Windows Analysis Report as0Jkr7Dca

Overview

General Information

Sample Name: as0Jkr7Dca (renamed file extension from none to dll)
Analysis ID: 483806
MD5: 3839da365172e8011da03c3ef023c33c
SHA1: 060aaed3fe83b9333dbd19ac22471cc8ded3c9f8
SHA256: 2356048d0182a32df2892b64db99f58634681c33cb0104a3ad3b62510a534454
Tags: Dridex exe

Detection

Dridex
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Yara detected Dridex unpacked file
Multi AV Scanner detection for submitted file
Benign windows process drops PE files
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Changes memory attributes in foreign processes to executable or writable
Machine Learning detection for sample
Modifies the prolog of user mode functions (user mode inline hooks)
Queues an APC in another process (thread injection)
Machine Learning detection for dropped file
Uses Atom Bombing / ProGate to inject into other processes
Queries the volume information (name, serial number etc) of a device
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to shutdown / reboot the system
Uses code obfuscation techniques (call, push, ret)
PE file contains sections with non-standard names
Queries the installation date of Windows
Detected potential crypto function
Found potential string decryption / allocating functions
Contains functionality to launch a process as a different user
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to call native functions
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Uses the system / local time for branch decision (may execute only at specific dates)
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains functionality for execution timing, often used to detect debuggers
Drops files with a non-matching file extension (content does not match file extension)
Sample file is different than original file name gathered from version info
PE file contains an invalid checksum
PE file contains strange resources
Drops PE files
Binary contains a suspicious time stamp
PE file contains more sections than normal
Uses Microsoft's Enhanced Cryptographic Provider
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

Process Tree

  • System is w10x64
  • loaddll64.exe (PID: 3640 cmdline: loaddll64.exe 'C:\Users\user\Desktop\as0Jkr7Dca.dll' MD5: A84133CCB118CF35D49A423CD836D0EF)
    • cmd.exe (PID: 5108 cmdline: cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\as0Jkr7Dca.dll',#1 MD5: 4E2ACF4F8A396486AB4268C94A6A245F)
      • rundll32.exe (PID: 256 cmdline: rundll32.exe 'C:\Users\user\Desktop\as0Jkr7Dca.dll',#1 MD5: 73C519F050C20580F8A62C849D49215A)
    • rundll32.exe (PID: 2540 cmdline: rundll32.exe C:\Users\user\Desktop\as0Jkr7Dca.dll,CreateXmlReader MD5: 73C519F050C20580F8A62C849D49215A)
      • explorer.exe (PID: 3388 cmdline: C:\Windows\Explorer.EXE MD5: AD5296B280E8F522A8A897C96BAB0E1D)
        • SystemPropertiesPerformance.exe (PID: 6292 cmdline: C:\Users\user\AppData\Local\aHDEnt\SystemPropertiesPerformance.exe MD5: F325976CDC0F7E9C680B51B35D24D23A)
        • wextract.exe (PID: 6800 cmdline: C:\Windows\system32\wextract.exe MD5: ED93B350C8EEFC442758A00BC3EEDE2D)
        • wextract.exe (PID: 6908 cmdline: C:\Users\user\AppData\Local\93S1H\wextract.exe MD5: ED93B350C8EEFC442758A00BC3EEDE2D)
        • InfDefaultInstall.exe (PID: 6988 cmdline: C:\Windows\system32\InfDefaultInstall.exe MD5: 5FDB30927E9D4387D777443BF865EEFD)
        • InfDefaultInstall.exe (PID: 6996 cmdline: C:\Users\user\AppData\Local\zBhEpi\InfDefaultInstall.exe MD5: 5FDB30927E9D4387D777443BF865EEFD)
        • AgentService.exe (PID: 5728 cmdline: C:\Windows\system32\AgentService.exe MD5: F7E36C20DB953DFF4FDDB817904C0E48)
        • AgentService.exe (PID: 6060 cmdline: C:\Users\user\AppData\Local\mtEdnDoZJ\AgentService.exe MD5: F7E36C20DB953DFF4FDDB817904C0E48)
        • MusNotificationUx.exe (PID: 4436 cmdline: C:\Windows\system32\MusNotificationUx.exe MD5: 114A55D75AC7447F012B6D8EC8B1F7FC)
        • MusNotificationUx.exe (PID: 5528 cmdline: C:\Users\user\AppData\Local\sdoKH6I6V\MusNotificationUx.exe MD5: 114A55D75AC7447F012B6D8EC8B1F7FC)
        • sessionmsg.exe (PID: 6168 cmdline: C:\Windows\system32\sessionmsg.exe MD5: 1F7CEA0216DE48B877C16F95C7DA1F0F)
    • rundll32.exe (PID: 3256 cmdline: rundll32.exe C:\Users\user\Desktop\as0Jkr7Dca.dll,CreateXmlReaderInputWithEncodingCodePage MD5: 73C519F050C20580F8A62C849D49215A)
    • rundll32.exe (PID: 1236 cmdline: rundll32.exe C:\Users\user\Desktop\as0Jkr7Dca.dll,CreateXmlReaderInputWithEncodingName MD5: 73C519F050C20580F8A62C849D49215A)
    • rundll32.exe (PID: 2736 cmdline: rundll32.exe C:\Users\user\Desktop\as0Jkr7Dca.dll,CreateXmlWriter MD5: 73C519F050C20580F8A62C849D49215A)
    • rundll32.exe (PID: 2212 cmdline: rundll32.exe C:\Users\user\Desktop\as0Jkr7Dca.dll,CreateXmlWriterOutputWithEncodingCodePage MD5: 73C519F050C20580F8A62C849D49215A)
    • rundll32.exe (PID: 3288 cmdline: rundll32.exe C:\Users\user\Desktop\as0Jkr7Dca.dll,CreateXmlWriterOutputWithEncodingName MD5: 73C519F050C20580F8A62C849D49215A)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
0000001F.00000002.393975401.0000000140001000.00000020.00020000.sdmp | JoeSecurity_Dridex_2 | Yara detected Dridex unpacked file | Joe Security |
00000004.00000002.222388463.0000000140001000.00000020.00020000.sdmp | JoeSecurity_Dridex_2 | Yara detected Dridex unpacked file | Joe Security |
00000009.00000002.245117610.0000000140001000.00000020.00020000.sdmp | JoeSecurity_Dridex_2 | Yara detected Dridex unpacked file | Joe Security |
00000024.00000002.451790236.0000000140001000.00000020.00020000.sdmp | JoeSecurity_Dridex_2 | Yara detected Dridex unpacked file | Joe Security |
00000028.00000002.477912274.0000000140001000.00000020.00020000.sdmp | JoeSecurity_Dridex_2 | Yara detected Dridex unpacked file | Joe Security |
(8 further entries not shown)

Sigma Overview

No Sigma rule has matched

Jbx Signature Overview

AV Detection:

Multi AV Scanner detection for submitted file
Source: as0Jkr7Dca.dll | Virustotal: Detection: 64%
Source: as0Jkr7Dca.dll | Metadefender: Detection: 62%
Source: as0Jkr7Dca.dll | ReversingLabs: Detection: 75%
Antivirus / Scanner detection for submitted sample
Source: as0Jkr7Dca.dll | Avira: detected
Antivirus detection for dropped file
Source: C:\Users\user\AppData\Local\93S1H\VERSION.dll | Avira: detection malicious, Label: TR/Crypt.ZPACK.Gen
Source: C:\Users\user\AppData\Local\zBhEpi\newdev.dll | Avira: detection malicious, Label: TR/Crypt.ZPACK.Gen
Source: C:\Users\user\AppData\Local\sdoKH6I6V\XmlLite.dll | Avira: detection malicious, Label: HEUR/AGEN.1114452
Source: C:\Users\user\AppData\Local\aHDEnt\SYSDM.CPL | Avira: detection malicious, Label: HEUR/AGEN.1114452
Source: C:\Users\user\AppData\Local\mtEdnDoZJ\ACTIVEDS.dll | Avira: detection malicious, Label: TR/Crypt.ZPACK.Gen
Machine Learning detection for sample
Source: as0Jkr7Dca.dll | Joe Sandbox ML: detected
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Local\93S1H\VERSION.dll | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\zBhEpi\newdev.dll | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\sdoKH6I6V\XmlLite.dll | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\aHDEnt\SYSDM.CPL | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\mtEdnDoZJ\ACTIVEDS.dll | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\sdoKH6I6V\MusNotificationUx.exe | Code function: 40_2_00007FF75A188290 RtlNtStatusToDosError,BCryptGetProperty,RtlNtStatusToDosError,RtlNtStatusToDosError, 40_2_00007FF75A188290
Source: as0Jkr7Dca.dll | Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA
Source: Binary string: wextract.pdb source: wextract.exe, 0000001F.00000002.395783273.00007FF6A7B49000.00000002.00020000.sdmp, wextract.exe.5.dr
Source: Binary string: SystemPropertiesPerformance.pdb source: SystemPropertiesPerformance.exe, 00000018.00000000.340776280.00007FF7497F2000.00000002.00020000.sdmp, SystemPropertiesPerformance.exe.5.dr
Source: Binary string: wextract.pdbGCTL source: wextract.exe, 0000001F.00000002.395783273.00007FF6A7B49000.00000002.00020000.sdmp, wextract.exe.5.dr
Source: Binary string: MusNotificationUx.pdb source: MusNotificationUx.exe, 00000028.00000002.480167009.00007FF75A18E000.00000002.00020000.sdmp, MusNotificationUx.exe.5.dr
Source: Binary string: SystemPropertiesPerformance.pdbGCTL source: SystemPropertiesPerformance.exe, 00000018.00000000.340776280.00007FF7497F2000.00000002.00020000.sdmp, SystemPropertiesPerformance.exe.5.dr
Source: Binary string: InfDefaultInstall.pdb source: InfDefaultInstall.exe, 00000021.00000000.398960791.00007FF675B52000.00000002.00020000.sdmp, InfDefaultInstall.exe.5.dr
Source: Binary string: MusNotificationUx.pdbGCTL source: MusNotificationUx.exe, 00000028.00000002.480167009.00007FF75A18E000.00000002.00020000.sdmp, MusNotificationUx.exe.5.dr
Source: Binary string: InfDefaultInstall.pdbGCTL source: InfDefaultInstall.exe, 00000021.00000000.398960791.00007FF675B52000.00000002.00020000.sdmp, InfDefaultInstall.exe.5.dr
Source: Binary string: AgentService.pdbGCTL source: AgentService.exe, 00000024.00000002.455168965.00007FF652EF1000.00000002.00020000.sdmp, AgentService.exe.5.dr
Source: Binary string: AgentService.pdb source: AgentService.exe, 00000024.00000002.455168965.00007FF652EF1000.00000002.00020000.sdmp, AgentService.exe.5.dr
Source: C:\Windows\System32\loaddll64.exe | Code function: 1_2_000000014005D290 FindFirstFileExW, 1_2_000000014005D290
Source: C:\Users\user\AppData\Local\93S1H\wextract.exe | Code function: 31_2_00007FF6A7B41EC0 FindFirstFileA,lstrcmpA,lstrcmpA,SetFileAttributesA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA, 31_2_00007FF6A7B41EC0
Source: C:\Users\user\AppData\Local\mtEdnDoZJ\AgentService.exe | Code function: 36_2_00007FF652E69110 ??3@YAXPEAX@Z,??3@YAXPEAX@Z,std::bad_exception::bad_exception,_CxxThrowException,FindFirstFileW,GetLastError,??3@YAXPEAX@Z,??3@YAXPEAX@Z,??3@YAXPEAX@Z,??3@YAXPEAX@Z,??3@YAXPEAX@Z,FindNextFileW,GetLastError,??3@YAXPEAX@Z,??3@YAXPEAX@Z,??3@YAXPEAX@Z,std::bad_exception::bad_exception,_CxxThrowException,std::bad_exception::bad_exception,_CxxThrowException, 36_2_00007FF652E69110
Source: C:\Users\user\AppData\Local\sdoKH6I6V\MusNotificationUx.exe | Code function: 40_2_00007FF75A18A104 ?_Swap_all@_Container_base0@std@@QEAAXAEAU12@@Z,FindFirstFileW,FindNextFileW,FindClose,?_Swap_all@_Container_base0@std@@QEAAXAEAU12@@Z,?_Swap_all@_Container_base0@std@@QEAAXAEAU12@@Z, 40_2_00007FF75A18A104

E-Banking Fraud:

Yara detected Dridex unpacked file
Source: Yara match | File source: 0000001F.00000002.393975401.0000000140001000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.222388463.0000000140001000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000002.245117610.0000000140001000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000024.00000002.451790236.0000000140001000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000028.00000002.477912274.0000000140001000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.227069993.0000000140001000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000018.00000002.362477458.0000000140001000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000002.236556937.0000000140001000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000021.00000002.420737755.0000000140001000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.334750401.0000000140001000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000A.00000002.257049994.0000000140001000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.266033860.0000000140001000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000B.00000002.259716676.0000000140001000.00000020.00020000.sdmp, type: MEMORY
Source: C:\Users\user\AppData\Local\93S1H\wextract.exe | Code function: 31_2_00007FF6A7B41B10 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,CloseHandle,ExitWindowsEx, 31_2_00007FF6A7B41B10
Source: C:\Users\user\AppData\Local\93S1H\wextract.exe | Code function: 31_2_00007FF6A7B4297C GetVersion,GetModuleHandleW,GetProcAddress,ExitWindowsEx,CloseHandle, 31_2_00007FF6A7B4297C
Source: C:\Windows\System32\loaddll64.exe | Code function: 1_2_0000000140034870 1_2_0000000140034870
Source: C:\Windows\System32\loaddll64.exe | Code function: 1_2_0000000140035270 1_2_0000000140035270
Source: C:\Windows\System32\loaddll64.exe | Code function: 1_2_0000000140048AC0 1_2_0000000140048AC0
Source: C:\Windows\System32\loaddll64.exe | Code function: 1_2_000000014005C340 1_2_000000014005C340
Source: C:\Windows\System32\loaddll64.exe | Code function: 1_2_0000000140065B80 1_2_0000000140065B80
Source: C:\Windows\System32\loaddll64.exe | Code function: 1_2_000000014006A4B0 1_2_000000014006A4B0
Source: C:\Windows\System32\loaddll64.exe | Code function: 1_2_00000001400524B0 1_2_00000001400524B0
Source: C:\Windows\System32\loaddll64.exe | Code function: 1_2_0000000140026CC0 1_2_0000000140026CC0
Source: C:\Windows\System32\loaddll64.exe | Code function: 1_2_000000014004BD40 1_2_000000014004BD40
Source: C:\Windows\System32\loaddll64.exe | Code function: 1_2_00000001400495B0 1_2_00000001400495B0
Source: C:\Windows\System32\loaddll64.exe | Code function: 1_2_0000000140036F30 1_2_0000000140036F30
Source: C:\Windows\System32\loaddll64.exe | Code function: 1_2_0000000140069010 1_2_0000000140069010
Source: C:\Windows\System32\loaddll64.exe | Code function: 1_2_0000000140001010 1_2_0000000140001010
Source: C:\Windows\System32\loaddll64.exe | Code function: 1_2_0000000140066020 1_2_0000000140066020
Source: C:\Windows\System32\loaddll64.exe | Code function: 1_2_000000014002F840 1_2_000000014002F840
Source: C:\Windows\System32\loaddll64.exe | Code function: 1_2_000000014005D850 1_2_000000014005D850
Source: C:\Windows\System32\loaddll64.exe | Code function: 1_2_0000000140064080 1_2_0000000140064080
Source: C:\Windows\System32\loaddll64.exe | Code function: 1_2_0000000140010880 1_2_0000000140010880
Source: C:\Windows\System32\loaddll64.exe | Code function: 1_2_00000001400688A0 1_2_00000001400688A0
Source: C:\Windows\System32\loaddll64.exe | Code function: 1_2_000000014002D0D0 1_2_000000014002D0D0
Source: C:\Windows\System32\loaddll64.exe | Code function: 1_2_00000001400018D0 1_2_00000001400018D0
Source: C:\Windows\System32\loaddll64.exe | Code function: 1_2_0000000140016100 1_2_0000000140016100
Source: C:\Windows\System32\loaddll64.exe | Code function: 1_2_000000014001D100 1_2_000000014001D100
Source: C:\Windows\System32\loaddll64.exe | Code function: 1_2_000000014002A110 1_2_000000014002A110
Source: C:\Windows\System32\loaddll64.exe | Code function: 1_2_000000014001D910 1_2_000000014001D910
Source: C:\Windows\System32\loaddll64.exe | Code function: 1_2_0000000140015120 1_2_0000000140015120
Source: C:\Windows\System32\loaddll64.exe | Code function: 1_2_000000014000B120 1_2_000000014000B120
Source: C:\Windows\System32\loaddll64.exe | Code function: 1_2_000000014004F940 1_2_000000014004F940
Source: C:\Windows\System32\loaddll64.exe | Code function: 1_2_0000000140039140 1_2_0000000140039140
Source: C:\Windows\System32\loaddll64.exe | Code function: 1_2_0000000140023140 1_2_0000000140023140
Source: C:\Windows\System32\loaddll64.exe | Code function: 1_2_0000000140057950 1_2_0000000140057950
Source: C:\Windows\System32\loaddll64.exe | Code function: 1_2_000000014001E170 1_2_000000014001E170
Source: C:\Windows\System32\loaddll64.exe | Code function: 1_2_0000000140002980 1_2_0000000140002980
Source: C:\Windows\System32\loaddll64.exe | Code function: 1_2_00000001400611A0 1_2_00000001400611A0
Source: C:\Windows\System32\loaddll64.exe | Code function: 1_2_00000001400389A0 1_2_00000001400389A0
Source: C:\Windows\System32\loaddll64.exe | Code function: 1_2_00000001400381A0 1_2_00000001400381A0
Source: C:\Windows\System32\loaddll64.exe | Code function: 1_2_000000014002E1B0 1_2_000000014002E1B0
Source: C:\Windows\System32\loaddll64.exe | Code function: 1_2_00000001400139D0 1_2_00000001400139D0
Source: C:\Windows\System32\loaddll64.exe | Code function: 1_2_00000001400319F0 1_2_00000001400319F0
Source: C:\Windows\System32\loaddll64.exe | Code function: 1_2_000000014002EA00 1_2_000000014002EA00
Source: C:\Windows\System32\loaddll64.exe | Code function: 1_2_0000000140022A00 1_2_0000000140022A00
Source: C:\Windows\System32\loaddll64.exe | Code function: 1_2_000000014003B220 1_2_000000014003B220
Source: C:\Windows\System32\loaddll64.exe | Code function: 1_2_0000000140067A40 1_2_0000000140067A40
Source: C:\Windows\System32\loaddll64.exe | Code function: 1_2_0000000140069A50 1_2_0000000140069A50
Source: C:\Windows\System32\loaddll64.exe | Code function: 1_2_0000000140007A60 1_2_0000000140007A60
Source: C:\Windows\System32\loaddll64.exe | Code function: 1_2_000000014003AAC0 1_2_000000014003AAC0
Source: C:\Windows\System32\loaddll64.exe | Code function: 1_2_000000014003A2E0 1_2_000000014003A2E0
Source: C:\Windows\System32\loaddll64.exe | Code function: 1_2_0000000140062B00 1_2_0000000140062B00
Source: C:\Windows\System32\loaddll64.exe | Code function: 1_2_0000000140018300 1_2_0000000140018300
Source: C:\Windows\System32\loaddll64.exe | Code function: 1_2_000000014002FB20 1_2_000000014002FB20
Source: C:\Windows\System32\loaddll64.exe | Code function: 1_2_0000000140031340 1_2_0000000140031340
Source: C:\Windows\System32\loaddll64.exe | Code function: 1_2_0000000140022340 1_2_0000000140022340
Source: C:\Windows\System32\loaddll64.exe | Code function: 1_2_0000000140017B40 1_2_0000000140017B40
Source: C:\Windows\System32\loaddll64.exe | Code function: 1_2_000000014000BB40 1_2_000000014000BB40
Source: C:\Windows\System32\loaddll64.exe | Code function: 1_2_000000014004EB60 1_2_000000014004EB60
Source: C:\Windows\System32\loaddll64.exe | Code function: 1_2_0000000140005370 1_2_0000000140005370
Source: C:\Windows\System32\loaddll64.exe | Code function: 1_2_000000014002CB80 1_2_000000014002CB80
Source: C:\Windows\System32\loaddll64.exe | Code function: 1_2_000000014006B390 1_2_000000014006B390
Source: C:\Windows\System32\loaddll64.exe | Code function: 1_2_0000000140054BA0 1_2_0000000140054BA0
Source: C:\Windows\System32\loaddll64.exe | Code function: 1_2_0000000140033BB0 1_2_0000000140033BB0
Source: C:\Windows\System32\loaddll64.exe | Code function: 1_2_00000001400263C0 1_2_00000001400263C0
Source: C:\Windows\System32\loaddll64.exe | Code function: 1_2_00000001400123C0 1_2_00000001400123C0
Source: C:\Windows\System32\loaddll64.exe | Code function: 1_2_0000000140063BD0 1_2_0000000140063BD0
Source: C:\Windows\System32\loaddll64.exe | Code function: 1_2_00000001400663F0 1_2_00000001400663F0
Source: C:\Windows\System32\loaddll64.exe | Code function: 1_2_0000000140023BF0 1_2_0000000140023BF0
Source: C:\Windows\System32\loaddll64.exe | Code function: 1_2_000000014006B41B 1_2_000000014006B41B
Source: C:\Windows\System32\loaddll64.exe | Code function: 1_2_000000014006B424 1_2_000000014006B424
Source: C:\Windows\System32\loaddll64.exe | Code function: 1_2_000000014006B42D 1_2_000000014006B42D
Source: C:\Windows\System32\loaddll64.exe | Code function: 1_2_000000014006B436 1_2_000000014006B436
Source: C:\Windows\System32\loaddll64.exe | Code function: 1_2_000000014006B43D 1_2_000000014006B43D
Source: C:\Windows\System32\loaddll64.exe | Code function: 1_2_0000000140024440 1_2_0000000140024440
Source: C:\Windows\System32\loaddll64.exe | Code function: 1_2_0000000140005C40 1_2_0000000140005C40
Source: C:\Windows\System32\loaddll64.exe | Code function: 1_2_000000014006B446 1_2_000000014006B446
Source: C:\Windows\System32\loaddll64.exe | Code function: 1_2_000000014005F490 1_2_000000014005F490
Source: C:\Windows\System32\loaddll64.exe | Code function: 1_2_0000000140022D00 1_2_0000000140022D00
Source: C:\Windows\System32\loaddll64.exe | Code function: 1_2_0000000140035520 1_2_0000000140035520
Source: C:\Windows\System32\loaddll64.exe | Code function: 1_2_0000000140019D20 1_2_0000000140019D20
Source: C:\Windows\System32\loaddll64.exe | Code function: 1_2_0000000140030530 1_2_0000000140030530
Source: C:\Windows\System32\loaddll64.exe | Code function: 1_2_0000000140023530 1_2_0000000140023530
Source: C:\Windows\System32\loaddll64.exe | Code function: 1_2_0000000140031540 1_2_0000000140031540
Source: C:\Windows\System32\loaddll64.exe | Code function: 1_2_0000000140033540 1_2_0000000140033540
Source: C:\Windows\System32\loaddll64.exe | Code function: 1_2_000000014007BD50 1_2_000000014007BD50
Source: C:\Windows\System32\loaddll64.exe | Code function: 1_2_0000000140078570 1_2_0000000140078570
Source: C:\Windows\System32\loaddll64.exe | Code function: 1_2_0000000140019580 1_2_0000000140019580
Source: C:\Windows\System32\loaddll64.exe | Code function: 1_2_00000001400205A0 1_2_00000001400205A0
Source: C:\Windows\System32\loaddll64.exe | Code function: 1_2_0000000140025DB0 1_2_0000000140025DB0
Source: C:\Windows\System32\loaddll64.exe | Code function: 1_2_0000000140071DC0 1_2_0000000140071DC0
Source: C:\Windows\System32\loaddll64.exe | Code function: 1_2_000000014000C5C0 1_2_000000014000C5C0
Source: C:\Windows\System32\loaddll64.exe | Code function: 1_2_000000014002DDE0 1_2_000000014002DDE0
Source: C:\Windows\System32\loaddll64.exe | Code function: 1_2_0000000140031DF0 1_2_0000000140031DF0
Source: C:\Windows\System32\loaddll64.exe | Code function: 1_2_000000014000DDF0 1_2_000000014000DDF0
Source: C:\Windows\System32\loaddll64.exe | Code function: 1_2_0000000140001620 1_2_0000000140001620
Source: C:\Windows\System32\loaddll64.exe | Code function: 1_2_0000000140018630 1_2_0000000140018630
Source: C:\Windows\System32\loaddll64.exe | Code function: 1_2_0000000140032650 1_2_0000000140032650
Source: C:\Windows\System32\loaddll64.exe | Code function: 1_2_0000000140064E80 1_2_0000000140064E80
Source: C:\Windows\System32\loaddll64.exe | Code function: 1_2_0000000140016E80 1_2_0000000140016E80
Source: C:\Windows\System32\loaddll64.exe | Code function: 1_2_0000000140007EA0 1_2_0000000140007EA0
Source: C:\Windows\System32\loaddll64.exe | Code function: 1_2_00000001400286B0 1_2_00000001400286B0
Source: C:\Windows\System32\loaddll64.exe | Code function: 1_2_0000000140006EB0 1_2_0000000140006EB0
Source: C:\Windows\System32\loaddll64.exe | Code function: 1_2_00000001400276C0 1_2_00000001400276C0
Source: C:\Windows\System32\loaddll64.exe | Code function: 1_2_000000014002FEC0 1_2_000000014002FEC0
Source: C:\Windows\System32\loaddll64.exe | Code function: 1_2_000000014002EED0 1_2_000000014002EED0
Source: C:\Windows\System32\loaddll64.exe | Code function: 1_2_000000014002B6E0 1_2_000000014002B6E0
Source: C:\Windows\System32\loaddll64.exe | Code function: 1_2_0000000140053F20 1_2_0000000140053F20
Source: C:\Windows\System32\loaddll64.exe | Code function: 1_2_0000000140022730 1_2_0000000140022730
Source: C:\Windows\System32\loaddll64.exe | Code function: 1_2_0000000140029780 1_2_0000000140029780
Source: C:\Windows\System32\loaddll64.exe | Code function: 1_2_0000000140018F80 1_2_0000000140018F80
Source: C:\Windows\System32\loaddll64.exe | Code function: 1_2_000000014003EFB0 1_2_000000014003EFB0
Source: C:\Windows\System32\loaddll64.exe | Code function: 1_2_00000001400067B0 1_2_00000001400067B0
Source: C:\Windows\System32\loaddll64.exe | Code function: 1_2_00000001400667D0 1_2_00000001400667D0
Source: C:\Windows\System32\loaddll64.exe | Code function: 1_2_0000000140060FE0 1_2_0000000140060FE0
Source: C:\Users\user\AppData\Local\93S1H\wextract.exe | Code function: 31_2_00007FF6A7B41C00 31_2_00007FF6A7B41C00
Source: C:\Users\user\AppData\Local\93S1H\wextract.exe | Code function: 31_2_00007FF6A7B43310 31_2_00007FF6A7B43310
Source: C:\Users\user\AppData\Local\93S1H\wextract.exe | Code function: 31_2_00007FF6A7B41B10 31_2_00007FF6A7B41B10
Source: C:\Users\user\AppData\Local\93S1H\wextract.exe | Code function: 31_2_00007FF6A7B46418 31_2_00007FF6A7B46418
Source: C:\Users\user\AppData\Local\93S1H\wextract.exe | Code function: 31_2_00007FF6A7B457D0 31_2_00007FF6A7B457D0
Source: C:\Users\user\AppData\Local\93S1H\wextract.exe | Code function: 31_2_00007FF6A7B45E98 31_2_00007FF6A7B45E98
Source: C:\Users\user\AppData\Local\93S1H\wextract.exe | Code function: 31_2_00007FF6A7B42AB4 31_2_00007FF6A7B42AB4
Source: C:\Users\user\AppData\Local\93S1H\wextract.exe | Code function: 31_2_00007FF6A7B43D64 31_2_00007FF6A7B43D64
Source: C:\Users\user\AppData\Local\zBhEpi\InfDefaultInstall.exe | Code function: 33_2_00007FF675B51078 33_2_00007FF675B51078
Source: C:\Users\user\AppData\Local\mtEdnDoZJ\AgentService.exe | Code function: 36_2_00007FF652E68500 36_2_00007FF652E68500
Source: C:\Users\user\AppData\Local\mtEdnDoZJ\AgentService.exe | Code function: 36_2_00007FF652E354E0 36_2_00007FF652E354E0
Source: C:\Users\user\AppData\Local\mtEdnDoZJ\AgentService.exe | Code function: 36_2_00007FF652E664D0 36_2_00007FF652E664D0
Source: C:\Users\user\AppData\Local\mtEdnDoZJ\AgentService.exe | Code function: 36_2_00007FF652E404AC 36_2_00007FF652E404AC
Source: C:\Users\user\AppData\Local\mtEdnDoZJ\AgentService.exe | Code function: 36_2_00007FF652E80498 36_2_00007FF652E80498
Source: C:\Users\user\AppData\Local\mtEdnDoZJ\AgentService.exe | Code function: 36_2_00007FF652EBA450 36_2_00007FF652EBA450
Source: C:\Users\user\AppData\Local\mtEdnDoZJ\AgentService.exe | Code function: 36_2_00007FF652E4E444 36_2_00007FF652E4E444
Source: C:\Users\user\AppData\Local\mtEdnDoZJ\AgentService.exe | Code function: 36_2_00007FF652E86158 36_2_00007FF652E86158
Source: C:\Users\user\AppData\Local\mtEdnDoZJ\AgentService.exe | Code function: 36_2_00007FF652E8115E 36_2_00007FF652E8115E
Source: C:\Users\user\AppData\Local\mtEdnDoZJ\AgentService.exe | Code function: 36_2_00007FF652E9C278 36_2_00007FF652E9C278
Source: C:\Users\user\AppData\Local\mtEdnDoZJ\AgentService.exe | Code function: 36_2_00007FF652ECE834 36_2_00007FF652ECE834
Source: C:\Users\user\AppData\Local\mtEdnDoZJ\AgentService.exe | Code function: 36_2_00007FF652E4858C 36_2_00007FF652E4858C
Source: C:\Users\user\AppData\Local\mtEdnDoZJ\AgentService.exe | Code function: 36_2_00007FF652E67580 36_2_00007FF652E67580
Source: C:\Users\user\AppData\Local\mtEdnDoZJ\AgentService.exe | Code function: 36_2_00007FF652E9D6FC 36_2_00007FF652E9D6FC
Source: C:\Users\user\AppData\Local\mtEdnDoZJ\AgentService.exe | Code function: 36_2_00007FF652E796D8 36_2_00007FF652E796D8
Source: C:\Users\user\AppData\Local\mtEdnDoZJ\AgentService.exe | Code function: 36_2_00007FF652E4CC30 36_2_00007FF652E4CC30
Source: C:\Users\user\AppData\Local\mtEdnDoZJ\AgentService.exe | Code function: 36_2_00007FF652ECDBA4 36_2_00007FF652ECDBA4
Source: C:\Users\user\AppData\Local\mtEdnDoZJ\AgentService.exe | Code function: 36_2_00007FF652EBACE8 36_2_00007FF652EBACE8
Source: C:\Users\user\AppData\Local\mtEdnDoZJ\AgentService.exe | Code function: 36_2_00007FF652E729F4 36_2_00007FF652E729F4
Source: C:\Users\user\AppData\Local\mtEdnDoZJ\AgentService.exe | Code function: 36_2_00007FF652EC29E0 36_2_00007FF652EC29E0
Source: C:\Users\user\AppData\Local\mtEdnDoZJ\AgentService.exe | Code function: 36_2_00007FF652E7A974 36_2_00007FF652E7A974
Source: C:\Users\user\AppData\Local\mtEdnDoZJ\AgentService.exe | Code function: 36_2_00007FF652EBA014 36_2_00007FF652EBA014
Source: C:\Users\user\AppData\Local\mtEdnDoZJ\AgentService.exe | Code function: 36_2_00007FF652E7B12C 36_2_00007FF652E7B12C
Source: C:\Users\user\AppData\Local\mtEdnDoZJ\AgentService.exe | Code function: 36_2_00007FF652E69110 36_2_00007FF652E69110
Source: C:\Users\user\AppData\Local\mtEdnDoZJ\AgentService.exe | Code function: 36_2_00007FF652E3E0F4 36_2_00007FF652E3E0F4
Source: C:\Users\user\AppData\Local\mtEdnDoZJ\AgentService.exe | Code function: 36_2_00007FF652E71E34 36_2_00007FF652E71E34
Source: C:\Users\user\AppData\Local\mtEdnDoZJ\AgentService.exe | Code function: 36_2_00007FF652ED8F04 36_2_00007FF652ED8F04
Source: C:\Users\user\AppData\Local\mtEdnDoZJ\AgentService.exe | Code function: 36_2_00007FF652E54EF0 36_2_00007FF652E54EF0
Source: C:\Users\user\AppData\Local\mtEdnDoZJ\AgentService.exe | Code function: 36_2_00007FF652E4BEE4 36_2_00007FF652E4BEE4
Source: C:\Users\user\AppData\Local\mtEdnDoZJ\AgentService.exe | Code function: 36_2_00007FF652E9EE7C 36_2_00007FF652E9EE7C
Source: C:\Users\user\AppData\Local\sdoKH6I6V\MusNotificationUx.exe | Code function: 40_2_00007FF75A17F33C 40_2_00007FF75A17F33C
Source: C:\Users\user\AppData\Local\sdoKH6I6V\MusNotificationUx.exe | Code function: 40_2_00007FF75A176754 40_2_00007FF75A176754
Source: C:\Users\user\AppData\Local\sdoKH6I6V\MusNotificationUx.exe | Code function: 40_2_00007FF75A17C318 40_2_00007FF75A17C318
Source: C:\Users\user\AppData\Local\sdoKH6I6V\MusNotificationUx.exe | Code function: 40_2_00007FF75A172720 40_2_00007FF75A172720
Source: C:\Users\user\AppData\Local\sdoKH6I6V\MusNotificationUx.exe | Code function: 40_2_00007FF75A177720 40_2_00007FF75A177720
Source: C:\Users\user\AppData\Local\sdoKH6I6V\MusNotificationUx.exe | Code function: 40_2_00007FF75A176B7C 40_2_00007FF75A176B7C
Source: C:\Users\user\AppData\Local\sdoKH6I6V\MusNotificationUx.exe | Code function: 40_2_00007FF75A16B38C 40_2_00007FF75A16B38C
Source: C:\Users\user\AppData\Local\sdoKH6I6V\MusNotificationUx.exe | Code function: 40_2_00007FF75A16E38C 40_2_00007FF75A16E38C
Source: C:\Users\user\AppData\Local\sdoKH6I6V\MusNotificationUx.exe | Code function: 40_2_00007FF75A164760 40_2_00007FF75A164760
Source: C:\Users\user\AppData\Local\sdoKH6I6V\MusNotificationUx.exe | Code function: 40_2_00007FF75A16F360 40_2_00007FF75A16F360
Source: C:\Users\user\AppData\Local\sdoKH6I6V\MusNotificationUx.exe | Code function: 40_2_00007FF75A16BB68 40_2_00007FF75A16BB68
Source: C:\Users\user\AppData\Local\sdoKH6I6V\MusNotificationUx.exe | Code function: 40_2_00007FF75A178BCC 40_2_00007FF75A178BCC
Source: C:\Users\user\AppData\Local\sdoKH6I6V\MusNotificationUx.exe | Code function: 40_2_00007FF75A17BBAC 40_2_00007FF75A17BBAC
Source: C:\Users\user\AppData\Local\sdoKH6I6V\MusNotificationUx.exe | Code function: 40_2_00007FF75A18C3B4 40_2_00007FF75A18C3B4
Source: C:\Users\user\AppData\Local\sdoKH6I6V\MusNotificationUx.exe | Code function: 40_2_00007FF75A1747A8 40_2_00007FF75A1747A8
Source: C:\Users\user\AppData\Local\sdoKH6I6V\MusNotificationUx.exe | Code function: 40_2_00007FF75A17AC0C 40_2_00007FF75A17AC0C
Source: C:\Users\user\AppData\Local\sdoKH6I6V\MusNotificationUx.exe | Code function: 40_2_00007FF75A16B80C 40_2_00007FF75A16B80C
Source: C:\Users\user\AppData\Local\sdoKH6I6V\MusNotificationUx.exe | Code function: 40_2_00007FF75A1707D8 40_2_00007FF75A1707D8
Source: C:\Users\user\AppData\Local\sdoKH6I6V\MusNotificationUx.exe | Code function: 40_2_00007FF75A16CBE4 40_2_00007FF75A16CBE4
Source: C:\Users\user\AppData\Local\sdoKH6I6V\MusNotificationUx.exe | Code function: 40_2_00007FF75A1783E0 40_2_00007FF75A1783E0
Source: C:\Users\user\AppData\Local\sdoKH6I6V\MusNotificationUx.exe | Code function: 40_2_00007FF75A16D3E8 40_2_00007FF75A16D3E8
Source: C:\Users\user\AppData\Local\sdoKH6I6V\MusNotificationUx.exe | Code function: 40_2_00007FF75A169FE8 40_2_00007FF75A169FE8
Source: C:\Users\user\AppData\Local\sdoKH6I6V\MusNotificationUx.exe | Code function: 40_2_00007FF75A1667F4 40_2_00007FF75A1667F4
            Source: C:\Users\user\AppData\Local\sdoKH6I6V\MusNotificationUx.exeCode function: 40_2_00007FF75A16B03C40_2_00007FF75A16B03C
            Source: C:\Users\user\AppData\Local\sdoKH6I6V\MusNotificationUx.exeCode function: 40_2_00007FF75A16E04040_2_00007FF75A16E040
            Source: C:\Users\user\AppData\Local\sdoKH6I6V\MusNotificationUx.exeCode function: 40_2_00007FF75A17944C40_2_00007FF75A17944C
            Source: C:\Users\user\AppData\Local\sdoKH6I6V\MusNotificationUx.exeCode function: 40_2_00007FF75A18044C40_2_00007FF75A18044C
            Source: C:\Users\user\AppData\Local\sdoKH6I6V\MusNotificationUx.exeCode function: 40_2_00007FF75A17604840_2_00007FF75A176048
            Source: C:\Users\user\AppData\Local\sdoKH6I6V\MusNotificationUx.exeCode function: 40_2_00007FF75A17D05440_2_00007FF75A17D054
            Source: C:\Users\user\AppData\Local\sdoKH6I6V\MusNotificationUx.exeCode function: 40_2_00007FF75A175C2C40_2_00007FF75A175C2C
            Source: C:\Users\user\AppData\Local\sdoKH6I6V\MusNotificationUx.exeCode function: 40_2_00007FF75A174C8040_2_00007FF75A174C80
            Source: C:\Users\user\AppData\Local\sdoKH6I6V\MusNotificationUx.exeCode function: 40_2_00007FF75A17A07040_2_00007FF75A17A070
            Source: C:\Users\user\AppData\Local\sdoKH6I6V\MusNotificationUx.exeCode function: 40_2_00007FF75A1744C440_2_00007FF75A1744C4
            Source: C:\Users\user\AppData\Local\sdoKH6I6V\MusNotificationUx.exeCode function: 40_2_00007FF75A17F8CC40_2_00007FF75A17F8CC
            Source: C:\Users\user\AppData\Local\sdoKH6I6V\MusNotificationUx.exeCode function: 40_2_00007FF75A181CB040_2_00007FF75A181CB0
            Source: C:\Users\user\AppData\Local\sdoKH6I6V\MusNotificationUx.exeCode function: 40_2_00007FF75A16ACFC40_2_00007FF75A16ACFC
            Source: C:\Users\user\AppData\Local\sdoKH6I6V\MusNotificationUx.exeCode function: 40_2_00007FF75A17110040_2_00007FF75A171100
            Source: C:\Users\user\AppData\Local\sdoKH6I6V\MusNotificationUx.exeCode function: 40_2_00007FF75A16C90840_2_00007FF75A16C908
            Source: C:\Users\user\AppData\Local\sdoKH6I6V\MusNotificationUx.exeCode function: 40_2_00007FF75A16DCE440_2_00007FF75A16DCE4
            Source: C:\Users\user\AppData\Local\sdoKH6I6V\MusNotificationUx.exeCode function: 40_2_00007FF75A173CE040_2_00007FF75A173CE0
            Source: C:\Users\user\AppData\Local\sdoKH6I6V\MusNotificationUx.exeCode function: 40_2_00007FF75A16ECE840_2_00007FF75A16ECE8
            Source: C:\Users\user\AppData\Local\sdoKH6I6V\MusNotificationUx.exeCode function: 40_2_00007FF75A169D2840_2_00007FF75A169D28
            Source: C:\Users\user\AppData\Local\sdoKH6I6V\MusNotificationUx.exeCode function: 40_2_00007FF75A18113040_2_00007FF75A181130
            Source: C:\Users\user\AppData\Local\sdoKH6I6V\MusNotificationUx.exeCode function: 40_2_00007FF75A17ED8840_2_00007FF75A17ED88
            Source: C:\Users\user\AppData\Local\sdoKH6I6V\MusNotificationUx.exeCode function: 40_2_00007FF75A17A16C40_2_00007FF75A17A16C
            Source: C:\Users\user\AppData\Local\sdoKH6I6V\MusNotificationUx.exeCode function: 40_2_00007FF75A17C57040_2_00007FF75A17C570
            Source: C:\Users\user\AppData\Local\sdoKH6I6V\MusNotificationUx.exeCode function: 40_2_00007FF75A17357040_2_00007FF75A173570
            Source: C:\Users\user\AppData\Local\sdoKH6I6V\MusNotificationUx.exeCode function: 40_2_00007FF75A16C5B840_2_00007FF75A16C5B8
            Source: C:\Users\user\AppData\Local\sdoKH6I6V\MusNotificationUx.exeCode function: 40_2_00007FF75A16B5C040_2_00007FF75A16B5C0
            Source: C:\Users\user\AppData\Local\sdoKH6I6V\MusNotificationUx.exeCode function: 40_2_00007FF75A1869A840_2_00007FF75A1869A8
            Source: C:\Users\user\AppData\Local\sdoKH6I6V\MusNotificationUx.exeCode function: 40_2_00007FF75A17CDA840_2_00007FF75A17CDA8
            Source: C:\Users\user\AppData\Local\sdoKH6I6V\MusNotificationUx.exeCode function: 40_2_00007FF75A1661FC40_2_00007FF75A1661FC
            Source: C:\Users\user\AppData\Local\sdoKH6I6V\MusNotificationUx.exeCode function: 40_2_00007FF75A17420840_2_00007FF75A174208
            Source: C:\Users\user\AppData\Local\sdoKH6I6V\MusNotificationUx.exeCode function: 40_2_00007FF75A17E5DC40_2_00007FF75A17E5DC
            Source: C:\Users\user\AppData\Local\sdoKH6I6V\MusNotificationUx.exeCode function: 40_2_00007FF75A1671D840_2_00007FF75A1671D8
            Source: C:\Users\user\AppData\Local\sdoKH6I6V\MusNotificationUx.exeCode function: 40_2_00007FF75A16D9E440_2_00007FF75A16D9E4
            Source: C:\Users\user\AppData\Local\sdoKH6I6V\MusNotificationUx.exeCode function: 40_2_00007FF75A16A9EC40_2_00007FF75A16A9EC
            Source: C:\Users\user\AppData\Local\sdoKH6I6V\MusNotificationUx.exeCode function: 40_2_00007FF75A1809E840_2_00007FF75A1809E8
            Source: C:\Users\user\AppData\Local\sdoKH6I6V\MusNotificationUx.exeCode function: 40_2_00007FF75A1719F040_2_00007FF75A1719F0
            Source: C:\Users\user\AppData\Local\sdoKH6I6V\MusNotificationUx.exeCode function: 40_2_00007FF75A16CE1840_2_00007FF75A16CE18
            Source: C:\Users\user\AppData\Local\sdoKH6I6V\MusNotificationUx.exeCode function: 40_2_00007FF75A18168840_2_00007FF75A181688
            Source: C:\Users\user\AppData\Local\sdoKH6I6V\MusNotificationUx.exeCode function: 40_2_00007FF75A16C25C40_2_00007FF75A16C25C
            Source: C:\Users\user\AppData\Local\sdoKH6I6V\MusNotificationUx.exeCode function: 40_2_00007FF75A16A26C40_2_00007FF75A16A26C
            Source: C:\Users\user\AppData\Local\sdoKH6I6V\MusNotificationUx.exeCode function: 40_2_00007FF75A17BEB840_2_00007FF75A17BEB8
            Source: C:\Users\user\AppData\Local\sdoKH6I6V\MusNotificationUx.exeCode function: 40_2_00007FF75A16BEC440_2_00007FF75A16BEC4
            Source: C:\Users\user\AppData\Local\sdoKH6I6V\MusNotificationUx.exeCode function: 40_2_00007FF75A17A6C840_2_00007FF75A17A6C8
            Source: C:\Users\user\AppData\Local\sdoKH6I6V\MusNotificationUx.exeCode function: 40_2_00007FF75A1886D840_2_00007FF75A1886D8
            Source: C:\Users\user\AppData\Local\sdoKH6I6V\MusNotificationUx.exeCode function: 40_2_00007FF75A16D6E440_2_00007FF75A16D6E4
            Source: C:\Users\user\AppData\Local\sdoKH6I6V\MusNotificationUx.exeCode function: 40_2_00007FF75A177EE040_2_00007FF75A177EE0
Source: C:\Users\user\AppData\Local\mtEdnDoZJ\AgentService.exe | Code function: String function: 00007FF652E35BC4 appears 55 times
Source: C:\Users\user\AppData\Local\mtEdnDoZJ\AgentService.exe | Code function: String function: 00007FF652E33F1C appears 39 times
Source: C:\Users\user\AppData\Local\mtEdnDoZJ\AgentService.exe | Code function: String function: 00007FF652E75CE8 appears 64 times
Source: C:\Users\user\AppData\Local\mtEdnDoZJ\AgentService.exe | Code function: String function: 00007FF652E359E0 appears 153 times
Source: C:\Users\user\AppData\Local\mtEdnDoZJ\AgentService.exe | Code function: 36_2_00007FF652E393A8 memset,CreateProcessAsUserW,WaitForSingleObject,CloseHandle,CloseHandle,GetLastError,swprintf_s,??_V@YAXPEAX@Z,??3@YAXPEAX@Z,??3@YAXPEAX@Z,??3@YAXPEAX@Z,??3@YAXPEAX@Z
Source: C:\Windows\System32\loaddll64.exe | Code function: 1_2_0000000140046C90 NtClose
Source: C:\Windows\System32\loaddll64.exe | Code function: 1_2_000000014006A4B0 NtQuerySystemInformation
Source: C:\Users\user\AppData\Local\mtEdnDoZJ\AgentService.exe | Code function: 36_2_00007FF652EB6CB0: DeviceIoControl,??_V@YAXPEAX@Z,CloseHandle
Source: as0Jkr7Dca.dll | Binary or memory string: OriginalFilenamekbdyj% vs as0Jkr7Dca.dll
Source: SystemPropertiesPerformance.exe.5.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: SystemPropertiesPerformance.exe.5.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: SystemPropertiesPerformance.exe.5.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: wextract.exe.5.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: wextract.exe.5.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: wextract.exe.5.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: ACTIVEDS.dll.5.dr | Static PE information: Number of sections : 46 > 10
Source: SYSDM.CPL.5.dr | Static PE information: Number of sections : 46 > 10
Source: newdev.dll.5.dr | Static PE information: Number of sections : 46 > 10
Source: VERSION.dll.5.dr | Static PE information: Number of sections : 46 > 10
Source: as0Jkr7Dca.dll | Static PE information: Number of sections : 45 > 10
Source: XmlLite.dll.5.dr | Static PE information: Number of sections : 46 > 10
Source: as0Jkr7Dca.dll | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: SYSDM.CPL.5.dr | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: VERSION.dll.5.dr | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: newdev.dll.5.dr | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: ACTIVEDS.dll.5.dr | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: XmlLite.dll.5.dr | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: as0Jkr7Dca.dll | Virustotal: Detection: 64%
Source: as0Jkr7Dca.dll | Metadefender: Detection: 62%
Source: as0Jkr7Dca.dll | ReversingLabs: Detection: 75%
Source: as0Jkr7Dca.dll | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Windows\System32\loaddll64.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown | Process created: C:\Windows\System32\loaddll64.exe loaddll64.exe 'C:\Users\user\Desktop\as0Jkr7Dca.dll'
Source: C:\Windows\System32\loaddll64.exe | Process created: C:\Windows\System32\cmd.exe cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\as0Jkr7Dca.dll',#1
Source: C:\Windows\System32\loaddll64.exe | Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\as0Jkr7Dca.dll,CreateXmlReader
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\as0Jkr7Dca.dll',#1
Source: C:\Windows\System32\loaddll64.exe | Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\as0Jkr7Dca.dll,CreateXmlReaderInputWithEncodingCodePage
Source: C:\Windows\System32\loaddll64.exe | Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\as0Jkr7Dca.dll,CreateXmlReaderInputWithEncodingName
Source: C:\Windows\System32\loaddll64.exe | Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\as0Jkr7Dca.dll,CreateXmlWriter
Source: C:\Windows\System32\loaddll64.exe | Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\as0Jkr7Dca.dll,CreateXmlWriterOutputWithEncodingCodePage
Source: C:\Windows\System32\loaddll64.exe | Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\as0Jkr7Dca.dll,CreateXmlWriterOutputWithEncodingName
Source: C:\Windows\explorer.exe | Process created: C:\Windows\System32\SystemPropertiesPerformance.exe C:\Windows\system32\SystemPropertiesPerformance.exe
Source: C:\Windows\explorer.exe | Process created: C:\Users\user\AppData\Local\aHDEnt\SystemPropertiesPerformance.exe C:\Users\user\AppData\Local\aHDEnt\SystemPropertiesPerformance.exe
Source: C:\Windows\explorer.exe | Process created: C:\Windows\System32\wextract.exe C:\Windows\system32\wextract.exe
Source: C:\Windows\explorer.exe | Process created: C:\Users\user\AppData\Local\93S1H\wextract.exe C:\Users\user\AppData\Local\93S1H\wextract.exe
Source: C:\Windows\explorer.exe | Process created: C:\Windows\System32\InfDefaultInstall.exe C:\Windows\system32\InfDefaultInstall.exe
Source: C:\Windows\explorer.exe | Process created: C:\Users\user\AppData\Local\zBhEpi\InfDefaultInstall.exe C:\Users\user\AppData\Local\zBhEpi\InfDefaultInstall.exe
Source: C:\Windows\explorer.exe | Process created: C:\Windows\System32\AgentService.exe C:\Windows\system32\AgentService.exe
Source: C:\Windows\explorer.exe | Process created: C:\Users\user\AppData\Local\mtEdnDoZJ\AgentService.exe C:\Users\user\AppData\Local\mtEdnDoZJ\AgentService.exe
Source: C:\Windows\explorer.exe | Process created: C:\Windows\System32\MusNotificationUx.exe C:\Windows\system32\MusNotificationUx.exe
Source: C:\Windows\explorer.exe | Process created: C:\Users\user\AppData\Local\sdoKH6I6V\MusNotificationUx.exe C:\Users\user\AppData\Local\sdoKH6I6V\MusNotificationUx.exe
Source: C:\Windows\explorer.exe | Process created: C:\Windows\System32\sessionmsg.exe C:\Windows\system32\sessionmsg.exe
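The process list above shows the pattern worth alerting on: explorer.exe launches a genuine System32 binary (SystemPropertiesPerformance.exe, wextract.exe, InfDefaultInstall.exe, AgentService.exe, MusNotificationUx.exe) and then a same-named copy from a random directory under AppData\Local, while the dropped files are DLLs those binaries import (SYSDM.CPL, VERSION.dll, newdev.dll, ACTIVEDS.dll, XmlLite.dll). The rundll32 command lines add a second clue: the export names loaddll64 enumerated from the sample are exactly the public exports of the real XmlLite.dll. The script below is an added example, not part of this report or of the sandbox; it runs over the process-creation rows above as constructed sample input and flags both signals. XMLLITE_EXPORTS is the public XmlLite export set; the AppData\Local path pattern is an assumption about where this family stages its copies.

```python
import re

# Constructed sample input: the "Process created" rows listed above, as
# (parent image, child image, command line) tuples taken from this report.
EVENTS = [
    ("unknown", r"C:\Windows\System32\loaddll64.exe",
     r"loaddll64.exe 'C:\Users\user\Desktop\as0Jkr7Dca.dll'"),
    (r"C:\Windows\System32\loaddll64.exe", r"C:\Windows\System32\cmd.exe",
     r"cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\as0Jkr7Dca.dll',#1"),
] + [
    (r"C:\Windows\System32\loaddll64.exe", r"C:\Windows\System32\rundll32.exe",
     r"rundll32.exe C:\Users\user\Desktop\as0Jkr7Dca.dll," + export)
    for export in ("CreateXmlReader", "CreateXmlReaderInputWithEncodingCodePage",
                   "CreateXmlReaderInputWithEncodingName", "CreateXmlWriter",
                   "CreateXmlWriterOutputWithEncodingCodePage",
                   "CreateXmlWriterOutputWithEncodingName")
] + [
    (r"C:\Windows\explorer.exe", path, path)
    for path in (r"C:\Windows\System32\SystemPropertiesPerformance.exe",
                 r"C:\Users\user\AppData\Local\aHDEnt\SystemPropertiesPerformance.exe",
                 r"C:\Windows\System32\wextract.exe",
                 r"C:\Users\user\AppData\Local\93S1H\wextract.exe",
                 r"C:\Windows\System32\InfDefaultInstall.exe",
                 r"C:\Users\user\AppData\Local\zBhEpi\InfDefaultInstall.exe",
                 r"C:\Windows\System32\AgentService.exe",
                 r"C:\Users\user\AppData\Local\mtEdnDoZJ\AgentService.exe",
                 r"C:\Windows\System32\MusNotificationUx.exe",
                 r"C:\Users\user\AppData\Local\sdoKH6I6V\MusNotificationUx.exe",
                 r"C:\Windows\System32\sessionmsg.exe")
]

# Public export names of the real XmlLite.dll. A file under another name that
# exposes exactly this surface is built to stand in for XmlLite.dll.
XMLLITE_EXPORTS = {
    "CreateXmlReader", "CreateXmlReaderInputWithEncodingCodePage",
    "CreateXmlReaderInputWithEncodingName", "CreateXmlWriter",
    "CreateXmlWriterOutputWithEncodingCodePage",
    "CreateXmlWriterOutputWithEncodingName",
}

SYSTEM32_RE = re.compile(r"^[A-Za-z]:\\Windows\\System32\\([^\\]+)$", re.IGNORECASE)
# Assumed staging location: <drive>:\Users\<user>\AppData\Local\<one dir>\<name>.exe
USER_LOCAL_RE = re.compile(
    r"^[A-Za-z]:\\Users\\[^\\]+\\AppData\\Local\\[^\\]+\\([^\\]+\.exe)$", re.IGNORECASE)
RUNDLL_RE = re.compile(r"rundll32\.exe\s+'?(?P<dll>[^',]+)'?,(?P<export>\S+)", re.IGNORECASE)


def system32_basenames(events):
    """Lower-cased file names of every child image launched from System32."""
    names = set()
    for _parent, image, _cmdline in events:
        m = SYSTEM32_RE.match(image)
        if m:
            names.add(m.group(1).lower())
    return names


def find_sideload_candidates(events):
    """Flag children running from a user-writable AppData\\Local\\<dir>\\ path under
    the name of a binary the same event stream also launched from System32."""
    twins = system32_basenames(events)
    hits = []
    for parent, image, _cmdline in events:
        m = USER_LOCAL_RE.match(image)
        if m and m.group(1).lower() in twins:
            hits.append({
                "parent": parent,
                "image": image,
                "masquerades_as": m.group(1).lower(),
                "parent_is_explorer": parent.lower().endswith("\\explorer.exe"),
            })
    return hits


def rundll32_exports(events):
    """Named exports rundll32 was asked to call; ordinals such as #1 are skipped."""
    names = set()
    for _parent, _image, cmdline in events:
        m = RUNDLL_RE.search(cmdline)
        if m and not m.group("export").startswith("#"):
            names.add(m.group("export"))
    return names


def impersonated_dll(export_names):
    """Return 'XmlLite.dll' when every observed export belongs to XmlLite's
    export set (and at least one was seen), otherwise None."""
    if export_names and export_names <= XMLLITE_EXPORTS:
        return "XmlLite.dll"
    return None


if __name__ == "__main__":
    for hit in find_sideload_candidates(EVENTS):
        print(f"{hit['parent']} -> {hit['image']} (copy of {hit['masquerades_as']})")
    print("export surface matches:", impersonated_dll(rundll32_exports(EVENTS)))
```

On real telemetry the same two functions run over Sysmon event ID 1 or EDR process-start records; the System32 twin set can be replaced by a static list of signed binaries known to be abused for side-loading, which also catches the case where the legitimate copy was never launched.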
Source: C:\Windows\explorer.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32
Source: C:\Users\user\AppData\Local\93S1H\wextract.exe | Code function: 31_2_00007FF6A7B41B10 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,CloseHandle,ExitWindowsEx
Source: C:\Users\user\AppData\Local\mtEdnDoZJ\AgentService.exe | Code function: 36_2_00007FF652E4943C GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,GetLastError,CloseHandle,GetLastError
Source: C:\Users\user\AppData\Local\sdoKH6I6V\MusNotificationUx.exe | Code function: 40_2_00007FF75A186588 GetCurrentProcess,OpenProcessToken,AdjustTokenPrivileges,GetLastError,CloseHandle
Source: C:\Windows\explorer.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Crypto
Source: classification engine | Classification label: mal100.troj.evad.winDLL@39/11@0/0
Source: C:\Users\user\AppData\Local\mtEdnDoZJ\AgentService.exe | Code function: 36_2_00007FF652E32B88 CoInitializeEx,CoCreateInstance,CoUninitialize
Source: C:\Users\user\AppData\Local\93S1H\wextract.exe | Code function: 31_2_00007FF6A7B46418 GetCurrentDirectoryA,SetCurrentDirectoryA,GetLastError,GetDiskFreeSpaceA,MulDiv,GetVolumeInformationA,memset,GetLastError,GetLastError,FormatMessageA,SetCurrentDirectoryA,memset,GetLastError,GetLastError,FormatMessageA,SetCurrentDirectoryA
Source: C:\Users\user\AppData\Local\mtEdnDoZJ\AgentService.exe | Code function: 36_2_00007FF652E3345C StartServiceCtrlDispatcherW,GetLastError
Source: C:\Windows\System32\loaddll64.exe | Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\as0Jkr7Dca.dll,CreateXmlReader
Source: C:\Users\user\AppData\Local\sdoKH6I6V\MusNotificationUx.exe | Mutant created: \Sessions\1\BaseNamedObjects\{1b5f2cc3-8b30-2258-5bf8-ae9b32776bed}
Source: C:\Users\user\AppData\Local\sdoKH6I6V\MusNotificationUx.exe | Mutant created: \Sessions\1\BaseNamedObjects\{04215796-eaf0-868f-5418-ce74fc100d33}
Source: C:\Users\user\AppData\Local\93S1H\wextract.exe | Code function: 31_2_00007FF6A7B46E1C LoadResource,LockResource,FreeResource,FindResourceA,FreeResource
Source: as0Jkr7Dca.dll | Static PE information: Image base 0x140000000 > 0x60000000
Source: as0Jkr7Dca.dll | Static file information: File size 1839104 > 1048576
Source: as0Jkr7Dca.dll | Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA
Source: Binary string | wextract.pdb source: wextract.exe, 0000001F.00000002.395783273.00007FF6A7B49000.00000002.00020000.sdmp, wextract.exe.5.dr
Source: Binary string | SystemPropertiesPerformance.pdb source: SystemPropertiesPerformance.exe, 00000018.00000000.340776280.00007FF7497F2000.00000002.00020000.sdmp, SystemPropertiesPerformance.exe.5.dr
Source: Binary string | wextract.pdbGCTL source: wextract.exe, 0000001F.00000002.395783273.00007FF6A7B49000.00000002.00020000.sdmp, wextract.exe.5.dr
Source: Binary string | MusNotificationUx.pdb source: MusNotificationUx.exe, 00000028.00000002.480167009.00007FF75A18E000.00000002.00020000.sdmp, MusNotificationUx.exe.5.dr
Source: Binary string | SystemPropertiesPerformance.pdbGCTL source: SystemPropertiesPerformance.exe, 00000018.00000000.340776280.00007FF7497F2000.00000002.00020000.sdmp, SystemPropertiesPerformance.exe.5.dr
Source: Binary string | InfDefaultInstall.pdb source: InfDefaultInstall.exe, 00000021.00000000.398960791.00007FF675B52000.00000002.00020000.sdmp, InfDefaultInstall.exe.5.dr
Source: Binary string | MusNotificationUx.pdbGCTL source: MusNotificationUx.exe, 00000028.00000002.480167009.00007FF75A18E000.00000002.00020000.sdmp, MusNotificationUx.exe.5.dr
Source: Binary string | InfDefaultInstall.pdbGCTL source: InfDefaultInstall.exe, 00000021.00000000.398960791.00007FF675B52000.00000002.00020000.sdmp, InfDefaultInstall.exe.5.dr
Source: Binary string | AgentService.pdbGCTL source: AgentService.exe, 00000024.00000002.455168965.00007FF652EF1000.00000002.00020000.sdmp, AgentService.exe.5.dr
Source: Binary string | AgentService.pdb source: AgentService.exe, 00000024.00000002.455168965.00007FF652EF1000.00000002.00020000.sdmp, AgentService.exe.5.dr
Source: C:\Windows\System32\loaddll64.exe | Code function: 1_2_0000000140056A4D push rdi; ret 1_2_0000000140056A4E
Source: C:\Users\user\AppData\Local\mtEdnDoZJ\AgentService.exe | Code function: 36_2_00007FF652E784C0 push rsp; retf 36_2_00007FF652E784C1
Source: C:\Users\user\AppData\Local\mtEdnDoZJ\AgentService.exe | Code function: 36_2_00007FF652E7FF70 pushfq ; retf 36_2_00007FF652E7FF71
Source: as0Jkr7Dca.dll | Static PE information: section name: .qkm
Source: as0Jkr7Dca.dll | Static PE information: section name: .cvjb
Source: as0Jkr7Dca.dll | Static PE information: section name: .tlmkv
Source: as0Jkr7Dca.dll | Static PE information: section name: .wucsxe
Source: as0Jkr7Dca.dll | Static PE information: section name: .fltwtj
Source: as0Jkr7Dca.dll | Static PE information: section name: .sfplio
Source: as0Jkr7Dca.dll | Static PE information: section name: .rpg
Source: as0Jkr7Dca.dll | Static PE information: section name: .bewzc
Source: as0Jkr7Dca.dll | Static PE information: section name: .vksvaw
Source: as0Jkr7Dca.dll | Static PE information: section name: .wmhg
Source: as0Jkr7Dca.dll | Static PE information: section name: .kswemc
Source: as0Jkr7Dca.dll | Static PE information: section name: .kaxfk
Source: as0Jkr7Dca.dll | Static PE information: section name: .pjf
Source: as0Jkr7Dca.dll | Static PE information: section name: .retjqj
Source: as0Jkr7Dca.dll | Static PE information: section name: .mizn
Source: as0Jkr7Dca.dll | Static PE information: section name: .rsrub
Source: as0Jkr7Dca.dll | Static PE information: section name: .fhgxfk
Source: as0Jkr7Dca.dll | Static PE information: section name: .wqpbrq
Source: as0Jkr7Dca.dll | Static PE information: section name: .xlhbgj
Source: as0Jkr7Dca.dll | Static PE information: section name: .rzgl
Source: as0Jkr7Dca.dll | Static PE information: section name: .yic
Source: as0Jkr7Dca.dll | Static PE information: section name: .zfmbo
Source: as0Jkr7Dca.dll | Static PE information: section name: .zlvv
Source: as0Jkr7Dca.dll | Static PE information: section name: .cxtrm
Source: as0Jkr7Dca.dll | Static PE information: section name: .ulxwjx
Source: as0Jkr7Dca.dll | Static PE information: section name: .dhdaub
Source: as0Jkr7Dca.dll | Static PE information: section name: .mwbsl
Source: as0Jkr7Dca.dll | Static PE information: section name: .tnjoaa
Source: as0Jkr7Dca.dll | Static PE information: section name: .xbwa
Source: as0Jkr7Dca.dll | Static PE information: section name: .ahxqcx
Source: as0Jkr7Dca.dll | Static PE information: section name: .prqysb
Source: as0Jkr7Dca.dll | Static PE information: section name: .piajju
Source: as0Jkr7Dca.dll | Static PE information: section name: .ncu
Source: as0Jkr7Dca.dll | Static PE information: section name: .pmgfro
Source: as0Jkr7Dca.dll | Static PE information: section name: .xjbky
Source: as0Jkr7Dca.dll | Static PE information: section name: .iypg
Source: as0Jkr7Dca.dll | Static PE information: section name: .icnjt
Source: as0Jkr7Dca.dll | Static PE information: section name: .ayz
Source: as0Jkr7Dca.dll | Static PE information: section name: .jirq
Source: MusNotificationUx.exe.5.dr | Static PE information: section name: .imrsiv
Source: MusNotificationUx.exe.5.dr | Static PE information: section name: .didat
Source: SYSDM.CPL.5.dr | Static PE information: section name: .qkm
Source: SYSDM.CPL.5.dr | Static PE information: section name: .cvjb
Source: SYSDM.CPL.5.dr | Static PE information: section name: .tlmkv
Source: SYSDM.CPL.5.dr | Static PE information: section name: .wucsxe
Source: SYSDM.CPL.5.dr | Static PE information: section name: .fltwtj
Source: SYSDM.CPL.5.dr | Static PE information: section name: .sfplio
Source: SYSDM.CPL.5.dr | Static PE information: section name: .rpg
Source: SYSDM.CPL.5.dr | Static PE information: section name: .bewzc
Source: SYSDM.CPL.5.dr | Static PE information: section name: .vksvaw
Source: SYSDM.CPL.5.dr | Static PE information: section name: .wmhg
Source: SYSDM.CPL.5.dr | Static PE information: section name: .kswemc
Source: SYSDM.CPL.5.dr | Static PE information: section name: .kaxfk
Source: SYSDM.CPL.5.dr | Static PE information: section name: .pjf
Source: SYSDM.CPL.5.dr | Static PE information: section name: .retjqj
Source: SYSDM.CPL.5.dr | Static PE information: section name: .mizn
Source: SYSDM.CPL.5.dr | Static PE information: section name: .rsrub
Source: SYSDM.CPL.5.dr | Static PE information: section name: .fhgxfk
Source: SYSDM.CPL.5.dr | Static PE information: section name: .wqpbrq
Source: SYSDM.CPL.5.dr | Static PE information: section name: .xlhbgj
Source: SYSDM.CPL.5.dr | Static PE information: section name: .rzgl
Source: SYSDM.CPL.5.dr | Static PE information: section name: .yic
Source: SYSDM.CPL.5.dr | Static PE information: section name: .zfmbo
Source: SYSDM.CPL.5.dr | Static PE information: section name: .zlvv
Source: SYSDM.CPL.5.dr | Static PE information: section name: .cxtrm
Source: SYSDM.CPL.5.dr | Static PE information: section name: .ulxwjx
Source: SYSDM.CPL.5.dr | Static PE information: section name: .dhdaub
Source: SYSDM.CPL.5.dr | Static PE information: section name: .mwbsl
Source: SYSDM.CPL.5.dr | Static PE information: section name: .tnjoaa
Source: SYSDM.CPL.5.dr | Static PE information: section name: .xbwa
Source: SYSDM.CPL.5.dr | Static PE information: section name: .ahxqcx
Source: SYSDM.CPL.5.dr | Static PE information: section name: .prqysb
Source: SYSDM.CPL.5.dr | Static PE information: section name: .piajju
Source: SYSDM.CPL.5.dr | Static PE information: section name: .ncu
Source: SYSDM.CPL.5.dr | Static PE information: section name: .pmgfro
Source: SYSDM.CPL.5.dr | Static PE information: section name: .xjbky
Source: SYSDM.CPL.5.dr | Static PE information: section name: .iypg
Source: SYSDM.CPL.5.dr | Static PE information: section name: .icnjt
Source: SYSDM.CPL.5.dr | Static PE information: section name: .ayz
Source: SYSDM.CPL.5.dr | Static PE information: section name: .jirq
Source: SYSDM.CPL.5.dr | Static PE information: section name: .xfw
Source: VERSION.dll.5.dr, Static PE information: section names: .qkm, .cvjb, .tlmkv, .wucsxe, .fltwtj, .sfplio, .rpg, .bewzc, .vksvaw, .wmhg, .kswemc, .kaxfk, .pjf, .retjqj, .mizn, .rsrub, .fhgxfk, .wqpbrq, .xlhbgj, .rzgl, .yic, .zfmbo, .zlvv, .cxtrm, .ulxwjx, .dhdaub, .mwbsl, .tnjoaa, .xbwa, .ahxqcx, .prqysb, .piajju, .ncu, .pmgfro, .xjbky, .iypg, .icnjt, .ayz, .jirq, .oygkua
Source: newdev.dll.5.dr, Static PE information: section names: .qkm, .cvjb, .tlmkv, .wucsxe, .fltwtj, .sfplio, .rpg, .bewzc, .vksvaw, .wmhg, .kswemc, .kaxfk, .pjf, .retjqj, .mizn, .rsrub, .fhgxfk, .wqpbrq, .xlhbgj, .rzgl, .yic, .zfmbo, .zlvv, .cxtrm, .ulxwjx, .dhdaub, .mwbsl, .tnjoaa, .xbwa, .ahxqcx, .prqysb, .piajju, .ncu, .pmgfro, .xjbky, .iypg, .icnjt, .ayz, .jirq, .tevex
Source: ACTIVEDS.dll.5.dr, Static PE information: section names: .qkm, .cvjb, .tlmkv, .wucsxe, .fltwtj, .sfplio, .rpg, .bewzc, .vksvaw, .wmhg, .kswemc, .kaxfk, .pjf, .retjqj, .mizn, .rsrub, .fhgxfk, .wqpbrq, .xlhbgj, .rzgl, .yic, .zfmbo, .zlvv, .cxtrm, .ulxwjx, .dhdaub, .mwbsl, .tnjoaa, .xbwa, .ahxqcx, .prqysb, .piajju, .ncu, .pmgfro, .xjbky, .iypg, .icnjt, .ayz, .jirq, .wkpwg
Source: XmlLite.dll.5.dr, Static PE information: section names: .qkm, .cvjb, .tlmkv, .wucsxe, .fltwtj, .sfplio, .rpg, .bewzc, .vksvaw, .wmhg, .kswemc, .kaxfk, .pjf, .retjqj, .mizn, .rsrub, .fhgxfk, .wqpbrq, .xlhbgj, .rzgl, .yic, .zfmbo, .zlvv, .cxtrm, .ulxwjx, .dhdaub, .mwbsl, .tnjoaa, .xbwa, .ahxqcx, .prqysb, .piajju, .ncu, .pmgfro, .xjbky, .iypg, .icnjt, .ayz, .jirq, .hmh
Across the four dropped DLLs (VERSION.dll, newdev.dll, ACTIVEDS.dll, XmlLite.dll) the first 39 section names are identical and only the last one differs per file.
Source: C:\Users\user\AppData\Local\93S1H\wextract.exe, Code function 31_2_00007FF6A7B41C00: memset, RegCreateKeyExA, RegQueryValueExA, RegCloseKey, GetSystemDirectoryA, LoadLibraryA, GetProcAddress, FreeLibrary, GetSystemDirectoryA, LocalAlloc, GetModuleFileNameA, RegCloseKey, RegSetValueExA, RegCloseKey, LocalFree
Source: ACTIVEDS.dll.5.dr, Static PE information: checksum in header: 0x7d786c40, computed: 0x1c222a
Source: SYSDM.CPL.5.dr, Static PE information: checksum in header: 0x7d786c40, computed: 0x1c6d7c
Source: newdev.dll.5.dr, Static PE information: checksum in header: 0x7d786c40, computed: 0x1d0fc6
Source: VERSION.dll.5.dr, Static PE information: checksum in header: 0x7d786c40, computed: 0x1cf964
Source: as0Jkr7Dca.dll, Static PE information: checksum in header: 0x7d786c40, computed: 0x1c70c8
Source: XmlLite.dll.5.dr, Static PE information: checksum in header: 0x7d786c40, computed: 0x1c2161
The same header checksum value 0x7d786c40 appears in the submitted DLL and in all five dropped DLLs, and it matches none of the computed values.
Source: SystemPropertiesPerformance.exe.5.dr, Static PE information: TimeDateStamp 0xF80C9430 [Wed Nov 16 08:45:36 2101 UTC], a compile timestamp in the future
Source: initial sample, Static PE information: section name: .text, entropy: 7.73364605679
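The four static indicators listed above (non-standard section names, a header checksum that does not match the file, a TimeDateStamp in the future, and a high-entropy .text section) can be reproduced with a few dozen lines of header parsing. The following script is an added example for this report, not code from the sandbox vendor or from the sample; it builds a small PE32+ image in memory (constructed input, with the report's checksum value 0x7d786c40 and timestamp 0xF80C9430 and an invented section name .qkm standing in for the dropped files), then runs the same checks a triage pass would run on a real file. The entropy threshold and the list of "standard" section names are this example's own choices.

```python
import datetime
import math
import struct

# Section names a mainstream linker emits; anything else deserves a look (the sample uses random ones).
STANDARD_SECTIONS = {".text", ".rdata", ".data", ".pdata", ".rsrc", ".reloc", ".idata",
                     ".edata", ".tls", ".bss", ".CRT", ".gfids", ".didat", ".00cfg"}
HIGH_ENTROPY = 7.0        # bits per byte; packed or encrypted sections sit close to 8.0
OPT_CHECKSUM_OFFSET = 64  # CheckSum field offset within the optional header (PE32 and PE32+)

def build_pe(sections, timestamp, checksum):
    """Assemble a minimal PE32+ file in memory (constructed test input, not a real binary)."""
    headers_len = 64 + 4 + 20 + 240 + 40 * len(sections)
    raw_base = (headers_len + 0x1FF) & ~0x1FF            # 0x200 file alignment
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)                 # e_lfanew: PE signature right after the DOS header
    coff = struct.pack("<HHIIIHH", 0x8664, len(sections), timestamp, 0, 0, 240, 0x2022)
    opt = bytearray(240)
    struct.pack_into("<H", opt, 0, 0x20B)                 # PE32+ magic
    struct.pack_into("<I", opt, OPT_CHECKSUM_OFFSET, checksum)
    table, body, ptr = bytearray(), bytearray(), raw_base
    for i, (name, data) in enumerate(sections):
        table += struct.pack("<8sIIIIIIHHI", name.encode(), len(data), 0x1000 * (i + 1),
                             len(data), ptr, 0, 0, 0, 0, 0x60000020)
        body += data
        ptr += len(data)
    image = dos + b"PE\0\0" + coff + opt + table
    return bytes(image) + b"\0" * (raw_base - len(image)) + bytes(body)

def parse_pe(data):
    """Extract what the static checks need: TimeDateStamp, CheckSum and the section table."""
    if data[:2] != b"MZ":
        raise ValueError("not a PE file: missing MZ")
    pe = struct.unpack_from("<I", data, 0x3C)[0]
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("not a PE file: missing PE signature")
    _, nsec, timestamp, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, pe + 4)
    opt = pe + 24
    checksum_off = opt + OPT_CHECKSUM_OFFSET
    sections = []
    for i in range(nsec):
        name, _, _, raw_size, raw_ptr = struct.unpack_from("<8sIIII", data, opt + opt_size + 40 * i)
        sections.append((name.rstrip(b"\0").decode("ascii", "replace"), data[raw_ptr:raw_ptr + raw_size]))
    return {"timestamp": timestamp, "checksum_offset": checksum_off,
            "stored_checksum": struct.unpack_from("<I", data, checksum_off)[0], "sections": sections}

def pe_checksum(data, checksum_off):
    """PE checksum: end-around-carry sum of 16-bit words (CheckSum field skipped) plus the file size."""
    total = 0
    for i in range(0, len(data), 2):
        if checksum_off <= i < checksum_off + 4:
            continue
        total += int.from_bytes(data[i:i + 2], "little")  # a trailing odd byte is zero-padded
        total = (total & 0xFFFF) + (total >> 16)
    return (total + len(data)) & 0xFFFFFFFF

def shannon_entropy(buf):
    if not buf:
        return 0.0
    counts = [0] * 256
    for b in buf:
        counts[b] += 1
    return -sum(c / len(buf) * math.log2(c / len(buf)) for c in counts if c)

def triage(data, now=None):
    """Return the findings a static pass raises for this file, worded like the report."""
    info = parse_pe(data)
    now = now or datetime.datetime.now(datetime.timezone.utc)
    findings = []
    odd = [n for n, _ in info["sections"] if n not in STANDARD_SECTIONS]
    if odd:
        findings.append("non-standard section names: " + ", ".join(odd))
    computed = pe_checksum(data, info["checksum_offset"])
    if info["stored_checksum"] not in (0, computed):  # 0 means "not set", which is common and benign
        findings.append(f"checksum mismatch: header 0x{info['stored_checksum']:x}, computed 0x{computed:x}")
    built = datetime.datetime.fromtimestamp(info["timestamp"], tz=datetime.timezone.utc)
    if built > now:
        findings.append(f"TimeDateStamp in the future: {built:%a %b %d %H:%M:%S %Y UTC}")
    for name, raw in info["sections"]:
        ent = shannon_entropy(raw)
        if ent > HIGH_ENTROPY:
            findings.append(f"section {name} entropy {ent:.2f} (packed or encrypted)")
    return findings

def fix_checksum(data):
    """Write the computed checksum into the header, as a normal build would have done."""
    off = parse_pe(data)["checksum_offset"]
    return data[:off] + struct.pack("<I", pe_checksum(data, off)) + data[off + 4:]

def sample():
    """Constructed sample: a .text section with every byte value equally often (8.0 bits/byte),
    a junk-named section, the report's header checksum 0x7d786c40 and its 2101 timestamp."""
    return build_pe([(".text", bytes(range(256)) * 16), (".qkm", b"\0" * 512)], 0xF80C9430, 0x7D786C40)

if __name__ == "__main__":
    for line in triage(sample()):
        print(line)
```

Run against the constructed sample this reports the junk section name, the checksum mismatch, the 2101 timestamp and the 8.00-bit .text entropy; fixing the checksum field silences only the checksum finding. On a real file, replace `sample()` with the bytes read from disk.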
Source: C:\Windows\explorer.exe, File created: C:\Users\user\AppData\Local\aHDEnt\SYSDM.CPL
Source: C:\Windows\explorer.exe, File created: C:\Users\user\AppData\Local\zBhEpi\InfDefaultInstall.exe
Source: C:\Windows\explorer.exe, File created: C:\Users\user\AppData\Local\mtEdnDoZJ\ACTIVEDS.dll
Source: C:\Windows\explorer.exe, File created: C:\Users\user\AppData\Local\sdoKH6I6V\XmlLite.dll
Source: C:\Windows\explorer.exe, File created: C:\Users\user\AppData\Local\sdoKH6I6V\MusNotificationUx.exe
Source: C:\Windows\explorer.exe, File created: C:\Users\user\AppData\Local\93S1H\wextract.exe
Source: C:\Windows\explorer.exe, File created: C:\Users\user\AppData\Local\93S1H\VERSION.dll
Source: C:\Windows\explorer.exe, File created: C:\Users\user\AppData\Local\aHDEnt\SystemPropertiesPerformance.exe
Source: C:\Windows\explorer.exe, File created: C:\Users\user\AppData\Local\zBhEpi\newdev.dll
Source: C:\Windows\explorer.exe, File created: C:\Users\user\AppData\Local\mtEdnDoZJ\AgentService.exe
Each drop directory holds one executable next to one DLL or CPL (wextract.exe with VERSION.dll, SystemPropertiesPerformance.exe with SYSDM.CPL, InfDefaultInstall.exe with newdev.dll, AgentService.exe with ACTIVEDS.dll, MusNotificationUx.exe with XmlLite.dll). The executables carry the names of Windows system binaries, and the DLLs carry the same non-standard section names and the same header checksum as the submitted sample.
Source: C:\Users\user\AppData\Local\93S1H\wextract.exe, Code function 31_2_00007FF6A7B415C8: CompareStringA, GetFileAttributesA, LocalAlloc, GetPrivateProfileIntA, GetPrivateProfileStringA, GetShortPathNameA, CompareStringA, LocalAlloc, LocalAlloc, GetFileAttributesA
Source: C:\Users\user\AppData\Local\mtEdnDoZJ\AgentService.exe, Code function 36_2_00007FF652E3345C: StartServiceCtrlDispatcherW, GetLastError

            Hooking and other Techniques for Hiding and Protection:

Modifies the prolog of user mode functions (user mode inline hooks)
Source: explorer.exe, User mode code has changed: module: ntdll.dll, function: ZwSetEvent, new code: 0xE9 0x9B 0xBB 0xB5 0x5E 0xEF. The first five bytes form a jmp rel32 (opcode E9 with the little-endian displacement 0x5EB5BB9B, taken relative to the end of the 5-byte instruction), i.e. an inline hook placed at the entry of the syscall stub.
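A detection pass for this finding compares the first bytes of each Nt*/Zw* export against the unmodified x64 stub layout (mov r10, rcx; mov eax, syscall-number) and classifies anything else as a trampoline. The script below is an added example written for this report, not sandbox or sample code. It decodes the six bytes the report recorded for explorer.exe's ntdll!ZwSetEvent, resolves where a jmp rel32 lands given the function address, and, on Windows only, can read the live prologue of an export out of the current process. The function address used in the usage call and the syscall number in the constructed clean stub are placeholders, not values taken from the report.

```python
import sys

# First bytes of an unmodified x64 ntdll syscall stub: mov r10, rcx ; mov eax, <syscall number>
CLEAN_STUB_PREFIX = bytes.fromhex("4C8BD1B8")

def classify_prologue(code: bytes):
    """Classify the entry bytes of an Nt*/Zw* export: clean stub or a known inline-hook trampoline.
    Returns (kind, operand); for a clean stub the operand is the syscall number."""
    if code[:4] == CLEAN_STUB_PREFIX:
        return "clean", int.from_bytes(code[4:8], "little")
    if code[:1] == b"\xE9" and len(code) >= 5:                       # jmp rel32
        return "jmp_rel32", int.from_bytes(code[1:5], "little", signed=True)
    if code[:2] == b"\xFF\x25" and len(code) >= 6:                   # jmp [rip+disp32]
        return "jmp_rip_rel", int.from_bytes(code[2:6], "little", signed=True)
    if code[:1] == b"\x68" and len(code) >= 6 and code[5] == 0xC3:   # push imm32 ; ret
        return "push_ret", int.from_bytes(code[1:5], "little")
    if code[:2] == b"\x48\xB8" and len(code) >= 12 and code[10:12] == b"\xFF\xE0":  # mov rax, imm64 ; jmp rax
        return "mov_jmp", int.from_bytes(code[2:10], "little")
    return "unknown", None

def hook_target(func_va: int, kind: str, operand: int):
    """Where control goes: relative forms are resolved against the function address."""
    if kind == "jmp_rel32":
        return func_va + 5 + operand        # rel32 is relative to the end of the 5-byte jmp
    if kind == "jmp_rip_rel":
        return func_va + 6 + operand        # address of the pointer slot that holds the real target
    if kind in ("push_ret", "mov_jmp"):
        return operand                      # absolute target carried in the instruction
    return None

def read_live_prologue(export: str, length: int = 16) -> bytes:
    """Windows only: read the live bytes of an ntdll export from the current process."""
    if sys.platform != "win32":
        raise OSError("ntdll is only available on Windows")
    import ctypes
    k32 = ctypes.windll.kernel32
    k32.GetModuleHandleW.restype = ctypes.c_void_p
    k32.GetProcAddress.restype = ctypes.c_void_p
    k32.GetProcAddress.argtypes = [ctypes.c_void_p, ctypes.c_char_p]
    addr = k32.GetProcAddress(k32.GetModuleHandleW("ntdll.dll"), export.encode())
    return ctypes.string_at(addr, length)

# Constructed inputs: the bytes the report recorded for ntdll!ZwSetEvent inside explorer.exe, and a
# clean Windows 10 style stub whose syscall number (0x0E here) is a placeholder, not a report value.
REPORTED_ZWSETEVENT = bytes.fromhex("E99BBBB55EEF")
CLEAN_ZWSETEVENT = bytes.fromhex("4C8BD1B80E000000F604250803FE7F01")

def report_line(name: str, func_va: int, code: bytes) -> str:
    kind, operand = classify_prologue(code)
    if kind == "clean":
        return f"{name}: clean syscall stub (number 0x{operand:x})"
    if kind == "unknown":
        return f"{name}: unrecognised prologue {code[:8].hex()}"
    return f"{name}: HOOKED ({kind}), control transfers via 0x{hook_target(func_va, kind, operand):x}"

if __name__ == "__main__":
    assumed_va = 0x7FFB12345670   # placeholder address of ZwSetEvent, not taken from the report
    print(report_line("ZwSetEvent", assumed_va, REPORTED_ZWSETEVENT))
    print(report_line("ZwSetEvent", assumed_va, CLEAN_ZWSETEVENT))
```

The displacement in the recorded bytes is large and positive, so the trampoline lands well above the stub; on a live system the next step is to ask which module (if any) owns that target address, since an address outside every loaded module is the usual sign of injected code.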
Source: C:\Windows\System32\cmd.exe, Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe, Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\aHDEnt\SystemPropertiesPerformance.exe, Last function: Thread delayed
Source: C:\Users\user\AppData\Local\sdoKH6I6V\MusNotificationUx.exe, Code function 40_2_00007FF75A16F360: GetLocalTime followed by cmp: cmp r14d, 02h and CTI: jne 00007FF75A16F436h
Source: C:\Users\user\AppData\Local\mtEdnDoZJ\AgentService.exe, Code function 36_2_00007FF652E54EF0: rdtsc
Source: C:\Windows\System32\loaddll64.exe, Process information queried: ProcessInformation
Source: C:\Windows\System32\loaddll64.exe, Code function 1_2_000000014005C340: GetSystemInfo
Source: C:\Windows\System32\loaddll64.exe, Code function 1_2_000000014005D290: FindFirstFileExW
Source: C:\Users\user\AppData\Local\93S1H\wextract.exe, Code function 31_2_00007FF6A7B41EC0: FindFirstFileA, lstrcmpA, lstrcmpA, SetFileAttributesA, DeleteFileA, FindNextFileA, FindClose, RemoveDirectoryA
Source: C:\Users\user\AppData\Local\mtEdnDoZJ\AgentService.exe, Code function 36_2_00007FF652E69110: ??3@YAXPEAX@Z, ??3@YAXPEAX@Z, std::bad_exception::bad_exception, _CxxThrowException, FindFirstFileW, GetLastError, ??3@YAXPEAX@Z, ??3@YAXPEAX@Z, ??3@YAXPEAX@Z, ??3@YAXPEAX@Z, ??3@YAXPEAX@Z, FindNextFileW, GetLastError, ??3@YAXPEAX@Z, ??3@YAXPEAX@Z, ??3@YAXPEAX@Z, std::bad_exception::bad_exception, _CxxThrowException, std::bad_exception::bad_exception, _CxxThrowException
Source: C:\Users\user\AppData\Local\sdoKH6I6V\MusNotificationUx.exe, Code function 40_2_00007FF75A18A104: ?_Swap_all@_Container_base0@std@@QEAAXAEAU12@@Z, FindFirstFileW, FindNextFileW, FindClose, ?_Swap_all@_Container_base0@std@@QEAAXAEAU12@@Z, ?_Swap_all@_Container_base0@std@@QEAAXAEAU12@@Z
Source: explorer.exe, 00000005.00000000.263575751.000000000871F000.00000004.00000001.sdmp, Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000
Source: explorer.exe, 00000005.00000000.263575751.000000000871F000.00000004.00000001.sdmp, Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000:
Source: explorer.exe, 00000005.00000000.235243024.000000000F640000.00000004.00000001.sdmp, Binary or memory string: AGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000005.00000000.281383823.00000000088BF000.00000004.00000001.sdmp, Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000005.00000000.230973152.0000000008640000.00000004.00000001.sdmp, Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000005.00000000.257547400.00000000055D0000.00000004.00000001.sdmp, Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}V*(E
Source: explorer.exe, 00000005.00000000.263575751.000000000871F000.00000004.00000001.sdmp, Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}~
Source: explorer.exe, 00000005.00000000.263575751.000000000871F000.00000004.00000001.sdmp, Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000
Source: explorer.exe, 00000005.00000000.281150556.00000000087D1000.00000004.00000001.sdmp, Binary or memory string: VMware SATA CD00ices
Source: explorer.exe, 00000005.00000000.276454121.0000000005603000.00000004.00000001.sdmp, Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b},
Source: explorer.exe, 00000005.00000000.231428281.00000000089DC000.00000004.00000001.sdmp, Binary or memory string: Prod_VMware_SATAT
Source: C:\Users\user\AppData\Local\sdoKH6I6V\MusNotificationUx.exe, Code function 40_2_00007FF75A1628E8: GetCurrentThreadId, memset, IsDebuggerPresent, OutputDebugStringW
Source: C:\Users\user\AppData\Local\mtEdnDoZJ\AgentService.exe, Code function 36_2_00007FF652E32EF0: OutputDebugStringW, OutputDebugStringW, EventRegister, EventSetInformation, RegisterServiceCtrlHandlerW, SetServiceStatus, SetServiceStatus, GetLastError
Source: C:\Users\user\AppData\Local\93S1H\wextract.exe, Code function 31_2_00007FF6A7B41C00: memset, RegCreateKeyExA, RegQueryValueExA, RegCloseKey, GetSystemDirectoryA, LoadLibraryA, GetProcAddress, FreeLibrary, GetSystemDirectoryA, LocalAlloc, GetModuleFileNameA, RegCloseKey, RegSetValueExA, RegCloseKey, LocalFree
Source: C:\Users\user\AppData\Local\mtEdnDoZJ\AgentService.exe, Code function 36_2_00007FF652E5F7F0: ??3@YAXPEAX@Z, ??3@YAXPEAX@Z, GetFileVersionInfoSizeW, GetLastError, GetProcessHeap, HeapAlloc, GetFileVersionInfoW, ??3@YAXPEAX@Z, ??3@YAXPEAX@Z, ??3@YAXPEAX@Z, ??3@YAXPEAX@Z, ??3@YAXPEAX@Z, ??3@YAXPEAX@Z, HeapFree, _CxxThrowException, _CxxThrowException, _CxxThrowException, _CxxThrowException, _CxxThrowException
Source: C:\Users\user\AppData\Local\mtEdnDoZJ\AgentService.exe, Code function 36_2_00007FF652E54EF0: rdtsc
Source: C:\Windows\System32\loaddll64.exe, Code function 1_2_0000000140048AC0: LdrLoadDll, FindClose
Source: C:\Users\user\AppData\Local\aHDEnt\SystemPropertiesPerformance.exe, Code function 24_2_00007FF7497F16E4: SetUnhandledExceptionFilter, UnhandledExceptionFilter, GetCurrentProcess, TerminateProcess
Source: C:\Users\user\AppData\Local\aHDEnt\SystemPropertiesPerformance.exe, Code function 24_2_00007FF7497F1460: SetUnhandledExceptionFilter
Source: C:\Users\user\AppData\Local\93S1H\wextract.exe, Code function 31_2_00007FF6A7B47A80: SetUnhandledExceptionFilter, UnhandledExceptionFilter, GetCurrentProcess, TerminateProcess
Source: C:\Users\user\AppData\Local\93S1H\wextract.exe, Code function 31_2_00007FF6A7B47D70: SetUnhandledExceptionFilter
Source: C:\Users\user\AppData\Local\zBhEpi\InfDefaultInstall.exe, Code function 33_2_00007FF675B51810: SetUnhandledExceptionFilter
Source: C:\Users\user\AppData\Local\zBhEpi\InfDefaultInstall.exe, Code function 33_2_00007FF675B51AA4: SetUnhandledExceptionFilter, UnhandledExceptionFilter, GetCurrentProcess, TerminateProcess
Source: C:\Users\user\AppData\Local\mtEdnDoZJ\AgentService.exe, Code function 36_2_00007FF652EE0304: SetUnhandledExceptionFilter, UnhandledExceptionFilter, GetCurrentProcess, TerminateProcess
Source: C:\Users\user\AppData\Local\sdoKH6I6V\MusNotificationUx.exe, Code function 40_2_00007FF75A184768: SetUnhandledExceptionFilter, UnhandledExceptionFilter, GetCurrentProcess, TerminateProcess
Source: C:\Users\user\AppData\Local\sdoKH6I6V\MusNotificationUx.exe, Code function 40_2_00007FF75A184AC0: SetUnhandledExceptionFilter

            HIPS / PFW / Operating System Protection Evasion:

Benign windows process drops PE files
Source: C:\Windows\explorer.exe, File created: SYSDM.CPL.5.dr
Changes memory attributes in foreign processes to executable or writable
Source: C:\Windows\System32\rundll32.exe, Memory protected: C:\Windows\explorer.exe base: 7FFB7377EFE0, protect: page execute and read and write
Source: C:\Windows\System32\rundll32.exe, Memory protected: C:\Windows\explorer.exe base: 7FFB7377E000, protect: page execute read
Source: C:\Windows\System32\rundll32.exe, Memory protected: C:\Windows\explorer.exe base: 7FFB70FD2A20, protect: page execute and read and write
rundll32.exe first makes a page in explorer.exe writable and executable, then restores it to execute-read; the addresses lie in the range where 64-bit system DLLs are mapped, which fits the ntdll!ZwSetEvent prolog change recorded above.
Queues an APC in another process (thread injection)
Source: C:\Windows\System32\rundll32.exe, Thread APC queued: target process: C:\Windows\explorer.exe
Uses Atom Bombing / ProGate to inject into other processes
Source: C:\Windows\System32\rundll32.exe, Atom created: 405553565741544156488D6C24D14881EC98. The report disassembles these bytes in 32-bit mode (0x00000000 inc eax, 0x00000001 push ebp, 0x00000002 push ebx, 0x00000003 push esi, 0x00000004 push edi, 0x00000005 inc ecx, 0x00000006 push esp, 0x00000007 inc ecx, 0x00000008 push esi, 0x00000009 dec eax, 0x0000000a lea ebp, dword ptr [esp-2Fh], 0x0000000e dec eax, 0x0000000f sub esp, 00000098h). The 0x40, 0x41 and 0x48 bytes are REX prefixes, so in the 64-bit target process the same bytes read push rbp, push rbx, push rsi, push rdi, push r12, push r14, lea rbp, [rsp-0x2f], sub rsp, 0x98: a compiler-generated x64 function prologue stored as a hex string in the global atom table.
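Atom bombing writes the payload into the global atom table as a string and has the target pull it back out with GlobalGetAtomName, so an atom whose name is a long run of hex that decodes to a function prologue is the indicator to look for. The script below is an added example for this report, not sandbox or sample code: it decodes the hex atom name the report recorded for rundll32.exe and disassembles the handful of x64 instruction forms a prologue uses (REX-prefixed push, lea r64,[rsp+disp8], sub rsp,imm32) in 64-bit mode, which is what the 32-bit listing above gets wrong. The decoder deliberately handles only these forms and stops at anything else; the heuristic of "two or more register pushes" is this example's own choice.

```python
REG64 = ["rax", "rcx", "rdx", "rbx", "rsp", "rbp", "rsi", "rdi",
         "r8", "r9", "r10", "r11", "r12", "r13", "r14", "r15"]

def decode_x64_prologue(code: bytes):
    """Decode the instruction forms a compiler-generated x64 prologue uses and stop at anything else.
    Handles: REX-prefixed push r64, lea r64, [rsp+disp8], sub rsp, imm32."""
    out, i = [], 0
    while i < len(code):
        rex, b = 0, code[i]
        if 0x40 <= b <= 0x4F:                       # REX prefix: bit0 = B (extends rm/opcode reg), bit2 = R, bit3 = W
            rex, i = b, i + 1
            if i >= len(code):
                out.append("<truncated after REX prefix>")
                break
            b = code[i]
        if 0x50 <= b <= 0x57:                       # push r64; REX.B selects r8..r15
            out.append(f"push {REG64[(b - 0x50) | ((rex & 1) << 3)]}")
            i += 1
            continue
        if (b == 0x8D and rex & 8 and i + 3 < len(code)
                and code[i + 1] & 0xC7 == 0x44 and code[i + 2] == 0x24):
            # lea r64, [rsp+disp8]: ModRM mod=01 rm=100 means a SIB byte (0x24 = base rsp, no index), then disp8
            reg = ((code[i + 1] >> 3) & 7) | ((rex & 4) << 1)
            disp = int.from_bytes(code[i + 3:i + 4], "little", signed=True)
            out.append(f"lea {REG64[reg]}, [rsp{disp:+#x}]")
            i += 4
            continue
        if b == 0x81 and rex & 8 and i + 1 < len(code) and code[i + 1] == 0xEC:  # sub rsp, imm32 (/5, rm = rsp)
            if i + 6 > len(code):
                out.append("sub rsp, <imm32 truncated>")
                break
            out.append(f"sub rsp, {int.from_bytes(code[i + 2:i + 6], 'little'):#x}")
            i += 6
            continue
        out.append(f"<unsupported opcode {b:#04x}>")
        break
    return out

def atom_payload(atom_name: str):
    """If the atom name is even-length hex that decodes to something starting like an x64
    function prologue, return (code_bytes, listing); otherwise None."""
    try:
        code = bytes.fromhex(atom_name)
    except ValueError:                              # not hex, or odd length: an ordinary atom name
        return None
    listing = decode_x64_prologue(code)
    pushes = sum(1 for ins in listing if ins.startswith("push "))
    return (code, listing) if pushes >= 2 else None  # two or more register saves: looks like a prologue

# Constructed input: the atom string the report recorded rundll32.exe creating; the report shows it
# truncated, so the final sub rsp, imm32 is missing three of its four immediate bytes.
REPORTED_ATOM = "405553565741544156488D6C24D14881EC98"

if __name__ == "__main__":
    code, listing = atom_payload(REPORTED_ATOM)
    print(f"{len(code)} bytes of x64 code in the atom table:")
    for ins in listing:
        print("  " + ins)
    print(atom_payload("MyBenignAtomName"))        # None: a normal atom name is not hex
```

Enumerating the live atom table on Windows means walking GlobalGetAtomName over the 0xC000..0xFFFF range (user-defined atoms start at 0xC000) and feeding each name to atom_payload; that loop is omitted here so the example runs offline.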
Source: C:\Windows\System32\cmd.exe, Process created: C:\Windows\System32\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\as0Jkr7Dca.dll',#1
Source: C:\Users\user\AppData\Local\93S1H\wextract.exe, Code function 31_2_00007FF6A7B412A0: GetCurrentProcess, OpenProcessToken, GetTokenInformation, GetLastError, LocalAlloc, GetTokenInformation, AllocateAndInitializeSid, EqualSid, FreeSid, LocalFree, CloseHandle
Source: explorer.exe, 00000005.00000000.271790848.0000000001398000.00000004.00000020.sdmp, Binary or memory string: ProgmanamF
Source: explorer.exe, 00000005.00000000.225549739.0000000001980000.00000002.00020000.sdmp, Binary or memory string: Program Manager
Source: explorer.exe, 00000005.00000000.278081643.0000000006860000.00000004.00000001.sdmp, Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000005.00000000.225549739.0000000001980000.00000002.00020000.sdmp, Binary or memory string: Progman
Source: explorer.exe, 00000005.00000000.225549739.0000000001980000.00000002.00020000.sdmp, Binary or memory string: Progmanlock
Source: C:\Windows\System32\loaddll64.exe, Queries volume information: unknown VolumeInformation
Source: C:\Windows\System32\rundll32.exe, Queries volume information: unknown VolumeInformation