temp\????????????????.exeProcess created: unknown unknownJump to behavior
              Source: C:\Users\user\AppData\Local\Temp\????????????????.exeProcess created: unknown unknownJump to behavior
              Source: C:\Users\user\AppData\Local\Temp\????????????????.exeProcess created: unknown unknownJump to behavior
              Source: C:\Users\user\AppData\Local\Temp\????????????????.exeProcess created: unknown unknownJump to behavior
              Source: C:\Users\user\AppData\Local\Temp\????????????????.exeProcess created: unknown unknownJump to behavior
              Source: C:\Users\user\AppData\Local\Temp\????????????????.exeProcess created: unknown unknownJump to behavior
              Source: C:\Users\user\AppData\Local\Temp\????????????????.exeProcess created: unknown unknownJump to behavior
              Source: C:\Users\user\AppData\Local\Temp\????????????????.exeProcess created: unknown unknownJump to behavior
              Source: C:\Users\user\AppData\Local\Temp\????????????????.exeProcess created: unknown unknownJump to behavior
              Source: C:\Users\user\AppData\Local\Temp\????????????????.exeProcess created: unknown unknownJump to behavior
              Source: C:\Users\user\AppData\Local\Temp\????????????????.exeProcess created: unknown unknownJump to behavior
              Source: C:\Users\user\AppData\Local\Temp\????????????????.exeProcess created: unknown unknownJump to behavior
              Source: C:\Users\user\AppData\Local\Temp\????????????????.exeProcess created: unknown unknownJump to behavior
              Source: C:\Users\user\AppData\Local\Temp\????????????????.exeProcess created: unknown unknownJump to behavior
              Source: C:\Users\user\Desktop\desaremix.exeCode function: 0_2_00311810 AllocateAndInitializeSid,AllocateAndInitializeSid,AllocateAndInitializeSid,SetEntriesInAclW,SetNamedSecurityInfoW,SetNamedSecurityInfoW,GetCurrentProcess,OpenProcessToken,SetNamedSecurityInfoW,SetNamedSecurityInfoW,FreeSid,FreeSid,FreeSid,LocalFree,CloseHandle,0_2_00311810
              Source: C:\Users\user\Desktop\desaremix.exeCode function: 0_2_00314C1B cpuid 0_2_00314C1B
              Source: C:\Users\user\AppData\Local\Temp\????????????????.exeQueries volume information: C:\ VolumeInformationJump to behavior
              Source: C:\Users\user\AppData\Local\Temp\????????????????.exeQueries volume information: C:\ VolumeInformationJump to behavior
              Source: C:\Windows\SysWOW64\notepad.exeQueries volume information: C:\$Recycle.Bin\S-1-5-21-2246122658-3693405117-2476756634-1000\desktop.ini VolumeInformationJump to behavior
              Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exeQueries volume information: C:\Windows\Fonts\segoeui.ttf VolumeInformationJump to behavior
              Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exeQueries volume information: C:\Users\user\AppData\Local\Packages\Microsoft.ZuneMusic_8wekyb3d8bbwe\LocalState\Database\anonymous\edbtmp.log VolumeInformationJump to behavior
              Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exeQueries volume information: C:\Users\user\AppData\Local\Packages\Microsoft.ZuneMusic_8wekyb3d8bbwe\LocalState\Database\anonymous\edbtmp.log VolumeInformationJump to behavior
              Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exeQueries volume information: C:\Users\user\AppData\Local\Packages\Microsoft.ZuneMusic_8wekyb3d8bbwe\LocalState\Database\anonymous\edbres00001.jrs VolumeInformationJump to behavior
              Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exeQueries volume information: C:\Users\user\AppData\Local\Packages\Microsoft.ZuneMusic_8wekyb3d8bbwe\LocalState\Database\anonymous\edbres00002.jrs VolumeInformationJump to behavior
              Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exeQueries volume information: C:\Users\user\AppData\Local\Packages\Microsoft.ZuneMusic_8wekyb3d8bbwe\LocalState\Database\anonymous\edb.log VolumeInformationJump to behavior
              Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exeQueries volume information: C:\Users\user\AppData\Local\Packages\Microsoft.ZuneMusic_8wekyb3d8bbwe\LocalState\Database\anonymous\edb.log VolumeInformationJump to behavior
              Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exeQueries volume information: C:\Users\user\AppData\Local\Packages\Microsoft.ZuneMusic_8wekyb3d8bbwe\LocalState\Database\anonymous\edb.log VolumeInformationJump to behavior
              Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exeQueries volume information: C:\Users\user\AppData\Local\Packages\Microsoft.ZuneMusic_8wekyb3d8bbwe\LocalState\Database\anonymous\edb.chk VolumeInformationJump to behavior
              Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exeQueries volume information: C:\Users\user\AppData\Local\Packages\Microsoft.ZuneMusic_8wekyb3d8bbwe\LocalState\Database\anonymous\EntClientDb.jfm VolumeInformationJump to behavior
              Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exeQueries volume information: C:\Users\user\AppData\Local\Packages\Microsoft.ZuneMusic_8wekyb3d8bbwe\LocalState\Database\anonymous\EntClientDb.edb VolumeInformationJump to behavior
              Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exeQueries volume information: C:\Users\user\AppData\Local\Packages\Microsoft.ZuneMusic_8wekyb3d8bbwe\LocalState\Database\anonymous\EntClientDb.edb VolumeInformationJump to behavior
              Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exeQueries volume information: C:\Users\user\AppData\Local\Packages\Microsoft.ZuneMusic_8wekyb3d8bbwe\LocalState\Database\anonymous\tmp.edb VolumeInformationJump to behavior
              Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exeQueries volume information: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Resources\Fonts\SegMVR2.ttf VolumeInformationJump to behavior
              Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exeQueries volume information: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Resources\Fonts\SegMVR2.ttf VolumeInformationJump to behavior
              Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exeQueries volume information: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Resources\Fonts\SegMVR2.ttf VolumeInformationJump to behavior
              Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exeQueries volume information: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Resources\Fonts\SegMVR2.ttf VolumeInformationJump to behavior
              Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exeQueries volume information: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Resources\Fonts\SegMVR2.ttf VolumeInformationJump to behavior
              Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exeQueries volume information: C:\Windows\Fonts\segoeuisl.ttf VolumeInformationJump to behavior
              Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exeQueries volume information: C:\Users\user\AppData\Local\Packages\Microsoft.ZuneMusic_8wekyb3d8bbwe\LocalState\SRPData.xml VolumeInformationJump to behavior
              Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exeQueries volume information: C:\Users\user\AppData\Local\Packages\Microsoft.ZuneMusic_8wekyb3d8bbwe\LocalState\DiagOutputDir VolumeInformationJump to behavior
              Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exeQueries volume information: C:\Users\user\AppData\Local\Packages\Microsoft.ZuneMusic_8wekyb3d8bbwe\LocalState\DiagOutputDir\CriticalError_playbackTrace_1741308664.txt VolumeInformationJump to behavior
              Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exeQueries volume information: C:\Windows\Fonts\segoeuil.ttf VolumeInformationJump to behavior
              Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exeQueries volume information: C:\Windows\Fonts\segmdl2.ttf VolumeInformationJump to behavior
              Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exeQueries volume information: C:\Users\user\AppData\Local\Packages\Microsoft.ZuneMusic_8wekyb3d8bbwe\LocalState VolumeInformationJump to behavior
              Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exeQueries volume information: C:\Users\user\AppData\Local\Packages\Microsoft.ZuneMusic_8wekyb3d8bbwe\LocalState\DiagOutputDir\CriticalError_playbackTrace_1741308720.txt VolumeInformationJump to behavior
              Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exeQueries volume information: C:\Users\user\AppData\Local\Packages\Microsoft.ZuneMusic_8wekyb3d8bbwe\LocalState\DiagOutputDir\CriticalError_playbackTrace_1741308731.txt VolumeInformationJump to behavior
              Source: C:\Windows\SysWOW64\notepad.exeQueries volume information: C:\Users\user\Desktop\desktop.ini VolumeInformation
              Source: C:\Windows\SysWOW64\notepad.exeQueries volume information: C:\Users\user\Desktop\desktop.ini VolumeInformation
              Source: C:\Windows\SysWOW64\notepad.exeQueries volume information: C:\$Recycle.Bin\S-1-5-21-2246122658-3693405117-2476756634-1001\desktop.ini VolumeInformation
              Source: C:\Windows\SysWOW64\notepad.exeQueries volume information: C:\$Recycle.Bin\S-1-5-21-2246122658-3693405117-2476756634-1002\desktop.ini VolumeInformation
              Source: C:\Users\user\Desktop\desaremix.exeCode function: 0_2_00314861 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,0_2_00314861

              Lowering of HIPS / PFW / Operating System Security Settings

              Source: C:\Users\user\AppData\Local\Temp\????????????????.exe | Registry value created: DisableTaskMgr 1
              Source: C:\Users\user\AppData\Local\Temp\????????????????.exe | Registry value created: DisableCMD 1
              Source: C:\Users\user\AppData\Local\Temp\????????????????.exe | Registry key created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System DisableRegistryTools
              Source: C:\Users\user\AppData\Local\Temp\????????????????.exe | Registry key created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System DisableTaskMgr
              Source: C:\Users\user\AppData\Local\Temp\????????????????.exe | Directory queried: number of queries: 1001
              Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
              Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 2 Command and Scripting Interpreter | 4 Bootkit | 1 Access Token Manipulation | 2 Masquerading | OS Credential Dumping | 1 System Time Discovery | Remote Services | 1 Archive Collected Data | 12 Encrypted Channel | Exfiltration Over Other Network Medium | Abuse Accessibility Features
              Credentials | Domains | Default Accounts | 1 Native API | 1 DLL Side-Loading | 11 Process Injection | 4 Disable or Modify Tools | LSASS Memory | 241 Security Software Discovery | Remote Desktop Protocol | Data from Removable Media | 1 Non-Application Layer Protocol | Exfiltration Over Bluetooth | Network Denial of Service
              Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | 1 DLL Side-Loading | 31 Virtualization/Sandbox Evasion | Security Account Manager | 1 Process Discovery | SMB/Windows Admin Shares | Data from Network Shared Drive | 2 Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact
              Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 1 Access Token Manipulation | NTDS | 31 Virtualization/Sandbox Evasion | Distributed Component Object Model | Input Capture | Protocol Impersonation | Traffic Duplication | Data Destruction
              Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 11 Process Injection | LSA Secrets | 1 Application Window Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact
              Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 1 Obfuscated Files or Information | Cached Domain Credentials | 14 File and Directory Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
              DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 4 Bootkit | DCSync | 133 System Information Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
              Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | 1 Rundll32 | Proc Filesystem | System Owner/User Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement
              Network Topology | Malvertising | Exploit Public-Facing Application | Command and Scripting Interpreter | At | At | 1 DLL Side-Loading | /etc/passwd and /etc/shadow | Network Sniffing | Direct Cloud VM Connections | Data Staged | Web Protocols | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Internal Defacement
              IP Addresses | Compromise Infrastructure | Supply Chain Compromise | PowerShell | Cron | Cron | 1 File Deletion | Network Sniffing | Network Service Discovery | Shared Webroot | Local Data Staging | File Transfer Protocols | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | External Defacement
              Behavior Graph ID: 1631383, Sample: desaremix.exe, Startdate: 07/03/2025, Architecture: WINDOWS, Score: 64 (text recovered from the rendered behavior graph):
              Top-level signatures: Antivirus / Scanner detection for submitted sample; Multi AV Scanner detection for submitted file; Yara detected KillMBR; Joe Sandbox ML detected suspicious sample. Contacted hosts include shed.dual-low.s-part-0039.t-0009.t-msedge.net, shed.dual-low.s-part-0032.t-0009.t-msedge.net and 8 other IPs or domains.
              desaremix.exe (started) drops C:\Users\user\...\????????????????.exe (PE32) and C:\...\????????????????.exe:Zone.Identifier (ASCII); signatures on this process: Contains functionality to access PhysicalDrive, possible boot sector overwrite; Contains functionality to infect the boot sector. It starts ????????????????.exe.
              ????????????????.exe drops \Device\Harddisk0\DR0 (DOS/MBR); signatures: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Protects its processes via BreakOnTermination flag; 10 other signatures. It starts WINWORD.EXE, EXCEL.EXE, EXCEL.EXE and 14 other processes, one of which starts conhost.exe.
              Music.UI.exe (started) contacts e87.dspb.akamaiedge.net 95.101.148.7, port 443 (AKAMAI-ASN1EU, European Union). rundll32.exe is also started.
              WINWORD.EXE contacts s-0005.dual-s-msedge.net 52.123.129.14, port 443 (MICROSOFT-CORP-MSN-AS-BLOCKUS, United States); the EXCEL.EXE instances contact s-part-0039.t-0009.t-msedge.net 13.107.246.67, port 443 and 52.123.128.14, port 443 (MICROSOFT-CORP-MSN-AS-BLOCKUS, United States).
