Windows Analysis Report X5C9EzCB7A

Overview

General Information

Sample Name: X5C9EzCB7A (renamed file extension from none to dll)
Analysis ID: 492086
MD5: dc4fca98a02c5cc7ee5f565c56915c86
SHA1: 4cecd255d9176fff8d0ca18cd3dabd690ce02fbf
SHA256: ae087f890f576dca43d22b3c527b5008547dacd68dfd61440c99370051cc853b
Tags: exe

Detection

Dridex
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Yara detected Dridex unpacked file
Multi AV Scanner detection for submitted file
Benign windows process drops PE files
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Changes memory attributes in foreign processes to executable or writable
Machine Learning detection for sample
DLL side loading technique detected
Queues an APC in another process (thread injection)
Machine Learning detection for dropped file
Windows Update Standalone Installer command line found (may be used to bypass UAC)
Uses Atom Bombing / ProGate to inject into other processes
PE file contains section with special chars
Queries the volume information (name, serial number etc) of a device
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query locales information (e.g. system language)
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Contains functionality to execute programs as a different user
PE file contains sections with non-standard names
Queries the installation date of Windows
Detected potential crypto function
Found potential string decryption / allocating functions
Contains functionality to launch a process as a different user
Contains functionality to call native functions
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to dynamically determine API calls
Found dropped PE file which has not been started or loaded
Uses the system / local time for branch decision (may execute only at specific dates)
Contains functionality which may be used to detect a debugger (GetProcessHeap)
PE file contains an invalid checksum
PE file contains strange resources
Drops PE files
Binary contains a suspicious time stamp
PE file contains more sections than normal
Uses Microsoft's Enhanced Cryptographic Provider
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Process Tree

  • System is w10x64
  • loaddll64.exe (PID: 2368 cmdline: loaddll64.exe 'C:\Users\user\Desktop\X5C9EzCB7A.dll' MD5: A84133CCB118CF35D49A423CD836D0EF)
    • cmd.exe (PID: 5760 cmdline: cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\X5C9EzCB7A.dll',#1 MD5: 4E2ACF4F8A396486AB4268C94A6A245F)
      • rundll32.exe (PID: 5356 cmdline: rundll32.exe 'C:\Users\user\Desktop\X5C9EzCB7A.dll',#1 MD5: 73C519F050C20580F8A62C849D49215A)
    • rundll32.exe (PID: 2192 cmdline: rundll32.exe C:\Users\user\Desktop\X5C9EzCB7A.dll,AddGadgetMessageHandler MD5: 73C519F050C20580F8A62C849D49215A)
      • explorer.exe (PID: 3292 cmdline: C:\Windows\Explorer.EXE MD5: AD5296B280E8F522A8A897C96BAB0E1D)
        • wermgr.exe (PID: 6572 cmdline: C:\Windows\system32\wermgr.exe MD5: FF214585BF10206E21EA8EBA202FACFD)
        • wermgr.exe (PID: 6600 cmdline: C:\Users\user\AppData\Local\M5A\wermgr.exe MD5: FF214585BF10206E21EA8EBA202FACFD)
        • WFS.exe (PID: 6640 cmdline: C:\Windows\system32\WFS.exe MD5: CD6ACF3B997099B6CFB2417D3942F755)
        • WFS.exe (PID: 6652 cmdline: C:\Users\user\AppData\Local\QEkvVts\WFS.exe MD5: CD6ACF3B997099B6CFB2417D3942F755)
        • wusa.exe (PID: 6888 cmdline: C:\Windows\system32\wusa.exe MD5: 04CE745559916B99248F266BBF5F9ED9)
        • wusa.exe (PID: 6912 cmdline: C:\Users\user\AppData\Local\8FwY\wusa.exe MD5: 04CE745559916B99248F266BBF5F9ED9)
    • rundll32.exe (PID: 1596 cmdline: rundll32.exe C:\Users\user\Desktop\X5C9EzCB7A.dll,AddLayeredRef MD5: 73C519F050C20580F8A62C849D49215A)
    • rundll32.exe (PID: 2840 cmdline: rundll32.exe C:\Users\user\Desktop\X5C9EzCB7A.dll,AdjustClipInsideRef MD5: 73C519F050C20580F8A62C849D49215A)
    • rundll32.exe (PID: 4156 cmdline: rundll32.exe C:\Users\user\Desktop\X5C9EzCB7A.dll,AttachWndProcA MD5: 73C519F050C20580F8A62C849D49215A)
    • rundll32.exe (PID: 2888 cmdline: rundll32.exe C:\Users\user\Desktop\X5C9EzCB7A.dll,AttachWndProcW MD5: 73C519F050C20580F8A62C849D49215A)
    • rundll32.exe (PID: 2916 cmdline: rundll32.exe C:\Users\user\Desktop\X5C9EzCB7A.dll,AutoTrace MD5: 73C519F050C20580F8A62C849D49215A)
    • rundll32.exe (PID: 1064 cmdline: rundll32.exe C:\Users\user\Desktop\X5C9EzCB7A.dll,BeginHideInputPaneAnimation MD5: 73C519F050C20580F8A62C849D49215A)
    • rundll32.exe (PID: 6288 cmdline: rundll32.exe C:\Users\user\Desktop\X5C9EzCB7A.dll,BeginShowInputPaneAnimation MD5: 73C519F050C20580F8A62C849D49215A)
    • rundll32.exe (PID: 6360 cmdline: rundll32.exe C:\Users\user\Desktop\X5C9EzCB7A.dll,BuildAnimation MD5: 73C519F050C20580F8A62C849D49215A)
    • rundll32.exe (PID: 6388 cmdline: rundll32.exe C:\Users\user\Desktop\X5C9EzCB7A.dll,BuildDropTarget MD5: 73C519F050C20580F8A62C849D49215A)
    • rundll32.exe (PID: 6404 cmdline: rundll32.exe C:\Users\user\Desktop\X5C9EzCB7A.dll,BuildInterpolation MD5: 73C519F050C20580F8A62C849D49215A)
    • rundll32.exe (PID: 6428 cmdline: rundll32.exe C:\Users\user\Desktop\X5C9EzCB7A.dll,CacheDWriteRenderTarget MD5: 73C519F050C20580F8A62C849D49215A)
    • rundll32.exe (PID: 6484 cmdline: rundll32.exe C:\Users\user\Desktop\X5C9EzCB7A.dll,ChangeCurrentAnimationScenario MD5: 73C519F050C20580F8A62C849D49215A)
    • rundll32.exe (PID: 6524 cmdline: rundll32.exe C:\Users\user\Desktop\X5C9EzCB7A.dll,ClearPushedOpacitiesFromGadgetTree MD5: 73C519F050C20580F8A62C849D49215A)
    • rundll32.exe (PID: 6620 cmdline: rundll32.exe C:\Users\user\Desktop\X5C9EzCB7A.dll,ClearTopmostVisual MD5: 73C519F050C20580F8A62C849D49215A)
    • rundll32.exe (PID: 6752 cmdline: rundll32.exe C:\Users\user\Desktop\X5C9EzCB7A.dll,CreateAction MD5: 73C519F050C20580F8A62C849D49215A)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000020.00000002.357738953.0000000140001000.00000020.00020000.sdmp | JoeSecurity_Dridex_2 | Yara detected Dridex unpacked file | Joe Security |
00000013.00000002.294331565.0000000140001000.00000020.00020000.sdmp | JoeSecurity_Dridex_2 | Yara detected Dridex unpacked file | Joe Security |
0000001B.00000002.332178412.0000000140001000.00000020.00020000.sdmp | JoeSecurity_Dridex_2 | Yara detected Dridex unpacked file | Joe Security |
00000000.00000002.452046176.0000000140001000.00000020.00020000.sdmp | JoeSecurity_Dridex_2 | Yara detected Dridex unpacked file | Joe Security |
00000019.00000002.324869275.0000000140001000.00000020.00020000.sdmp | JoeSecurity_Dridex_2 | Yara detected Dridex unpacked file | Joe Security |
(16 further entries not shown)

Sigma Overview

No Sigma rule has matched

Jbx Signature Overview

AV Detection:

Multi AV Scanner detection for submitted file
Source: X5C9EzCB7A.dll | Virustotal: Detection: 64%
Source: X5C9EzCB7A.dll | Metadefender: Detection: 57%
Source: X5C9EzCB7A.dll | ReversingLabs: Detection: 75%
Antivirus / Scanner detection for submitted sample
Source: X5C9EzCB7A.dll | Avira: detected
Antivirus detection for dropped file
Source: C:\Users\user\AppData\Local\9Krbbc\ACTIVEDS.dll | Avira: detection malicious, Label: TR/Crypt.ZPACK.Gen
Source: C:\Users\user\AppData\Local\8FwY\dpx.dll | Avira: detection malicious, Label: HEUR/AGEN.1114452
Source: C:\Users\user\AppData\Local\2vl\DUI70.dll | Avira: detection malicious, Label: HEUR/AGEN.1114452
Source: C:\Users\user\AppData\Local\0Nty\ReAgent.dll | Avira: detection malicious, Label: HEUR/AGEN.1114452
Source: C:\Users\user\AppData\Local\2vl\DUI70.dll | Avira: detection malicious, Label: HEUR/AGEN.1114452
Source: C:\Users\user\AppData\Local\M5A\wer.dll | Avira: detection malicious, Label: HEUR/AGEN.1114452
Source: C:\Users\user\AppData\Local\4DETSU\MFC42u.dll | Avira: detection malicious, Label: TR/Crypt.ZPACK.Gen
Source: C:\Users\user\AppData\Local\B8nn\XmlLite.dll | Avira: detection malicious, Label: HEUR/AGEN.1114452
Source: C:\Users\user\AppData\Local\Mnd\VERSION.dll | Avira: detection malicious, Label: TR/Crypt.ZPACK.Gen
Source: C:\Users\user\AppData\Local\4DETSU\MFC42u.dll | Avira: detection malicious, Label: TR/Crypt.ZPACK.Gen
Source: C:\Users\user\AppData\Local\Mnd\VERSION.dll | Avira: detection malicious, Label: TR/Crypt.ZPACK.Gen
Source: C:\Users\user\AppData\Local\2vl\DUI70.dll | Avira: detection malicious, Label: HEUR/AGEN.1114452
Source: C:\Users\user\AppData\Local\QEkvVts\WINMM.dll | Avira: detection malicious, Label: TR/Crypt.ZPACK.Gen
Source: C:\Users\user\AppData\Local\T6Vn91tw0\SLC.dll | Avira: detection malicious, Label: HEUR/AGEN.1114452
Source: C:\Users\user\AppData\Local\Nom\WTSAPI32.dll | Avira: detection malicious, Label: TR/Crypt.ZPACK.Gen
Source: C:\Users\user\AppData\Local\SB1jY1h\UxTheme.dll | Avira: detection malicious, Label: TR/Crypt.ZPACK.Gen
Machine Learning detection for sample
Source: X5C9EzCB7A.dll | Joe Sandbox ML: detected
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Local\9Krbbc\ACTIVEDS.dll | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\8FwY\dpx.dll | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\2vl\DUI70.dll | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\0Nty\ReAgent.dll | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\2vl\DUI70.dll | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\M5A\wer.dll | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\4DETSU\MFC42u.dll | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\B8nn\XmlLite.dll | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Mnd\VERSION.dll | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\4DETSU\MFC42u.dll | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Mnd\VERSION.dll | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\2vl\DUI70.dll | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\QEkvVts\WINMM.dll | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\T6Vn91tw0\SLC.dll | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Nom\WTSAPI32.dll | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\SB1jY1h\UxTheme.dll | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\QEkvVts\WFS.exe | Code function: 34_2_00007FF7D5CBF5C8 RegQueryValueExW,RegQueryValueExW,CryptUnprotectData,GetLastError,LocalFree,
Source: C:\Users\user\AppData\Local\QEkvVts\WFS.exe | Code function: 34_2_00007FF7D5CBF500 CryptProtectData,GetLastError,RegSetValueExW,
Source: C:\Users\user\AppData\Local\8FwY\wusa.exe | Code function: 40_2_00007FF6EE1F8780 memset,LocalFree,CryptAcquireContextW,GetLastError,CryptGenRandom,GetLastError,memset,CreateDirectoryA,GetLastError,GetFileAttributesA,GetLastError,DecryptFileA,GetLastError,MultiByteToWideChar,GetLastError,CryptReleaseContext,LocalFree,
Source: X5C9EzCB7A.dll | Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA
Source: Binary string: wusa.pdbGCTL | source: wusa.exe, 00000028.00000000.367767741.00007FF6EE207000.00000002.00020000.sdmp
Source: Binary string: wusa.pdb | source: wusa.exe, 00000028.00000000.367767741.00007FF6EE207000.00000002.00020000.sdmp
Source: Binary string: Wfs.pdbGCTL | source: WFS.exe, 00000022.00000002.365079762.00007FF7D5CDC000.00000002.00020000.sdmp
Source: Binary string: WerMgr.pdb | source: wermgr.exe, 0000001F.00000000.351011301.00007FF740985000.00000002.00020000.sdmp
Source: Binary string: Wfs.pdb | source: WFS.exe, 00000022.00000002.365079762.00007FF7D5CDC000.00000002.00020000.sdmp
Source: Binary string: WerMgr.pdbGCTL | source: wermgr.exe, 0000001F.00000000.351011301.00007FF740985000.00000002.00020000.sdmp
Source: C:\Windows\System32\loaddll64.exe | Code function: 0_2_000000014005D290 FindFirstFileExW,
Source: C:\Users\user\AppData\Local\M5A\wermgr.exe | Code function: 31_2_00007FF740981BA0 FindFirstFileExW,_wcsicmp,_wcsicmp,FindNextFileW,GetLastError,GetLastError,FindClose,
Source: C:\Users\user\AppData\Local\M5A\wermgr.exe | Code function: 31_2_00007FF74097BE54 GetFileAttributesW,GetLastError,FindFirstFileW,GetLastError,CompareStringW,FindNextFileW,FindClose,FindClose,
Source: C:\Users\user\AppData\Local\QEkvVts\WFS.exe | Code function: 34_2_00007FF7D5C871B0 #626,memset,#6887,#1122,#1287,FindFirstFileW,GetLastError,#6886,#1122,#1287,#1287,#624,EnterCriticalSection,LeaveCriticalSection,FindNextFileW,GetLastError,FindClose,#6887,#1040,SendMessageW,
Source: C:\Users\user\AppData\Local\QEkvVts\WFS.exe | Code function: 34_2_00007FF7D5CA30D8 SendMessageW,GetLastError,wcschr,#626,#2846,FindFirstFileW,GetLastError,#1040,#626,memset,GetLastError,ReadFile,GetLastError,CloseHandle,FindNextFileW,GetLastError,FindClose,GetLastError,#1040,CloseHandle,SendMessageW,#4262,#640,#1122,#1040,#6395,#6395,
Source: C:\Users\user\AppData\Local\QEkvVts\WFS.exe | Code function: 34_2_00007FF7D5C7F0AC GetTempPathW,GetLastError,wcsrchr,_wcsnset,GetCurrentProcessId,FindFirstFileW,GetLastError,DeleteFileW,GetLastError,FindNextFileW,GetLastError,GetLastError,FindClose,
Source: C:\Users\user\AppData\Local\QEkvVts\WFS.exe | Code function: 34_2_00007FF7D5CB89BC wcscpy_s,wcscat_s,FindFirstFileW,_wcsicmp,FindNextFileW,GetLastError,FindClose,
Source: C:\Users\user\AppData\Local\QEkvVts\WFS.exe | Code function: 34_2_00007FF7D5C85B40 #626,#626,memset,memset,#6887,#620,#1122,#1040,#1287,FindFirstFileW,GetLastError,#6886,#620,#1122,#1040,#1287,#1287,#620,EnterCriticalSection,LeaveCriticalSection,FindNextFileW,GetLastError,FindClose,#6887,#1040,#1040,SendMessageW,
Source: C:\Users\user\AppData\Local\8FwY\wusa.exe | Code function: 40_2_00007FF6EE1F1BC0 memset,memset,CoInitializeEx,FindFirstFileW,GetLastError,lstrcmpiW,FindNextFileW,GetLastError,GetCommandLineW,EventWrite,FindClose,CoUninitialize,LocalFree,
Source: C:\Users\user\AppData\Local\8FwY\wusa.exe | Code function: 40_2_00007FF6EE1F8D04 memset,memset,memset,FindFirstFileW,GetLastError,lstrcmpW,lstrcmpW,DeleteFileW,GetLastError,MoveFileExW,GetLastError,FindNextFileW,GetLastError,FindClose,GetLastError,RemoveDirectoryW,GetLastError,MoveFileExW,GetLastError,FindClose,GetLastError,LocalFree,
Source: explorer.exe, 00000004.00000000.268276705.0000000006870000.00000004.00000001.sdmp | String found in binary or memory: http://www.autoitscript.com/autoit3/J

E-Banking Fraud:

Yara detected Dridex unpacked file

System Summary:

PE file contains section with special chars
Source: SppExtComObj.Exe.4.dr | Static PE information: section name: ?g_Encry
Source: C:\Users\user\AppData\Local\8FwY\wusa.exe | Code function: 40_2_00007FF6EE1FA0FC
Source: C:\Users\user\AppData\Local\8FwY\wusa.exe | Code function: 40_2_00007FF6EE1F3D88
Source: C:\Users\user\AppData\Local\8FwY\wusa.exe | Code function: 40_2_00007FF6EE1F5EA4
Source: C:\Users\user\AppData\Local\8FwY\wusa.exe | Code function: 40_2_00007FF6EE1F1BC0
Source: C:\Users\user\AppData\Local\8FwY\wusa.exe | Code function: 40_2_00007FF6EE1F8780
Source: C:\Users\user\AppData\Local\8FwY\wusa.exe | Code function: 40_2_00007FF6EE1F9910
Source: C:\Users\user\AppData\Local\8FwY\wusa.exe | Code function: 40_2_00007FF6EE1F356C
Source: C:\Users\user\AppData\Local\8FwY\wusa.exe | Code function: 40_2_00007FF6EE1F23F0
Source: C:\Users\user\AppData\Local\QEkvVts\WFS.exe | Code function: String function: 00007FF7D5C738C8 appears 261 times
Source: C:\Users\user\AppData\Local\8FwY\wusa.exe | Code function: String function: 00007FF6EE1F9520 appears 162 times
Source: C:\Users\user\AppData\Local\8FwY\wusa.exe | Code function: 40_2_00007FF6EE1F3A2C memset,GetSystemDirectoryW,wcsrchr,memset,CreateProcessAsUserW,GetLastError,WaitForSingleObject,GetLastError,GetExitCodeProcess,GetLastError,GetLastError,CloseHandle,CloseHandle,LocalFree,
Source: C:\Windows\System32\loaddll64.exe | Code function: 0_2_000000014003BFF0 NtDuplicateObject,
Source: C:\Windows\System32\loaddll64.exe | Code function: 0_2_000000014003B220 NtReadVirtualMemory,NtQueueApcThread,NtProtectVirtualMemory,NtQueueApcThread,NtProtectVirtualMemory,NtProtectVirtualMemory,
Source: C:\Windows\System32\loaddll64.exe | Code function: 0_2_0000000140025280 NtDuplicateObject,
Source: C:\Windows\System32\loaddll64.exe | Code function: 0_2_000000014003A2E0 NtDuplicateObject,NtQueueApcThread,
Source: C:\Windows\System32\loaddll64.exe | Code function: 0_2_0000000140025330 NtCreateSection,NtMapViewOfSection,NtUnmapViewOfSection,NtDuplicateObject,NtDuplicateObject,
Source: C:\Windows\System32\loaddll64.exe | Code function: 0_2_000000014003BC10 CreateFileMappingW,NtMapViewOfSection,NtUnmapViewOfSection,NtDuplicateObject,NtDuplicateObject,
Source: C:\Windows\System32\loaddll64.exe | Code function: 0_2_000000014004E440 NtDelayExecution,
Source: C:\Windows\System32\loaddll64.exe | Code function: 0_2_0000000140046C90 NtClose,
Source: C:\Windows\System32\loaddll64.exe | Code function: 0_2_000000014006A4B0 NtQuerySystemInformation,
Source: C:\Windows\System32\loaddll64.exe | Code function: 0_2_000000014003C560 NtDuplicateObject,NtClose,
Source: C:\Windows\System32\loaddll64.exe | Code function: 0_2_0000000140039F50 NtReadVirtualMemory,
Source: C:\Windows\System32\loaddll64.exe | Code function: 0_2_000000014003BF70 NtDuplicateObject,NtClose,
Source: C:\Windows\System32\loaddll64.exe | Code function: 0_2_000000014003AF90 NtQueueApcThread,
Source: C:\Users\user\AppData\Local\M5A\wermgr.exe | Code function: 31_2_00007FF740978404 DbgPrintEx,NtQueryInformationProcess,DbgPrintEx,DbgPrintEx,ReadProcessMemory,DbgPrintEx,GetLastError,
Source: C:\Users\user\AppData\Local\M5A\wermgr.exe | Code function: 31_2_00007FF740981F54 NtQueryLicenseValue,
Source: C:\Users\user\AppData\Local\M5A\wermgr.exe | Code function: 31_2_00007FF74097E368 ZwQueryWnfStateNameInformation,ZwUpdateWnfStateData,EtwEventWriteNoRegistration,NtQuerySystemInformation,NtOpenEvent,NtWaitForSingleObject,NtClose,RtlAllocateAndInitializeSid,RtlInitUnicodeString,memset,NtAlpcConnectPort,memset,NtAlpcSendWaitReceivePort,RtlFreeSid,NtClose,
Source: C:\Users\user\AppData\Local\M5A\wermgr.exe | Code function: 31_2_00007FF7409782EC DbgPrintEx,NtQueryInformationProcess,DbgPrintEx,DbgPrintEx,ReadProcessMemory,DbgPrintEx,GetLastError,
Source: C:\Users\user\AppData\Local\M5A\wermgr.exe | Code function: 31_2_00007FF740982438 LoadLibraryExW,GetProcAddress,NtQueryLicenseValue,FreeLibrary,NtQueryLicenseValue,
Source: wermgr.exe.4.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST (3 identical entries)
Source: WFS.exe.4.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST (3 identical entries)
Source: wusa.exe.4.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST (3 identical entries)
Source: SndVol.exe.4.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST (9 identical entries)
Source: wlrmdr.exe.4.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST (2 identical entries)
Source: mblctr.exe.4.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST (30 identical entries)
Source: Dxpserver.exe.4.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST (3 identical entries)
Source: DevicePairingWizard.exe.4.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST (1 entry)
Source: wscript.exe.4.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST (4 identical entries)
Source: recdisc.exe.4.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST (3 identical entries)
Source: perfmon.exe.4.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST (3 identical entries)
Source: slui.exe.4.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST (9 identical entries)
Source: wermgr.exe0.4.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST (3 identical entries)
Source: SnippingTool.exe.4.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST (4 identical entries)
Source: wextract.exe.4.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST (3 identical entries)
Source: FXSCOVER.exe.4.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST (3 identical entries)
Source: ACTIVEDS.dll.4.dr | Static PE information: Number of sections : 43 > 10
Source: WTSAPI32.dll.4.dr | Static PE information: Number of sections : 43 > 10
Source: DUI70.dll0.4.dr | Static PE information: Number of sections : 43 > 10
Source: UxTheme.dll0.4.dr | Static PE information: Number of sections : 43 > 10
Source: wer.dll.4.dr | Static PE information: Number of sections : 43 > 10
Source: XmlLite.dll.4.dr | Static PE information: Number of sections : 43 > 10
Source: VERSION.dll.4.dr | Static PE information: Number of sections : 43 > 10
Source: DUI70.dll.4.dr | Static PE information: Number of sections : 43 > 10
Source: WINMM.dll.4.dr | Static PE information: Number of sections : 43 > 10
Source: X5C9EzCB7A.dll | Static PE information: Number of sections : 42 > 10
Source: dpx.dll.4.dr | Static PE information: Number of sections : 43 > 10
Source: UxTheme.dll.4.dr | Static PE information: Number of sections : 43 > 10
Source: MFC42u.dll.4.dr | Static PE information: Number of sections : 43 > 10
Source: X5C9EzCB7A.dll | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: wer.dll.4.dr | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: WINMM.dll.4.dr | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: dpx.dll.4.dr | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: UxTheme.dll.4.dr | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: DUI70.dll.4.dr | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: WTSAPI32.dll.4.dr | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: UxTheme.dll0.4.dr | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: DUI70.dll0.4.dr | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: XmlLite.dll.4.dr | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: MFC42u.dll.4.dr | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: VERSION.dll.4.dr | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: ACTIVEDS.dll.4.dr | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: SppExtComObj.Exe.4.dr | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: X5C9EzCB7A.dll | Virustotal: Detection: 64%
Source: X5C9EzCB7A.dll | Metadefender: Detection: 57%
Source: X5C9EzCB7A.dll | ReversingLabs: Detection: 75%
Source: X5C9EzCB7A.dll | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Windows\System32\loaddll64.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown | Process created: C:\Windows\System32\loaddll64.exe loaddll64.exe 'C:\Users\user\Desktop\X5C9EzCB7A.dll'
Source: C:\Windows\System32\loaddll64.exe | Process created: C:\Windows\System32\cmd.exe cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\X5C9EzCB7A.dll',#1
Source: C:\Windows\System32\loaddll64.exe | Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\X5C9EzCB7A.dll,AddGadgetMessageHandler
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\X5C9EzCB7A.dll',#1
Source: C:\Windows\System32\loaddll64.exe | Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\X5C9EzCB7A.dll,AddLayeredRef
Source: C:\Windows\System32\loaddll64.exe | Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\X5C9EzCB7A.dll,AdjustClipInsideRef
Source: C:\Windows\System32\loaddll64.exe | Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\X5C9EzCB7A.dll,AttachWndProcA
Source: C:\Windows\System32\loaddll64.exe | Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\X5C9EzCB7A.dll,AttachWndProcW
Source: C:\Windows\System32\loaddll64.exe | Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\X5C9EzCB7A.dll,AutoTrace
Source: C:\Windows\System32\loaddll64.exe | Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\X5C9EzCB7A.dll,BeginHideInputPaneAnimation
Source: C:\Windows\System32\loaddll64.exe | Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\X5C9EzCB7A.dll,BeginShowInputPaneAnimation
Source: C:\Windows\System32\loaddll64.exe | Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\X5C9EzCB7A.dll,BuildAnimation
Source: C:\Windows\System32\loaddll64.exe | Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\X5C9EzCB7A.dll,BuildDropTarget
Source: C:\Windows\System32\loaddll64.exe | Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\X5C9EzCB7A.dll,BuildInterpolation
Source: C:\Windows\System32\loaddll64.exe | Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\X5C9EzCB7A.dll,CacheDWriteRenderTarget
Source: C:\Windows\System32\loaddll64.exe | Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\X5C9EzCB7A.dll,ChangeCurrentAnimationScenario
Source: C:\Windows\System32\loaddll64.exe | Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\X5C9EzCB7A.dll,ClearPushedOpacitiesFromGadgetTree
Source: C:\Windows\explorer.exe | Process created: C:\Windows\System32\wermgr.exe C:\Windows\system32\wermgr.exe
Source: C:\Windows\explorer.exe | Process created: C:\Users\user\AppData\Local\M5A\wermgr.exe C:\Users\user\AppData\Local\M5A\wermgr.exe
Source: C:\Windows\System32\loaddll64.exe | Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\X5C9EzCB7A.dll,ClearTopmostVisual
Source: C:\Windows\explorer.exe | Process created: C:\Windows\System32\WFS.exe C:\Windows\system32\WFS.exe
Source: C:\Windows\explorer.exe | Process created: C:\Users\user\AppData\Local\QEkvVts\WFS.exe C:\Users\user\AppData\Local\QEkvVts\WFS.exe
Source: C:\Windows\System32\loaddll64.exe | Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\X5C9EzCB7A.dll,CreateAction
Source: C:\Windows\explorer.exe | Process created: C:\Windows\System32\wusa.exe C:\Windows\system32\wusa.exe
Source: C:\Windows\explorer.exe | Process created: C:\Users\user\AppData\Local\8FwY\wusa.exe C:\Users\user\AppData\Local\8FwY\wusa.exe
Source: C:\Windows\System32\loaddll64.exe | Process created: C:\Windows\System32\cmd.exe cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\X5C9EzCB7A.dll',#1
Source: C:\Windows\System32\loaddll64.exe | Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\X5C9EzCB7A.dll,AddGadgetMessageHandler
Source: C:\Windows\System32\loaddll64.exe | Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\X5C9EzCB7A.dll,AddLayeredRef
Source: C:\Windows\System32\loaddll64.exe | Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\X5C9EzCB7A.dll,AdjustClipInsideRef
Source: C:\Windows\System32\loaddll64.exe | Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\X5C9EzCB7A.dll,AttachWndProcA
Source: C:\Windows\System32\loaddll64.exe | Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\X5C9EzCB7A.dll,AttachWndProcW
Source: C:\Windows\System32\loaddll64.exe | Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\X5C9EzCB7A.dll,AutoTrace
Source: C:\Windows\System32\loaddll64.exe | Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\X5C9EzCB7A.dll,BeginHideInputPaneAnimation
Source: C:\Windows\System32\loaddll64.exe | Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\X5C9EzCB7A.dll,BeginShowInputPaneAnimation
Source: C:\Windows\System32\loaddll64.exe | Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\X5C9EzCB7A.dll,BuildAnimation
Source: C:\Windows\System32\loaddll64.exe | Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\X5C9EzCB7A.dll,BuildDropTarget
Source: C:\Windows\System32\loaddll64.exe | Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\X5C9EzCB7A.dll,BuildInterpolation
Source: C:\Windows\System32\loaddll64.exe | Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\X5C9EzCB7A.dll,CacheDWriteRenderTarget
Source: C:\Windows\System32\loaddll64.exe | Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\X5C9EzCB7A.dll,ChangeCurrentAnimationScenario
Source: C:\Windows\System32\loaddll64.exe | Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\X5C9EzCB7A.dll,ClearPushedOpacitiesFromGadgetTree
Source: C:\Windows\System32\loaddll64.exe | Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\X5C9EzCB7A.dll,ClearTopmostVisual
Source: C:\Windows\System32\loaddll64.exe | Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\X5C9EzCB7A.dll,CreateAction
Source: C:\Windows\System32\loaddll64.exe | Process created: unknown unknown (4 identical entries)
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\X5C9EzCB7A.dll',#1
Source: C:\Windows\explorer.exe | Process created: C:\Windows\System32\wermgr.exe C:\Windows\system32\wermgr.exe
Source: C:\Windows\explorer.exe | Process created: C:\Users\user\AppData\Local\M5A\wermgr.exe C:\Users\user\AppData\Local\M5A\wermgr.exe
Source: C:\Windows\explorer.exe | Process created: C:\Windows\System32\WFS.exe C:\Windows\system32\WFS.exe
Source: C:\Windows\explorer.exe | Process created: C:\Users\user\AppData\Local\QEkvVts\WFS.exe C:\Users\user\AppData\Local\QEkvVts\WFS.exe
Source: C:\Windows\explorer.exe | Process created: C:\Windows\System32\wusa.exe C:\Windows\system32\wusa.exe
Source: C:\Windows\explorer.exe | Process created: C:\Users\user\AppData\Local\8FwY\wusa.exe C:\Users\user\AppData\Local\8FwY\wusa.exe
Source: C:\Windows\explorer.exe | Process created: unknown unknown (22 identical entries)
Source: C:\Windows\explorer.exe | Process created: C:\Users\user\AppData\Local\8FwY\wusa.exe C:\Users\user\AppData\Local\8FwY\wusa.exe
Source: C:\Windows\explorer.exe | Process created: unknown unknown (15 identical entries)
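The process tree above is the footprint of the DLL side-loading the Signatures section calls out: explorer.exe starts wermgr.exe, WFS.exe and wusa.exe once from System32 and once from freshly named directories under AppData\Local, and loaddll64.exe walks the sample's exports through rundll32. The following is an added example, not code from the Joe Sandbox report or its tooling: a small Python triage over Sysmon-style process-creation records. The Image / ParentImage / CommandLine field names are an assumption taken from Sysmon Event ID 1; the records in EVENTS are constructed from the entries above, and SYSTEM_BINARIES is the list of dropped-file names from this report.

```python
"""
Process-tree triage for DLL side-loading / masquerading over Sysmon-style
process-creation records (assumed fields: Image, ParentImage, CommandLine).
Added example for this page; not Joe Sandbox code. EVENTS is constructed
from the report's process tree; SYSTEM_BINARIES is the set of dropped-file
names listed in the report.
"""
import ntpath
import re

SYSTEM_BINARIES = {
    "wermgr.exe", "wfs.exe", "wusa.exe", "sndvol.exe", "wlrmdr.exe", "mblctr.exe",
    "dxpserver.exe", "devicepairingwizard.exe", "wscript.exe", "recdisc.exe",
    "perfmon.exe", "slui.exe", "snippingtool.exe", "wextract.exe", "fxscover.exe",
    "sppextcomobj.exe",
}
SYSTEM_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64")
USER_WRITABLE = ("\\appdata\\local\\", "\\appdata\\roaming\\", "\\users\\public\\",
                 "\\desktop\\", "\\temp\\")
# rundll32 <dll>,<export|#ordinal>, with or without the quotes the report shows
RUNDLL_RE = re.compile(r"rundll32(?:\.exe)?\s+'?([^',]+)'?\s*,\s*(#?\S+)", re.I)


def _norm(path: str) -> str:
    return path.lower().replace("/", "\\")


def in_system_dir(image: str) -> bool:
    return ntpath.dirname(_norm(image)) in SYSTEM_DIRS


def is_user_writable(path: str) -> bool:
    p = _norm(path)
    return any(marker in p for marker in USER_WRITABLE)


def triage(event: dict) -> list:
    """Return the findings (strings) for one process-creation record."""
    findings = []
    image = _norm(event["Image"])
    name = ntpath.basename(image)
    cmd = event.get("CommandLine", "")
    # 1. A Windows binary name running from somewhere other than a system dir:
    #    the side-loading host copy (wermgr.exe, WFS.exe, wusa.exe in the report).
    if name in SYSTEM_BINARIES and not in_system_dir(image):
        findings.append("system binary name %s outside a system directory: %s" % (name, image))
        if is_user_writable(image):
            findings.append("host copy lives in a user-writable directory (side-loading staging)")
    # 2. rundll32 loading a DLL from a user path, or calling an export by ordinal.
    if name == "rundll32.exe":
        match = RUNDLL_RE.search(cmd)
        if match:
            dll, export = match.groups()
            if is_user_writable(dll):
                findings.append("rundll32 loads DLL from user-writable path: %s" % dll)
            if export.startswith("#"):
                findings.append("rundll32 calls export by ordinal %s" % export)
    return findings


def scan(events) -> list:
    """[(ParentImage, Image, findings)] for every record with at least one finding."""
    hits = []
    for ev in events:
        findings = triage(ev)
        if findings:
            hits.append((ev.get("ParentImage", ""), ev["Image"], findings))
    return hits


# Constructed records mirroring the report's process tree (not real telemetry).
EVENTS = [
    {"Image": r"C:\Windows\System32\loaddll64.exe", "ParentImage": "",
     "CommandLine": r"loaddll64.exe 'C:\Users\user\Desktop\X5C9EzCB7A.dll'"},
    {"Image": r"C:\Windows\System32\rundll32.exe", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"rundll32.exe 'C:\Users\user\Desktop\X5C9EzCB7A.dll',#1"},
    {"Image": r"C:\Windows\System32\rundll32.exe", "ParentImage": r"C:\Windows\System32\loaddll64.exe",
     "CommandLine": r"rundll32.exe C:\Users\user\Desktop\X5C9EzCB7A.dll,AddGadgetMessageHandler"},
    {"Image": r"C:\Windows\System32\wermgr.exe", "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"C:\Windows\system32\wermgr.exe"},
    {"Image": r"C:\Users\user\AppData\Local\M5A\wermgr.exe", "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"C:\Users\user\AppData\Local\M5A\wermgr.exe"},
    {"Image": r"C:\Users\user\AppData\Local\8FwY\wusa.exe", "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"C:\Users\user\AppData\Local\8FwY\wusa.exe"},
]

if __name__ == "__main__":
    for parent, image, findings in scan(EVENTS):
        print("%s -> %s" % (parent or "(none)", image))
        for f in findings:
            print("   -", f)
```

The System32 launches of wermgr.exe, WFS.exe and wusa.exe produce no finding on their own; only the AppData copies and the rundll32 invocations do. Confirm a hit against the process's image loads (Sysmon Event ID 7): a side-loaded host resolves one of its imports from its own directory instead of System32, and the dropped UxTheme.dll, wer.dll, dpx.dll and WTSAPI32.dll listed in this report are the candidates to look for next to the copies. Because the export names the report enumerates are all legitimate dcomp/user32-style names, the export list itself is not a usable indicator; the ordinal call and the load path are.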
Source: C:\Windows\explorer.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32
Source: C:\Users\user\AppData\Local\8FwY\wusa.exe | Code function: 40_2_00007FF6EE1F5438 LookupPrivilegeValueW,GetLastError,GetCurrentProcess,OpenProcessToken,GetLastError,AdjustTokenPrivileges,GetLastError,GetLastError,CloseHandle,LocalFree,
Source: C:\Windows\explorer.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-3853321935-2125563209-4053062332-1002\eb42b1a5c308fc11edf1ddbdd25c8486_d06ed635-68f6-4e9a-955c-4899f5f57b9a
Source: classification engine | Classification label: mal100.troj.evad.winDLL@91/45@0/0
Source: C:\Users\user\AppData\Local\M5A\wermgr.exe | Code function: 31_2_00007FF740978F2C CoInitializeEx,CoCreateInstance,SysAllocString,SysFreeString,CoUninitialize,
Source: C:\Users\user\AppData\Local\M5A\wermgr.exe | Code function: RtlInitUnicodeString,RtlCreateBoundaryDescriptor,RtlInitUnicodeString,RtlCreateServiceSid,GetProcessHeap,HeapAlloc,RtlCreateServiceSid,RtlAddSIDToBoundaryDescriptor,OpenPrivateNamespaceW,GetLastError,GetProcessHeap,HeapFree,RtlDeleteBoundaryDescriptor,
Source: C:\Users\user\AppData\Local\QEkvVts\WFS.exe | Code function: 34_2_00007FF7D5C9541C SendDlgItemMessageW,memset,memset,LoadStringW,FormatMessageW,SetDlgItemTextW,GetLastError,GetLastError,PeekMessageW,TranslateMessage,DispatchMessageW,#5065,#5065,PeekMessageW,
Source: C:\Windows\System32\loaddll64.exe | Code function: 0_2_000000014003C240 GetProcessId,CreateToolhelp32Snapshot,Thread32First,
Source: C:\Windows\System32\loaddll64.exe | Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\X5C9EzCB7A.dll,AddGadgetMessageHandler
Source: C:\Users\user\AppData\Local\8FwY\wusa.exe | Mutant created: \Sessions\1\BaseNamedObjects\{f4c92513-81b4-e2bc-e5ad-0bbbd5f6a12c}
Source: C:\Windows\System32\rundll32.exe | Mutant created: \Sessions\1\BaseNamedObjects\{3baca1ad-f576-2ca5-ab39-dd9076560d1e}
Source: wusa.exe | String found in binary or memory: Failed to display update-installed message box
Source: wusa.exe | String found in binary or memory: Failed to display update-not-installed message box
Source: X5C9EzCB7A.dll | Static PE information: More than 149 > 100 exports found
Source: X5C9EzCB7A.dll | Static PE information: Image base 0x140000000 > 0x60000000
Source: X5C9EzCB7A.dll | Static file information: File size 2117632 > 1048576
Source: X5C9EzCB7A.dll | Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA
            Source: Binary string: wusa.pdbGCTL source: wusa.exe, 00000028.00000000.367767741.00007FF6EE207000.00000002.00020000.sdmp
            Source: Binary string: wusa.pdb source: wusa.exe, 00000028.00000000.367767741.00007FF6EE207000.00000002.00020000.sdmp
            Source: Binary string: Wfs.pdbGCTL source: WFS.exe, 00000022.00000002.365079762.00007FF7D5CDC000.00000002.00020000.sdmp
            Source: Binary string: WerMgr.pdb source: wermgr.exe, 0000001F.00000000.351011301.00007FF740985000.00000002.00020000.sdmp
            Source: Binary string: Wfs.pdb source: WFS.exe, 00000022.00000002.365079762.00007FF7D5CDC000.00000002.00020000.sdmp
            Source: Binary string: WerMgr.pdbGCTL source: wermgr.exe, 0000001F.00000000.351011301.00007FF740985000.00000002.00020000.sdmp
            Source: C:\Windows\System32\loaddll64.exeCode function: 0_2_0000000140056A4D push rdi; ret
            Source: C:\Users\user\AppData\Local\8FwY\wusa.exeCode function: 40_2_00007FF6EE201964 push rbx; iretd
            Source: C:\Users\user\AppData\Local\8FwY\wusa.exeCode function: 40_2_00007FF6EE2015F8 push rbx; retf
            Source: X5C9EzCB7A.dll Static PE information: section names: .qkm, .cvjb, .tlmkv, .wucsxe, .fltwtj, .sfplio, .rpg, .bewzc, .vksvaw, .wmhg, .kswemc, .kaxfk, .pjf, .favk, .vhtukj, .hmbyox, .txms, .vqqm, .cbwb, .cti, .ktfjac, .hvmici, .bvyyd, .qhjn, .bsvkca, .nvpgx, .yaa, .qsimby, .dibg, .odxfk, .zczpdd, .iceycz, .lwp, .ejt, .gzpi, .oima
            Source: wermgr.exe.4.dr Static PE information: section names: .imrsiv, .didat
            Source: WFS.exe.4.dr Static PE information: section name: .didat
            Source: SndVol.exe.4.dr Static PE information: section names: .imrsiv, .didat
            Source: wlrmdr.exe.4.dr Static PE information: section name: .imrsiv
            Source: ProximityUxHost.exe.4.dr Static PE information: section name: .imrsiv
            Source: wermgr.exe0.4.dr Static PE information: section names: .imrsiv, .didat
            Source: LicensingUI.exe.4.dr Static PE information: section name: .imrsiv
            Source: wer.dll.4.dr Static PE information: section names: .qkm, .cvjb, .tlmkv, .wucsxe, .fltwtj, .sfplio, .rpg, .bewzc, .vksvaw, .wmhg, .kswemc, .kaxfk, .pjf, .favk, .vhtukj, .hmbyox, .txms, .vqqm, .cbwb, .cti, .ktfjac, .hvmici, .bvyyd, .qhjn, .bsvkca, .nvpgx, .yaa, .qsimby, .dibg, .odxfk, .zczpdd, .iceycz, .lwp, .ejt, .gzpi, .oima, .akm
            Source: WINMM.dll.4.dr Static PE information: section names: .qkm, .cvjb, .tlmkv, .wucsxe, .fltwtj, .sfplio, .rpg, .bewzc, .vksvaw, .wmhg, .kswemc, .kaxfk, .pjf, .favk, .vhtukj, .hmbyox, .txms, .vqqm, .cbwb, .cti, .ktfjac, .hvmici, .bvyyd, .qhjn, .bsvkca, .nvpgx, .yaa, .qsimby, .dibg, .odxfk, .zczpdd, .iceycz, .lwp, .ejt, .gzpi, .oima, .saaaq
            Source: dpx.dll.4.dr Static PE information: section names: .qkm, .cvjb, .tlmkv, .wucsxe, .fltwtj, .sfplio, .rpg, .bewzc, .vksvaw, .wmhg, .kswemc, .kaxfk, .pjf, .favk, .vhtukj, .hmbyox, .txms, .vqqm, .cbwb, .cti, .ktfjac, .hvmici, .bvyyd, .qhjn, .bsvkca, .nvpgx, .yaa, .qsimby, .dibg, .odxfk, .zczpdd, .iceycz, .lwp, .ejt, .gzpi, .oima, .hmoki
            Source: UxTheme.dll.4.dr Static PE information: section names: .qkm, .cvjb, .tlmkv, .wucsxe, .fltwtj, .sfplio, .rpg, .bewzc, .vksvaw, .wmhg, .kswemc, .kaxfk, .pjf, .favk, .vhtukj, .hmbyox, .txms, .vqqm, .cbwb, .cti, .ktfjac, .hvmici, .bvyyd, .qhjn, .bsvkca, .nvpgx, .yaa, .qsimby, .dibg, .odxfk, .zczpdd, .iceycz, .lwp, .ejt, .gzpi, .oima, .sbt
            Source: DUI70.dll.4.dr Static PE information: section names: .qkm, .cvjb, .tlmkv, .wucsxe, .fltwtj, .sfplio, .rpg, .bewzc, .vksvaw, .wmhg, .kswemc, .kaxfk, .pjf, .favk, .vhtukj, .hmbyox, .txms, .vqqm, .cbwb, .cti, .ktfjac, .hvmici, .bvyyd, .qhjn, .bsvkca, .nvpgx, .yaa, .qsimby, .dibg, .odxfk, .zczpdd, .iceycz, .lwp, .ejt, .gzpi, .oima, .iokrmu
            Source: WTSAPI32.dll.4.dr Static PE information: section names: .qkm, .cvjb, .tlmkv, .wucsxe, .fltwtj, .sfplio, .rpg, .bewzc, .vksvaw, .wmhg, .kswemc, .kaxfk, .pjf, .favk, .vhtukj, .hmbyox, .txms, .vqqm, .cbwb, .cti, .ktfjac, .hvmici, .bvyyd, .qhjn, .bsvkca, .nvpgx, .yaa, .qsimby, .dibg, .odxfk, .zczpdd, .iceycz, .lwp, .ejt, .gzpi, .oima, .bxvwc
            Source: UxTheme.dll0.4.dr Static PE information: section names: .qkm, .cvjb, .tlmkv, .wucsxe, .fltwtj, .sfplio, .rpg, .bewzc, .vksvaw, .wmhg, .kswemc, .kaxfk, .pjf, .favk, .vhtukj, .hmbyox, .txms, .vqqm, .cbwb, .cti, .ktfjac, .hvmici, .bvyyd, .qhjn, .bsvkca, .nvpgx, .yaa, .qsimby, .dibg, .odxfk, .zczpdd, .iceycz, .lwp, .ejt, .gzpi, .oima, .zpg
            Source: DUI70.dll0.4.dr Static PE information: section names: .qkm, .cvjb, .tlmkv, .wucsxe, .fltwtj, .sfplio, .rpg, .bewzc, .vksvaw, .wmhg, .kswemc, .kaxfk, .pjf, .favk, .vhtukj, .hmbyox, .txms, .vqqm, .cbwb, .cti, .ktfjac, .hvmici, .bvyyd, .qhjn, .bsvkca, .nvpgx, .yaa, .qsimby, .dibg, .odxfk, .zczpdd, .iceycz, .lwp, .ejt, .gzpi, .oima, .cltwqt
            Source: XmlLite.dll.4.dr Static PE information: section names: .qkm, .cvjb, .tlmkv, .wucsxe, .fltwtj, .sfplio, .rpg, .bewzc, .vksvaw, .wmhg, .kswemc, .kaxfk, .pjf, .favk, .vhtukj, .hmbyox, .txms, .vqqm, .cbwb, .cti, .ktfjac, .hvmici, .bvyyd, .qhjn, .bsvkca, .nvpgx, .yaa, .qsimby, .dibg, .odxfk, .zczpdd, .iceycz, .lwp, .ejt, .gzpi, .oima, .yhjpr
            Source: MFC42u.dll.4.dr | Static PE information: section names: .qkm, .cvjb, .tlmkv, .wucsxe, .fltwtj, .sfplio, .rpg, .bewzc, .vksvaw, .wmhg, .kswemc, .kaxfk, .pjf, .favk, .vhtukj, .hmbyox, .txms, .vqqm, .cbwb, .cti, .ktfjac, .hvmici, .bvyyd, .qhjn, .bsvkca, .nvpgx, .yaa, .qsimby, .dibg, .odxfk, .zczpdd, .iceycz, .lwp, .ejt, .gzpi, .oima, .hpnemo
            Source: VERSION.dll.4.dr | Static PE information: section names: .qkm, .cvjb, .tlmkv, .wucsxe, .fltwtj, .sfplio, .rpg, .bewzc, .vksvaw, .wmhg, .kswemc, .kaxfk, .pjf, .favk, .vhtukj, .hmbyox, .txms, .vqqm, .cbwb, .cti, .ktfjac, .hvmici, .bvyyd, .qhjn, .bsvkca, .nvpgx, .yaa, .qsimby, .dibg, .odxfk, .zczpdd, .iceycz, .lwp, .ejt, .gzpi, .oima, .wgfpbw
            Source: ACTIVEDS.dll.4.dr | Static PE information: section names: .qkm, .cvjb, .tlmkv, .wucsxe, .fltwtj, .sfplio, .rpg, .bewzc, .vksvaw, .wmhg, .kswemc, .kaxfk, .pjf, .favk, .vhtukj, .hmbyox, .txms, .vqqm, .cbwb, .cti, .ktfjac, .hvmici, .bvyyd, .qhjn, .bsvkca, .nvpgx, .yaa, .qsimby, .dibg, .odxfk, .zczpdd, .iceycz, .lwp, .ejt, .gzpi, .oima, .ajokiy
            Source: SppExtComObj.Exe.4.dr | Static PE information: section name: ?g_Encry
            Source: C:\Users\user\AppData\Local\QEkvVts\WFS.exe | Code function: 34_2_00007FF7D5C84858 LoadLibraryW,GetProcAddress,FreeLibrary,
            Source: ACTIVEDS.dll.4.dr | Static PE information: real checksum: 0x7d786c40 should be: 0x2158d9
            Source: WTSAPI32.dll.4.dr | Static PE information: real checksum: 0x7d786c40 should be: 0x20a536
            Source: DUI70.dll0.4.dr | Static PE information: real checksum: 0x7d786c40 should be: 0x256371
            Source: UxTheme.dll0.4.dr | Static PE information: real checksum: 0x7d786c40 should be: 0x207aff
            Source: wer.dll.4.dr | Static PE information: real checksum: 0x7d786c40 should be: 0x2121a1
            Source: XmlLite.dll.4.dr | Static PE information: real checksum: 0x7d786c40 should be: 0x20c257
            Source: VERSION.dll.4.dr | Static PE information: real checksum: 0x7d786c40 should be: 0x21343c
            Source: DUI70.dll.4.dr | Static PE information: real checksum: 0x7d786c40 should be: 0x256c7c
            Source: WINMM.dll.4.dr | Static PE information: real checksum: 0x7d786c40 should be: 0x2111d5
            Source: X5C9EzCB7A.dll | Static PE information: real checksum: 0x7d786c40 should be: 0x207a12
            Source: dpx.dll.4.dr | Static PE information: real checksum: 0x7d786c40 should be: 0x20f2f8
            Source: UxTheme.dll.4.dr | Static PE information: real checksum: 0x7d786c40 should be: 0x20c755
            Source: MFC42u.dll.4.dr | Static PE information: real checksum: 0x7d786c40 should be: 0x21abc9
            Source: wermgr.exe.4.dr | Static PE information: 0xA7D9A170 [Fri Mar 28 06:15:12 2059 UTC]
            Source: initial sample | Static PE information: section name: .text entropy: 7.73364605679 (reported 13 times)
            Source: initial sample | Static PE information: section name: .text entropy: 7.59477523886
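            The static findings above are all cheap header checks: obfuscator-style section names (the same 36 names recur across the dropped DLLs, with only the last one differing per file), a .text entropy near 7.7, the same stored checksum 0x7d786c40 on every file against a different computed value, and a compile timestamp in 2059. The script below is an added example, not part of the report or of the sandbox's own code: it reimplements those four checks with the Python standard library and runs them over a constructed minimal PE32+ image built in sample_pe(). The STANDARD_SECTIONS list, the 7.0 entropy threshold, the one-day clock-skew allowance and the sample image are assumptions.

```python
import datetime
import math
import random
import struct

# Names a mainstream linker emits (assumed, not exhaustive); anything else is reported.
STANDARD_SECTIONS = {".text", ".rdata", ".data", ".pdata", ".idata", ".edata", ".rsrc",
                     ".reloc", ".bss", ".tls", ".CRT", ".gfids", ".00cfg", ".didat", "_RDATA"}


def shannon_entropy(data):
    """Bits per byte: 8.0 is uniform noise; packed or encrypted code sits above ~7."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return -sum(c / len(data) * math.log2(c / len(data)) for c in counts if c)


def pe_checksum(data, checksum_offset):
    """Image checksum as imagehlp's CheckSumMappedFile computes it: one's complement
    sum of every 16-bit word except the CheckSum field itself, plus the file size."""
    padded = data + b"\0" if len(data) % 2 else data
    total = 0
    for i in range(0, len(padded), 2):
        if checksum_offset <= i < checksum_offset + 4:
            continue
        total += struct.unpack_from("<H", padded, i)[0]
        total = (total & 0xFFFF) + (total >> 16)
    return (total & 0xFFFF) + (total >> 16) + len(data)


def parse_pe(data):
    """Walk DOS header -> PE signature -> COFF header -> optional header -> section table."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    _, nsect, timestamp, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    checksum_offset = opt + 64                     # same offset in PE32 and PE32+
    sections = []
    for i in range(nsect):
        name, _, _, raw_size, raw_ptr = struct.unpack_from("<8sIIII", data, opt + opt_size + 40 * i)
        sections.append((name.rstrip(b"\0").decode("latin-1"), data[raw_ptr:raw_ptr + raw_size]))
    return {"timestamp": timestamp, "checksum_offset": checksum_offset, "sections": sections,
            "checksum": struct.unpack_from("<I", data, checksum_offset)[0]}


def triage(data, now):
    """Report-style findings for one image; `now` is the analysis time in Unix seconds."""
    pe = parse_pe(data)
    findings = []
    for name, body in pe["sections"]:
        if name not in STANDARD_SECTIONS:
            findings.append(f"section name: {name}")
        ent = shannon_entropy(body)
        if ent > 7.0:
            findings.append(f"section {name} entropy: {ent:.3f}")
    computed = pe_checksum(data, pe["checksum_offset"])
    if pe["checksum"] != computed:
        findings.append(f"real checksum: 0x{pe['checksum']:x} should be: 0x{computed:x}")
    if pe["timestamp"] > now + 86400:               # tolerate a day of clock skew
        when = datetime.datetime(1970, 1, 1, tzinfo=datetime.timezone.utc) + datetime.timedelta(seconds=pe["timestamp"])
        findings.append(f"timestamp 0x{pe['timestamp']:X} [{when:%a %b %d %H:%M:%S %Y UTC}] lies in the future")
    return findings


def repair_checksum(data):
    """Copy of the image with CheckSum set to the computed value, as a linker would write it."""
    fixed, off = bytearray(data), parse_pe(data)["checksum_offset"]
    struct.pack_into("<I", fixed, off, pe_checksum(data, off))
    return bytes(fixed)


def build_pe(sections, timestamp, stored_checksum):
    """Constructed minimal PE32+ DLL holding the given (name, bytes) sections; not a real binary."""
    align = 0x200
    raw_ptr = -(-(0x40 + 4 + 20 + 240 + 40 * len(sections)) // align) * align
    hdr = bytearray(b"MZ".ljust(0x3C, b"\0") + struct.pack("<I", 0x40))  # e_lfanew = 0x40
    hdr += b"PE\0\0" + struct.pack("<HHIIIHH", 0x8664, len(sections), timestamp, 0, 0, 240, 0x2022)
    opt = bytearray(240)
    struct.pack_into("<H", opt, 0, 0x20B)                                 # PE32+ magic
    struct.pack_into("<I", opt, 64, stored_checksum)                      # CheckSum field
    hdr += opt
    body, va = bytearray(), 0x1000
    for name, data in sections:
        raw_size = -(-len(data) // align) * align
        hdr += struct.pack("<8sIIIIIIHHI", name.encode(), len(data), va, raw_size,
                           raw_ptr + len(body), 0, 0, 0, 0, 0x60000020)
        body += data.ljust(raw_size, b"\0")
        va += -(-raw_size // 0x1000) * 0x1000
    return bytes(hdr.ljust(raw_ptr, b"\0") + body)


def sample_pe():
    """Specimen: high-entropy .text, one obfuscator-style section, the report's 2059 timestamp, wrong CheckSum."""
    rng = random.Random(492086)                     # deterministic stand-in for packed code
    packed = bytes(rng.getrandbits(8) for _ in range(4096))
    return build_pe([(".text", packed), (".rdata", b"constructed sample\0" * 8), (".txms", b"\0" * 64)],
                    timestamp=0xA7D9A170, stored_checksum=0x12345678)


if __name__ == "__main__":
    print(*triage(sample_pe(), now=1633000000), sep="\n")
```

            Running the module prints the four findings for the specimen in the same wording the report uses. To triage a dropped file instead of the specimen, pass `open(path, "rb").read()` to triage(); a mismatch between the stored and computed checksum is only a hint (unsigned builds often ship with CheckSum left at zero), whereas a stored value that is identical across many files of different sizes, as on this page, means the header was copied from a template rather than emitted by a linker.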

            Persistence and Installation Behavior:

            Windows Update Standalone Installer command line found (may be used to bypass UAC)
            Source: wusa.exe, 00000028.00000000.367767741.00007FF6EE207000.00000002.00020000.sdmp | Memory string: DWS;zWusaHiddenFailed to allocate and initialize Administrators group SID.WusaIsUserAdminFailed to check token membership.Failed to get message text for id %uWusaLoadMessageWusaMessageBoxFailed: TaskDialog()Failed to get message for error 0x%xWusaGetErrorMessageWusaCreateLockFileFailed to allocate memory for lock file path.Failed to create lock file %SFailed: GetFullPathName() failed for %SWusaGetFullPathNameFailed to allocate memory for full path.Failed to create extract job for location: %SWusaExtractAllFilesFromCabinetFailed to add container for cabinet: %SFailed: ExtractAllFiles()Failed to extract files from cabinet %SFailed: LookupPrivilegeValue()EnablePrivilegeFailed: OpenProcessToken()Failed: AdjustTokenPrivileges()Failed: AdjustTokenPrivileges(); not all token privileges were assignedFailed: GetTokenInformation()WusaGetUserSIDFailed: CopySid()Failed to PostMessage to progress window, error code %uWusaPostMessagewusa.lockFailed to create eventAppModule::InitFailed to initialize COM securityFailed to initialize critical sectionFailed to show welcome dialogFailed to show non administrator dialogUser is not a member of the Administrators group.Failed to show multiple instance dialogError: Another instance of wusa.exe is running.Failed to create sandboxCreated sandbox %lsFailed: AppModule::SetScanCabPath()Failed to get application title text, id %uFailed to allocate BSTR for application titleFailure returned by InitCommonControlsEx()Failure returned by CreateFont()Failed to get STR_EXPAND_START textFailed to get STR_EXPAND_START_UNINSTALL textFailed to get STR_SEARCH_START textFailed to get STR_COPY_START textFailed to get STR_UNINSTALL_START textFailed to set done event to release shutdown blockAppModule::UninitDeleting sandbox %SAppModule::DeleteSandBoxFailed to delete sandboxCommandLineToArgvW() failed.AppModule::ParseCommandLineError: Too few arguments.Failed to get command line length.Failed to allocate memory for ignored arguments.Failed. Restart mode was supplied multiple times30Failed to parse switchFailed. /warnrestart has invalid formatFailed. /kb was supplied multiple timesFailed. /kb has invalid formatKBFailed to prefix KB numberFailed. /log was supplied multiple timesFailed. /gpmode was supplied multiple timesFailed. /gpmode has invalid formatFailed to allocate memory for product codeFailed to set product code to %lsFailed to add an argument to the ignored list Failed to add a blank space to the ignored argument listUnrecognized argument %SFailed to get MSU file nameFailed to get MSU file name or KB numberFailed: /uninstall with /kb and /quiet options is not supportedFailed to show /extract not supported message boxFailed: /extract is not a supported optionCommand line is %lsFailed to get source lengthAppModule::CopyStringWithQuoteFailed to allocate temp buffer"%s"Failed to copy stringFailure returned by SystemParametersInfo()AppModule::CreateFontWFailure returned by CreateFontIndirectW()Failure returned by DeleteObject()Failure r
            Source: C:\Windows\explorer.exe | File created: C:\Users\user\AppData\Local\0Nty\recdisc.exe
            Source: C:\Windows\explorer.exe | File created: C:\Users\user\AppData\Local\ySbBY3WaF\UxTheme.dll
            Source: C:\Windows\explorer.exe | File created: C:\Users\user\AppData\Local\2vl\DUI70.dll
            Source: C:\Windows\explorer.exe | File created: C:\Users\user\AppData\Local\9Krbbc\SppExtComObj.Exe
            Source: C:\Windows\explorer.exe | File created: C:\Users\user\AppData\Local\ySbBY3WaF\SndVol.exe
            Source: C:\Windows\explorer.exe | File created: C:\Users\user\AppData\Local\T6Vn91tw0\slui.exe
            Source: C:\Windows\explorer.exe | File created: C:\Users\user\AppData\Local\4DETSU\MFC42u.dll
            Source: C:\Windows\explorer.exe | File created: C:\Users\user\AppData\Local\gxzS7\credui.dll
            Source: C:\Windows\explorer.exe | File created: C:\Users\user\AppData\Local\B8nn\XmlLite.dll
            Source: C:\Windows\explorer.exe | File created: C:\Users\user\AppData\Local\Nom\mblctr.exe
            Source: C:\Windows\explorer.exe | File created: C:\Users\user\AppData\Local\SB1jY1h\AtBroker.exe
            Source: C:\Windows\explorer.exe | File created: C:\Users\user\AppData\Local\8FwY\dpx.dll
            Source: C:\Windows\explorer.exe | File created: C:\Users\user\AppData\Local\h1G\ACTIVEDS.dll
            Source: C:\Windows\explorer.exe | File created: C:\Users\user\AppData\Local\8FwY\wusa.exe
            Source: C:\Windows\explorer.exe | File created: C:\Users\user\AppData\Local\Bun\MFC42u.dll
            Source: C:\Windows\explorer.exe | File created: C:\Users\user\AppData\Local\LnjKLu\DUI70.dll
            Source: C:\Windows\explorer.exe | File created: C:\Users\user\AppData\Local\9Krbbc\ACTIVEDS.dll
            Source: C:\Windows\explorer.exe | File created: C:\Users\user\AppData\Local\O8JNmHZW\VERSION.dll
            Source: C:\Windows\explorer.exe | File created: C:\Users\user\AppData\Local\T6Vn91tw0\SLC.dll
            Source: C:\Windows\explorer.exe | File created: C:\Users\user\AppData\Local\O8JNmHZW\cmstp.exe
            Source: C:\Windows\explorer.exe | File created: C:\Users\user\AppData\Local\kkXbTNX3S\wscript.exe
            Source: C:\Windows\explorer.exe | File created: C:\Users\user\AppData\Local\Mnd\wextract.exe
            Source: C:\Windows\explorer.exe | File created: C:\Users\user\AppData\Local\QEkvVts\WFS.exe
            Source: C:\Windows\explorer.exe | File created: C:\Users\user\AppData\Local\SB1jY1h\UxTheme.dll
            Source: C:\Windows\explorer.exe | File created: C:\Users\user\AppData\Local\h1G\AgentService.exe
            Source: C:\Windows\explorer.exe | File created: C:\Users\user\AppData\Local\gxzS7\perfmon.exe
            Source: C:\Windows\explorer.exe | File created: C:\Users\user\AppData\Local\iU8z5\wermgr.exe
            Source: C:\Windows\explorer.exe | File created: C:\Users\user\AppData\Local\QEkvVts\WINMM.dll
            Source: C:\Windows\explorer.exe | File created: C:\Users\user\AppData\Local\Mnd\VERSION.dll
            Source: C:\Windows\explorer.exe | File created: C:\Users\user\AppData\Local\0Nty\ReAgent.dll
            Source: C:\Windows\explorer.exe | File created: C:\Users\user\AppData\Local\kOjpxXR\dwmapi.dll
            Source: C:\Windows\explorer.exe | File created: C:\Users\user\AppData\Local\kOjpxXR\SnippingTool.exe
            Source: C:\Windows\explorer.exe | File created: C:\Users\user\AppData\Local\Nom\WTSAPI32.dll
            Source: C:\Windows\explorer.exe | File created: C:\Users\user\AppData\Local\4DETSU\FXSCOVER.exe
            Source: C:\Windows\explorer.exe | File created: C:\Users\user\AppData\Local\byYs\DUI70.dll
            Source: C:\Windows\explorer.exe | File created: C:\Users\user\AppData\Local\B8nn\Dxpserver.exe
            Source: C:\Windows\explorer.exe | File created: C:\Users\user\AppData\Local\Bun\DevicePairingWizard.exe
            Source: C:\Windows\explorer.exe | File created: C:\Users\user\AppData\Local\kkXbTNX3S\VERSION.dll
            Source: C:\Windows\explorer.exe | File created: C:\Users\user\AppData\Local\iU8z5\wer.dll
            Source: C:\Windows\explorer.exe | File created: C:\Users\user\AppData\Local\byYs\wlrmdr.exe
            Source: C:\Windows\explorer.exe | File created: C:\Users\user\AppData\Local\LnjKLu\ProximityUxHost.exe
            Source: C:\Windows\explorer.exe | File created: C:\Users\user\AppData\Local\M5A\wer.dll
            Source: C:\Windows\explorer.exe | File created: C:\Users\user\AppData\Local\M5A\wermgr.exe
            Source: C:\Windows\explorer.exe | File created: C:\Users\user\AppData\Local\2vl\LicensingUI.exe
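            The dropped-file list above shows the layout behind the side-loading signature: each random-named folder under AppData\Local holds a copy of a Windows executable (recdisc.exe, wusa.exe, wermgr.exe, WFS.exe and so on) next to a DLL that carries the name of a library Windows ships in System32 (ReAgent.dll, dpx.dll, wer.dll, WINMM.dll and so on). The hunt below is an added example, not part of the report: it takes a list of paths (a constructed subset of the entries above plus one benign control directory), groups them by directory and flags directories where such a pair lands in a user-writable location. The SYSTEM_DLLS set and the USER_WRITABLE prefixes are assumptions; on a live host the first would be read from System32.

```python
import ntpath
import os
from collections import defaultdict

# Constructed input: a subset of the "File created" entries listed above, plus one
# benign-looking control directory (an installer staging its own private DLL).
DROPPED_FILES = [
    r"C:\Users\user\AppData\Local\0Nty\recdisc.exe",
    r"C:\Users\user\AppData\Local\0Nty\ReAgent.dll",
    r"C:\Users\user\AppData\Local\8FwY\wusa.exe",
    r"C:\Users\user\AppData\Local\8FwY\dpx.dll",
    r"C:\Users\user\AppData\Local\iU8z5\wermgr.exe",
    r"C:\Users\user\AppData\Local\iU8z5\wer.dll",
    r"C:\Users\user\AppData\Local\QEkvVts\WFS.exe",
    r"C:\Users\user\AppData\Local\QEkvVts\WINMM.dll",
    r"C:\Users\user\AppData\Local\Temp\vendor_setup\setup.exe",
    r"C:\Users\user\AppData\Local\Temp\vendor_setup\libvendor.dll",
]
# Assumed: on a live host, derive this from os.listdir(r"C:\Windows\System32").
SYSTEM_DLLS = {"activeds.dll", "credui.dll", "dpx.dll", "dui70.dll", "dwmapi.dll", "mfc42u.dll",
               "reagent.dll", "slc.dll", "uxtheme.dll", "version.dll", "wer.dll", "winmm.dll",
               "wtsapi32.dll", "xmllite.dll"}
USER_WRITABLE = ("c:\\users\\", "c:\\programdata\\")   # assumed prefixes worth alerting on


def sideload_candidates(paths, system_dlls=SYSTEM_DLLS):
    """Return (directory, exe names, dll names) for every user-writable directory holding
    at least one .exe beside a DLL named like one Windows ships in System32. The loader
    resolves an import that is not a KnownDLL from the executable's own directory before
    System32, so the planted copy wins; that pairing is the side-loading primitive."""
    by_dir = defaultdict(lambda: ([], []))
    for path in paths:
        directory, name = ntpath.split(path)
        ext = ntpath.splitext(name)[1].lower()
        if ext == ".exe":
            by_dir[directory][0].append(name)
        elif ext == ".dll" and name.lower() in system_dlls:
            by_dir[directory][1].append(name)
    return sorted((d, exes, dlls) for d, (exes, dlls) in by_dir.items()
                  if exes and dlls and d.lower().startswith(USER_WRITABLE))


def scan_tree(root):
    """Live variant: apply the same rule to every file under a tree such as %LOCALAPPDATA%."""
    paths = [os.path.join(dirpath, f) for dirpath, _, files in os.walk(root) for f in files]
    return sideload_candidates(paths)


if __name__ == "__main__":
    for directory, exes, dlls in sideload_candidates(DROPPED_FILES):
        print(f"{directory}: {', '.join(exes)} beside {', '.join(dlls)}")
```

            The rule fires on name collision alone, which is the right first pass for a hunt; confirming a hit means checking that the .exe is a verbatim copy of its System32 namesake (hash it against the original) and that the DLL is not (Authenticode signature, or the checksum and section-name checks from the static findings above).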
            Source: C:\Users\user\AppData\Local\QEkvVts\WFS.exe | Code function: 34_2_00007FF7D5C74CD4 FindWindowW,#2906,SetForegroundWindow,SendMessageW,GetCommandLineW,memset,IsWindowVisible,#4124,GetLastError,SetForegroundWindow,SendMessageW,#6610,GetLastError,#6632,IsWindowVisible,PostMessageW,GetLastActivePopup,#2906,IsIconic,#6632,SetForegroundWindow,PostMessageW,PostMessageW,PostMessageW,
            Source: C:\Windows\System32\rundll32.exe | Process information set: NOOPENFILEERRORBOX (17 occurrences)
            Source: C:\Users\user\AppData\Local\QEkvVts\WFS.exe | Process information set: NOOPENFILEERRORBOX (2 occurrences)
            Source: C:\Windows\System32\loaddll64.exe TID: 5420 | Thread sleep time: -60000s >= -30000s
            Source: C:\Windows\explorer.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\0Nty\recdisc.exe
            Source: C:\Windows\explorer.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\2vl\DUI70.dll
            Source: C:\Windows\explorer.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\9Krbbc\SppExtComObj.Exe
            Source: C:\Windows\explorer.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\T6Vn91tw0\slui.exe
            Source: C:\Windows\explorer.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\ySbBY3WaF\SndVol.exe
            Source: C:\Windows\explorer.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\B8nn\XmlLite.dll
            Source: C:\Windows\explorer.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Nom\mblctr.exe
            Source: C:\Windows\explorer.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\SB1jY1h\AtBroker.exe
            Source: C:\Windows\explorer.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\h1G\ACTIVEDS.dll
            Source: C:\Windows\explorer.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\LnjKLu\DUI70.dll
            Source: C:\Windows\explorer.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\9Krbbc\ACTIVEDS.dll
            Source: C:\Windows\explorer.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\O8JNmHZW\VERSION.dll
            Source: C:\Windows\explorer.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\T6Vn91tw0\SLC.dll
            Source: C:\Windows\explorer.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\O8JNmHZW\cmstp.exe
            Source: C:\Windows\explorer.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Mnd\wextract.exe
            Source: C:\Windows\explorer.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\kkXbTNX3S\wscript.exe
            Source: C:\Windows\explorer.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\h1G\AgentService.exe
            Source: C:\Windows\explorer.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\gxzS7\perfmon.exe
            Source: C:\Windows\explorer.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Mnd\VERSION.dll
            Source: C:\Windows\explorer.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\0Nty\ReAgent.dll
            Source: C:\Windows\explorer.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\kOjpxXR\dwmapi.dll
            Source: C:\Windows\explorer.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\kOjpxXR\SnippingTool.exe
            Source: C:\Windows\explorer.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\4DETSU\FXSCOVER.exe
            Source: C:\Windows\explorer.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\B8nn\Dxpserver.exe
            Source: C:\Windows\explorer.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\byYs\DUI70.dll
            Source: C:\Windows\explorer.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Bun\DevicePairingWizard.exe
            Source: C:\Windows\explorer.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\kkXbTNX3S\VERSION.dll
            Source: C:\Windows\explorer.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\byYs\wlrmdr.exe
            Source: C:\Windows\explorer.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\LnjKLu\ProximityUxHost.exe
            Source: C:\Windows\explorer.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\2vl\LicensingUI.exe
            Source: C:\Users\user\AppData\Local\M5A\wermgr.exe | Code function: 31_2_00007FF740977BC4 GetSystemTimeAsFileTime followed by cmp: cmp ebx, 01h and CTI: jne 00007FF740977CE0h
            Source: C:\Windows\System32\loaddll64.exe | Process information queried: ProcessInformation
            Source: C:\Windows\System32\loaddll64.exe | Code function: 0_2_000000014005C340 GetSystemInfo,
            Source: C:\Windows\System32\loaddll64.exe | Code function: 0_2_000000014005D290 FindFirstFileExW,
            Source: C:\Users\user\AppData\Local\M5A\wermgr.exe | Code function: 31_2_00007FF740981BA0 FindFirstFileExW,_wcsicmp,_wcsicmp,FindNextFileW,GetLastError,GetLastError,FindClose,
            Source: C:\Users\user\AppData\Local\M5A\wermgr.exe | Code function: 31_2_00007FF74097BE54 GetFileAttributesW,GetLastError,FindFirstFileW,GetLastError,CompareStringW,FindNextFileW,FindClose,FindClose,
            Source: C:\Users\user\AppData\Local\QEkvVts\WFS.exe | Code function: 34_2_00007FF7D5C871B0 #626,memset,#6887,#1122,#1287,FindFirstFileW,GetLastError,#6886,#1122,#1287,#1287,#624,EnterCriticalSection,LeaveCriticalSection,FindNextFileW,GetLastError,FindClose,#6887,#1040,SendMessageW,
            Source: C:\Users\user\AppData\Local\QEkvVts\WFS.exe | Code function: 34_2_00007FF7D5CA30D8 SendMessageW,GetLastError,wcschr,#626,#2846,FindFirstFileW,GetLastError,#1040,#626,memset,GetLastError,ReadFile,GetLastError,CloseHandle,FindNextFileW,GetLastError,FindClose,GetLastError,#1040,CloseHandle,SendMessageW,#4262,#640,#1122,#1040,#6395,#6395,
            Source: C:\Users\user\AppData\Local\QEkvVts\WFS.exe | Code function: 34_2_00007FF7D5C7F0AC GetTempPathW,GetLastError,wcsrchr,_wcsnset,GetCurrentProcessId,FindFirstFileW,GetLastError,DeleteFileW,GetLastError,FindNextFileW,GetLastError,GetLastError,FindClose,
            Source: C:\Users\user\AppData\Local\QEkvVts\WFS.exe | Code function: 34_2_00007FF7D5CB89BC wcscpy_s,wcscat_s,FindFirstFileW,_wcsicmp,FindNextFileW,GetLastError,FindClose,
            Source: C:\Users\user\AppData\Local\QEkvVts\WFS.exe | Code function: 34_2_00007FF7D5C85B40 #626,#626,memset,memset,#6887,#620,#1122,#1040,#1287,FindFirstFileW,GetLastError,#6886,#620,#1122,#1040,#1287,#1287,#620,EnterCriticalSection,LeaveCriticalSection,FindNextFileW,GetLastError,FindClose,#6887,#1040,#1040,SendMessageW,
            Source: C:\Users\user\AppData\Local\8FwY\wusa.exe | Code function: 40_2_00007FF6EE1F1BC0 memset,memset,CoInitializeEx,FindFirstFileW,GetLastError,lstrcmpiW,FindNextFileW,GetLastError,GetCommandLineW,EventWrite,FindClose,CoUninitialize,LocalFree,
            Source: C:\Users\user\AppData\Local\8FwY\wusa.exe | Code function: 40_2_00007FF6EE1F8D04 memset,memset,memset,FindFirstFileW,GetLastError,lstrcmpW,lstrcmpW,DeleteFileW,GetLastError,MoveFileExW,GetLastError,FindNextFileW,GetLastError,FindClose,GetLastError,RemoveDirectoryW,GetLastError,MoveFileExW,GetLastError,FindClose,GetLastError,LocalFree,
            Source: explorer.exe, 00000004.00000000.273225971.0000000008A32000.00000004.00000001.sdmp | Binary or memory string: VMware SATA CD00dRom0
            Source: explorer.exe, 00000004.00000000.273225971.0000000008A32000.00000004.00000001.sdmp | Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000
            Source: explorer.exe, 00000004.00000000.257633536.0000000008B88000.00000004.00000001.sdmp | Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
            Source: explorer.exe, 00000004.00000000.257633536.0000000008B88000.00000004.00000001.sdmp | Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}e
            Source: explorer.exe, 00000004.00000000.265986163.00000000048E0000.00000004.00000001.sdmp | Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
            Source: explorer.exe, 00000004.00000000.297757063.0000000008ACF000.00000004.00000001.sdmp | Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000Datc
            Source: explorer.exe, 00000004.00000000.257633536.0000000008B88000.00000004.00000001.sdmp | Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}C
            Source: explorer.exe, 00000004.00000000.297757063.0000000008ACF000.00000004.00000001.sdmp | Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000
            Source: explorer.exe, 00000004.00000000.268458783.00000000069DA000.00000004.00000001.sdmp | Binary or memory string: VMware SATA CD002
            Source: explorer.exe, 00000004.00000000.298268024.0000000008C73000.00000004.00000001.sdmp | Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}oft.Mic
            Source: C:\Users\user\AppData\Local\M5A\wermgr.exeCode function: 31_2_00007FF7409749DC GetCurrentThreadId,memset,IsDebuggerPresent,OutputDebugStringW,
            Source: C:\Users\user\AppData\Local\QEkvVts\WFS.exeCode function: 34_2_00007FF7D5C84858 LoadLibraryW,GetProcAddress,FreeLibrary,
            Source: C:\Users\user\AppData\Local\M5A\wermgr.exeCode function: 31_2_00007FF740976BC0 WaitForSingleObjectEx,GetLastError,ReleaseMutex,SetLastError,GetProcessHeap,HeapFree,ReleaseMutex,
            Source: C:\Windows\System32\loaddll64.exeCode function: 0_2_0000000140048AC0 LdrLoadDll,FindClose,
            Source: C:\Users\user\AppData\Local\M5A\wermgr.exeCode function: 31_2_00007FF740983140 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
            Source: C:\Users\user\AppData\Local\M5A\wermgr.exeCode function: 31_2_00007FF740982B00 SetUnhandledExceptionFilter,
            Source: C:\Users\user\AppData\Local\QEkvVts\WFS.exeCode function: 34_2_00007FF7D5CD48F4 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
            Source: C:\Users\user\AppData\Local\QEkvVts\WFS.exeCode function: 34_2_00007FF7D5CD4CF0 SetUnhandledExceptionFilter,
            Source: C:\Users\user\AppData\Local\8FwY\wusa.exeCode function: 40_2_00007FF6EE206AA4 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
            Source: C:\Users\user\AppData\Local\8FwY\wusa.exeCode function: 40_2_00007FF6EE206830 SetUnhandledExceptionFilter,

            HIPS / PFW / Operating System Protection Evasion:

            Benign windows process drops PE files
            Source: C:\Windows\explorer.exeFile created: wer.dll.4.dr
            Changes memory attributes in foreign processes to executable or writable
            Source: C:\Windows\System32\loaddll64.exeMemory protected: C:\Windows\explorer.exe base: 7FFFAE1CEFE0 protect: page execute and read and write
            Source: C:\Windows\System32\loaddll64.exeMemory protected: C:\Windows\explorer.exe base: 7FFFAE1CE000 protect: page execute read
            Source: C:\Windows\System32\loaddll64.exeMemory protected: C:\Windows\explorer.exe base: 7FFFAC2B2A20 protect: page execute and read and write
            Source: C:\Windows\System32\rundll32.exeMemory protected: C:\Windows\explorer.exe base: 7FFFAE1CEFE0 protect: page execute and read and write
            Source: C:\Windows\System32\rundll32.exeMemory protected: C:\Windows\explorer.exe base: 7FFFAE1CE000 protect: page execute read
            Source: C:\Windows\System32\rundll32.exeMemory protected: C:\Windows\explorer.exe base: 7FFFAC2B2A20 protect: page execute and read and write
            Source: C:\Windows\System32\rundll32.exeMemory protected: unknown base: 7FFFAE1CEFE0 protect: page execute and read and write
            Source: C:\Windows\System32\rundll32.exeMemory protected: unknown base: 7FFFAE1CE000 protect: page execute read
            Source: C:\Windows\System32\rundll32.exeMemory protected: unknown base: 7FFFAC2B2A20 protect: page execute and read and write
            DLL side loading technique detected
            Source: C:\Windows\explorer.exeSection loaded: C:\Windows\System32\wer.dll
            Queues an APC in another process (thread injection)
            Source: C:\Windows\System32\loaddll64.exeThread APC queued: target process: C:\Windows\explorer.exe
            Uses Atom Bombing / ProGate to inject into other processes
            Source: C:\Windows\System32\loaddll64.exeAtom created: 405553565741544156488D6C24D14881EC98 0x00000000 inc eax 0x00000001 push ebp 0x00000002 push ebx 0x00000003 push esi 0x00000004 push edi 0x00000005 inc ecx 0x00000006 push esp 0x00000007 inc ecx 0x00000008 push esi 0x00000009 dec eax 0x0000000a lea ebp, dword ptr [esp-2Fh] 0x0000000e dec eax 0x0000000f sub esp, 00000098h
            Source: C:\Windows\System32\rundll32.exeAtom created: 405553565741544156488D6C24D14881EC98 0x00000000 inc eax 0x00000001 push ebp 0x00000002 push ebx 0x00000003 push esi 0x00000004 push edi 0x00000005 inc ecx 0x00000006 push esp 0x00000007 inc ecx 0x00000008 push esi 0x00000009 dec eax 0x0000000a lea ebp, dword ptr [esp-2Fh] 0x0000000e dec eax 0x0000000f sub esp, 00000098h
            Source: C:\Windows\System32\rundll32.exeAtom created: 405553565741544156488D6C24D14881EC98 0x00000000 inc eax 0x00000001 push ebp 0x00000002 push ebx 0x00000003 push esi 0x00000004 push edi 0x00000005 inc ecx 0x00000006 push esp 0x00000007 inc ecx 0x00000008 push esi 0x00000009 dec eax 0x0000000a lea ebp, dword ptr [esp-2Fh] 0x0000000e dec eax 0x0000000f sub esp, 00000098h
            Source: C:\Users\user\AppData\Local\QEkvVts\WFS.exeCode function: 34_2_00007FF7D5CBD58C memset,memset,CredUIParseUserNameW,LogonUserW,GetLastError,DuplicateToken,GetLastError,CloseHandle,
            Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\X5C9EzCB7A.dll',#1
            Source: C:\Users\user\AppData\Local\M5A\wermgr.exeCode function: 31_2_00007FF74097AE50 GetFileSecurityW,GetLastError,GetFileSecurityW,GetLastError,GetSecurityDescriptorDacl,GetLastError,GetCurrentThread,OpenThreadToken,GetLastError,GetCurrentProcess,OpenProcessToken,GetLastError,GetTokenInformation,GetLastError,GetTokenInformation,GetLastError,SetEntriesInAclW,InitializeSecurityDescriptor,GetLastError,SetSecurityDescriptorDacl,GetLastError,SetFileSecurityW,GetLastError,GetFileAttributesW,GetLastError,SetFileAttributesW,GetLastError,LocalFree,CloseHandle,
            Source: C:\Users\user\AppData\Local\M5A\wermgr.exeCode function: 31_2_00007FF740981750 AllocateAndInitializeSid,CheckTokenMembership,RegOpenKeyExW,RegCloseKey,FreeSid,
            Source: explorer.exe, 00000004.00000000.306969877.0000000001400000.00000002.00020000.sdmpBinary or memory string: uProgram Manager
            Source: explorer.exe, 00000004.00000000.306969877.0000000001400000.00000002.00020000.sdmpBinary or memory string: Shell_TrayWnd
            Source: explorer.exe, 00000004.00000000.306969877.0000000001400000.00000002.00020000.sdmpBinary or memory string: Progman
            Source: explorer.exe, 00000004.00000000.306969877.0000000001400000.00000002.00020000.sdmpBinary or memory string: Progmanlock
            Source: explorer.exe, 00000004.00000000.263442469.0000000000EB8000.00000004.00000020.sdmpBinary or memory string: ProgmanX
            Source: explorer.exe, 00000004.00000000.297757063.0000000008ACF000.00000004.00000001.sdmpBinary or memory string: Shell_TrayWndAj
            Source: C:\Windows\System32\loaddll64.exeQueries volume information: unknown VolumeInformation
            Source: C:\Windows\System32\loaddll64.exeQueries volume information: unknown VolumeInformation
            Source: C:\Windows\System32\rundll32.exeQueries volume information: unknown VolumeInformation
            Source: C:\Windows\System32\rundll32.exeQueries volume information: unknown VolumeInformation
            Source: C:\Windows\System32\rundll32.exeQueries volume information: unknown VolumeInformation
            Source: C:\Windows\System32\rundll32.exeQueries volume information: unknown VolumeInformation
            Source: C:\Windows\System32\rundll32.exeQueries volume information: unknown VolumeInformation
            Source: C:\Windows\System32\rundll32.exeQueries volume information: unknown VolumeInformation
            Source: C:\Windows\System32\rundll32.exeQueries volume information: unknown VolumeInformation
            Source: C:\Windows\System32\rundll32.exeQueries volume information: unknown VolumeInformation
            Source: C:\Windows\System32\rundll32.exeQueries volume information: unknown VolumeInformation
            Source: C:\Windows\System32\rundll32.exeQueries volume information: unknown VolumeInformation
            Source: C:\Windows\System32\rundll32.exeQueries volume information: unknown VolumeInformation
            Source: C:\Windows\System32\rundll32.exeQueries volume information: unknown VolumeInformation
            Source: C:\Windows\System32\rundll32.exeQueries volume information: unknown VolumeInformation
            Source: C:\Windows\System32\rundll32.exeQueries volume information: unknown VolumeInformation
            Source: C:\Windows\System32\rundll32.exeQueries volume information: unknown VolumeInformation
            Source: C:\Windows\System32\rundll32.exeQueries volume information: unknown VolumeInformation
            Source: C:\Windows\System32\rundll32.exeQueries volume information: unknown VolumeInformation
            Source: C:\Windows\System32\rundll32.exeQueries volume information: unknown VolumeInformation
            Source: C:\Windows\System32\rundll32.exeQueries volume information: unknown VolumeInformation
            Source: C:\Windows\System32\rundll32.exeQueries volume information: unknown VolumeInformation
            Source: C:\Windows\System32\rundll32.exeQueries volume information: unknown VolumeInformation
            Source: C:\Windows\System32\rundll32.exeQueries volume information: unknown VolumeInformation
            Source: C:\Windows\System32\rundll32.exeQueries volume information: unknown VolumeInformation
            Source: C:\Windows\System32\rundll32.exeQueries volume information: unknown VolumeInformation
            Source: C:\Windows\System32\rundll32.exeQueries volume information: unknown VolumeInformation
            Source: C:\Windows\System32\rundll32.exeQueries volume information: unknown VolumeInformation
            Source: C:\Windows\System32\rundll32.exeQueries volume information: unknown VolumeInformation
            Source: C:\Windows\System32\rundll32.exeQueries volume information: unknown VolumeInformation
            Source: C:\Windows\System32\rundll32.exeQueries volume information: unknown VolumeInformation
            Source: C:\Windows\System32\rundll32.exeQueries volume information: unknown VolumeInformation
            Source: C:\Users\user\AppData\Local\M5A\wermgr.exeQueries volume information: unknown VolumeInformation
            Source: C:\Users\user\AppData\Local\M5A\wermgr.exeQueries volume information: unknown VolumeInformation
            Source: C:\Windows\System32\rundll32.exeQueries volume information: unknown VolumeInformation
            Source: C:\Windows\System32\rundll32.exeQueries volume information: unknown VolumeInformation
            Source: C:\Users\user\AppData\Local\QEkvVts\WFS.exeQueries volume information: unknown VolumeInformation
            Source: C:\Users\user\AppData\Local\QEkvVts\WFS.exeQueries volume information: unknown VolumeInformation
            Source: C:\Windows\System32\rundll32.exeQueries volume information: unknown VolumeInformation
            Source: C:\Windows\System32\rundll32.exeQueries volume information: unknown VolumeInformation
            Source: C:\Users\user\AppData\Local\8FwY\wusa.exeQueries volume information: unknown VolumeInformation
            Source: C:\Users\user\AppData\Local\8FwY\wusa.exeQueries volume information: unknown VolumeInformation
            Source: C:\Users\user\AppData\Local\QEkvVts\WFS.exeCode function: #1568,GetLocaleInfoW,GetLastError,#1471,PostMessageW,#1567,#626,#2846,
            Source: C:\Users\user\AppData\Local\QEkvVts\WFS.exeCode function: GetLocaleInfoEx,
            Source: C:\Users\user\AppData\Local\QEkvVts\WFS.exeCode function: GetUserPreferredUILanguages,GetLastError,GetUserPreferredUILanguages,GetLocaleInfoEx,free,
            Source: C:\Users\user\AppData\Local\QEkvVts\WFS.exeCode function: #2846,GetNumberFormatW,GetLastError,GetLocaleInfoW,GetLastError,wcsstr,memset,#2846,
            Source: C:\Windows\System32\loaddll64.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion InstallDate
            Source: C:\Windows\System32\loaddll64.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
            Source: C:\Users\user\AppData\Local\M5A\wermgr.exeCode function: 31_2_00007FF740977BC4 GetSystemTimeAsFileTime,RegSetValueExW,GetLastError,RegCloseKey,
            Source: C:\Users\user\AppData\Local\QEkvVts\WFS.exeCode function: 34_2_00007FF7D5C748FC GetVersion,#1441,LoadIconW,GetLastError,#1471,PostMessageW,ShellAboutW,#1471,#337,#626,memset,memset,#1471,PostMessageW,#1471,#1443,#2517,#1040,#852,

            Mitre Att&ck Matrix

            Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
            Valid Accounts2 | Command and Scripting Interpreter12 | Valid Accounts2 | Valid Accounts2 | Masquerading1 | OS Credential Dumping | System Time Discovery11 | Remote Services | Archive Collected Data1 | Exfiltration Over Other Network Medium | Encrypted Channel2 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
            Default Accounts | Native API1 | Windows Service1 | Access Token Manipulation21 | Valid Accounts2 | LSASS Memory | Security Software Discovery21 | Remote Desktop Protocol | Data from Removable Media | Exfiltration Over Bluetooth | Junk Data | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
            Domain Accounts | Exploitation for Client Execution1 | DLL Side-Loading1 | Windows Service1 | Virtualization/Sandbox Evasion1 | Security Account Manager | Virtualization/Sandbox Evasion1 | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Steganography | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
            Local Accounts | At (Windows) | Logon Script (Mac) | Process Injection312 | Access Token Manipulation21 | NTDS | Process Discovery3 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Protocol Impersonation | SIM Card Swap | | Carrier Billing Fraud
            Cloud Accounts | Cron | Network Logon Script | DLL Side-Loading1 | Process Injection312 | LSA Secrets | Application Window Discovery1 | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | | Manipulate App Store Rankings or Ratings
            Replication Through Removable Media | Launchd | Rc.common | Rc.common | Deobfuscate/Decode Files or Information1 | Cached Domain Credentials | File and Directory Discovery1 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | | Abuse Accessibility Features
            External Remote Services | Scheduled Task | Startup Items | Startup Items | Obfuscated Files or Information3 | DCSync | System Information Discovery35 | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | | Data Encrypted for Impact
            Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | Rundll321 | Proc Filesystem | Network Service Scanning | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | | Generate Fraudulent Advertising Revenue
            Exploit Public-Facing Application | PowerShell | At (Linux) | At (Linux) | Software Packing2 | /etc/passwd and /etc/shadow | System Network Connections Discovery | Software Deployment Tools | Data Staged | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | Web Protocols | Rogue Cellular Base Station | | Data Destruction
            Supply Chain Compromise | AppleScript | At (Windows) | At (Windows) | Timestomp1 | Network Sniffing | Process Discovery | Taint Shared Content | Local Data Staging | Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol | File Transfer Protocols | | | Data Encrypted for Impact
            Compromise Software Dependencies and Development Tools | Windows Command Shell | Cron | Cron | DLL Side-Loading1 | Input Capture | Permission Groups Discovery | Replication Through Removable Media | Remote Data Staging | Exfiltration Over Physical Medium | Mail Protocols | | | Service Stop

            Behavior Graph


            Legend:

            • Process
            • Signature
            • Created File
            • DNS/IP Info
            • Is Dropped
            • Is Windows Process
            • Number of created Registry Values
            • Number of created Files
            • Visual Basic
            • Delphi
            • Java
            • .Net C# or VB.NET
            • C, C++ or other language
            • Is malicious
            • Internet
            Behavior Graph ID: 492086, Sample: X5C9EzCB7A, Start date: 28/09/2021, Architecture: WINDOWS, Score: 100
            Signatures on the sample: Antivirus detection for dropped file; Antivirus / Scanner detection for submitted sample; Multi AV Scanner detection for submitted file; 5 other signatures
            loaddll64.exe 1 (started)
              signatures: Changes memory attributes in foreign processes to executable or writable; Uses Atom Bombing / ProGate to inject into other processes; Queues an APC in another process (thread injection)
              -> rundll32.exe (started)
                   signatures: Changes memory attributes in foreign processes to executable or writable; Uses Atom Bombing / ProGate to inject into other processes
                   -> explorer.exe 2 97 (injected)
                        files dropped: C:\Users\user\AppData\Local\...\SLC.dll (PE32+); C:\Users\user\AppData\Local\...\UxTheme.dll (PE32+); C:\Users\user\AppData\Local\...\WINMM.dll (PE32+); 41 other files (9 malicious)
                        signatures: Benign windows process drops PE files; DLL side loading technique detected
                        -> wermgr.exe (started); wermgr.exe (started); WFS.exe (started); 3 other processes
              -> rundll32.exe (started)
              -> cmd.exe 1 (started)
                   -> rundll32.exe (started)
              -> 14 other processes


            Antivirus, Machine Learning and Genetic Malware Detection

            Initial Sample

            Source | Detection | Scanner | Label
            X5C9EzCB7A.dll | 65% | Virustotal |
            X5C9EzCB7A.dll | 57% | Metadefender |
            X5C9EzCB7A.dll | 76% | ReversingLabs | Win64.Infostealer.Dridex
            X5C9EzCB7A.dll | 100% | Avira | HEUR/AGEN.1114452
            X5C9EzCB7A.dll | 100% | Joe Sandbox ML |

            Dropped Files

            Source | Detection | Scanner | Label
            C:\Users\user\AppData\Local\9Krbbc\ACTIVEDS.dll | 100% | Avira | TR/Crypt.ZPACK.Gen
            C:\Users\user\AppData\Local\8FwY\dpx.dll | 100% | Avira | HEUR/AGEN.1114452
            C:\Users\user\AppData\Local\2vl\DUI70.dll | 100% | Avira | HEUR/AGEN.1114452
            C:\Users\user\AppData\Local\0Nty\ReAgent.dll | 100% | Avira | HEUR/AGEN.1114452
            C:\Users\user\AppData\Local\2vl\DUI70.dll | 100% | Avira | HEUR/AGEN.1114452
            C:\Users\user\AppData\Local\M5A\wer.dll | 100% | Avira | HEUR/AGEN.1114452
            C:\Users\user\AppData\Local\4DETSU\MFC42u.dll | 100% | Avira | TR/Crypt.ZPACK.Gen
            C:\Users\user\AppData\Local\B8nn\XmlLite.dll | 100% | Avira | HEUR/AGEN.1114452
            C:\Users\user\AppData\Local\Mnd\VERSION.dll | 100% | Avira | TR/Crypt.ZPACK.Gen
            C:\Users\user\AppData\Local\4DETSU\MFC42u.dll | 100% | Avira | TR/Crypt.ZPACK.Gen
            C:\Users\user\AppData\Local\Mnd\VERSION.dll | 100% | Avira | TR/Crypt.ZPACK.Gen
            C:\Users\user\AppData\Local\2vl\DUI70.dll | 100% | Avira | HEUR/AGEN.1114452
            C:\Users\user\AppData\Local\QEkvVts\WINMM.dll | 100% | Avira | TR/Crypt.ZPACK.Gen
            C:\Users\user\AppData\Local\T6Vn91tw0\SLC.dll | 100% | Avira | HEUR/AGEN.1114452
            C:\Users\user\AppData\Local\Nom\WTSAPI32.dll | 100% | Avira | TR/Crypt.ZPACK.Gen
            C:\Users\user\AppData\Local\SB1jY1h\UxTheme.dll | 100% | Avira | TR/Crypt.ZPACK.Gen
            C:\Users\user\AppData\Local\9Krbbc\ACTIVEDS.dll | 100% | Joe Sandbox ML |
            C:\Users\user\AppData\Local\8FwY\dpx.dll | 100% | Joe Sandbox ML |
            C:\Users\user\AppData\Local\2vl\DUI70.dll | 100% | Joe Sandbox ML |
            C:\Users\user\AppData\Local\0Nty\ReAgent.dll | 100% | Joe Sandbox ML |
            C:\Users\user\AppData\Local\2vl\DUI70.dll | 100% | Joe Sandbox ML |
            C:\Users\user\AppData\Local\M5A\wer.dll | 100% | Joe Sandbox ML |
            C:\Users\user\AppData\Local\4DETSU\MFC42u.dll | 100% | Joe Sandbox ML |
            C:\Users\user\AppData\Local\B8nn\XmlLite.dll | 100% | Joe Sandbox ML |
            C:\Users\user\AppData\Local\Mnd\VERSION.dll | 100% | Joe Sandbox ML |
            C:\Users\user\AppData\Local\4DETSU\MFC42u.dll | 100% | Joe Sandbox ML |
            C:\Users\user\AppData\Local\Mnd\VERSION.dll | 100% | Joe Sandbox ML |
            C:\Users\user\AppData\Local\2vl\DUI70.dll | 100% | Joe Sandbox ML |
            C:\Users\user\AppData\Local\QEkvVts\WINMM.dll | 100% | Joe Sandbox ML |
            C:\Users\user\AppData\Local\T6Vn91tw0\SLC.dll | 100% | Joe Sandbox ML |
            C:\Users\user\AppData\Local\Nom\WTSAPI32.dll | 100% | Joe Sandbox ML |
            C:\Users\user\AppData\Local\SB1jY1h\UxTheme.dll | 100% | Joe Sandbox ML |
            C:\Users\user\AppData\Local\0Nty\recdisc.exe | 0% | Virustotal |
            C:\Users\user\AppData\Local\0Nty\recdisc.exe | 0% | Metadefender |
            C:\Users\user\AppData\Local\0Nty\recdisc.exe | 0% | ReversingLabs |
            C:\Users\user\AppData\Local\2vl\LicensingUI.exe | 0% | Virustotal |
            C:\Users\user\AppData\Local\2vl\LicensingUI.exe | 0% | Metadefender |
            C:\Users\user\AppData\Local\2vl\LicensingUI.exe | 0% | ReversingLabs |
            C:\Users\user\AppData\Local\4DETSU\FXSCOVER.exe | 0% | ReversingLabs |

            Unpacked PE Files

            Source | Detection | Scanner | Label
            31.2.wermgr.exe.140000000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
            14.2.rundll32.exe.140000000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
            3.2.rundll32.exe.140000000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
            29.2.rundll32.exe.140000000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
            27.2.rundll32.exe.140000000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
            40.2.wusa.exe.140000000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
            10.2.rundll32.exe.140000000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
            6.2.rundll32.exe.140000000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
            0.2.loaddll64.exe.140000000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
            23.2.rundll32.exe.140000000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
            9.2.rundll32.exe.140000000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
            34.2.WFS.exe.140000000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
            35.2.rundll32.exe.140000000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
            32.2.rundll32.exe.140000000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
            24.2.rundll32.exe.140000000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
            2.2.rundll32.exe.140000000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
            19.2.rundll32.exe.140000000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
            21.2.rundll32.exe.140000000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
            8.2.rundll32.exe.140000000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
            25.2.rundll32.exe.140000000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
            28.2.rundll32.exe.140000000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen

            Domains

            No Antivirus matches

            URLs

            No Antivirus matches

            Domains and IPs

            Contacted Domains

            No contacted domains info

            URLs from Memory and Binaries

            Name | Source | Malicious | Antivirus Detection | Reputation
            http://www.autoitscript.com/autoit3/J | explorer.exe, 00000004.00000000.268276705.0000000006870000.00000004.00000001.sdmp | false | | high

              Contacted IPs

              No contacted IP infos

              General Information

              Joe Sandbox Version:33.0.0 White Diamond
              Analysis ID:492086
              Start date:28.09.2021
              Start time:10:48:48
              Joe Sandbox Product:CloudBasic
              Overall analysis duration:0h 15m 46s
              Hypervisor based Inspection enabled:false
              Report type:light
              Sample file name:X5C9EzCB7A (renamed file extension from none to dll)
              Cookbook file name:default.jbs
              Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
              Number of new started processes analysed:40
              Number of new started drivers analysed:0
              Number of existing processes analysed:0
              Number of existing drivers analysed:0
              Number of injected processes analysed:0
              Technologies:
              • HCA enabled
              • EGA enabled
              • HDC enabled
              • AMSI enabled
              Analysis Mode:default
              Analysis stop reason:Timeout
              Detection:MAL
              Classification:mal100.troj.evad.winDLL@91/45@0/0
              EGA Information:Failed
              HDC Information:
              • Successful, ratio: 45.6% (good quality ratio 43.1%)
              • Quality average: 91.3%
              • Quality standard deviation: 25.6%
              HCA Information:Failed
              Cookbook Comments:
              • Adjust boot time
              • Enable AMSI
              Warnings:
              • Exclude process from analysis (whitelisted): SgrmBroker.exe, backgroundTaskHost.exe, svchost.exe, wuapihost.exe
              • Excluded IPs from analysis (whitelisted): 23.211.4.86, 20.50.102.62, 209.197.3.8, 20.54.110.249, 40.112.88.60, 80.67.82.211, 80.67.82.235, 131.253.33.200, 13.107.22.200, 20.82.210.154
              • Excluded domains from analysis (whitelisted): iris-de-prod-azsc-neu-b.northeurope.cloudapp.azure.com, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, a1449.dscg2.akamai.net, arc.msn.com, consumer-displaycatalogrp-aks2aks-europe.md.mp.microsoft.com.akadns.net, www-bing-com.dual-a-0001.a-msedge.net, arc.trafficmanager.net, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net, www.bing.com, fs.microsoft.com, displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, wu-shim.trafficmanager.net, neu-displaycatalogrp.useroor.bigcatalog.commerce.microsoft.com, ris-prod.trafficmanager.net, asf-ris-prod-neu.northeurope.cloudapp.azure.com, e1723.g.akamaiedge.net, ctldl.windowsupdate.com, cds.d2s7q6s2.hwcdn.net, iris-de-prod-azsc-uks.uksouth.cloudapp.azure.com, ris.api.iris.microsoft.com, dual-a-0001.dc-msedge.net, a-0001.a-afdentry.net.trafficmanager.net, displaycatalog-rp.md.mp.microsoft.com.akadns.net
              • Not all processes were analyzed, report is missing behavior information
              • Report creation exceeded maximum time and may have missing behavior and disassembly information.
              • Report size exceeded maximum capacity and may have missing behavior information.
              • Report size exceeded maximum capacity and may have missing disassembly code.
              • Report size getting too big, too many NtAllocateVirtualMemory calls found.
              • Report size getting too big, too many NtEnumerateKey calls found.

              Simulations

              Behavior and APIs

              No simulations

              Joe Sandbox View / Context

              IPs

              No context

              Domains

              No context

              ASN

              No context

              JA3 Fingerprints

              No context

              Dropped Files

              No context

              Created / dropped Files

              C:\Users\user\AppData\Local\0Nty\ReAgent.dll
              Process:C:\Windows\explorer.exe
              File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
              Category:dropped
              Size (bytes):2121728
              Entropy (8bit):3.564329528703889
              Encrypted:false
              SSDEEP:12288:OVI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1:TfP7fWsK5z9A+WGAW+V5SB6Ct4bnb
              MD5:0F2CD68909E4CA4CB2925A2D530E611D
              SHA1:C797BFE2EB15E848B6F88E55873C03656F2399F1
              SHA-256:8E807BDF55D7676C4D761950196962D65D9202DE71C74542CA46C30DF3EA85C8
              SHA-512:0CEF9556A0802A23CEE42E76E2A749A7530E7B72F5F1E64462AEF6B9C5ADA48E02353910A2820CB7A64D72763A16094B0AB73335997BEEA8F77C19691F78073D
              Malicious:true
              Antivirus:
              • Antivirus: Avira, Detection: 100%
              • Antivirus: Joe Sandbox ML, Detection: 100%
              Reputation:unknown
              Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............|...|...|....K.#}...'...}......{}....X.#}....f..|....g..}..*...a|.......}....N..}..*...E}..[.I.E|...'..U}....N.+}..[.K.P|..[.K./}...I.h}..u.Y.k|.......|..W"...|..b.L.t|...|...}......N|..2%...|..Rich.|..............................................................................................................PE..d.+..DN^.........." .........@......p..........@.............................` .....@lx}..b..........................................P ......c..........h.......................$#................................................... ...............................text............................... ..`.rdata...O... ...P... ..............@..@.data....x...p.......p..............@....pdata..,...........................A..@.rsrc...............................@..@.reloc..$#.......0..................@..B.qkm....J....@.......@..............@..@.cvjb...f...
              C:\Users\user\AppData\Local\0Nty\recdisc.exe
              Process:C:\Windows\explorer.exe
              File Type:PE32+ executable (GUI) x86-64, for MS Windows
              Category:dropped
              Size (bytes):192512
              Entropy (8bit):6.154101271794163
              Encrypted:false
              SSDEEP:3072:H4SpDkUbgEHxW3BIovAuegPO8evTq2VC:H4/3BdFegEv+2V
              MD5:D2AEFB37C329E455DC2C17D3AA049666
              SHA1:69C5182FDC8A86009113EE721C8F1632F7B3D2DB
              SHA-256:A65F86E8EC62BEB3019E368E506DAB21FF872097EBF3FAEB4A3B23F2A08DFCE9
              SHA-512:DD5D63D79FD9E43560291687E0B41B71D6ECA55F033FE94BAA4FAF4CB967F6480CAC4F5481B3102F0589A65AFA473F5637B1C31C522329A275461F3D8C4353A3
              Malicious:false
              Antivirus:
              • Antivirus: Virustotal, Detection: 0%, Browse
              • Antivirus: Metadefender, Detection: 0%, Browse
              • Antivirus: ReversingLabs, Detection: 0%
              Reputation:unknown
              Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........e_...1...1...1..|....1..`5...1..`2...1..`4...1..`0...1...0...1..`8...1..`...1..`3...1.Rich..1.................PE..d...+38..........."............................@.............................@............`.......... .......................................|....... ..0....................0......0m..T....................9..(....8...............9...............................text............................... ..`.rdata...f...0...h..................@..@.data...`a.......Z..................@....pdata..............................@..@.rsrc...0.... ......................@..@.reloc.......0......................@..B................................................................................................................................................................................................................................................................
              C:\Users\user\AppData\Local\2vl\DUI70.dll
              Process:C:\Windows\explorer.exe
              File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
              Category:dropped
              Size (bytes):2404352
              Entropy (8bit):4.094137841436053
              Encrypted:false
              SSDEEP:12288:dVI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1T:EfP7fWsK5z9A+WGAW+V5SB6Ct4bnb
              MD5:B6247D6791F82E58D5D33122BD0F7C54
              SHA1:CC03732CEC968973E9F1AF26AFBEEB5D0F55FC3F
              SHA-256:7AD71B0114C68798E5B61F406FCEDEA1F12F3BD2C70EDC0C35C35A4EADAF9F7C
              SHA-512:889B7AD402B8A162EC9C277BD08F227AEE9AB566B28721964F38A50D8A1DADA3FC4F99ECF361167586B4269D935BFD6A2A8465FDE6514E95F08528016CE268D9
              Malicious:true
              Antivirus:
               • Antivirus: Avira, Detection: 100%
               • Antivirus: Joe Sandbox ML, Detection: 100%
              Reputation:unknown
              Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............|...|...|....K.#}...'...}......{}....X.#}....f..|....g..}..*...a|.......}....N..}..*...E}..[.I.E|...'..U}....N.+}..[.K.P|..[.K./}...I.h}..u.Y.k|.......|..W"...|..b.L.t|...|...}......N|..2%...|..Rich.|..............................................................................................................PE..d.+..DN^.........." .......... .....p..........@..............................$.....@lx}..b..........................................P .dQ...c..........h.......................$#................................................... ...............................text............................... ..`.rdata...O... ...P... ..............@..@.data....x...p.......p..............@....pdata..,...........................A..@.rsrc...............................@..@.reloc..$#.......0..................@..B.qkm....J....@.......@..............@..@.cvjb...f...
              C:\Users\user\AppData\Local\2vl\LicensingUI.exe
              Process:C:\Windows\explorer.exe
              File Type:PE32+ executable (GUI) x86-64, for MS Windows
              Category:dropped
              Size (bytes):146776
              Entropy (8bit):6.610587238297347
              Encrypted:false
              SSDEEP:3072:bjUURMlqPDQJX08E16Oa1bwcdnaevk2i2tMZd:39ilq7AxE4OaR1aymv
              MD5:BA2B32F8E3717F4A9CA3D400410E539A
              SHA1:87FFA0CBBE8B528E2263EE7121264011D1F5C5A4
              SHA-256:EC53F4520A49115D6E6CEE8CF896BCCA84E425BFB76E3FA904665F2A2F957BC8
              SHA-512:FC5DA9B26C395CA2191C4FDC0F06F37D75D67404D49C38EF75189ACC0817D02CED290559848C687DD74DD33F62DC36F1AD15A017E4977014CFE83025D22F596A
              Malicious:false
              Antivirus:
               • Antivirus: Virustotal, Detection: 0%
               • Antivirus: Metadefender, Detection: 0%
              • Antivirus: ReversingLabs, Detection: 0%
              Reputation:unknown
              Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........5T..[...[...[......[...X...[..._...[...^...[...Z...[...Z...[...R...[.......[...Y...[.Rich..[.........................PE..d......Y.........."..........x................@.............................p......9................ ...............................................P..H....@..@.......X'...`..P.......T.......................(....................................................text...,........................... ..`.imrsiv..................................rdata..rV.......X..................@..@.data........0......................@....pdata..@....@......................@..@.rsrc...H....P......................@..@.reloc..P....`......................@..B................................................................................................................................................................................................................
              C:\Users\user\AppData\Local\4DETSU\FXSCOVER.exe
              Process:C:\Windows\explorer.exe
              File Type:PE32+ executable (GUI) x86-64, for MS Windows
              Category:dropped
              Size (bytes):232960
              Entropy (8bit):5.805361894084464
              Encrypted:false
              SSDEEP:6144:v4J/ihC4Tb5//JfI+QL+ooODUwq306Q/:v4khC4h/qiooT06Q/
              MD5:BEAB16FEFCB7F62BBC135FB87DF7FDF2
              SHA1:EAF18190494496329573CAA3F95CACA6EF0FB6F6
              SHA-256:E3C66F68737611DFD051F1D6EEB371FDE89B129925A85695B9F90CDE3E04BD96
              SHA-512:FF4E756B1D928C97523ADE2B30FAB56219659AA22E7F5D71CB3238A2C39E1C704C6A046C2DC14FA5207CE8E8C75CD7EF5416B36A1452D97D929A5686C75D2C83
              Malicious:false
              Antivirus:
              • Antivirus: ReversingLabs, Detection: 0%
              Reputation:unknown
              Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........).I.H...H...H...,...H...,...H...,...H...,...H...H...K...,...H...,...H...,...H..Rich.H..................PE..d.....3..........."............................@.....................................0....`.......... ..................................................h1...`..........................T....................c..(....b...............d...............................text...~........................... ..`.rdata....... ......................@..@.data........@.......&..............@....pdata.......`.......6..............@..@.rsrc...h1.......2...N..............@..@.reloc..............................@..B........................................................................................................................................................................................................................................................................
              C:\Users\user\AppData\Local\4DETSU\MFC42u.dll
              Process:C:\Windows\explorer.exe
              File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
              Category:dropped
              Size (bytes):2146304
              Entropy (8bit):3.60023617437132
              Encrypted:false
              SSDEEP:12288:mVI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1K47:7fP7fWsK5z9A+WGAW+V5SB6Ct4bnbK
              MD5:44E6F4AE82E198545E40858C95CB304A
              SHA1:64799A505F32C595AB858A3F0DA66C69CC9C19DE
              SHA-256:A469E652E33BA0D7E248176ABCB460912B7EF9AFEE0B976D6ADB0BB26601D353
              SHA-512:B042C71C2B6DF38EF60A6371610699A5EBA0CE85CF5E894E82F3F3B352FC4D61E78BD1B3BC0E06768BBAA1CCA8B4A52AD2B2A8B801B6E6054A840509EB9B44B3
              Malicious:true
              Antivirus:
               • Antivirus: Avira, Detection: 100%
               • Antivirus: Joe Sandbox ML, Detection: 100%
              Reputation:unknown
              Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............|...|...|....K.#}...'...}......{}....X.#}....f..|....g..}..*...a|.......}....N..}..*...E}..[.I.E|...'..U}....N.+}..[.K.P|..[.K./}...I.h}..u.Y.k|.......|..W"...|..b.L.t|...|...}......N|..2%...|..Rich.|..............................................................................................................PE..d.+..DN^.........." ................p..........@.............................. .....@lx}..b..........................................P ..l...c..........h.......................$#................................................... ...............................text............................... ..`.rdata...O... ...P... ..............@..@.data....x...p.......p..............@....pdata..,...........................A..@.rsrc...............................@..@.reloc..$#.......0..................@..B.qkm....J....@.......@..............@..@.cvjb...f...
              C:\Users\user\AppData\Local\8FwY\dpx.dll
              Process:C:\Windows\explorer.exe
              File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
              Category:dropped
              Size (bytes):2121728
              Entropy (8bit):3.5583371704739357
              Encrypted:false
              SSDEEP:12288:sVI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1:ZfP7fWsK5z9A+WGAW+V5SB6Ct4bnb
              MD5:84A402DFBA64739AF98A797BFF68AB60
              SHA1:C5734661A0BA49350157E021989BDB768178E607
              SHA-256:6AC1496F60796CA15B0DBB61A0C2D81D6CD406B4A273BC2E036EE2CC94C7A333
              SHA-512:127438FE3F4D1570234EC12CBA62994CBB5ED94D5519BAE69E9A993E59C58FC91FA6C6F97CA24E2320F94AF0481F039652926E5F0B8276F1B798C8D104BB7D53
              Malicious:true
              Antivirus:
              • Antivirus: Avira, Detection: 100%
              • Antivirus: Joe Sandbox ML, Detection: 100%
              Reputation:unknown
              Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............|...|...|....K.#}...'...}......{}....X.#}....f..|....g..}..*...a|.......}....N..}..*...E}..[.I.E|...'..U}....N.+}..[.K.P|..[.K./}...I.h}..u.Y.k|.......|..W"...|..b.L.t|...|...}......N|..2%...|..Rich.|..............................................................................................................PE..d.+..DN^.........." .........@......p..........@.............................` .....@lx}..b..........................................P ......c..........h.......................$#................................................... ...............................text............................... ..`.rdata...O... ...P... ..............@..@.data....x...p.......p..............@....pdata..,...........................A..@.rsrc...............................@..@.reloc..$#.......0..................@..B.qkm....J....@.......@..............@..@.cvjb...f...
              C:\Users\user\AppData\Local\8FwY\wusa.exe
              Process:C:\Windows\explorer.exe
              File Type:PE32+ executable (GUI) x86-64, for MS Windows
              Category:dropped
              Size (bytes):308736
              Entropy (8bit):6.55894801361276
              Encrypted:false
              SSDEEP:6144:TozDd3UafMCFoMVclxM8cVM49UApxyN90vE:ToXd33MCFoqSxM5MmUAy90
              MD5:04CE745559916B99248F266BBF5F9ED9
              SHA1:76FA00103A89C735573D1D8946D8787A839475B6
              SHA-256:1D86701A861FFA88FE050A466E04281A4809C334B16832A84231DC6A5FBC4195
              SHA-512:B4D2EF6B90164E17258F53BCAF954076D02EDB7F496F4F79B2CF7848B90614F6160C8EB008BA5904521DD8B1449840B2D7EE368860E58E01FBEAB9873B654B3A
              Malicious:false
              Reputation:unknown
              Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......;..-..~..~..~v./~}.~....}.~....i.~....{.~....d.~..~w.~....k.~..C~~.~....~.~Rich..~................PE..d.....TS.........."......`...X.......f.........@....................................g.....`.......... .......................................I...........T...p..................`....?..T...................Pq..(...Pp..............xq..@............................text...3^.......`.................. ..`.rdata..^....p.......d..............@..@.data........`.......T..............@....pdata.......p.......X..............@..@.rsrc....T.......V...^..............@..@.reloc..`...........................@..B................................................................................................................................................................................................................................................................
              C:\Users\user\AppData\Local\9Krbbc\ACTIVEDS.dll
              Process:C:\Windows\explorer.exe
              File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
              Category:dropped
              Size (bytes):2121728
              Entropy (8bit):3.5609800893226784
              Encrypted:false
              SSDEEP:12288:XVI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1:efP7fWsK5z9A+WGAW+V5SB6Ct4bnb
              MD5:2A0973FA588371BB4A19B6CC0C7E00ED
              SHA1:B441B28BA295D9223EEB4CCC6660177EEA7FEED7
              SHA-256:C063B7251B7AB553053CFCCE861C04C285D08830127403E2D0C888A48F71453D
              SHA-512:548B9DB967268DD17727AABD4A7A2A739236D4674C76A13D78C0ADAA4F74EBFDE7A0D755A0D2CA3B1559C9EB68EF24C3124363687FF8D33F806E8F3B67DCC5E5
              Malicious:true
              Antivirus:
              • Antivirus: Avira, Detection: 100%
              • Antivirus: Joe Sandbox ML, Detection: 100%
              Reputation:unknown
              Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............|...|...|....K.#}...'...}......{}....X.#}....f..|....g..}..*...a|.......}....N..}..*...E}..[.I.E|...'..U}....N.+}..[.K.P|..[.K./}...I.h}..u.Y.k|.......|..W"...|..b.L.t|...|...}......N|..2%...|..Rich.|..............................................................................................................PE..d.+..DN^.........." .........@......p..........@.............................` .....@lx}..b..........................................P .y....c..........h.......................$#................................................... ...............................text............................... ..`.rdata...O... ...P... ..............@..@.data....x...p.......p..............@....pdata..,...........................A..@.rsrc...............................@..@.reloc..$#.......0..................@..B.qkm....J....@.......@..............@..@.cvjb...f...
              C:\Users\user\AppData\Local\9Krbbc\SppExtComObj.Exe
              Process:C:\Windows\explorer.exe
              File Type:PE32+ executable (GUI) x86-64, for MS Windows
              Category:dropped
              Size (bytes):577024
              Entropy (8bit):7.365924302927238
              Encrypted:false
              SSDEEP:12288:KEpKNOQ/1mgFgnHF+2ryqfut4iob3vBzx4PQpIQbwhsi:lpKbbFgl+2Oqfuqiob3JUFs
              MD5:809E11DECADAEBE2454EFEDD620C4769
              SHA1:A121B9FC2010247C65CE8975FE4D88F5E9AC953E
              SHA-256:8906D8D8BCD7C8302A3E56EA2EBD0357748ACC9D3FDA91925609C742384B9CC2
              SHA-512:F78F46437C011C102A9BCEC2A8565EDC75500C9448AC17457FF44D3C8DB1980F772C0D1546F1DEE0F8A6F2C7273A5A915860B768DE9BB24EBEFE2907CE18B0DF
              Malicious:false
              Reputation:unknown
              Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......%.].a.3.a.3.a.3.h.u.3...6.`.3...7.t.3...2.n.3.a.2...3...=.r.3...0.e.3....`.3...1.`.3.Richa.3.........PE..d...b.............".................0..........@................CS P................3................ .......................................Y..h................J......................T............................S...............z..`............................text............................... ..`?g_Encry.-.......................... ..`.rdata..._.......`..................@..@.data........p.......V..............@....pdata...J.......L...d..............@..@.rsrc...............................@..@.reloc..............................@..B................................................................................................................................................................................................................................
              C:\Users\user\AppData\Local\B8nn\Dxpserver.exe
              Process:C:\Windows\explorer.exe
              File Type:PE32+ executable (GUI) x86-64, for MS Windows
              Category:dropped
              Size (bytes):304640
              Entropy (8bit):5.920357039114308
              Encrypted:false
              SSDEEP:6144:SidsFxbUPoT/FPrriCEe+oiXoGJm7JwQ9oWxDEHZwj:xaFxbFDBsBo6maPWxDcwj
              MD5:DCCB1D350193BE0A26CEAFF602DB848E
              SHA1:02673E7070A589B5BF6F217558A06067B388A350
              SHA-256:367CEA47389B6D5211595AE88454D9589AA8C996F5E765904FFEDE434424AF22
              SHA-512:ECD3C32E2BED31FC6328CA4B171B5D2503A2795324667F67FF48A67DF7C8B88760A62C0119A173487B9886E6AF3994025A85E42B064BEA38A466A6848AF65541
              Malicious:false
              Reputation:unknown
              Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......9. E}.N.}.N.}.N...M.~.N...J.d.N...K.{.N...O.X.N.}.O.F.N...G.[.N....|.N...L.|.N.Rich}.N.........PE..d....z............".................`..........@..........................................`.......... ..........................................|....0..H....... ...............p...`...T............................<...............=...............................text...<........................... ..`.rdata..6...........................@..@.data...............................@....pdata.. ...........................@..@.rsrc...H....0......................@..@.reloc..p...........................@..B................................................................................................................................................................................................................................................................................
              C:\Users\user\AppData\Local\B8nn\XmlLite.dll
              Process:C:\Windows\explorer.exe
              File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
              Category:dropped
              Size (bytes):2121728
              Entropy (8bit):3.5589287422510516
              Encrypted:false
              SSDEEP:12288:pVI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1:IfP7fWsK5z9A+WGAW+V5SB6Ct4bnb
              MD5:CF749BC5C2122F394AF6B2AA66EF71CD
              SHA1:0369F942C144F4B33B596FD0EBB58F71B2F6D26B
              SHA-256:14375D79237DA8A731ED43252FBFC4B53EED438945A2097C14FB4160EFAA2D73
              SHA-512:97E95B61EBAE640C6C8752859093671B81C7F49DBCE10035D956EB147A207D4390F767472CFE9CE710B611E63CBE9F484D135496AFE6B34DD4C954118A5B98C6
              Malicious:true
              Antivirus:
              • Antivirus: Avira, Detection: 100%
              • Antivirus: Joe Sandbox ML, Detection: 100%
              Reputation:unknown
              Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............|...|...|....K.#}...'...}......{}....X.#}....f..|....g..}..*...a|.......}....N..}..*...E}..[.I.E|...'..U}....N.+}..[.K.P|..[.K./}...I.h}..u.Y.k|.......|..W"...|..b.L.t|...|...}......N|..2%...|..Rich.|..............................................................................................................PE..d.+..DN^.........." .........@......p..........@.............................` .....@lx}..b..........................................P ......c..........h.......................$#................................................... ...............................text............................... ..`.rdata...O... ...P... ..............@..@.data....x...p.......p..............@....pdata..,...........................A..@.rsrc...............................@..@.reloc..$#.......0..................@..B.qkm....J....@.......@..............@..@.cvjb...f...
              C:\Users\user\AppData\Local\Bun\DevicePairingWizard.exe
              Process:C:\Windows\explorer.exe
              File Type:PE32+ executable (GUI) x86-64, for MS Windows
              Category:dropped
              Size (bytes):92160
              Entropy (8bit):5.664138088677901
              Encrypted:false
              SSDEEP:1536:D/BmrFjio5/vzDSPwiEKi3xGyibqZ3qOT3:9mp5SwiEKWZiTo3
              MD5:E23643C785D498FF73B5C9D7EA173C3D
              SHA1:56296F1D29FC2DCBFAA1D991C87B10968C6D3882
              SHA-256:40F423488FC0C13DED29109F8CC1C0D2CCE52ECB1BD01939EF774FE31014E0F4
              SHA-512:22E29A06F19E2DA941A707B8DA7115E0F5962617295CC36395A8E9B2A98F0239B6519B4BF4AB1DC671DEF8CD558E8F59F4E50C63130D392D1E085BBF6B710914
              Malicious:false
              Reputation:unknown
              Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......%...a...a...a...h...o......b......r......i......j...a..........c.....j.`......`...Richa...................PE..d...x.1".........."......\...........b.........@.....................................H....`.......... ..............................................................................|..T...........................`r..............`s..8............................text....[.......\.................. ..`.rdata...-...p.......`..............@..@.data... ...........................@....pdata..............................@..@.rsrc...............................@..@.reloc...............f..............@..B................................................................................................................................................................................................................................................................
              C:\Users\user\AppData\Local\Bun\MFC42u.dll
              Process:C:\Windows\explorer.exe
              File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
              Category:dropped
              Size (bytes):2146304
              Entropy (8bit):3.5999443255720154
              Encrypted:false
              SSDEEP:12288:9VI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1:kfP7fWsK5z9A+WGAW+V5SB6Ct4bnb
              MD5:B8583BCD3646915D6FA965A033928155
              SHA1:A8A80A042BFB3F23980F78B5695411BE670C1DC0
              SHA-256:13BC74B3E5A8341A886C3C0F444783F611803D73BAA20202F18340FA5E48CA0D
              SHA-512:243E32A0A7FA8278CFD8EB838A8C6BB240043F21CAD1E33D20DA54CF2E3E3A5899BF45A23E6D4A7E1D7F2FADA7016E5F22AE9FE5A2D42651BD243C5EA16A68AB
              Malicious:false
              Reputation:unknown
              Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............|...|...|....K.#}...'...}......{}....X.#}....f..|....g..}..*...a|.......}....N..}..*...E}..[.I.E|...'..U}....N.+}..[.K.P|..[.K./}...I.h}..u.Y.k|.......|..W"...|..b.L.t|...|...}......N|..2%...|..Rich.|..............................................................................................................PE..d.+..DN^.........." ................p..........@.............................. .....@lx}..b..........................................P ..l...c..........h.......................$#................................................... ...............................text............................... ..`.rdata...O... ...P... ..............@..@.data....x...p.......p..............@....pdata..,...........................A..@.rsrc...............................@..@.reloc..$#.......0..................@..B.qkm....J....@.......@..............@..@.cvjb...f...
              C:\Users\user\AppData\Local\LnjKLu\DUI70.dll
              Process:C:\Windows\explorer.exe
              File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
              Category:dropped
              Size (bytes):2404352
              Entropy (8bit):4.094232719670622
              Encrypted:false
              SSDEEP:12288:rVI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1bT:qfP7fWsK5z9A+WGAW+V5SB6Ct4bnb
              MD5:BA00B1255006B5B8A6F65DC6D2A59DAE
              SHA1:8CEC4C49EDF68431C794817D93C0FFCE933B4E2B
              SHA-256:095A00A6D3B5FDF367B389858F6F7CE9ED2483D26B878681DEEE96CE6F9EB1E6
              SHA-512:051D058BCBF12614CB08E393FEB4E938AC21A7EA4098157394BB962E4DA01EBD1C00DB28F0A51A17F439B5B62A415569B3B417DD1BDED5D702CC141A5E86BB1A
              Malicious:false
              Reputation:unknown
              Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............|...|...|....K.#}...'...}......{}....X.#}....f..|....g..}..*...a|.......}....N..}..*...E}..[.I.E|...'..U}....N.+}..[.K.P|..[.K./}...I.h}..u.Y.k|.......|..W"...|..b.L.t|...|...}......N|..2%...|..Rich.|..............................................................................................................PE..d.+..DN^.........." .......... .....p..........@..............................$.....@lx}..b..........................................P .dQ...c..........h.......................$#................................................... ...............................text............................... ..`.rdata...O... ...P... ..............@..@.data....x...p.......p..............@....pdata..,...........................A..@.rsrc...............................@..@.reloc..$#.......0..................@..B.qkm....J....@.......@..............@..@.cvjb...f...
              C:\Users\user\AppData\Local\LnjKLu\ProximityUxHost.exe
              Process:C:\Windows\explorer.exe
              File Type:PE32+ executable (GUI) x86-64, for MS Windows
              Category:dropped
              Size (bytes):264480
              Entropy (8bit):6.478365286411354
              Encrypted:false
              SSDEEP:6144:xSt+s2GFGbqEuzhJONjx9UVuCuHpwqr/vt9r+ULJBaBpcIFz:xStzFGbGhoPgMHpwqrHthUB6IF
              MD5:E7F0E9B3779E54CD271959C600A2A531
              SHA1:8006E2D1AA91798E48D8BFDE1EBF94A2D6BA6C0A
              SHA-256:155CE33E0E145314FE9D8911BE69B8CBBD2AC09B7B6D98363F9BAA277C71954E
              SHA-512:E10C3FD9C5F34260323CEC9E8EEDF2290F40254F0FFDCA582DB57D113B32871793CDFFF03D55941EF5E79FA8141803AB353BA4938357A4555233F2D090045338
              Malicious:false
              Reputation:unknown
              Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........B..B..B..K.`.&..-..A..-...U..-...K..-..U..B..t..-...]..-...C..-..C..RichB..........PE..d...;.*Q.........."............................@............................. ......&................ ..................................................H.......T....... +..........Pa..T...................p3..(...p2...............3...............................text............................... ..`.imrsiv..................................rdata....... ......................@..@.data...x...........................@....pdata..T...........................@..@.rsrc...H...........................@..@.reloc..............................@..B................................................................................................................................................................................................................................
              C:\Users\user\AppData\Local\M5A\wer.dll
              Process:C:\Windows\explorer.exe
              File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
              Category:dropped
              Size (bytes):2125824
              Entropy (8bit):3.5693057153343792
              Encrypted:false
              SSDEEP:12288:5VI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1:4fP7fWsK5z9A+WGAW+V5SB6Ct4bnb
              MD5:5F5B4F0BE7EDE9E5A344DF47CE0CDB88
              SHA1:25DA7FA0704227C2CA6F0F54EF5C73DF862198B2
              SHA-256:B582E1DF3773DD2B0345F7CFD286B8F8B18975849320C1EE87D827AB590CAA82
              SHA-512:7DB53F0BAE6E8E5F1499512097A6CBED579B98973A555AC5C590E720CA30FA241D7EC63FFDF565B5B8000127172EF21B110DCEEF3FFF7FDA3DB977C4ABF26F68
              Malicious:true
              Antivirus:
              • Antivirus: Avira, Detection: 100%
              • Antivirus: Joe Sandbox ML, Detection: 100%
              Reputation:unknown
              Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............|...|...|....K.#}...'...}......{}....X.#}....f..|....g..}..*...a|.......}....N..}..*...E}..[.I.E|...'..U}....N.+}..[.K.P|..[.K./}...I.h}..u.Y.k|.......|..W"...|..b.L.t|...|...}......N|..2%...|..Rich.|..............................................................................................................PE..d.+..DN^.........." .........P......p..........@.............................p .....@lx}..b..........................................P .W....c..........h.......................$#................................................... ...............................text............................... ..`.rdata...O... ...P... ..............@..@.data....x...p.......p..............@....pdata..,...........................A..@.rsrc...............................@..@.reloc..$#.......0..................@..B.qkm....J....@.......@..............@..@.cvjb...f...
              C:\Users\user\AppData\Local\M5A\wermgr.exe
              Process:C:\Windows\explorer.exe
              File Type:PE32+ executable (GUI) x86-64, for MS Windows
              Category:dropped
              Size (bytes):209312
              Entropy (8bit):6.796289498157116
              Encrypted:false
              SSDEEP:6144:swTMBboFMSuc/9NPXWPJROo/wVJyB60OHyLC7vs:swTMB02SD/mXO64c2Hyw
              MD5:FF214585BF10206E21EA8EBA202FACFD
              SHA1:1ED4AE92D235497F62610078D51105C4634AFADE
              SHA-256:C48C430EB07ACC2FF8BDDD6057F5C9F72C2E83F67478F1E4A1792AF866711538
              SHA-512:24073F60B886C58F227769B2DD7D1439DF841784E43E753265DA761801FDA58FBEEDAC4A642E0A6ABDA40A6263153FAA1A9540DF6D35E38BF0EE5327EA55B4FE
              Malicious:false
              Reputation:unknown
              Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........(j.jI..jI..jI..c1...I...-..iI...-..qI..jI...H...-..mI...-..`I...-..KI...-..kI...-..kI..RichjI..................PE..d...p............"......,..........`(.........@.............................p.......................`......................................... .... ..0:...............!...`..\...@...T...........................`Q..............`R.. ...t........................text...++.......,.................. ..`.imrsiv......@...........................rdata.......P.......0..............@..@.data...X...........................@....pdata..............................@..@.didat..@...........................@....rsrc...0:... ...<..................@..@.reloc..\....`......................@..B................................................................................................................................................................................
              C:\Users\user\AppData\Local\Mnd\VERSION.dll
              Process:C:\Windows\explorer.exe
              File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
              Category:dropped
              Size (bytes):2121728
              Entropy (8bit):3.559794578495645
              Encrypted:false
              SSDEEP:12288:kVI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1:BfP7fWsK5z9A+WGAW+V5SB6Ct4bnb
              MD5:1AE7DB0FD99F869562057B3685B4419F
              SHA1:B403937ABF171D7B76725FBDC003872D45C67502
              SHA-256:4FC37EF78A0B1F816556CF10A9942939832F72EF321F24B6BAF0152EDEB45D48
              SHA-512:55EFF618F7B54BEB965B7BFCC615351D00D9988504E9166E371EC9FDA7F4D9A9B305D2CC01EA2E9D4D70888403AF1AD5833DDB9DEA31DF8B5A6AD97E5032DCD6
              Malicious:true
              Antivirus:
               • Antivirus: Avira, Detection: 100%
               • Antivirus: Joe Sandbox ML, Detection: 100%
              Reputation:unknown
              Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............|...|...|....K.#}...'...}......{}....X.#}....f..|....g..}..*...a|.......}....N..}..*...E}..[.I.E|...'..U}....N.+}..[.K.P|..[.K./}...I.h}..u.Y.k|.......|..W"...|..b.L.t|...|...}......N|..2%...|..Rich.|..............................................................................................................PE..d.+..DN^.........." .........@......p..........@.............................` .....@lx}..b..........................................P .+....c..........h.......................$#................................................... ...............................text............................... ..`.rdata...O... ...P... ..............@..@.data....x...p.......p..............@....pdata..,...........................A..@.rsrc...............................@..@.reloc..$#.......0..................@..B.qkm....J....@.......@..............@..@.cvjb...f...
              C:\Users\user\AppData\Local\Mnd\wextract.exe
              Process:C:\Windows\explorer.exe
              File Type:PE32+ executable (GUI) x86-64, for MS Windows
              Category:dropped
              Size (bytes):143872
              Entropy (8bit):6.942627183104786
              Encrypted:false
              SSDEEP:3072:0BuGag041hcWp1icKAArDZz4N9GhbkUNEk95l:5hudp0yN90vE
              MD5:ED93B350C8EEFC442758A00BC3EEDE2D
              SHA1:ADD14417939801C555BBBFFAF7388BD13DE2DE42
              SHA-256:ABD6D466E30626636D380A3C9FCC0D0B909C450F8EA74D8963881D7C46335CED
              SHA-512:7BA8D1411D9AEE3447494E248005A43F522CA684839FCD4C4592946B12DC4E73B1FF86D8E843B25A73E3F2463955815470304E4F219B36DBC94870BEBF700581
              Malicious:false
              Reputation:unknown
              Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........e...............`.......`.......`.......`..........,....`.......`0......`......Rich............................PE..d...._.{.........."......r...........w.........@.....................................R....`.......... .......................................................................... .......T............................................... ............................text....q.......r.................. ..`.rdata...".......$...v..............@..@.data...............................@....pdata..............................@..@.rsrc...............................@..@.reloc.. ............0..............@..B................................................................................................................................................................................................................................................................
              C:\Users\user\AppData\Local\Nom\WTSAPI32.dll
              Process:C:\Windows\explorer.exe
              File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
              Category:dropped
              Size (bytes):2121728
              Entropy (8bit):3.5662350439042503
              Encrypted:false
              SSDEEP:12288:aVI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1:HfP7fWsK5z9A+WGAW+V5SB6Ct4bnb
              MD5:6AABBD46074D1F4BA508D5F48258EEEF
              SHA1:0D326013154DD896F67F2808340896E6B886DEE6
              SHA-256:CFD9A093AB4005696F5B11CD2599CED5A3DBC69F30E704BD5136B4B500FD140F
              SHA-512:0B975F80B2D713F97E5344B8702F888F97511967C93C9487E286A40B228AD0DF293094E0E2CB5D5FB1E7D5223BF15F919D86B6D689CFFF52B25646CCAA9EC629
              Malicious:true
              Antivirus:
              • Antivirus: Avira, Detection: 100%
              • Antivirus: Joe Sandbox ML, Detection: 100%
              Reputation:unknown
              Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............|...|...|....K.#}...'...}......{}....X.#}....f..|....g..}..*...a|.......}....N..}..*...E}..[.I.E|...'..U}....N.+}..[.K.P|..[.K./}...I.h}..u.Y.k|.......|..W"...|..b.L.t|...|...}......N|..2%...|..Rich.|..............................................................................................................PE..d.+..DN^.........." .........@......p..........@.............................` .....@lx}..b..........................................P ......c..........h.......................$#................................................... ...............................text............................... ..`.rdata...O... ...P... ..............@..@.data....x...p.......p..............@....pdata..,...........................A..@.rsrc...............................@..@.reloc..$#.......0..................@..B.qkm....J....@.......@..............@..@.cvjb...f...
              C:\Users\user\AppData\Local\Nom\mblctr.exe
              Process:C:\Windows\explorer.exe
              File Type:PE32+ executable (GUI) x86-64, for MS Windows
              Category:dropped
              Size (bytes):799744
              Entropy (8bit):6.62164167843942
              Encrypted:false
              SSDEEP:12288:y9Pyqz1mcI6upViTf8+RrhGi51qviizQBODAKylkm5ZUxXrc5Zh5ZG5Ze:yHz1m9dpVQRhL5kRzAKcjY8poA
              MD5:0CE1C2D873D151A19FB993139D19E68B
              SHA1:269BDAE3FBF1BE67FCC779720EF5C647AF98DC16
              SHA-256:DCDE80BC80BAD4FCEA64567B14C23595C407705E94EC2D1D39C8944039292904
              SHA-512:93D0ACC3C24D8E9388B7428320F4D16624E276B912914AF3D0ECBEC720491E546A619D000DF41C53DBB37F84B4CB1DF11C291908B05086BB49916E7F2BF90891
              Malicious:false
              Reputation:unknown
              Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........;.4.Zag.Zag.Zag.".g.Zag.>bf.Zag.>ef.Zag.>df.Zag.>`f.Zag.Z`g.[ag.>hf.Zag.>.g.Zag.>cf.ZagRich.Zag........................PE..d....7>.........."..........t.................@....................................%o....`.......... .......................................S..p............................p...... 0..T............................................................................text...Q........................... ..`.rdata..>...........................@..@.data................l..............@....pdata...............x..............@..@.rsrc...............................@..@.reloc.......p.......0..............@..B........................................................................................................................................................................................................................................................
              C:\Users\user\AppData\Local\O8JNmHZW\VERSION.dll
              Process:C:\Windows\explorer.exe
              File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
              Category:dropped
              Size (bytes):2121728
              Entropy (8bit):3.55979090810396
              Encrypted:false
              SSDEEP:12288:5VI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1:4fP7fWsK5z9A+WGAW+V5SB6Ct4bnb
              MD5:17E3E019DB12FE19F8993A2A664B0AF1
              SHA1:8436E71B27FF8EAF67D07D4F9BECB8175253F604
              SHA-256:54F90A3391C70E1C1D51E347C3BBFFD8146814C3B9098DCE738680F1CFFFB1CD
              SHA-512:D86F9AC95D1326CED1F9C43F5008BB121A52515C8BB503181634CDA3A961DDE3103CCA5FC78BB7C8561DF18F5C3CAEE3D13152E87DD673E8FCC8A0EAC7F6741A
              Malicious:false
              Reputation:unknown
              Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............|...|...|....K.#}...'...}......{}....X.#}....f..|....g..}..*...a|.......}....N..}..*...E}..[.I.E|...'..U}....N.+}..[.K.P|..[.K./}...I.h}..u.Y.k|.......|..W"...|..b.L.t|...|...}......N|..2%...|..Rich.|..............................................................................................................PE..d.+..DN^.........." .........@......p..........@.............................` .....@lx}..b..........................................P .+....c..........h.......................$#................................................... ...............................text............................... ..`.rdata...O... ...P... ..............@..@.data....x...p.......p..............@....pdata..,...........................A..@.rsrc...............................@..@.reloc..$#.......0..................@..B.qkm....J....@.......@..............@..@.cvjb...f...
              C:\Users\user\AppData\Local\O8JNmHZW\cmstp.exe
              Process:C:\Windows\explorer.exe
              File Type:PE32+ executable (GUI) x86-64, for MS Windows
              Category:dropped
              Size (bytes):92672
              Entropy (8bit):5.749238064237604
              Encrypted:false
              SSDEEP:1536:7oIXq0f2yF9sDb/RjxgnvkmVUqAVnKUMjbWg+I/87BM/Z4j8Qi1Yv9V:0Izw/RooolWIk7BM/ZNQi1EV
              MD5:2A9828E0C405422D166E0141054A04B3
              SHA1:84AA48946D4F9A9DFE4C1AF6F96C44B643229A73
              SHA-256:94152FB98573FE31C0CE49D260D760DD173741D663414DE718A37AAC7E8EF11F
              SHA-512:B9B0472706C11D3AECDAB055D4CF319EDD50E8C97B7099D1DC7B768812E804975392E327A1E62301077AB92C1CA97E706628B07172892AB09753FBDD9A07277D
              Malicious:false
              Reputation:unknown
              Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........l....X...X...X...Y...X...Y...X...Y...X...Y...X...XQ..X...Y...X...X...X...Y...XRich...X................PE..d....mg..........."............................@..........................................`.......... .......................................M...............p..................X....B..T...............................................H............................text............................... ..`.rdata.."l.......n..................@..@.data........`.......R..............@....pdata.......p.......T..............@..@.rsrc................Z..............@..@.reloc..X............h..............@..B........................................................................................................................................................................................................................................................................
              C:\Users\user\AppData\Local\QEkvVts\WFS.exe
              Process:C:\Windows\explorer.exe
              File Type:PE32+ executable (GUI) x86-64, for MS Windows
              Category:dropped
              Size (bytes):930304
              Entropy (8bit):5.99262413442194
              Encrypted:false
              SSDEEP:12288:YVpcWBIX7oU/HEx5a/DTROFJTl7XjY5uUMUd1vLf1k+xt4vFe:spnBUoR5AfREllTjY5umjz1ivFe
              MD5:CD6ACF3B997099B6CFB2417D3942F755
              SHA1:7376A8000CB7B5CE0F5DA783BAF9F9C2C36F1670
              SHA-256:B699695F47AA8E8B70A21267BA1648B59B33BD677E29D334BC73EBB1A4B81F3E
              SHA-512:F301F0D87CB5FFFFB88AB0B86035DA7705DED1121107D2FDF7A9132F8DFBDEFFAFBE452E3BC7ACEAD1A0E368815127942B2E642B214EA83D90E97B015C766DE0
              Malicious:false
              Reputation:unknown
              Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......OR...3.,.3.,.3.,dW.-.3.,dW.-.3.,dW.-.3.,dW.-$3.,.3.,o7.,dW.-q3.,dW.,.3.,dW.-.3.,Rich.3.,................PE..d...d.D..........."..................F.........@..........................................`.......... .......................................`.......0...%......@A...........`..D ..`@..T....................Y..(... ................Y..8... W.......................text...2........................... ..`.rdata..............................@..@.data..../....... ..................@....pdata..@A.......B..................@..@.didat....... ......................@....rsrc....%...0...&..................@..@.reloc..D ...`..."..................@..B................................................................................................................................................................................................................................
              C:\Users\user\AppData\Local\QEkvVts\WINMM.dll
              Process:C:\Windows\explorer.exe
              File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
              Category:dropped
              Size (bytes):2125824
              Entropy (8bit):3.568769494855891
              Encrypted:false
              SSDEEP:12288:/VI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1:2fP7fWsK5z9A+WGAW+V5SB6Ct4bnb
              MD5:852F5FE3F15F82DBD91A3A5FFE27C781
              SHA1:E6E7BE15DE046D247F7FCBAF62825E9DD0E93390
              SHA-256:85AAB65BC8DC5D02ACF566A14555F5544EE15550506660CCD240DA786AAB04F3
              SHA-512:C69C2777FDC4E94F549D0E686B77A1D6F9F18664E6ED8A58D478D7299CF88A99A831D2209F054A4555F84CBAF6E796656F3C04AD26650E3862DCB64AEABF0C70
              Malicious:true
              Antivirus:
              • Antivirus: Avira, Detection: 100%
              • Antivirus: Joe Sandbox ML, Detection: 100%
              Reputation:unknown
              Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............|...|...|....K.#}...'...}......{}....X.#}....f..|....g..}..*...a|.......}....N..}..*...E}..[.I.E|...'..U}....N.+}..[.K.P|..[.K./}...I.h}..u.Y.k|.......|..W"...|..b.L.t|...|...}......N|..2%...|..Rich.|..............................................................................................................PE..d.+..DN^.........." .........P......p..........@.............................p .....@lx}..b..........................................P .h....c..........h.......................$#................................................... ...............................text............................... ..`.rdata...O... ...P... ..............@..@.data....x...p.......p..............@....pdata..,...........................A..@.rsrc...............................@..@.reloc..$#.......0..................@..B.qkm....J....@.......@..............@..@.cvjb...f...
              C:\Users\user\AppData\Local\SB1jY1h\AtBroker.exe
              Process:C:\Windows\explorer.exe
              File Type:PE32+ executable (GUI) x86-64, for MS Windows
              Category:dropped
              Size (bytes):62976
              Entropy (8bit):5.750635515620841
              Encrypted:false
              SSDEEP:768:LqMH7HUyeCtu1URDrYxfxyLzkd0S2B3ZEI1yfdc9X1vV09SOI9HiEiOpF1QtNcEd:L3RtZkNxCk61BW6901I9HDF1QH8ST
              MD5:E2C775244B3951A401A9083DD742029A
              SHA1:B4DC87649038B7A4E86B5D6AEBAAD975ECE2F477
              SHA-256:80CC3FB17D8CBB4A68F27C607A8D1C0208CEE892F6D2A2E222E18B23D4E0FC76
              SHA-512:CCFABD50BF7F1F9D2DBF3D0F7FFC5A9C862F623472F9AE51A2F4EDB88EF06BCE23731A925405ACF5BF4BB466EA862413EA01B23177C710CA5FE97EA97E6B832C
              Malicious:false
              Reputation:unknown
              Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......5`..q.b.q.b.q.b..ea.r.b..ef.d.b..eg.y.b..ec.b.b.q.c...b..ek.~.b..e..p.b..e`.p.b.Richq.b.........PE..d...=..~.........."..........d.................@.............................@............`.......... ............................................... ..8....................0......p...T...........................p...............p...@............................text.............................. ..`.rdata..8B.......D..................@..@.data...............................@....pdata..............................@..@.rsrc...8.... ......................@..@.reloc.......0......................@..B................................................................................................................................................................................................................................................................................
              C:\Users\user\AppData\Local\SB1jY1h\UxTheme.dll
              Process:C:\Windows\explorer.exe
              File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
              Category:dropped
              Size (bytes):2121728
              Entropy (8bit):3.5684926622805717
              Encrypted:false
              SSDEEP:12288:BVI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1:wfP7fWsK5z9A+WGAW+V5SB6Ct4bnb
              MD5:158C1DF1885FC864E485F6ACE03E43AA
              SHA1:874621AD6CC12CA767A8693033BBEA1EEDEE25C1
              SHA-256:0CDC4C9C52D67E9FAB9EBDC2C39F0D1D1D1042776B2CAA9C5AF3833817526427
              SHA-512:CF090C69481BF910DF5EF588B6AE59BB75479083EFD37113EFFCAEEB5E4576390E04F2C5D758599090C7A51C7FF87DCDE40B7FDFC97B83486F8DDCACA53FC9F9
              Malicious:true
              Antivirus:
              • Antivirus: Avira, Detection: 100%
              • Antivirus: Joe Sandbox ML, Detection: 100%
              Reputation:unknown
              Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............|...|...|....K.#}...'...}......{}....X.#}....f..|....g..}..*...a|.......}....N..}..*...E}..[.I.E|...'..U}....N.+}..[.K.P|..[.K./}...I.h}..u.Y.k|.......|..W"...|..b.L.t|...|...}......N|..2%...|..Rich.|..............................................................................................................PE..d.+..DN^.........." .........@......p..........@.............................` .....@lx}..b..........................................P ......c..........h.......................$#................................................... ...............................text............................... ..`.rdata...O... ...P... ..............@..@.data....x...p.......p..............@....pdata..,...........................A..@.rsrc...............................@..@.reloc..$#.......0..................@..B.qkm....J....@.......@..............@..@.cvjb...f...
              C:\Users\user\AppData\Local\T6Vn91tw0\SLC.dll
              Process:C:\Windows\explorer.exe
              File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
              Category:dropped
              Size (bytes):2121728
              Entropy (8bit):3.5626898520741004
              Encrypted:false
              SSDEEP:12288:IVI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1l1:dfP7fWsK5z9A+WGAW+V5SB6Ct4bnbl1
              MD5:9B62B394C76C05624097101E4F503CF9
              SHA1:82B5529C75A10E3DFF42DB4B241071ACECDCB071
              SHA-256:D606489B4DD836A90E668FB799E13EC617BA7F12CE5EED969E6B887AF1551B47
              SHA-512:231E2B9A2C9CD9EE4C8BEA451214745CD050D0FBA355254BBFBDC1700C18BE156A09EDD9A55353F9F861DD1F960F295E17170CCA07112D7396940D03638B762E
              Malicious:true
              Antivirus:
              • Antivirus: Avira, Detection: 100%
              • Antivirus: Joe Sandbox ML, Detection: 100%
              Reputation:unknown
              Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............|...|...|....K.#}...'...}......{}....X.#}....f..|....g..}..*...a|.......}....N..}..*...E}..[.I.E|...'..U}....N.+}..[.K.P|..[.K./}...I.h}..u.Y.k|.......|..W"...|..b.L.t|...|...}......N|..2%...|..Rich.|..............................................................................................................PE..d.+..DN^.........." .........@......p..........@.............................` .....@lx}..b..........................................P .3....c..........h.......................$#................................................... ...............................text............................... ..`.rdata...O... ...P... ..............@..@.data....x...p.......p..............@....pdata..,...........................A..@.rsrc...............................@..@.reloc..$#.......0..................@..B.qkm....J....@.......@..............@..@.cvjb...f...
              C:\Users\user\AppData\Local\T6Vn91tw0\slui.exe
              Process:C:\Windows\explorer.exe
              File Type:PE32+ executable (GUI) x86-64, for MS Windows
              Category:dropped
              Size (bytes):445952
              Entropy (8bit):6.661655128700218
              Encrypted:false
              SSDEEP:6144:q++gR8ZWU7WZ1rpvJw1DouE71kL3qY/W5R02qO7VKCyWQp:MgzKWZ1VJwEmDq3nyR
              MD5:96A8EF9387619D17BB30B024DDF52BF3
              SHA1:02DFA07143911500925C6298864477296F414AB0
              SHA-256:ECC41BB93E0E1EA63A1027D551BA0FCE503E53EF1BA2E70944FD7E7C7C9A9B8A
              SHA-512:01701BCFB3D3F09DF86CAF75ED76DC82A4B1480A284AB68FB4B7E4941466DB1ED23187B4D2E51B63C7526123EB4647FB5D155F31832E9ED7F4DBADF78F1F94EA
              Malicious:false
              Reputation:unknown
              Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......*...n.rMn.rMn.rMg..Mr.rM..qLm.rM..vLx.rM..wLj.rM..sL{.rMn.sM..rM..|Lv.rM...Mo.rM..pLo.rMRichn.rM........................PE..d...O.h{.........."..........0.................@............................. ............`.......... .......................................-...............`..........................T.......................(....................................................text...&........................... ..`.rdata..............................@..@.data........P.......*..............@....pdata.......`.......0..............@..@.rsrc................J..............@..@.reloc..............................@..B........................................................................................................................................................................................................................................................
              C:\Users\user\AppData\Local\byYs\DUI70.dll
              Process:C:\Windows\explorer.exe
              File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
              Category:dropped
              Size (bytes):2404352
              Entropy (8bit):4.0941855774712055
              Encrypted:false
              SSDEEP:12288:jVI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ19Z:yfP7fWsK5z9A+WGAW+V5SB6Ct4bnb
              MD5:27B08379E48FF2EA436796B3BA872FB3
              SHA1:7F0271B8E7D0C7004998024591713132F9C7F449
              SHA-256:0A5AC48F07DD100A1BF602A1D8B0FD6ED3B31315BCD6CED03FA7A9A8B55C5551
              SHA-512:41D34A6B0BD2F36365D0C71D5E8D35C83AA55F3C3D82EACE7C2898CC69665C13AE998FD72BACFC8747D1309B4B10DE90323D084D38ED4C64AB511C3797BB8ABE
              Malicious:false
              Reputation:unknown
              Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............|...|...|....K.#}...'...}......{}....X.#}....f..|....g..}..*...a|.......}....N..}..*...E}..[.I.E|...'..U}....N.+}..[.K.P|..[.K./}...I.h}..u.Y.k|.......|..W"...|..b.L.t|...|...}......N|..2%...|..Rich.|..............................................................................................................PE..d.+..DN^.........." .......... .....p..........@..............................$.....@lx}..b..........................................P .dQ...c..........h.......................$#................................................... ...............................text............................... ..`.rdata...O... ...P... ..............@..@.data....x...p.......p..............@....pdata..,...........................A..@.rsrc...............................@..@.reloc..$#.......0..................@..B.qkm....J....@.......@..............@..@.cvjb...f...
              C:\Users\user\AppData\Local\byYs\wlrmdr.exe
              Process:C:\Windows\explorer.exe
              File Type:PE32+ executable (GUI) x86-64, for MS Windows
              Category:dropped
              Size (bytes):65704
              Entropy (8bit):5.834154867756865
              Encrypted:false
              SSDEEP:1536:B14+6gGQ7ubZiQ+KytHIyObsvqr9PxDt8PcPs:QgGIu1iFtHJLu9ZDt8kU
              MD5:4849E997AF1274DD145672A2F9BC0827
              SHA1:D24E9C6079A20D1AED8C1C409C3FC8E1C63628F3
              SHA-256:B43FC043A61BDBCF290929666A62959C8AD2C8C121C7A3F36436D61BBD011C9D
              SHA-512:FB9227F0B758496DE1F1D7CEB3B7A5E847C6846ADD360754CFB900358A71422994C4904333AD51852DC169113ACE4FF3349520C816E7EE796E0FBE6106255AEF
              Malicious:false
              Reputation:unknown
              Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........j.s... ... ... .s\ ... .o.!... .o.!... .o.!... .o.!... ... t.. .o.!... .o0 ... .o.!... Rich... ........PE..d....2............"......4...........:.........@.............................@......b................P..................................................xg...............$...0.......y..T............................f...............g..x............................text....3.......4.................. ..`.imrsiv......P...........................rdata..J2...`...4...8..............@..@.data...h............l..............@....pdata...............n..............@..@.rsrc...xg.......h...r..............@..@.reloc.......0......................@..B................................................................................................................................................................................................................................
              C:\Users\user\AppData\Local\gxzS7\credui.dll
              Process:C:\Windows\explorer.exe
              File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
              Category:dropped
              Size (bytes):2121728
              Entropy (8bit):3.5615439297314184
              Encrypted:false
              SSDEEP:12288:xVI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1:AfP7fWsK5z9A+WGAW+V5SB6Ct4bnb
              MD5:D8BF7ED579BFB7A50E4A529F70CF3992
              SHA1:AFD198A7352054DF47F147F47ED0CC2F136284FD
              SHA-256:CC7BF835073F601CE20178DE8B86547E4D481735D22E35AB94FF7A18B24B3262
              SHA-512:8530CFD8BDBC0B1B20EAA392A1977FCC5F3F12E022570287612CA4BE2AE6622B8B236D460EF5420ABF115AEAC237BBFFF7453337DF9E5DDFFAB13085AA83F345
              Malicious:false
              Reputation:unknown
              Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............|...|...|....K.#}...'...}......{}....X.#}....f..|....g..}..*...a|.......}....N..}..*...E}..[.I.E|...'..U}....N.+}..[.K.P|..[.K./}...I.h}..u.Y.k|.......|..W"...|..b.L.t|...|...}......N|..2%...|..Rich.|..............................................................................................................PE..d.+..DN^.........." .........@......p..........@.............................` .....@lx}..b..........................................P ......c..........h.......................$#................................................... ...............................text............................... ..`.rdata...O... ...P... ..............@..@.data....x...p.......p..............@....pdata..,...........................A..@.rsrc...............................@..@.reloc..$#.......0..................@..B.qkm....J....@.......@..............@..@.cvjb...f...
              C:\Users\user\AppData\Local\gxzS7\perfmon.exe
              Process:C:\Windows\explorer.exe
              File Type:PE32+ executable (GUI) x86-64, for MS Windows
              Category:dropped
              Size (bytes):175616
              Entropy (8bit):6.895507339523819
              Encrypted:false
              SSDEEP:3072:uVt2h5auVI9cMHFO+ZyGghtYIo9piswTogiqQKy349:uVMzVIOMHFhyhqIo9s37iTK24
              MD5:BD9ABDEA680B56534CE7627E39270A7C
              SHA1:24FCF3E615F5E7F434244D90AE5C4EB90F7C5EB5
              SHA-256:EB9FF0CDA3E15147BB0FE00984B75C5F7B04644957CCAC135996AC18C1FD3EED
              SHA-512:CEFA87534CB62E705EEE00CE5FA7C73083562A6B97E5D9D0106A3BCB3499A1F7FE997376DB22F73BB4F19DA66E6CE65FE85E2DF1FD06051CC19C006B59082427
              Malicious:false
              Reputation:unknown
              Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......H....f..f..f.c...f.c...f.c...f.c...f..f..f.c...f.c. ..f.c...f.Rich.f.........PE..d.....i6.........."..........$......P..........@.....................................9....`.......... ......................................D........@......0......................p...T...........................`...............`................................text............................... ..`.rdata..:x.......z..................@..@.data........ ......................@....pdata.......0......................@..@.rsrc.......@......................@..@.reloc..............................@..B................................................................................................................................................................................................................................................................................
              C:\Users\user\AppData\Local\h1G\ACTIVEDS.dll
              Process:C:\Windows\explorer.exe
              File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
              Category:dropped
              Size (bytes):2121728
              Entropy (8bit):3.5609838856348315
              Encrypted:false
              SSDEEP:12288:nVI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1:OfP7fWsK5z9A+WGAW+V5SB6Ct4bnb
              MD5:B5AADBED0CF9FCBC4DF667183EBCF3CC
              SHA1:BE5445DE7B7CFC449DB9EE4AA01B4EF85EC46F6C
              SHA-256:0EDAE1B408B6ABCDF430CED04BE928D26B007F50BF8AD0DA8D2D95F029682CA4
              SHA-512:9828D153CEC7FF5F61EEF3E480196854170EE8101FEDC14DC63517578601DCCB7C83627F7843A6FC57CA4DEF4D46A43FF899DB3379E43272828F1B3DFBC91704
              Malicious:false
              Reputation:unknown
              Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............|...|...|....K.#}...'...}......{}....X.#}....f..|....g..}..*...a|.......}....N..}..*...E}..[.I.E|...'..U}....N.+}..[.K.P|..[.K./}...I.h}..u.Y.k|.......|..W"...|..b.L.t|...|...}......N|..2%...|..Rich.|..............................................................................................................PE..d.+..DN^.........." .........@......p..........@.............................` .....@lx}..b..........................................P .y....c..........h.......................$#................................................... ...............................text............................... ..`.rdata...O... ...P... ..............@..@.data....x...p.......p..............@....pdata..,...........................A..@.rsrc...............................@..@.reloc..$#.......0..................@..B.qkm....J....@.......@..............@..@.cvjb...f...
              C:\Users\user\AppData\Local\h1G\AgentService.exe
              Process:C:\Windows\explorer.exe
              File Type:PE32+ executable (GUI) x86-64, for MS Windows
              Category:dropped
              Size (bytes):1189376
              Entropy (8bit):6.169931271903684
              Encrypted:false
              SSDEEP:24576:+pL4Q4y94x7ZWe6b1B5I2M62kM0s1vt2txc/viVO1IORNfLc:uL4Q3S9b6b1UA9MPwOR5c
              MD5:F7E36C20DB953DFF4FDDB817904C0E48
              SHA1:8C6117B5DD68D397FD7C32F4746FB9B353D5DAE5
              SHA-256:2C5EDE0807D8A5EC4B6E0FE0C308B37DBBDE12714FD9ADC4CE3EF4E0A5692207
              SHA-512:32333A33DECD1AF0915FFDC48DA99831DA345010A91630C5245F2548939E33157F6151F596C09D0BEEAC3F15F08F79D4EEF4FAA4158BA023DEDFC4F6F6F56DF8
              Malicious:false
              Reputation:unknown
              Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........:K..[%M.[%M.[%M.?&L.[%M.? L.[%M.?!L.[%M.?$L.[%M.[$M.Z%M.?,L.[%M.?.M.[%M.?'L.[%MRich.[%M........................PE..d...m.>l.........."..........B.................@.....................................=....`.......... ...............................................P.. ........x...........`..`...p-..T...................pI..(...pH...............I...............................text...L........................... ..`.rdata..| ......."..................@..@.data...@....@...r..."..............@....pdata...x.......z..................@..@.rsrc... ....P......................@..@.reloc..`....`......................@..B................................................................................................................................................................................................................................................................
              C:\Users\user\AppData\Local\iU8z5\wer.dll
              Process:C:\Windows\explorer.exe
              File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
              Category:dropped
              Size (bytes):2125824
              Entropy (8bit):3.5692811602312817
              Encrypted:false
              SSDEEP:12288:1VI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1:sfP7fWsK5z9A+WGAW+V5SB6Ct4bnb
              MD5:0F2F06886BBAF597A92F52E906C4CE03
              SHA1:CFDCD31E7AE917F24C94DAFD832E2AABC846AE15
              SHA-256:DBF19D0AF4D465C1C986B3CAD125C54A3204DF84007D1104F583035F8B622B46
              SHA-512:2226AF343434512F1DFA11910678A3E99EC3A0F022D43CD3FE8C4AED85834FBCA8C16F28E547FE7F014056B6F84A16489A84752259AEB3AC7185F3DA44F5E8DB
              Malicious:false
              Reputation:unknown
              Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............|...|...|....K.#}...'...}......{}....X.#}....f..|....g..}..*...a|.......}....N..}..*...E}..[.I.E|...'..U}....N.+}..[.K.P|..[.K./}...I.h}..u.Y.k|.......|..W"...|..b.L.t|...|...}......N|..2%...|..Rich.|..............................................................................................................PE..d.+..DN^.........." .........P......p..........@.............................p .....@lx}..b..........................................P .W....c..........h.......................$#................................................... ...............................text............................... ..`.rdata...O... ...P... ..............@..@.data....x...p.......p..............@....pdata..,...........................A..@.rsrc...............................@..@.reloc..$#.......0..................@..B.qkm....J....@.......@..............@..@.cvjb...f...
              C:\Users\user\AppData\Local\iU8z5\wermgr.exe
              Process:C:\Windows\explorer.exe
              File Type:PE32+ executable (GUI) x86-64, for MS Windows
              Category:dropped
              Size (bytes):209312
              Entropy (8bit):6.796289498157116
              Encrypted:false
              SSDEEP:6144:swTMBboFMSuc/9NPXWPJROo/wVJyB60OHyLC7vs:swTMB02SD/mXO64c2Hyw
              MD5:FF214585BF10206E21EA8EBA202FACFD
              SHA1:1ED4AE92D235497F62610078D51105C4634AFADE
              SHA-256:C48C430EB07ACC2FF8BDDD6057F5C9F72C2E83F67478F1E4A1792AF866711538
              SHA-512:24073F60B886C58F227769B2DD7D1439DF841784E43E753265DA761801FDA58FBEEDAC4A642E0A6ABDA40A6263153FAA1A9540DF6D35E38BF0EE5327EA55B4FE
              Malicious:false
              Reputation:unknown
              Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........(j.jI..jI..jI..c1...I...-..iI...-..qI..jI...H...-..mI...-..`I...-..KI...-..kI...-..kI..RichjI..................PE..d...p............"......,..........`(.........@.............................p.......................`......................................... .... ..0:...............!...`..\...@...T...........................`Q..............`R.. ...t........................text...++.......,.................. ..`.imrsiv......@...........................rdata.......P.......0..............@..@.data...X...........................@....pdata..............................@..@.didat..@...........................@....rsrc...0:... ...<..................@..@.reloc..\....`......................@..B................................................................................................................................................................................
              C:\Users\user\AppData\Local\kOjpxXR\SnippingTool.exe
              Process:C:\Windows\explorer.exe
              File Type:PE32+ executable (GUI) x86-64, for MS Windows
              Category:dropped
              Size (bytes):3292160
              Entropy (8bit):4.311007815185121
              Encrypted:false
              SSDEEP:24576:+oNva52v20/OB1b1v+YMTvlcZbbAbn3ItpG:VNtv20/OB1hXulc10L4tp
              MD5:9012F9C6AC7F3F99ECDD37E24C9AC3BB
              SHA1:7B8268C1B847301C0B5372C2A76CCE326C74991E
              SHA-256:4E30A8C88C755944145F2BC6C935EE5107C56832772F2561229E20CEAB1D10D2
              SHA-512:B76D2BE02A22990E224DBC5AED9E5B701EAC52C1376529DE3E90B084CD6860B88D746CD61093E93FC932E12FBAF45B4CA342CC0D9C9DAE4EAFE05921D83A7397
              Malicious:false
              Reputation:unknown
              Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........$...w...w...w...w...w...v...w...v...w...v...w...v...w...w'..w...v...w..mw...w..ow...w...v...wRich...w................PE..d.....i..........."..........v/.....0..........@..............................2.....I.2...`.......... ..............................................P..(;...0................2.|...`...T.......................(....................................................text...9........................... ..`.rdata..............................@..@.data....0..........................@....pdata.......0......................@..@.rsrc...(;...P...<..................@..@.reloc..|.....2......82.............@..B........................................................................................................................................................................................................................................................
              C:\Users\user\AppData\Local\kOjpxXR\dwmapi.dll
              Process:C:\Windows\explorer.exe
              File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
              Category:dropped
              Size (bytes):2121728
              Entropy (8bit):3.564430230982269
              Encrypted:false
              SSDEEP:12288:BVI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1:wfP7fWsK5z9A+WGAW+V5SB6Ct4bnb
              MD5:1DF68F7322A2C246D8E8E030719ABADD
              SHA1:25A86D132BFC21D4890018962C3578365E8C0757
              SHA-256:AED0A6E8AC8AB86A2EB2888077512E0615DCF2820C45464A227384E7B02A735A
              SHA-512:247971E464A8F5939FC1C9478A8E3F44D6218503E0E4187CC630727C6D7BF546151429EBD627573C5FB39F4F924FDABA1719633EE23B4540B4B42EB4D60CE72F
              Malicious:false
              Reputation:unknown
              Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............|...|...|....K.#}...'...}......{}....X.#}....f..|....g..}..*...a|.......}....N..}..*...E}..[.I.E|...'..U}....N.+}..[.K.P|..[.K./}...I.h}..u.Y.k|.......|..W"...|..b.L.t|...|...}......N|..2%...|..Rich.|..............................................................................................................PE..d.+..DN^.........." .........@......p..........@.............................` .....@lx}..b..........................................P .&....c..........h.......................$#................................................... ...............................text............................... ..`.rdata...O... ...P... ..............@..@.data....x...p.......p..............@....pdata..,...........................A..@.rsrc...............................@..@.reloc..$#.......0..................@..B.qkm....J....@.......@..............@..@.cvjb...f...
              C:\Users\user\AppData\Local\kkXbTNX3S\VERSION.dll
              Process:C:\Windows\explorer.exe
              File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
              Category:dropped
              Size (bytes):2121728
              Entropy (8bit):3.5597998659110672
              Encrypted:false
              SSDEEP:12288:zVI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1:ifP7fWsK5z9A+WGAW+V5SB6Ct4bnb
              MD5:EA53E60CCD953EACD6E4EC1A093544CF
              SHA1:3DFF3F21F3A31769BB487A8F34207F629CC6F2A9
              SHA-256:6224FA0A9E564D0859E1D6951AAD9B2E5CC0BFA867E10085F9FF669424E54D94
              SHA-512:D8E91C06007B40F244EA5E27692362964056501EA78CDAE2120A0E232716DC4EDA850766218FE6B8DACADBCC3748C11DAB790EC996C99D32279F6D22B71809C9
              Malicious:false
              Reputation:unknown
              Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............|...|...|....K.#}...'...}......{}....X.#}....f..|....g..}..*...a|.......}....N..}..*...E}..[.I.E|...'..U}....N.+}..[.K.P|..[.K./}...I.h}..u.Y.k|.......|..W"...|..b.L.t|...|...}......N|..2%...|..Rich.|..............................................................................................................PE..d.+..DN^.........." .........@......p..........@.............................` .....@lx}..b..........................................P .+....c..........h.......................$#................................................... ...............................text............................... ..`.rdata...O... ...P... ..............@..@.data....x...p.......p..............@....pdata..,...........................A..@.rsrc...............................@..@.reloc..$#.......0..................@..B.qkm....J....@.......@..............@..@.cvjb...f...
              C:\Users\user\AppData\Local\kkXbTNX3S\wscript.exe
              Process:C:\Windows\explorer.exe
              File Type:PE32+ executable (GUI) x86-64, for MS Windows
              Category:dropped
              Size (bytes):163840
              Entropy (8bit):5.729539450068024
              Encrypted:false
              SSDEEP:1536:8HSpBlnak9UH8bCAHZ1LQ434syPz7M5hh/kzhwS827HuYHwHugXEYJ6S7775MWUn:aC4HWCp/fM5hvNebgXEYJN73uWUZxtt
              MD5:9A68ADD12EB50DDE7586782C3EB9FF9C
              SHA1:2661E5F3562DD03C0ED21C33E2888E2FD1137D8C
              SHA-256:62A95C926C8513C9F3ACF65A5B33CBB88174555E2759C1B52DD6629F743A59ED
              SHA-512:156CAED6E1BF27B275E4BA0707FB550F1BF347A26361D6D3CAD12C612C327686950B47B6C5487110CF8B35A490FAADC812ADE3777FFF7ED76A528D970914A6E0
              Malicious:false
              Reputation:unknown
              Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$................................................................n.........Rich...................PE..d....U.E.........."......2...R......@*.........@....................................8w....`.............................................8...8...................................T.......T..........................................................................text..."1.......2.................. ..`.rdata..F....P.......6..............@..@.data...............................@....pdata..............................@..@.rsrc...............................@..@.reloc..T............t..............@..B........................................................................................................................................................................................................................................................
              C:\Users\user\AppData\Local\ySbBY3WaF\SndVol.exe
              Process:C:\Windows\explorer.exe
              File Type:PE32+ executable (GUI) x86-64, for MS Windows
              Category:dropped
              Size (bytes):259904
              Entropy (8bit):5.955701055747905
              Encrypted:false
              SSDEEP:3072:UfYIZJbRydnidilSnGvLqeD358rwW39nuyHjVozZcxSHfcBL1ljbEyB7HbIa+:Uf9JonidFnqLV358rNnJqcRcy10/
              MD5:CDD7C7DF2D0859AC3F4088423D11BD08
              SHA1:128789A2EA904F684B5DF2384BA6EEF4EB60FB8E
              SHA-256:D98DB8339EB1B93A7345EECAC2B7290FA7156E3E12B7632D876BD0FD1F31EC66
              SHA-512:A093BF3C40C880A80164F2CAA87DF76DCD854375C5216D761E60F3770DFA04F4B02EC0CA6313C32413AC99A3EBDC081CF915A7B468EE3CED80F9B1ECF4B49804
              Malicious:false
              Reputation:unknown
              Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........<.BL]..L]..L]..E%...]..#9..O]..#9..U]..#9..F]..#9..W]..L]...\..#9..o]..#9k.M]..#9..M]..RichL]..........................PE..d...wJSn.........."............................@.............................@....................... .........................................p.... ..@...............@+...0.......U..T...................p&..(...p%...............&......P........................text............................... ..`.imrsiv..................................rdata....... ......................@..@.data...............................@....pdata..............................@..@.didat..............................@....rsrc...@.... ......................@..@.reloc.......0......................@..B........................................................................................................................................................................
              C:\Users\user\AppData\Local\ySbBY3WaF\UxTheme.dll
              Process:C:\Windows\explorer.exe
              File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
              Category:dropped
              Size (bytes):2121728
              Entropy (8bit):3.5685074321676984
              Encrypted:false
              SSDEEP:12288:tVI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1:0fP7fWsK5z9A+WGAW+V5SB6Ct4bnb
              MD5:268ECB8D07BC2F31469FF3C825FCAF4C
              SHA1:ECCC90BBF20D68C77BAD0C39E75F6467FE1EC101
              SHA-256:C337124A0D68D9356040E1F5C514934208901DE875459FA463C232F306FB16C2
              SHA-512:8603B6E4DEA1B0C56D9C8A4AA943B0696723063F495DB74E6D4FF8C85FCBFD4D71DE885520523F935391B2AACE4E86FEB2D3BB4CCCA78054EB4B7870D9A40CE0
              Malicious:false
              Reputation:unknown
              Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............|...|...|....K.#}...'...}......{}....X.#}....f..|....g..}..*...a|.......}....N..}..*...E}..[.I.E|...'..U}....N.+}..[.K.P|..[.K./}...I.h}..u.Y.k|.......|..W"...|..b.L.t|...|...}......N|..2%...|..Rich.|..............................................................................................................PE..d.+..DN^.........." .........@......p..........@.............................` .....@lx}..b..........................................P ......c..........h.......................$#................................................... ...............................text............................... ..`.rdata...O... ...P... ..............@..@.data....x...p.......p..............@....pdata..,...........................A..@.rsrc...............................@..@.reloc..$#.......0..................@..B.qkm....J....@.......@..............@..@.cvjb...f...
              C:\Users\user\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-3853321935-2125563209-4053062332-1002\eb42b1a5c308fc11edf1ddbdd25c8486_d06ed635-68f6-4e9a-955c-4899f5f57b9a
              Process:C:\Windows\explorer.exe
              File Type:data
              Category:dropped
              Size (bytes):4462
              Entropy (8bit):5.480575242471079
              Encrypted:false
              SSDEEP:96:edCYIIR00Oj1NZ7BuyPvYVQx6dCYiLaefYWtGzOY6GzD:eIInC1Nn2JuJQWYzZ6G/
              MD5:D94FDB48B116A14A2F2563F7E1AA8183
              SHA1:44E8DD08F074C105FD001FEFF961C42E4BCDB7F6
              SHA-256:0AC6FF1517064A3976B4B1951CA95A302C7FDE49080C5DB4C8DC278C444DC7B1
              SHA-512:96A4F43372E69D652FC7F776D65EC598B19699923C4E2F12076690104B40CADFAB2CC4FF297E11BA63D4F78FA5A4FB35EE037DC27E538DA75AE75265E95DAE4A
              Malicious:false
              Reputation:unknown
              Preview: ........................................user.........................................user.....................RSA1.....................W$s66.o.4......wK8tY...l...'..}q...?.9..vFr...7x..0..[b.(..J...x...iM:.A}.Z...5nM{.......[....z..'.3}{..<."......!X......................z..O.......F.M.6.K./.v.......,...C.r.y.p.t.o.A.P.I. .P.r.i.v.a.t.e. .K.e.y....f...... ....z9o$au.7..aF&..h. ..l\..[&Y.aM............ ...8....PB......(.]..E.vh..u...........=...M..rs.C....1./iw.}.!i[|.k?..C.p...2.Q..._....-.......-.W..tW.a.(&.T.......dJ...{KE.C.....KU.bqO../t..a/=.^.PRgsG,.c.I........?.7z..e..U..uE0(K._.:Q.P....KZ..7..z<...7.%g.c.v..T.f...[.....5..g...33...?..JC-.;d..N<.E..,..........0.^.Qa:I.........7s.&..P...O.t.=.!....~...+l..e..>..<J...~.d...1b..b...m..4!..h...ZKr..J....`z..c..%.DB..s...M.....@....4..y.........r...f.......M.7t..n.!$".%... ..-..9.....'....8.j.-f....n.0.....VN...|...>2.........{...4...{.....rVL.,q..KA................/)...T.t...V.t_..o.1.

              Static File Info

              General

              File type:PE32+ executable (DLL) (console) x86-64, for MS Windows
              Entropy (8bit):3.5792852577015357
              TrID:
              • Win64 Dynamic Link Library (generic) (102004/3) 86.43%
              • Win64 Executable (generic) (12005/4) 10.17%
              • Generic Win/DOS Executable (2004/3) 1.70%
              • DOS Executable Generic (2002/1) 1.70%
              • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.01%
              File name:X5C9EzCB7A.dll
              File size:2117632
              MD5:dc4fca98a02c5cc7ee5f565c56915c86
              SHA1:4cecd255d9176fff8d0ca18cd3dabd690ce02fbf
              SHA256:ae087f890f576dca43d22b3c527b5008547dacd68dfd61440c99370051cc853b
              SHA512:4954ed3d7ac9fcca73623f1d24a8aaa4ca88727a58a45382e897966311909d0c8d43d709d828e0d3211f6c478ee1ca2bf5970c476c5485a949f5cfbf033e9875
              SSDEEP:12288:YVI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1:NfP7fWsK5z9A+WGAW+V5SB6Ct4bnb
              File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............|...|...|....K.#}...'...}......{}....X.#}....f..|....g..}..*...a|.......}....N..}..*...E}..[.I.E|...'..U}....N.+}..[.K.P|.

              File Icon

              Icon Hash:74f0e4ecccdce0e4

              Static PE Info

              General

              Entrypoint:0x140041070
              Entrypoint Section:.text
              Digitally signed:false
              Imagebase:0x140000000
              Subsystem:windows cui
              Image File Characteristics:EXECUTABLE_IMAGE, DLL, LARGE_ADDRESS_AWARE
              DLL Characteristics:TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA
              Time Stamp:0x5E4E44CC [Thu Feb 20 08:35:24 2020 UTC]
              TLS Callbacks:
              CLR (.Net) Version:
              OS Version Major:5
              OS Version Minor:0
              File Version Major:5
              File Version Minor:0
              Subsystem Version Major:5
              Subsystem Version Minor:0
              Import Hash:6668be91e2c948b183827f040944057f

              Entrypoint Preview

              Instruction
              dec eax
              xor eax, eax
              dec eax
              add eax, 5Ah
              dec eax
              mov dword ptr [00073D82h], ecx
              dec eax
              lea ecx, dword ptr [FFFFECABh]
              dec eax
              mov dword ptr [00073D7Ch], edx
              dec eax
              add eax, ecx
              dec esp
              mov dword ptr [00073D92h], ecx
              dec esp
              mov dword ptr [00073DA3h], ebp
              dec esp
              mov dword ptr [00073D7Ch], eax
              dec esp
              mov dword ptr [00073D85h], edi
              dec esp
              mov dword ptr [00073D86h], esi
              dec esp
              mov dword ptr [00073D8Fh], esp
              dec eax
              mov ecx, eax
              dec eax
              sub ecx, 5Ah
              dec eax
              mov dword ptr [00073D89h], esi
              dec eax
              test eax, eax
              je 00007FFA40DD635Fh
              dec eax
              mov dword ptr [00073D45h], esp
              dec eax
              mov dword ptr [00073D36h], ebp
              dec eax
              mov dword ptr [00073D7Fh], ebx
              dec eax
              mov dword ptr [00073D70h], edi
              dec eax
              test eax, eax
              je 00007FFA40DD633Eh
              jmp ecx
              dec eax
              add edi, ecx
              dec eax
              mov dword ptr [FFFFEC37h], ecx
              dec eax
              xor ecx, eax
              jmp ecx
              retn 0008h
              ud2
              int3
              int3
              int3
              int3
              int3
              int3
              int3
              int3
              int3
              int3
              int3
              int3
              int3
              push ebx
              dec eax
              sub esp, 00000080h
              mov eax, F957B016h
              mov byte ptr [esp+7Fh], 00000037h
              mov edx, dword ptr [esp+78h]
              inc ecx
              mov eax, edx
              inc ecx
              or eax, 5D262B0Ch
              inc esp
              mov dword ptr [esp+78h], eax
              dec eax
              mov dword ptr [eax+eax+00h], 00000000h

              Rich Headers

              Programming Language:
              • [LNK] VS2012 UPD4 build 61030
              • [ASM] VS2013 UPD2 build 30501
              • [ C ] VS2012 UPD2 build 60315
              • [C++] VS2013 UPD4 build 31101
              • [RES] VS2012 UPD3 build 60610
              • [LNK] VS2017 v15.5.4 build 25834
              • [ C ] VS2017 v15.5.4 build 25834
              • [ASM] VS2010 build 30319
              • [EXP] VS2015 UPD1 build 23506
              • [IMP] VS2008 SP1 build 30729
              • [RES] VS2012 UPD4 build 61030
              • [LNK] VS2012 UPD2 build 60315
              • [C++] VS2015 UPD1 build 23506
              • [ C ] VS2013 UPD4 build 31101

              Data Directories

              Name | Virtual Address | Virtual Size | Is in Section
              IMAGE_DIRECTORY_ENTRY_EXPORT | 0x203010 | 0x1114 | .oima
              IMAGE_DIRECTORY_ENTRY_IMPORT | 0xa6390 | 0xa0 | .rdata
              IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xc0000 | 0x468 | .rsrc
              IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
              IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
              IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xc1000 | 0x2324 | .reloc
              IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
              IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
              IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
              IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
              IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
              IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
              IMAGE_DIRECTORY_ENTRY_IAT | 0x42000 | 0xc0 | .rdata
              IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
              IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
              IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

              Sections

              Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
              .text | 0x1000 | 0x40796 | 0x41000 | False | 0.776085486779 | data | 7.73364605679 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
              .rdata | 0x42000 | 0x64fd0 | 0x65000 | False | 0.702390160891 | data | 7.86574512659 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
              .data | 0xa7000 | 0x178b8 | 0x18000 | False | 0.0694580078125 | data | 3.31515306295 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
              .pdata | 0xbf000 | 0x12c | 0x1000 | False | 0.06005859375 | PEX Binary Archive | 0.581723022719 | IMAGE_SCN_TYPE_DSECT, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
              .rsrc | 0xc0000 | 0x880 | 0x1000 | False | 0.139892578125 | data | 1.23838501563 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
              .reloc | 0xc1000 | 0x2324 | 0x3000 | False | 0.0498046875 | data | 4.65321444248 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
              .qkm | 0xc4000 | 0x74a | 0x1000 | False | 0.00634765625 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
              .cvjb | 0xc5000 | 0x1e66 | 0x2000 | False | 0.0037841796875 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
              .tlmkv | 0xc7000 | 0xbde | 0x1000 | False | 0.00634765625 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
              .wucsxe | 0xc8000 | 0x45174 | 0x46000 | False | 0.0010498046875 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
              .fltwtj | 0x10e000 | 0x1267 | 0x2000 | False | 0.0037841796875 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
              .sfplio | 0x110000 | 0x736 | 0x1000 | False | 0.00634765625 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
              .rpg | 0x111000 | 0x45174 | 0x46000 | False | 0.0010498046875 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
              .bewzc | 0x157000 | 0x1124 | 0x2000 | False | 0.0037841796875 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
              .vksvaw | 0x159000 | 0x736 | 0x1000 | False | 0.00634765625 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
              .wmhg | 0x15a000 | 0x1278 | 0x2000 | False | 0.0037841796875 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
              .kswemc | 0x15c000 | 0x36d | 0x1000 | False | 0.00634765625 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
              .kaxfk | 0x15d000 | 0x197d | 0x2000 | False | 0.0037841796875 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
              .pjf | 0x15f000 | 0xbde | 0x1000 | False | 0.00634765625 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
              .favk | 0x160000 | 0x1f7 | 0x1000 | False | 0.00634765625 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
              .vhtukj | 0x161000 | 0x45174 | 0x46000 | False | 0.0010498046875 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
              .hmbyox | 0x1a7000 | 0x8fe | 0x1000 | False | 0.00634765625 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
              .txms | 0x1a8000 | 0x3fe | 0x1000 | False | 0.00634765625 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
              .vqqm | 0x1a9000 | 0x1af | 0x1000 | False | 0.00634765625 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
              .cbwb | 0x1aa000 | 0x23b | 0x1000 | False | 0.00634765625 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
              .cti | 0x1ab000 | 0x13e | 0x1000 | False | 0.00634765625 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
              .ktfjac | 0x1ac000 | 0x3ba | 0x1000 | False | 0.00634765625 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
              .hvmici | 0x1ad000 | 0xbe9 | 0x1000 | False | 0.00634765625 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
              .bvyyd | 0x1ae000 | 0x1af | 0x1000 | False | 0.00634765625 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
              .qhjn | 0x1af000 | 0x1af | 0x1000 | False | 0.00634765625 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
              .bsvkca | 0x1b0000 | 0x389 | 0x1000 | False | 0.00634765625 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
              .nvpgx | 0x1b1000 | 0x2a2 | 0x1000 | False | 0.00634765625 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
              .yaa | 0x1b2000 | 0x543 | 0x1000 | False | 0.00634765625 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
              .qsimby | 0x1b3000 | 0x1278 | 0x2000 | False | 0.0037841796875 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
              .dibg | 0x1b5000 | 0x451c2 | 0x46000 | False | 0.0010498046875 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
              .odxfk | 0x1fb000 | 0x1278 | 0x2000 | False | 0.0037841796875 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
              .zczpdd | 0x1fd000 | 0x543 | 0x1000 | False | 0.00634765625 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
              .iceycz | 0x1fe000 | 0x5a7 | 0x1000 | False | 0.00634765625 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
              .lwp | 0x1ff000 | 0x736 | 0x1000 | False | 0.00634765625 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
              .ejt | 0x200000 | 0x543 | 0x1000 | False | 0.00634765625 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
              .gzpi | 0x201000 | 0x1278 | 0x2000 | False | 0.0037841796875 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
              .oima | 0x203000 | 0x1124 | 0x2000 | False | 0.276733398438 | data | 3.64280372921 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

              Resources

              Name | RVA | Size | Type | Language | Country
              RT_VERSION | 0xc00a0 | 0x370 | data | English | United States
              RT_MANIFEST | 0xc0410 | 0x56 | ASCII text, with CRLF line terminators | English | United States

              Imports

              DLL | Import
              USER32.dll | LookupIconIdFromDirectoryEx, WaitForInputIdle, GetParent, GetFocus
              SETUPAPI.dll | CM_Get_Resource_Conflict_DetailsW
              KERNEL32.dll | DeleteCriticalSection, DeleteTimerQueue, TerminateJobObject, GetFileInformationByHandle, GetThreadLocale, GetNamedPipeServerProcessId, GetConsoleFontSize
              GDI32.dll | CreateBitmapIndirect, GetPolyFillMode
              CRYPT32.dll | CertGetCTLContextProperty
              ADVAPI32.dll | AddAccessDeniedObjectAce
              SHLWAPI.dll | ChrCmpIW

              Exports

              Name                                Ordinal  Address
              AddGadgetMessageHandler             7        0x14000bdcc
              AddLayeredRef                       8        0x14003a050
              AdjustClipInsideRef                 9        0x1400150cc
              AttachWndProcA                      10       0x14001b9a0
              AttachWndProcW                      11       0x14002db5c
              AutoTrace                           12       0x14002def0
              BeginHideInputPaneAnimation         13       0x140020224
              BeginShowInputPaneAnimation         14       0x140030b24
              BuildAnimation                      15       0x140028b2c
              BuildDropTarget                     16       0x140018814
              BuildInterpolation                  17       0x14000bd0c
              CacheDWriteRenderTarget             18       0x140035b0c
              ChangeCurrentAnimationScenario      19       0x14003c0c0
              ClearPushedOpacitiesFromGadgetTree  20       0x14003c548
              ClearTopmostVisual                  21       0x14003cb58
              CreateAction                        22       0x14000ce18
              CreateGadget                        23       0x14001c7ac
              CustomGadgetHitTestQuery            24       0x1400148c0
              DUserBuildGadget                    25       0x14001649c
              DUserCastClass                      26       0x14000e8a4
              DUserCastDirect                     27       0x1400114e0
              DUserCastHandle                     1        0x14000d1e0
              DUserDeleteGadget                   2        0x14002600c
              DUserFindClass                      28       0x14003c230
              DUserFlushDeferredMessages          29       0x140038828
              DUserFlushMessages                  30       0x140036320
              DUserGetAlphaPRID                   31       0x140012a78
              DUserGetGutsData                    32       0x14003ef0c
              DUserGetRectPRID                    33       0x14002a4a0
              DUserGetRotatePRID                  34       0x14000f354
              DUserGetScalePRID                   35       0x1400113f0
              DUserInstanceOf                     36       0x140016060
              DUserPostEvent                      37       0x14002d4d8
              DUserPostMethod                     38       0x140013604
              DUserRegisterGuts                   39       0x140017e6c
              DUserRegisterStub                   40       0x1400393f8
              DUserRegisterSuper                  41       0x140012424
              DUserSendEvent                      42       0x1400341ec
              DUserSendMethod                     43       0x140022048
              DUserStopAnimation                  44       0x140001d04
              DUserStopPVLAnimation               45       0x14003383c
              DeleteHandle                        46       0x14002faf8
              DestroyPendingDCVisuals             47       0x14000a69c
              DetachGadgetVisuals                 48       0x1400102b8
              DetachWndProc                       49       0x14003c68c
              DisableContainerHwnd                50       0x14001ab64
              DllMain                             51       0x140026d1c
              DrawGadgetTree                      52       0x140026ca4
              EndInputPaneAnimation               53       0x14003e2bc
              EnsureAnimationsEnabled             54       0x14003328c
              EnsureGadgetTransInitialized        55       0x140041464
              EnumGadgets                         56       0x140035a0c
              FindGadgetFromPoint                 57       0x14002a254
              FindGadgetMessages                  58       0x14002e8cc
              FindGadgetTargetingInfo             59       0x140025ce0
              FindStdColor                        60       0x14001760c
              FireGadgetMessages                  61       0x140014558
              ForwardGadgetMessage                62       0x14003d298
              FreeGdiDxInteropStagingBuffer       63       0x140014ef0
              GadgetTransCompositionChanged       64       0x140032fbc
              GadgetTransSettingChanged           65       0x140022ff0
              GetActionTimeslice                  66       0x140020ec4
              GetCachedDWriteRenderTarget         67       0x1400035a0
              GetDUserModule                      68       0x140035e80
              GetDebug                            69       0x14003bed8
              GetFinalAnimatingPosition           70       0x140028f84
              GetGadget                           71       0x14000f1b4
              GetGadgetAnimation                  72       0x140013578
              GetGadgetBitmap                     73       0x14003e63c
              GetGadgetBufferInfo                 74       0x14002b868
              GetGadgetCenterPoint                75       0x14000d354
              GetGadgetFlags                      76       0x140026d18
              GetGadgetFocus                      77       0x14003130c
              GetGadgetLayerInfo                  78       0x1400123dc
              GetGadgetMessageFilter              79       0x140010c00
              GetGadgetProperty                   80       0x140001bb0
              GetGadgetRect                       81       0x14002abb0
              GetGadgetRgn                        82       0x140007db8
              GetGadgetRootInfo                   83       0x140007810
              GetGadgetRotation                   84       0x14002a580
              GetGadgetScale                      85       0x140026790
              GetGadgetSize                       86       0x14003dabc
              GetGadgetStyle                      87       0x140038dc8
              GetGadgetTicket                     88       0x14000180c
              GetGadgetVisual                     89       0x14003f2ac
              GetMessageExA                       90       0x14002160c
              GetMessageExW                       91       0x14001d044
              GetStdColorBrushF                   3        0x14003e094
              GetStdColorBrushI                   92       0x14000efa8
              GetStdColorF                        4        0x1400096a8
              GetStdColorI                        93       0x14003a788
              GetStdColorName                     94       0x14002fd6c
              GetStdColorPenF                     5        0x1400408c8
              GetStdColorPenI                     95       0x140028664
              GetStdPalette                       96       0x1400303a8
              InitGadgetComponent                 97       0x140013910
              InitGadgets                         98       0x1400083b0
              InvalidateGadget                    99       0x14001b734
              InvalidateLayeredDescendants        100      0x140007738
              IsGadgetParentChainStyle            101      0x140017ee4
              IsInsideContext                     102      0x1400231e8
              IsStartDelete                       103      0x140026534
              LookupGadgetTicket                  104      0x140039534
              MapGadgetPoints                     105      0x140025ff8
              PeekMessageExA                      106      0x140023ce0
              PeekMessageExW                      107      0x1400063e8
              RegisterGadgetMessage               108      0x14003b26c
              RegisterGadgetMessageString         109      0x14002c864
              RegisterGadgetProperty              110      0x140039a60
              ReleaseDetachedObjects              111      0x14000ba5c
              ReleaseLayeredRef                   112      0x140006a50
              ReleaseMouseCapture                 113      0x1400238e4
              RemoveClippingImmunityFromVisual    114      0x140027aac
              RemoveGadgetMessageHandler          115      0x14003fa54
              RemoveGadgetProperty                116      0x14003f98c
              ResetDUserDevice                    117      0x140007600
              ScheduleGadgetTransitions           118      0x140037634
              SetActionTimeslice                  119      0x14003715c
              SetAtlasingHints                    120      0x14002a6ec
              SetGadgetBufferInfo                 121      0x140020594
              SetGadgetCenterPoint                122      0x1400112a8
              SetGadgetFillF                      123      0x14003d270
              SetGadgetFillI                      124      0x140022b50
              SetGadgetFlags                      125      0x14001aa28
              SetGadgetFocus                      126      0x1400412dc
              SetGadgetFocusEx                    127      0x14003a8f4
              SetGadgetLayerInfo                  128      0x14003469c
              SetGadgetMessageFilter              129      0x14000f13c
              SetGadgetOrder                      130      0x140032d64
              SetGadgetParent                     131      0x140029294
              SetGadgetProperty                   132      0x14001bd70
              SetGadgetRect                       133      0x140036d74
              SetGadgetRootInfo                   134      0x140038f9c
              SetGadgetRotation                   135      0x14000c780
              SetGadgetScale                      136      0x140025684
              SetGadgetStyle                      137      0x140001b58
              SetHardwareDeviceUsage              138      0x14003250c
              SetMinimumDCompVersion              139      0x1400240e0
              SetRestoreCachedLayeredRefFlag      140      0x140023884
              SetTransitionVisualProperties       141      0x1400365a0
              SetWindowResizeFlag                 142      0x1400134cc
              UnregisterGadgetMessage             143      0x14003da10
              UnregisterGadgetMessageString       144      0x14000d0a4
              UnregisterGadgetProperty            145      0x140037bbc
              UtilBuildFont                       146      0x140035e44
              UtilDrawBlendRect                   147      0x14000a4a4
              UtilDrawOutlineRect                 6        0x14001870c
              UtilGetColor                        148      0x140032964
              UtilSetBackground                   149      0x140018510
              WaitMessageEx                       150      0x14000e5d8

              Version Infos

              Description       Data
              LegalCopyright    Microsoft Corporation. All rights reserv
              InternalName      bitsp
              FileVersion       7.5.7600.16385 (win7_rtm.090713-
              CompanyName       Microsoft Corporati
              ProductName       Microsoft Windows Operating S
              ProductVersion    6.1.7600
              FileDescription   Background Intellig
              OriginalFilename  kbdy
              Translation       0x0409 0x04b0

              Possible Origin

              Language of compilation system  Country where language is spoken
              English                         United States

              Network Behavior

              Network Port Distribution

              UDP Packets

              Timestamp                             Source Port  Dest Port  Source IP    Dest IP
              Sep 28, 2021 10:49:57.479717970 CEST  58562        53         192.168.2.7  8.8.8.8
              Sep 28, 2021 10:49:57.527818918 CEST  53           58562      8.8.8.8      192.168.2.7
              Sep 28, 2021 10:50:13.801300049 CEST  56590        53         192.168.2.7  8.8.8.8
              Sep 28, 2021 10:50:13.832154989 CEST  53           56590      8.8.8.8      192.168.2.7
              Sep 28, 2021 10:50:34.879651070 CEST  60501        53         192.168.2.7  8.8.8.8
              Sep 28, 2021 10:50:34.899374008 CEST  53           60501      8.8.8.8      192.168.2.7
              Sep 28, 2021 10:50:46.130552053 CEST  53775        53         192.168.2.7  8.8.8.8
              Sep 28, 2021 10:50:46.175204992 CEST  53           53775      8.8.8.8      192.168.2.7
              Sep 28, 2021 10:50:46.840352058 CEST  51837        53         192.168.2.7  8.8.8.8
              Sep 28, 2021 10:50:46.862692118 CEST  53           51837      8.8.8.8      192.168.2.7
              Sep 28, 2021 10:50:47.462280989 CEST  55411        53         192.168.2.7  8.8.8.8
              Sep 28, 2021 10:50:47.486260891 CEST  53           55411      8.8.8.8      192.168.2.7
              Sep 28, 2021 10:50:48.096184015 CEST  63668        53         192.168.2.7  8.8.8.8
              Sep 28, 2021 10:50:48.152357101 CEST  53           63668      8.8.8.8      192.168.2.7
              Sep 28, 2021 10:50:48.421366930 CEST  54640        53         192.168.2.7  8.8.8.8
              Sep 28, 2021 10:50:48.447293997 CEST  53           54640      8.8.8.8      192.168.2.7
              Sep 28, 2021 10:50:48.610698938 CEST  58739        53         192.168.2.7  8.8.8.8
              Sep 28, 2021 10:50:48.628649950 CEST  53           58739      8.8.8.8      192.168.2.7
              Sep 28, 2021 10:50:49.459156990 CEST  60338        53         192.168.2.7  8.8.8.8
              Sep 28, 2021 10:50:49.479715109 CEST  53           60338      8.8.8.8      192.168.2.7
              Sep 28, 2021 10:50:49.957967043 CEST  58717        53         192.168.2.7  8.8.8.8
              Sep 28, 2021 10:50:50.001194954 CEST  53           58717      8.8.8.8      192.168.2.7
              Sep 28, 2021 10:50:51.216317892 CEST  59762        53         192.168.2.7  8.8.8.8
              Sep 28, 2021 10:50:51.235332966 CEST  53           59762      8.8.8.8      192.168.2.7
              Sep 28, 2021 10:50:54.485519886 CEST  54329        53         192.168.2.7  8.8.8.8
              Sep 28, 2021 10:50:54.510246992 CEST  53           54329      8.8.8.8      192.168.2.7
              Sep 28, 2021 10:50:54.971585989 CEST  58052        53         192.168.2.7  8.8.8.8
              Sep 28, 2021 10:50:55.018073082 CEST  53           58052      8.8.8.8      192.168.2.7
              Sep 28, 2021 10:50:56.568748951 CEST  54008        53         192.168.2.7  8.8.8.8
              Sep 28, 2021 10:50:56.612859011 CEST  53           54008      8.8.8.8      192.168.2.7
              Sep 28, 2021 10:51:01.711642981 CEST  59451        53         192.168.2.7  8.8.8.8
              Sep 28, 2021 10:51:01.734843016 CEST  53           59451      8.8.8.8      192.168.2.7
              Sep 28, 2021 10:51:35.266832113 CEST  52914        53         192.168.2.7  8.8.8.8
              Sep 28, 2021 10:51:35.293589115 CEST  53           52914      8.8.8.8      192.168.2.7
              Sep 28, 2021 10:51:36.747045994 CEST  64569        53         192.168.2.7  8.8.8.8
              Sep 28, 2021 10:51:36.774502039 CEST  53           64569      8.8.8.8      192.168.2.7
              Sep 28, 2021 10:51:37.906775951 CEST  52816        53         192.168.2.7  8.8.8.8
              Sep 28, 2021 10:51:37.941770077 CEST  53           52816      8.8.8.8      192.168.2.7

              Code Manipulations

              Statistics

              Behavior

              System Behavior

              General

              Start time:10:49:47
              Start date:28/09/2021
              Path:C:\Windows\System32\loaddll64.exe
              Wow64 process (32bit):false
              Commandline:loaddll64.exe 'C:\Users\user\Desktop\X5C9EzCB7A.dll'
              Imagebase:0x7ff7f9830000
              File size:140288 bytes
              MD5 hash:A84133CCB118CF35D49A423CD836D0EF
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:C, C++ or other language
              Yara matches:
              • Rule: JoeSecurity_Dridex_2, Description: Yara detected Dridex unpacked file, Source: 00000000.00000002.452046176.0000000140001000.00000020.00020000.sdmp, Author: Joe Security
              Reputation:high

              General

              Start time:10:49:47
              Start date:28/09/2021
              Path:C:\Windows\System32\cmd.exe
              Wow64 process (32bit):false
              Commandline:cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\X5C9EzCB7A.dll',#1
              Imagebase:0x7ff7bf140000
              File size:273920 bytes
              MD5 hash:4E2ACF4F8A396486AB4268C94A6A245F
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:C, C++ or other language
              Reputation:high

              General

              Start time:10:49:48
              Start date:28/09/2021
              Path:C:\Windows\System32\rundll32.exe
              Wow64 process (32bit):false
              Commandline:rundll32.exe C:\Users\user\Desktop\X5C9EzCB7A.dll,AddGadgetMessageHandler
              Imagebase:0x7ff7f1330000
              File size:69632 bytes
              MD5 hash:73C519F050C20580F8A62C849D49215A
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:C, C++ or other language
              Yara matches:
              • Rule: JoeSecurity_Dridex_2, Description: Yara detected Dridex unpacked file, Source: 00000002.00000002.341553991.0000000140001000.00000020.00020000.sdmp, Author: Joe Security
              Reputation:high

              General

              Start time:10:49:48
              Start date:28/09/2021
              Path:C:\Windows\System32\rundll32.exe
              Wow64 process (32bit):false
              Commandline:rundll32.exe 'C:\Users\user\Desktop\X5C9EzCB7A.dll',#1
              Imagebase:0x7ff7f1330000
              File size:69632 bytes
              MD5 hash:73C519F050C20580F8A62C849D49215A
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:C, C++ or other language
              Yara matches:
              • Rule: JoeSecurity_Dridex_2, Description: Yara detected Dridex unpacked file, Source: 00000003.00000002.249682229.0000000140001000.00000020.00020000.sdmp, Author: Joe Security
              Reputation:high

              General

              Start time:10:49:49
              Start date:28/09/2021
              Path:C:\Windows\explorer.exe
              Wow64 process (32bit):false
              Commandline:C:\Windows\Explorer.EXE
              Imagebase:0x7ff662bf0000
              File size:3933184 bytes
              MD5 hash:AD5296B280E8F522A8A897C96BAB0E1D
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:C, C++ or other language
              Reputation:high

              General

              Start time:10:49:51
              Start date:28/09/2021
              Path:C:\Windows\System32\rundll32.exe
              Wow64 process (32bit):false
              Commandline:rundll32.exe C:\Users\user\Desktop\X5C9EzCB7A.dll,AddLayeredRef
              Imagebase:0x7ff7f1330000
              File size:69632 bytes
              MD5 hash:73C519F050C20580F8A62C849D49215A
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:C, C++ or other language
              Yara matches:
              • Rule: JoeSecurity_Dridex_2, Description: Yara detected Dridex unpacked file, Source: 00000006.00000002.256116400.0000000140001000.00000020.00020000.sdmp, Author: Joe Security
              Reputation:high

              General

              Start time:10:49:54
              Start date:28/09/2021
              Path:C:\Windows\System32\rundll32.exe
              Wow64 process (32bit):false
              Commandline:rundll32.exe C:\Users\user\Desktop\X5C9EzCB7A.dll,AdjustClipInsideRef
              Imagebase:0x7ff7f1330000
              File size:69632 bytes
              MD5 hash:73C519F050C20580F8A62C849D49215A
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:C, C++ or other language
              Yara matches:
              • Rule: JoeSecurity_Dridex_2, Description: Yara detected Dridex unpacked file, Source: 00000008.00000002.263669758.0000000140001000.00000020.00020000.sdmp, Author: Joe Security
              Reputation:high

              General

              Start time:10:49:58
              Start date:28/09/2021
              Path:C:\Windows\System32\rundll32.exe
              Wow64 process (32bit):false
              Commandline:rundll32.exe C:\Users\user\Desktop\X5C9EzCB7A.dll,AttachWndProcA
              Imagebase:0x7ff7f1330000
              File size:69632 bytes
              MD5 hash:73C519F050C20580F8A62C849D49215A
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:C, C++ or other language
              Yara matches:
              • Rule: JoeSecurity_Dridex_2, Description: Yara detected Dridex unpacked file, Source: 00000009.00000002.270725525.0000000140001000.00000020.00020000.sdmp, Author: Joe Security
              Reputation:high

              General

              Start time:10:50:01
              Start date:28/09/2021
              Path:C:\Windows\System32\rundll32.exe
              Wow64 process (32bit):false
              Commandline:rundll32.exe C:\Users\user\Desktop\X5C9EzCB7A.dll,AttachWndProcW
              Imagebase:0x7ff7f1330000
              File size:69632 bytes
              MD5 hash:73C519F050C20580F8A62C849D49215A
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:C, C++ or other language
              Yara matches:
              • Rule: JoeSecurity_Dridex_2, Description: Yara detected Dridex unpacked file, Source: 0000000A.00000002.279755934.0000000140001000.00000020.00020000.sdmp, Author: Joe Security

              General

              Start time:10:50:05
              Start date:28/09/2021
              Path:C:\Windows\System32\rundll32.exe
              Wow64 process (32bit):false
              Commandline:rundll32.exe C:\Users\user\Desktop\X5C9EzCB7A.dll,AutoTrace
              Imagebase:0x7ff7f1330000
              File size:69632 bytes
              MD5 hash:73C519F050C20580F8A62C849D49215A
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:C, C++ or other language
              Yara matches:
              • Rule: JoeSecurity_Dridex_2, Description: Yara detected Dridex unpacked file, Source: 0000000E.00000002.287591369.0000000140001000.00000020.00020000.sdmp, Author: Joe Security

              General

              Start time:10:50:09
              Start date:28/09/2021
              Path:C:\Windows\System32\rundll32.exe
              Wow64 process (32bit):false
              Commandline:rundll32.exe C:\Users\user\Desktop\X5C9EzCB7A.dll,BeginHideInputPaneAnimation
              Imagebase:0x7ff7f1330000
              File size:69632 bytes
              MD5 hash:73C519F050C20580F8A62C849D49215A
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:C, C++ or other language
              Yara matches:
              • Rule: JoeSecurity_Dridex_2, Description: Yara detected Dridex unpacked file, Source: 00000013.00000002.294331565.0000000140001000.00000020.00020000.sdmp, Author: Joe Security

              General

              Start time:10:50:12
              Start date:28/09/2021
              Path:C:\Windows\System32\rundll32.exe
              Wow64 process (32bit):false
              Commandline:rundll32.exe C:\Users\user\Desktop\X5C9EzCB7A.dll,BeginShowInputPaneAnimation
              Imagebase:0x7ff7f1330000
              File size:69632 bytes
              MD5 hash:73C519F050C20580F8A62C849D49215A
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:C, C++ or other language
              Yara matches:
              • Rule: JoeSecurity_Dridex_2, Description: Yara detected Dridex unpacked file, Source: 00000015.00000002.302760143.0000000140001000.00000020.00020000.sdmp, Author: Joe Security

              General

              Start time:10:50:16
              Start date:28/09/2021
              Path:C:\Windows\System32\rundll32.exe
              Wow64 process (32bit):false
              Commandline:rundll32.exe C:\Users\user\Desktop\X5C9EzCB7A.dll,BuildAnimation
              Imagebase:0x7ff7f1330000
              File size:69632 bytes
              MD5 hash:73C519F050C20580F8A62C849D49215A
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:C, C++ or other language
              Yara matches:
              • Rule: JoeSecurity_Dridex_2, Description: Yara detected Dridex unpacked file, Source: 00000017.00000002.310372882.0000000140001000.00000020.00020000.sdmp, Author: Joe Security

              General

              Start time:10:50:19
              Start date:28/09/2021
              Path:C:\Windows\System32\rundll32.exe
              Wow64 process (32bit):false
              Commandline:rundll32.exe C:\Users\user\Desktop\X5C9EzCB7A.dll,BuildDropTarget
              Imagebase:0x7ff7f1330000
              File size:69632 bytes
              MD5 hash:73C519F050C20580F8A62C849D49215A
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:C, C++ or other language
              Yara matches:
              • Rule: JoeSecurity_Dridex_2, Description: Yara detected Dridex unpacked file, Source: 00000018.00000002.317261849.0000000140001000.00000020.00020000.sdmp, Author: Joe Security

              General

              Start time:10:50:23
              Start date:28/09/2021
              Path:C:\Windows\System32\rundll32.exe
              Wow64 process (32bit):false
              Commandline:rundll32.exe C:\Users\user\Desktop\X5C9EzCB7A.dll,BuildInterpolation
              Imagebase:0x7ff7f1330000
              File size:69632 bytes
              MD5 hash:73C519F050C20580F8A62C849D49215A
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:C, C++ or other language
              Yara matches:
              • Rule: JoeSecurity_Dridex_2, Description: Yara detected Dridex unpacked file, Source: 00000019.00000002.324869275.0000000140001000.00000020.00020000.sdmp, Author: Joe Security

              General

              Start time:10:50:26
              Start date:28/09/2021
              Path:C:\Windows\System32\rundll32.exe
              Wow64 process (32bit):false
              Commandline:rundll32.exe C:\Users\user\Desktop\X5C9EzCB7A.dll,CacheDWriteRenderTarget
              Imagebase:0x7ff7f1330000
              File size:69632 bytes
              MD5 hash:73C519F050C20580F8A62C849D49215A
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:C, C++ or other language
              Yara matches:
              • Rule: JoeSecurity_Dridex_2, Description: Yara detected Dridex unpacked file, Source: 0000001B.00000002.332178412.0000000140001000.00000020.00020000.sdmp, Author: Joe Security

              General

              Start time:10:50:30
              Start date:28/09/2021
              Path:C:\Windows\System32\rundll32.exe
              Wow64 process (32bit):false
              Commandline:rundll32.exe C:\Users\user\Desktop\X5C9EzCB7A.dll,ChangeCurrentAnimationScenario
              Imagebase:0x7ff7f1330000
              File size:69632 bytes
              MD5 hash:73C519F050C20580F8A62C849D49215A
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:C, C++ or other language
              Yara matches:
              • Rule: JoeSecurity_Dridex_2, Description: Yara detected Dridex unpacked file, Source: 0000001C.00000002.339544401.0000000140001000.00000020.00020000.sdmp, Author: Joe Security

              General

              Start time:10:50:33
              Start date:28/09/2021
              Path:C:\Windows\System32\rundll32.exe
              Wow64 process (32bit):false
              Commandline:rundll32.exe C:\Users\user\Desktop\X5C9EzCB7A.dll,ClearPushedOpacitiesFromGadgetTree
              Imagebase:0x7ff7f1330000
              File size:69632 bytes
              MD5 hash:73C519F050C20580F8A62C849D49215A
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:C, C++ or other language
              Yara matches:
              • Rule: JoeSecurity_Dridex_2, Description: Yara detected Dridex unpacked file, Source: 0000001D.00000002.399487635.0000000140001000.00000020.00020000.sdmp, Author: Joe Security

              General

              Start time:10:50:34
              Start date:28/09/2021
              Path:C:\Windows\System32\wermgr.exe
              Wow64 process (32bit):false
              Commandline:C:\Windows\system32\wermgr.exe
              Imagebase:0x7ff6251d0000
              File size:209312 bytes
              MD5 hash:FF214585BF10206E21EA8EBA202FACFD
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:C, C++ or other language

              General

              Start time:10:50:36
              Start date:28/09/2021
              Path:C:\Users\user\AppData\Local\M5A\wermgr.exe
              Wow64 process (32bit):false
              Commandline:C:\Users\user\AppData\Local\M5A\wermgr.exe
              Imagebase:0x7ff740970000
              File size:209312 bytes
              MD5 hash:FF214585BF10206E21EA8EBA202FACFD
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:C, C++ or other language
              Yara matches:
              • Rule: JoeSecurity_Dridex_2, Description: Yara detected Dridex unpacked file, Source: 0000001F.00000002.353298117.0000000140001000.00000020.00020000.sdmp, Author: Joe Security

              General

              Start time:10:50:37
              Start date:28/09/2021
              Path:C:\Windows\System32\rundll32.exe
              Wow64 process (32bit):false
              Commandline:rundll32.exe C:\Users\user\Desktop\X5C9EzCB7A.dll,ClearTopmostVisual
              Imagebase:0x7ff7f1330000
              File size:69632 bytes
              MD5 hash:73C519F050C20580F8A62C849D49215A
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:C, C++ or other language
              Yara matches:
              • Rule: JoeSecurity_Dridex_2, Description: Yara detected Dridex unpacked file, Source: 00000020.00000002.357738953.0000000140001000.00000020.00020000.sdmp, Author: Joe Security

              General

              Start time:10:50:39
              Start date:28/09/2021
              Path:C:\Windows\System32\WFS.exe
              Wow64 process (32bit):false
              Commandline:C:\Windows\system32\WFS.exe
              Imagebase:0x7ff7eb8a0000
              File size:930304 bytes
              MD5 hash:CD6ACF3B997099B6CFB2417D3942F755
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:C, C++ or other language

              General

              Start time:10:50:40
              Start date:28/09/2021
              Path:C:\Users\user\AppData\Local\QEkvVts\WFS.exe
              Wow64 process (32bit):false
              Commandline:C:\Users\user\AppData\Local\QEkvVts\WFS.exe
              Imagebase:0x7ff7d5c70000
              File size:930304 bytes
              MD5 hash:CD6ACF3B997099B6CFB2417D3942F755
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:C, C++ or other language
              Yara matches:
              • Rule: JoeSecurity_Dridex_2, Description: Yara detected Dridex unpacked file, Source: 00000022.00000002.363607406.0000000140001000.00000020.00020000.sdmp, Author: Joe Security

              General

              Start time:10:50:41
              Start date:28/09/2021
              Path:C:\Windows\System32\rundll32.exe
              Wow64 process (32bit):false
              Commandline:rundll32.exe C:\Users\user\Desktop\X5C9EzCB7A.dll,CreateAction
              Imagebase:0x7ff7f1330000
              File size:69632 bytes
              MD5 hash:73C519F050C20580F8A62C849D49215A
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:C, C++ or other language
              Yara matches:
              • Rule: JoeSecurity_Dridex_2, Description: Yara detected Dridex unpacked file, Source: 00000023.00000002.367587367.0000000140001000.00000020.00020000.sdmp, Author: Joe Security

              General

              Start time:10:50:43
              Start date:28/09/2021
              Path:C:\Windows\System32\wusa.exe
              Wow64 process (32bit):false
              Commandline:C:\Windows\system32\wusa.exe
              Imagebase:0x7ff6bc1b0000
              File size:308736 bytes
              MD5 hash:04CE745559916B99248F266BBF5F9ED9
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:C, C++ or other language

              General

              Start time:10:50:44
              Start date:28/09/2021
              Path:C:\Users\user\AppData\Local\8FwY\wusa.exe
              Wow64 process (32bit):false
              Commandline:C:\Users\user\AppData\Local\8FwY\wusa.exe
              Imagebase:0x7ff6ee1f0000
              File size:308736 bytes
              MD5 hash:04CE745559916B99248F266BBF5F9ED9
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:C, C++ or other language
              Yara matches:
              • Rule: JoeSecurity_Dridex_2, Description: Yara detected Dridex unpacked file, Source: 00000028.00000002.370038497.0000000140001000.00000020.00020000.sdmp, Author: Joe Security

              Disassembly

              Code Analysis