
Windows Analysis Report P7n0h6OhYp

Overview

General Information

Sample Name: P7n0h6OhYp (renamed file extension from none to dll)
Analysis ID: 492431
MD5: 718a7d9b1fe55a72cfa586e869236df8
SHA1: 5d870aeb7951ab6af0900ba837924f79e3716936
SHA256: d485423afb5929de201a0fee5476c8b6d7d1a1868b537d7730db9b3e67d6a222
Tags: Dridex exe
Detection

Dridex
Score: 92
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Yara detected Dridex unpacked file
Multi AV Scanner detection for submitted file
Benign windows process drops PE files
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Changes memory attributes in foreign processes to executable or writable
Queues an APC in another process (thread injection)
Uses Atom Bombing / ProGate to inject into other processes
Queries the volume information (name, serial number etc) of a device
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query locales information (e.g. system language)
May sleep (evasive loops) to hinder dynamic analysis
Contains functionality to shutdown / reboot the system
Uses code obfuscation techniques (call, push, ret)
PE file contains sections with non-standard names
Queries the installation date of Windows
Detected potential crypto function
Found potential string decryption / allocating functions
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to call native functions
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to dynamically determine API calls
Found dropped PE file which has not been started or loaded
Contains functionality to record screenshots
Uses the system / local time for branch decision (may execute only at specific dates)
Contains functionality which may be used to detect a debugger (GetProcessHeap)
PE file contains executable resources (Code or Archives)
Contains functionality for execution timing, often used to detect debuggers
Drops files with a non-matching file extension (content does not match file extension)
Installs a raw input device (often for capturing keystrokes)
Sample file is different than original file name gathered from version info
PE file contains an invalid checksum
Extensive use of GetProcAddress (often used to hide API calls)
PE file contains strange resources
Drops PE files
Tries to load missing DLLs
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Binary contains a suspicious time stamp
Potential key logger detected (key state polling based)
PE file contains more sections than normal
Contains functionality to retrieve information about pressed keystrokes
Uses Microsoft's Enhanced Cryptographic Provider
Creates a process in suspended mode (likely to inject code)
Contains functionality to simulate mouse events
Contains functionality to create restore points
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to block mouse and keyboard input (often used to hinder debugging)

Process Tree

  • System is w10x64
  • loaddll64.exe (PID: 5036 cmdline: loaddll64.exe 'C:\Users\user\Desktop\P7n0h6OhYp.dll' MD5: E0CC9D126C39A9D2FA1CAD5027EBBD18)
    • cmd.exe (PID: 644 cmdline: cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\P7n0h6OhYp.dll',#1 MD5: 4E2ACF4F8A396486AB4268C94A6A245F)
      • rundll32.exe (PID: 5044 cmdline: rundll32.exe 'C:\Users\user\Desktop\P7n0h6OhYp.dll',#1 MD5: 73C519F050C20580F8A62C849D49215A)
    • rundll32.exe (PID: 3240 cmdline: rundll32.exe C:\Users\user\Desktop\P7n0h6OhYp.dll,IsInteractiveUserSession MD5: 73C519F050C20580F8A62C849D49215A)
      • explorer.exe (PID: 3472 cmdline: C:\Windows\Explorer.EXE MD5: AD5296B280E8F522A8A897C96BAB0E1D)
        • RdpSa.exe (PID: 716 cmdline: C:\Windows\system32\RdpSa.exe MD5: 0795B6F790F8E52D55F39E593E9C5BBA)
        • RdpSa.exe (PID: 2564 cmdline: C:\Users\user\AppData\Local\1wgM9CYx\RdpSa.exe MD5: 0795B6F790F8E52D55F39E593E9C5BBA)
        • dxgiadaptercache.exe (PID: 6132 cmdline: C:\Windows\system32\dxgiadaptercache.exe MD5: 3E73262483D4FB1BB88BA1B2B9BB3D5A)
        • dxgiadaptercache.exe (PID: 1308 cmdline: C:\Users\user\AppData\Local\aDD0Ov\dxgiadaptercache.exe MD5: 3E73262483D4FB1BB88BA1B2B9BB3D5A)
        • GamePanel.exe (PID: 668 cmdline: C:\Windows\system32\GamePanel.exe MD5: 4EF330EFAE954723B1F2800C15FDA7EB)
        • GamePanel.exe (PID: 4140 cmdline: C:\Users\user\AppData\Local\Rn1XW4tG\GamePanel.exe MD5: 4EF330EFAE954723B1F2800C15FDA7EB)
        • SystemSettingsRemoveDevice.exe (PID: 5192 cmdline: C:\Users\user\AppData\Local\tiy3x\SystemSettingsRemoveDevice.exe MD5: 87AF711D6518C0CF91560D7C98301BBB)
        • lpksetup.exe (PID: 4976 cmdline: C:\Windows\system32\lpksetup.exe MD5: 8E2C63E761A22724382338F349C55014)
        • lpksetup.exe (PID: 4968 cmdline: C:\Users\user\AppData\Local\A7mgbJ\lpksetup.exe MD5: 8E2C63E761A22724382338F349C55014)
        • Narrator.exe (PID: 5480 cmdline: C:\Windows\system32\Narrator.exe MD5: 56036993FB96C42F30C443A11BD56F4D)
        • Narrator.exe (PID: 5616 cmdline: C:\Users\user\AppData\Local\ocY6\Narrator.exe MD5: 56036993FB96C42F30C443A11BD56F4D)
        • WindowsActionDialog.exe (PID: 5040 cmdline: C:\Windows\system32\WindowsActionDialog.exe MD5: 991359EE1E9C1958EB5D0F7314774123)
        • WindowsActionDialog.exe (PID: 1280 cmdline: C:\Users\user\AppData\Local\JrFH9qPBX\WindowsActionDialog.exe MD5: 991359EE1E9C1958EB5D0F7314774123)
        • sessionmsg.exe (PID: 1112 cmdline: C:\Windows\system32\sessionmsg.exe MD5: 1F7CEA0216DE48B877C16F95C7DA1F0F)
        • sessionmsg.exe (PID: 1268 cmdline: C:\Users\user\AppData\Local\NNw\sessionmsg.exe MD5: 1F7CEA0216DE48B877C16F95C7DA1F0F)
    • rundll32.exe (PID: 5816 cmdline: rundll32.exe C:\Users\user\Desktop\P7n0h6OhYp.dll,QueryActiveSession MD5: 73C519F050C20580F8A62C849D49215A)
    • rundll32.exe (PID: 4632 cmdline: rundll32.exe C:\Users\user\Desktop\P7n0h6OhYp.dll,QueryUserToken MD5: 73C519F050C20580F8A62C849D49215A)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000018.00000002.383288122.0000000140001000.00000020.00020000.sdmp | JoeSecurity_Dridex_2 | Yara detected Dridex unpacked file | Joe Security |
0000001A.00000002.410742595.0000000140001000.00000020.00020000.sdmp | JoeSecurity_Dridex_2 | Yara detected Dridex unpacked file | Joe Security |
00000004.00000002.324777282.0000000140001000.00000020.00020000.sdmp | JoeSecurity_Dridex_2 | Yara detected Dridex unpacked file | Joe Security |
00000027.00000002.514121758.0000000140001000.00000020.00020000.sdmp | JoeSecurity_Dridex_2 | Yara detected Dridex unpacked file | Joe Security |
00000029.00000002.543009513.0000000140001000.00000020.00020000.sdmp | JoeSecurity_Dridex_2 | Yara detected Dridex unpacked file | Joe Security |
(7 further entries omitted)

Sigma Overview

No Sigma rule has matched

Jbx Signature Overview

AV Detection:

Multi AV Scanner detection for submitted file
Source: P7n0h6OhYp.dll Virustotal: Detection: 65%
Source: P7n0h6OhYp.dll Metadefender: Detection: 60%
Source: P7n0h6OhYp.dll ReversingLabs: Detection: 75%
Antivirus / Scanner detection for submitted sample
Source: P7n0h6OhYp.dll Avira: detected
Antivirus detection for dropped file
Source: C:\Users\user\AppData\Local\1wgM9CYx\WINSTA.dll Avira: detection malicious, Label: TR/Crypt.ZPACK.Gen
Source: C:\Users\user\AppData\Local\NNw\DUser.dll Avira: detection malicious, Label: HEUR/AGEN.1114452
Source: C:\Users\user\AppData\Local\ocY6\WINMM.dll Avira: detection malicious, Label: TR/Crypt.ZPACK.Gen
Source: C:\Users\user\AppData\Local\Rn1XW4tG\UxTheme.dll Avira: detection malicious, Label: TR/Crypt.ZPACK.Gen
Source: C:\Users\user\AppData\Local\aDD0Ov\dxgi.dll Avira: detection malicious, Label: HEUR/AGEN.1114452
Source: C:\Users\user\AppData\Local\4PmTNr\SYSDM.CPL Avira: detection malicious, Label: HEUR/AGEN.1114452
Source: C:\Users\user\AppData\Local\j3KBEEMS\MFC42u.dll Avira: detection malicious, Label: TR/Crypt.ZPACK.Gen
Source: C:\Users\user\AppData\Local\A7mgbJ\dpx.dll Avira: detection malicious, Label: HEUR/AGEN.1114452
Source: C:\Users\user\AppData\Local\JrFH9qPBX\DUI70.dll Avira: detection malicious, Label: HEUR/AGEN.1114452
Source: C:\Users\user\AppData\Local\pEPyA\MFPlat.DLL Avira: detection malicious, Label: HEUR/AGEN.1114452
Source: C:\Users\user\AppData\Local\Rn1XW4tG\GamePanel.exe Code function: 26_2_00007FF7A35D88F8 CryptHashData,
Source: C:\Users\user\AppData\Local\Rn1XW4tG\GamePanel.exe Code function: 26_2_00007FF7A35D874C CryptHashData,
Source: C:\Users\user\AppData\Local\Rn1XW4tG\GamePanel.exe Code function: 26_2_00007FF7A35D8534 CryptDestroyHash,CryptReleaseContext,
Source: C:\Users\user\AppData\Local\Rn1XW4tG\GamePanel.exe Code function: 26_2_00007FF7A35D8610 CryptGetHashParam,memset,
Source: C:\Users\user\AppData\Local\Rn1XW4tG\GamePanel.exe Code function: 26_2_00007FF7A35D8598 CryptAcquireContextW,CryptCreateHash,
Source: P7n0h6OhYp.dll Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA
Source: Binary string: lpksetup.pdbGCTL source: lpksetup.exe, 00000022.00000000.454582465.00007FF75CA94000.00000002.00020000.sdmp, lpksetup.exe.6.dr
Source: Binary string: WindowsActionDialog.pdb source: WindowsActionDialog.exe, 00000027.00000000.492152009.00007FF63995B000.00000002.00020000.sdmp, WindowsActionDialog.exe.6.dr
Source: Binary string: RdpSa.pdbGCTL source: RdpSa.exe, 00000015.00000002.355771432.00007FF73A1B8000.00000002.00020000.sdmp, RdpSa.exe.6.dr
Source: Binary string: SessionMsg.pdb source: sessionmsg.exe, 00000029.00000000.518619141.00007FF7635CA000.00000002.00020000.sdmp, sessionmsg.exe.6.dr
Source: Binary string: RdpSa.pdb source: RdpSa.exe, 00000015.00000002.355771432.00007FF73A1B8000.00000002.00020000.sdmp, RdpSa.exe.6.dr
Source: Binary string: irftp.pdbGCTL source: irftp.exe.6.dr
Source: Binary string: MFPMP.pdb source: mfpmp.exe.6.dr
Source: Binary string: Narrator.pdb source: Narrator.exe, 00000025.00000000.481453109.00007FF69A2C7000.00000002.00020000.sdmp, Narrator.exe.6.dr
Source: Binary string: SystemPropertiesComputerName.pdb source: SystemPropertiesComputerName.exe.6.dr
Source: Binary string: GamePanel.pdbGCTL source: GamePanel.exe, 0000001A.00000000.388756737.00007FF7A3627000.00000002.00020000.sdmp, GamePanel.exe.6.dr
Source: Binary string: MFPMP.pdbUGP source: mfpmp.exe.6.dr
Source: Binary string: DXGIAdapterCache.pdbGCTL source: dxgiadaptercache.exe, 00000018.00000002.386856196.00007FF64DC58000.00000002.00020000.sdmp, dxgiadaptercache.exe.6.dr
Source: Binary string: SessionMsg.pdbGCTL source: sessionmsg.exe, 00000029.00000000.518619141.00007FF7635CA000.00000002.00020000.sdmp, sessionmsg.exe.6.dr
Source: Binary string: WindowsActionDialog.pdbGCTL source: WindowsActionDialog.exe, 00000027.00000000.492152009.00007FF63995B000.00000002.00020000.sdmp, WindowsActionDialog.exe.6.dr
Source: Binary string: SystemSettingsRemoveDevice.pdbGCTL source: SystemSettingsRemoveDevice.exe, 0000001E.00000002.451361109.00007FF6C5E66000.00000002.00020000.sdmp, SystemSettingsRemoveDevice.exe.6.dr
Source: Binary string: Narrator.pdbGCTL source: Narrator.exe, 00000025.00000000.481453109.00007FF69A2C7000.00000002.00020000.sdmp, Narrator.exe.6.dr
Source: Binary string: SystemPropertiesComputerName.pdbGCTL source: SystemPropertiesComputerName.exe.6.dr
Source: Binary string: DXGIAdapterCache.pdb source: dxgiadaptercache.exe, 00000018.00000002.386856196.00007FF64DC58000.00000002.00020000.sdmp, dxgiadaptercache.exe.6.dr
Source: Binary string: GamePanel.pdb source: GamePanel.exe, 0000001A.00000000.388756737.00007FF7A3627000.00000002.00020000.sdmp, GamePanel.exe.6.dr
Source: Binary string: lpksetup.pdb source: lpksetup.exe, 00000022.00000000.454582465.00007FF75CA94000.00000002.00020000.sdmp, lpksetup.exe.6.dr
Source: Binary string: SystemSettingsRemoveDevice.pdb source: SystemSettingsRemoveDevice.exe, 0000001E.00000002.451361109.00007FF6C5E66000.00000002.00020000.sdmp, SystemSettingsRemoveDevice.exe.6.dr
Source: Binary string: irftp.pdb source: irftp.exe.6.dr
Source: C:\Windows\System32\loaddll64.exe Code function: 1_2_000000014005D290 FindFirstFileExW,
Source: C:\Users\user\AppData\Local\A7mgbJ\lpksetup.exe Code function: 34_2_00007FF75CA5FC24 SetLastError,malloc,PathCchCombine,FindFirstFileW,GetLastError,free,malloc,PathCchCombine,DeleteFileW,FindNextFileW,RemoveDirectoryW,free,FindClose,
Source: C:\Users\user\AppData\Local\A7mgbJ\lpksetup.exe Code function: 34_2_00007FF75CA65828 memset,PathCchCombine,memset,FindFirstFileW,PathCchCombine,PathFindExtensionW,_wcsicmp,_wcsicmp,_wcsicmp,PathCchCombine,free,free,free,free,FindNextFileW,FindClose,
Source: C:\Users\user\AppData\Local\ocY6\Narrator.exe Code function: 37_2_00007FF69A2A5F30 #12,GetSystemMetrics,GetSystemMetrics,CreateRectRgn,GetDCEx,CreateCompatibleDC,CreateCompatibleBitmap,SelectObject,BitBlt,SetStretchBltMode,StretchBlt,CoCreateInstance,DeleteObject,DeleteDC,DeleteDC,DeleteObject,
Source: C:\Users\user\AppData\Local\Rn1XW4tG\GamePanel.exe Code function: 26_2_00007FF7A36145E0 UiaReturnRawElementProvider,GetRawInputData,GetMessageExtraInfo,GetMessageExtraInfo,SendMessageW,SendMessageW,MulDiv,#413,Concurrency::cancel_current_task,
Source: C:\Users\user\AppData\Local\ocY6\Narrator.exe Code function: 37_2_00007FF69A2C008C GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,memset,SendInput,
Source: C:\Users\user\AppData\Local\ocY6\Narrator.exe Code function: 37_2_00007FF69A2A7FDC BlockInput,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,BlockInput,

E-Banking Fraud:

Yara detected Dridex unpacked file
Source: Yara match File source: 00000018.00000002.383288122.0000000140001000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000001A.00000002.410742595.0000000140001000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.324777282.0000000140001000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000027.00000002.514121758.0000000140001000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000029.00000002.543009513.0000000140001000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000001E.00000002.449151118.0000000140001000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.247365585.0000000140001000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.254598295.0000000140001000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.261507768.0000000140001000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.267714415.0000000140001000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000022.00000002.476637367.0000000140001000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000015.00000002.354057356.0000000140001000.00000020.00020000.sdmp, type: MEMORY
Source: C:\Users\user\AppData\Local\A7mgbJ\lpksetup.exe Code function: 34_2_00007FF75CA4DD98 GetLastError,ImageList_Destroy,FreeLibrary,FreeLibrary,ExitWindowsEx,GetLastError,free,SetLastError,ExitProcess,
            Source: C:\Users\user\AppData\Local\Rn1XW4tG\GamePanel.exeCode function: 26_2_00007FF7A360EE40
            Source: C:\Users\user\AppData\Local\Rn1XW4tG\GamePanel.exeCode function: 26_2_00007FF7A35C8F14
            Source: C:\Users\user\AppData\Local\Rn1XW4tG\GamePanel.exeCode function: 26_2_00007FF7A35FED90
            Source: C:\Users\user\AppData\Local\Rn1XW4tG\GamePanel.exeCode function: 26_2_00007FF7A35F4DD0
            Source: C:\Users\user\AppData\Local\Rn1XW4tG\GamePanel.exeCode function: 26_2_00007FF7A35C9484
            Source: C:\Users\user\AppData\Local\Rn1XW4tG\GamePanel.exeCode function: 26_2_00007FF7A3617460
            Source: C:\Users\user\AppData\Local\Rn1XW4tG\GamePanel.exeCode function: 26_2_00007FF7A35DB454
            Source: C:\Users\user\AppData\Local\Rn1XW4tG\GamePanel.exeCode function: 26_2_00007FF7A360137C
            Source: C:\Users\user\AppData\Local\Rn1XW4tG\GamePanel.exeCode function: 26_2_00007FF7A35A3260
            Source: C:\Users\user\AppData\Local\Rn1XW4tG\GamePanel.exeCode function: 26_2_00007FF7A35EB26C
            Source: C:\Users\user\AppData\Local\Rn1XW4tG\GamePanel.exeCode function: 26_2_00007FF7A35A72C8
            Source: C:\Users\user\AppData\Local\Rn1XW4tG\GamePanel.exeCode function: 26_2_00007FF7A3605190
            Source: C:\Users\user\AppData\Local\Rn1XW4tG\GamePanel.exeCode function: 26_2_00007FF7A360B14C
            Source: C:\Users\user\AppData\Local\Rn1XW4tG\GamePanel.exeCode function: 26_2_00007FF7A35FB124
            Source: C:\Users\user\AppData\Local\Rn1XW4tG\GamePanel.exeCode function: 26_2_00007FF7A360D788
            Source: C:\Users\user\AppData\Local\Rn1XW4tG\GamePanel.exeCode function: 26_2_00007FF7A361D7A2
            Source: C:\Users\user\AppData\Local\Rn1XW4tG\GamePanel.exeCode function: 26_2_00007FF7A35DD6B0
            Source: C:\Users\user\AppData\Local\Rn1XW4tG\GamePanel.exeCode function: 26_2_00007FF7A361FC59
            Source: C:\Users\user\AppData\Local\Rn1XW4tG\GamePanel.exeCode function: 26_2_00007FF7A35ADC44
            Source: C:\Users\user\AppData\Local\Rn1XW4tG\GamePanel.exeCode function: 26_2_00007FF7A35FBD14
            Source: C:\Users\user\AppData\Local\Rn1XW4tG\GamePanel.exeCode function: 26_2_00007FF7A361DB6C
            Source: C:\Users\user\AppData\Local\Rn1XW4tG\GamePanel.exeCode function: 26_2_00007FF7A3607A20
            Source: C:\Users\user\AppData\Local\Rn1XW4tG\GamePanel.exeCode function: 26_2_00007FF7A35E1AD4
            Source: C:\Users\user\AppData\Local\Rn1XW4tG\GamePanel.exeCode function: 26_2_00007FF7A35FF920
            Source: C:\Users\user\AppData\Local\Rn1XW4tG\GamePanel.exeCode function: 26_2_00007FF7A357B928
            Source: C:\Users\user\AppData\Local\Rn1XW4tG\GamePanel.exeCode function: 26_2_00007FF7A35E7A00
            Source: C:\Users\user\AppData\Local\Rn1XW4tG\GamePanel.exeCode function: 26_2_00007FF7A357A058
            Source: C:\Users\user\AppData\Local\Rn1XW4tG\GamePanel.exeCode function: 26_2_00007FF7A360BF88
            Source: C:\Users\user\AppData\Local\Rn1XW4tG\GamePanel.exeCode function: 26_2_00007FF7A361BFEC
            Source: C:\Users\user\AppData\Local\Rn1XW4tG\GamePanel.exeCode function: 26_2_00007FF7A35DBE58
            Source: C:\Users\user\AppData\Local\Rn1XW4tG\GamePanel.exeCode function: 26_2_00007FF7A35E5F08
            Source: C:\Users\user\AppData\Local\Rn1XW4tG\GamePanel.exeCode function: 26_2_00007FF7A3573D38
            Source: C:\Users\user\AppData\Local\tiy3x\SystemSettingsRemoveDevice.exeCode function: 30_2_00007FF6C5E63708
            Source: C:\Users\user\AppData\Local\A7mgbJ\lpksetup.exeCode function: 34_2_00007FF75CA90DAE
            Source: C:\Users\user\AppData\Local\A7mgbJ\lpksetup.exeCode function: 34_2_00007FF75CA64FFC
            Source: C:\Users\user\AppData\Local\A7mgbJ\lpksetup.exeCode function: 34_2_00007FF75CA4C0E8
            Source: C:\Users\user\AppData\Local\A7mgbJ\lpksetup.exeCode function: 34_2_00007FF75CA4D0F0
            Source: C:\Users\user\AppData\Local\A7mgbJ\lpksetup.exeCode function: 34_2_00007FF75CA4B040
            Source: C:\Users\user\AppData\Local\A7mgbJ\lpksetup.exeCode function: 34_2_00007FF75CA4CAA0
            Source: C:\Users\user\AppData\Local\A7mgbJ\lpksetup.exeCode function: 34_2_00007FF75CA4BB10
            Source: C:\Users\user\AppData\Local\A7mgbJ\lpksetup.exeCode function: 34_2_00007FF75CA25610
            Source: C:\Users\user\AppData\Local\A7mgbJ\lpksetup.exeCode function: 34_2_00007FF75CA675F8
            Source: C:\Users\user\AppData\Local\A7mgbJ\lpksetup.exeCode function: 34_2_00007FF75CA236D4
            Source: C:\Users\user\AppData\Local\A7mgbJ\lpksetup.exeCode function: 34_2_00007FF75CA296C4
            Source: C:\Users\user\AppData\Local\A7mgbJ\lpksetup.exeCode function: 34_2_00007FF75CA4F7C8
            Source: C:\Users\user\AppData\Local\A7mgbJ\lpksetup.exeCode function: 34_2_00007FF75CA6373C
            Source: C:\Users\user\AppData\Local\A7mgbJ\lpksetup.exeCode function: 34_2_00007FF75CA4E738
            Source: C:\Users\user\AppData\Local\A7mgbJ\lpksetup.exeCode function: 34_2_00007FF75CA5E718
            Source: C:\Users\user\AppData\Local\A7mgbJ\lpksetup.exeCode function: 34_2_00007FF75CA931B6
            Source: C:\Users\user\AppData\Local\A7mgbJ\lpksetup.exeCode function: 34_2_00007FF75CA731E8
            Source: C:\Users\user\AppData\Local\A7mgbJ\lpksetup.exeCode function: 34_2_00007FF75CA4A120
            Source: C:\Users\user\AppData\Local\A7mgbJ\lpksetup.exeCode function: 34_2_00007FF75CA67194
            Source: C:\Users\user\AppData\Local\A7mgbJ\lpksetup.exeCode function: 34_2_00007FF75CA602F8
            Source: C:\Users\user\AppData\Local\A7mgbJ\lpksetup.exeCode function: 34_2_00007FF75CA2B248
            Source: C:\Users\user\AppData\Local\A7mgbJ\lpksetup.exeCode function: 34_2_00007FF75CA5023C
            Source: C:\Users\user\AppData\Local\A7mgbJ\lpksetup.exeCode function: 34_2_00007FF75CA5C290
            Source: C:\Users\user\AppData\Local\A7mgbJ\lpksetup.exeCode function: 34_2_00007FF75CA66284
            Source: C:\Users\user\AppData\Local\A7mgbJ\lpksetup.exeCode function: 34_2_00007FF75CA4B3A0
            Source: C:\Users\user\AppData\Local\A7mgbJ\lpksetup.exeCode function: 34_2_00007FF75CA5E380
            Source: C:\Users\user\AppData\Local\A7mgbJ\lpksetup.exeCode function: 34_2_00007FF75CA62370
            Source: C:\Users\user\AppData\Local\A7mgbJ\lpksetup.exeCode function: 34_2_00007FF75CA414D0
            Source: C:\Users\user\AppData\Local\A7mgbJ\lpksetup.exeCode function: 34_2_00007FF75CA4F49C
            Source: C:\Users\user\AppData\Local\A7mgbJ\lpksetup.exeCode function: 34_2_00007FF75CA634F0
            Source: C:\Users\user\AppData\Local\A7mgbJ\lpksetup.exeCode function: 34_2_00007FF75CA5141C
            Source: C:\Users\user\AppData\Local\A7mgbJ\lpksetup.exeCode function: 34_2_00007FF75CA7248C
            Source: C:\Users\user\AppData\Local\A7mgbJ\lpksetup.exeCode function: 34_2_00007FF75CA25490
            Source: C:\Users\user\AppData\Local\A7mgbJ\lpksetup.exeCode function: 34_2_00007FF75CA4C490
            Source: C:\Users\user\AppData\Local\ocY6\Narrator.exeCode function: 37_2_00007FF69A2B1374
            Source: C:\Users\user\AppData\Local\ocY6\Narrator.exeCode function: 37_2_00007FF69A2AD380
            Source: C:\Users\user\AppData\Local\ocY6\Narrator.exeCode function: 37_2_00007FF69A2A33C8
            Source: C:\Users\user\AppData\Local\ocY6\Narrator.exeCode function: 37_2_00007FF69A2BEC64
            Source: C:\Users\user\AppData\Local\ocY6\Narrator.exeCode function: 37_2_00007FF69A2BB93C
            Source: C:\Users\user\AppData\Local\ocY6\Narrator.exeCode function: 37_2_00007FF69A2ABA60
            Source: C:\Users\user\AppData\Local\ocY6\Narrator.exeCode function: 37_2_00007FF69A2A7FDC
            Source: C:\Users\user\AppData\Local\ocY6\Narrator.exeCode function: 37_2_00007FF69A2B0FC0
            Source: C:\Users\user\AppData\Local\ocY6\Narrator.exeCode function: 37_2_00007FF69A2AE7C0
            Source: C:\Users\user\AppData\Local\ocY6\Narrator.exeCode function: 37_2_00007FF69A2AFFC0
            Source: C:\Users\user\AppData\Local\ocY6\Narrator.exeCode function: 37_2_00007FF69A2A385C
            Source: C:\Users\user\AppData\Local\ocY6\Narrator.exeCode function: 37_2_00007FF69A2AD844
            Source: C:\Users\user\AppData\Local\ocY6\Narrator.exeCode function: 37_2_00007FF69A2A40A8
            Source: C:\Users\user\AppData\Local\ocY6\Narrator.exeCode function: 37_2_00007FF69A2AC540
            Source: C:\Users\user\AppData\Local\ocY6\Narrator.exeCode function: 37_2_00007FF69A2A5630
            Source: C:\Users\user\AppData\Local\ocY6\Narrator.exeCode function: 37_2_00007FF69A2AB660
            Source: C:\Users\user\AppData\Local\ocY6\Narrator.exeCode function: 37_2_00007FF69A2C3E3C
            Source: C:\Users\user\AppData\Local\ocY6\Narrator.exeCode function: 37_2_00007FF69A2A7ED4
            Source: C:\Users\user\AppData\Local\ocY6\Narrator.exeCode function: 37_2_00007FF69A2A5F30
            Source: C:\Users\user\AppData\Local\JrFH9qPBX\WindowsActionDialog.exeCode function: 39_2_00007FF6399546D8
            Source: C:\Users\user\AppData\Local\JrFH9qPBX\WindowsActionDialog.exeCode function: 39_2_00007FF639953E8C
            Source: C:\Users\user\AppData\Local\NNw\sessionmsg.exeCode function: 41_2_00007FF7635C1E94
            Source: C:\Users\user\AppData\Local\NNw\sessionmsg.exeCode function: 41_2_00007FF7635C4A20
            Source: C:\Users\user\AppData\Local\NNw\sessionmsg.exeCode function: 41_2_00007FF7635C44E0
            Source: C:\Users\user\AppData\Local\NNw\sessionmsg.exeCode function: 41_2_00007FF7635C1778
            Source: C:\Users\user\AppData\Local\NNw\sessionmsg.exeCode function: 41_2_00007FF7635C3B58
            Source: C:\Users\user\AppData\Local\NNw\sessionmsg.exeCode function: 41_2_00007FF7635C3168
            Source: C:\Users\user\AppData\Local\A7mgbJ\lpksetup.exe | Code function: String function: 00007FF75CA24DC0 appears 90 times
            Source: C:\Users\user\AppData\Local\A7mgbJ\lpksetup.exe | Code function: String function: 00007FF75CA47A04 appears 234 times
            Source: C:\Users\user\AppData\Local\Rn1XW4tG\GamePanel.exe | Code function: String function: 00007FF7A35862E4 appears 62 times
            Source: C:\Users\user\AppData\Local\Rn1XW4tG\GamePanel.exe | Code function: String function: 00007FF7A3616AD8 appears 230 times
            Source: C:\Users\user\AppData\Local\Rn1XW4tG\GamePanel.exe | Code function: String function: 00007FF7A3576894 appears 49 times
            Source: C:\Users\user\AppData\Local\Rn1XW4tG\GamePanel.exe | Code function: String function: 00007FF7A3574D68 appears 192 times
            Source: C:\Users\user\AppData\Local\Rn1XW4tG\GamePanel.exe | Code function: String function: 00007FF7A35732F8 appears 394 times
            Source: C:\Windows\System32\loaddll64.exe | Code function: 1_2_0000000140046C90 NtClose,
            Source: C:\Windows\System32\loaddll64.exe | Code function: 1_2_000000014006A4B0 NtQuerySystemInformation,
            Source: C:\Users\user\AppData\Local\aDD0Ov\dxgiadaptercache.exe | Code function: 24_2_00007FF64DC54280 NtClose,
            Source: C:\Users\user\AppData\Local\aDD0Ov\dxgiadaptercache.exe | Code function: 24_2_00007FF64DC53400 GetLastError,NtClose,SetLastError,NtCreateTransaction,GetLastError,RegCloseKey,SetLastError,RegCreateKeyTransactedW,GetSystemTimeAsFileTime,RegGetValueW,RegGetValueW,RegGetValueW,RegGetValueW,RegGetValueW,RegOpenKeyTransactedW,RegGetValueW,RegGetValueW,GetLastError,RegCloseKey,SetLastError,RegDeleteTreeW,RegCloseKey,RegEnumKeyW,RegDeleteTreeW,RegSetValueExW,
            Source: C:\Users\user\AppData\Local\Rn1XW4tG\GamePanel.exe | Code function: 26_2_00007FF7A35E6C44 RtlInitUnicodeString,NtQueryLicenseValue,
            Source: C:\Users\user\AppData\Local\Rn1XW4tG\GamePanel.exe | Code function: 26_2_00007FF7A361A9CC NtQueryInformationToken,RtlNtStatusToDosErrorNoTeb,HeapAlloc,memset,NtQueryInformationToken,RtlNtStatusToDosErrorNoTeb,RtlInitUnicodeString,RtlCompareUnicodeString,
            Source: C:\Users\user\AppData\Local\A7mgbJ\lpksetup.exe | Code function: 34_2_00007FF75CA5C6D8 NtIsUILanguageComitted,SetLastError,RegCloseKey,free,free,free,free,free,GetSystemDefaultUILanguage,EnumUILanguagesW,RegOpenKeyExW,SetLastError,RegEnumKeyExW,free,RegEnumKeyExW,LocaleNameToLCID,RegDeleteKeyW,_CxxThrowException,
            Source: C:\Users\user\AppData\Local\A7mgbJ\lpksetup.exe | Code function: 34_2_00007FF75CA5C664 NtGetMUIRegistryInfo,RtlNtStatusToDosError,SetLastError,
            Source: C:\Users\user\AppData\Local\ocY6\Narrator.exe | Code function: 37_2_00007FF69A2A9330 NtQueryWnfStateData,
            Source: irftp.exe.6.dr | Static PE information: Resource name: RT_VERSION type: COM executable for DOS
            Source: P7n0h6OhYp.dll | Binary or memory string: OriginalFilenamekbdyj% vs P7n0h6OhYp.dll
            Source: GamePanel.exe.6.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
            Source: GamePanel.exe.6.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
            Source: GamePanel.exe.6.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
            Source: lpksetup.exe.6.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
            Source: lpksetup.exe.6.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
            Source: lpksetup.exe.6.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
            Source: Narrator.exe.6.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
            Source: Narrator.exe.6.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
            Source: Narrator.exe.6.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
            Source: irftp.exe.6.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
            Source: irftp.exe.6.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
            Source: irftp.exe.6.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
            Source: irftp.exe.6.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
            Source: irftp.exe.6.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
            Source: irftp.exe.6.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
            Source: irftp.exe.6.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
            Source: irftp.exe.6.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
            Source: irftp.exe.6.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
            Source: irftp.exe.6.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
            Source: SystemPropertiesComputerName.exe.6.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
            Source: SystemPropertiesComputerName.exe.6.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
            Source: SystemPropertiesComputerName.exe.6.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
            Source: C:\Windows\explorer.exe | Section loaded: capabilityaccessmanagerclient.dll
            Source: DUI70.dll.6.dr | Static PE information: Number of sections : 35 > 10
            Source: DUI70.dll0.6.dr | Static PE information: Number of sections : 35 > 10
            Source: MFPlat.DLL.6.dr | Static PE information: Number of sections : 35 > 10
            Source: WINSTA.dll.6.dr | Static PE information: Number of sections : 35 > 10
            Source: P7n0h6OhYp.dll | Static PE information: Number of sections : 34 > 10
            Source: dxgi.dll.6.dr | Static PE information: Number of sections : 35 > 10
            Source: WINMM.dll.6.dr | Static PE information: Number of sections : 35 > 10
            Source: SYSDM.CPL.6.dr | Static PE information: Number of sections : 35 > 10
            Source: UxTheme.dll.6.dr | Static PE information: Number of sections : 35 > 10
            Source: DUser.dll.6.dr | Static PE information: Number of sections : 35 > 10
            Source: dpx.dll.6.dr | Static PE information: Number of sections : 35 > 10
            Source: MFC42u.dll.6.dr | Static PE information: Number of sections : 35 > 10
            Source: P7n0h6OhYp.dll | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
            Source: WINSTA.dll.6.dr | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
            Source: dxgi.dll.6.dr | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
            Source: UxTheme.dll.6.dr | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
            Source: DUI70.dll.6.dr | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
            Source: dpx.dll.6.dr | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
            Source: WINMM.dll.6.dr | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
            Source: DUI70.dll0.6.dr | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
            Source: DUser.dll.6.dr | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
            Source: MFC42u.dll.6.dr | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
            Source: SYSDM.CPL.6.dr | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
            Source: MFPlat.DLL.6.dr | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
            Source: P7n0h6OhYp.dll | Virustotal: Detection: 65%
            Source: P7n0h6OhYp.dll | Metadefender: Detection: 60%
            Source: P7n0h6OhYp.dll | ReversingLabs: Detection: 75%
            Source: P7n0h6OhYp.dll | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
            Source: C:\Windows\System32\loaddll64.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
            Source: unknown | Process created: C:\Windows\System32\loaddll64.exe loaddll64.exe 'C:\Users\user\Desktop\P7n0h6OhYp.dll'
            Source: C:\Windows\System32\loaddll64.exe | Process created: C:\Windows\System32\cmd.exe cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\P7n0h6OhYp.dll',#1
            Source: C:\Windows\System32\loaddll64.exe | Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\P7n0h6OhYp.dll,IsInteractiveUserSession
            Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\P7n0h6OhYp.dll',#1
            Source: C:\Windows\System32\loaddll64.exe | Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\P7n0h6OhYp.dll,QueryActiveSession
            Source: C:\Windows\System32\loaddll64.exe | Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\P7n0h6OhYp.dll,QueryUserToken
            Source: C:\Windows\explorer.exe | Process created: C:\Windows\System32\RdpSa.exe C:\Windows\system32\RdpSa.exe
            Source: C:\Windows\explorer.exe | Process created: C:\Users\user\AppData\Local\1wgM9CYx\RdpSa.exe C:\Users\user\AppData\Local\1wgM9CYx\RdpSa.exe
            Source: C:\Windows\explorer.exe | Process created: C:\Windows\System32\dxgiadaptercache.exe C:\Windows\system32\dxgiadaptercache.exe
            Source: C:\Windows\explorer.exe | Process created: C:\Users\user\AppData\Local\aDD0Ov\dxgiadaptercache.exe C:\Users\user\AppData\Local\aDD0Ov\dxgiadaptercache.exe
            Source: C:\Windows\explorer.exe | Process created: C:\Windows\System32\GamePanel.exe C:\Windows\system32\GamePanel.exe
            Source: C:\Windows\explorer.exe | Process created: C:\Users\user\AppData\Local\Rn1XW4tG\GamePanel.exe C:\Users\user\AppData\Local\Rn1XW4tG\GamePanel.exe
            Source: C:\Windows\explorer.exe | Process created: C:\Windows\System32\SystemSettingsRemoveDevice.exe C:\Windows\system32\SystemSettingsRemoveDevice.exe
            Source: C:\Windows\explorer.exe | Process created: C:\Users\user\AppData\Local\tiy3x\SystemSettingsRemoveDevice.exe C:\Users\user\AppData\Local\tiy3x\SystemSettingsRemoveDevice.exe
            Source: C:\Windows\explorer.exe | Process created: C:\Windows\System32\lpksetup.exe C:\Windows\system32\lpksetup.exe
            Source: C:\Windows\explorer.exe | Process created: C:\Users\user\AppData\Local\A7mgbJ\lpksetup.exe C:\Users\user\AppData\Local\A7mgbJ\lpksetup.exe
            Source: C:\Windows\explorer.exe | Process created: C:\Windows\System32\Narrator.exe C:\Windows\system32\Narrator.exe
            Source: C:\Windows\explorer.exe | Process created: C:\Users\user\AppData\Local\ocY6\Narrator.exe C:\Users\user\AppData\Local\ocY6\Narrator.exe
            Source: C:\Windows\explorer.exe | Process created: C:\Windows\System32\WindowsActionDialog.exe C:\Windows\system32\WindowsActionDialog.exe
            Source: C:\Windows\explorer.exe | Process created: C:\Users\user\AppData\Local\JrFH9qPBX\WindowsActionDialog.exe C:\Users\user\AppData\Local\JrFH9qPBX\WindowsActionDialog.exe
            Source: C:\Windows\explorer.exe | Process created: C:\Windows\System32\sessionmsg.exe C:\Windows\system32\sessionmsg.exe
            Source: C:\Windows\explorer.exe | Process created: C:\Users\user\AppData\Local\NNw\sessionmsg.exe C:\Users\user\AppData\Local\NNw\sessionmsg.exe
            Source: C:\Windows\explorer.exe | Process created: unknown unknown
            Source: C:\Windows\explorer.exe | Process created: unknown unknown
            Source: C:\Windows\explorer.exe | Process created: unknown unknown
            Source: C:\Windows\explorer.exe | Process created: unknown unknown
            Source: C:\Windows\explorer.exe | Process created: unknown unknown
            Source: C:\Windows\explorer.exe | Process created: unknown unknown
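The process-creation evidence above shows the staging pattern a hunter should key on: explorer.exe first launches a signed binary from C:\Windows\System32 (RdpSa.exe, GamePanel.exe, lpksetup.exe, ...), then launches a same-named copy from a freshly created directory under C:\Users\user\AppData\Local\<random>\, next to the dropped DLLs listed elsewhere in this report (WINSTA.dll, dxgi.dll, DUI70.dll, ...). The following detection logic is an added example, not part of the Joe Sandbox report: it correlates the two launches per parent process so that a lone AppData executable (a legitimately installed tool) is not flagged. The Sysmon-style `ParentImage=... Image=...` event lines are constructed for the example; the directory and file names are taken from the report.

```python
import re
from collections import defaultdict

# Constructed sample events (Sysmon Event ID 1 style, one per line); not taken from the report.
# Staging directory and file names mirror the report's process tree.
SAMPLE_EVENTS = r"""
ParentImage=C:\Windows\explorer.exe Image=C:\Windows\System32\RdpSa.exe
ParentImage=C:\Windows\explorer.exe Image=C:\Users\user\AppData\Local\1wgM9CYx\RdpSa.exe
ParentImage=C:\Windows\explorer.exe Image=C:\Windows\System32\GamePanel.exe
ParentImage=C:\Windows\explorer.exe Image=C:\Users\user\AppData\Local\Rn1XW4tG\GamePanel.exe
ParentImage=C:\Windows\explorer.exe Image=C:\Windows\System32\notepad.exe
ParentImage=C:\Windows\explorer.exe Image=C:\Users\user\AppData\Local\Programs\Tool\tool.exe
ParentImage=C:\Windows\System32\cmd.exe Image=C:\Users\user\AppData\Local\Temp\GamePanel.exe
"""

EVENT_RE = re.compile(r"ParentImage=(?P<parent>\S+)\s+Image=(?P<image>\S+)")
SYSTEM32 = "c:\\windows\\system32\\"
# One random-looking directory directly under %LOCALAPPDATA%, holding an .exe (hypothetical
# shape chosen to match the report; deeper paths such as AppData\Local\Programs\X\y.exe
# deliberately do not match).
LOCALAPPDATA_RE = re.compile(
    r"^c:\\users\\[^\\]+\\appdata\\local\\([^\\]+)\\([^\\]+\.exe)$", re.IGNORECASE
)


def parse_events(text):
    """Return a list of (parent_image, image) tuples from Sysmon-style lines."""
    events = []
    for line in text.splitlines():
        m = EVENT_RE.search(line)
        if m:
            events.append((m.group("parent"), m.group("image")))
    return events


def find_sideload_staging(events):
    """Return (basename, staging_dir) for every image launched from a single-level
    %LOCALAPPDATA% directory whose basename the same parent also launched from System32."""
    system32_children = defaultdict(set)  # parent (lowercased) -> basenames run from System32
    for parent, image in events:
        lower = image.lower()
        # Require the file to sit directly in System32, not in a subdirectory.
        if lower.startswith(SYSTEM32) and lower.count("\\") == SYSTEM32.count("\\"):
            system32_children[parent.lower()].add(lower.rsplit("\\", 1)[1])

    hits = []
    for parent, image in events:
        m = LOCALAPPDATA_RE.match(image)
        if not m:
            continue
        staging_dir, basename = m.group(1), m.group(2).lower()
        if basename in system32_children.get(parent.lower(), ()):
            hits.append((basename, staging_dir))
    return hits


if __name__ == "__main__":
    for basename, staging_dir in find_sideload_staging(parse_events(SAMPLE_EVENTS)):
        print(f"possible side-load staging: {basename} in AppData\\Local\\{staging_dir}")
```

On the constructed events only RdpSa.exe and GamePanel.exe are reported: notepad.exe never reappears under AppData, the Programs\Tool path is two levels deep, and the Temp copy was launched by cmd.exe rather than the parent that also ran the System32 original. In production the same pairing should be confirmed by listing the staging directory for DLLs whose names match system DLLs, which is the dropped-file evidence this report records.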
            Source: C:\Windows\explorer.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32
            Source: C:\Users\user\AppData\Local\A7mgbJ\lpksetup.exe | Code function: 34_2_00007FF75CA5FF90 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,PrivilegeCheck,AdjustTokenPrivileges,CloseHandle,
            Source: C:\Windows\explorer.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Crypto
            Source: irftp.exe.6.dr | Binary string: \Device\IrDAIrDA:TinyTP:LsapSelOBEX:IrXferOBEXControl Panel\InfraredControl Panel\Infrared\GlobalControl Panel\Infrared\IrTranPAllowSendShowTrayIconPlaySoundRecvdFilesLocationDisableIrTranPv1DisableIrCOMMExploreOnCompletionSaveAsUPFireventsIrMon: ReadUserPreferences::Failed to init sockets
            Source: classification engine | Classification label: mal92.troj.evad.winDLL@49/23@0/0
            Source: C:\Users\user\AppData\Local\1wgM9CYx\RdpSa.exe | Code function: 21_2_00007FF73A1B3304 CoCreateInstance,
            Source: C:\Users\user\AppData\Local\A7mgbJ\lpksetup.exe | Code function: 34_2_00007FF75CA5DF98 GetWindowsDirectoryW,GetDiskFreeSpaceExW,
            Source: C:\Users\user\AppData\Local\1wgM9CYx\RdpSa.exe | Code function: 21_2_00007FF73A1B41EC LoadStringW,GetLastError,LoadStringW,GetLastError,FormatMessageW,GetLastError,WinStationSendMessageW,GetLastError,LocalFree,
            Source: C:\Windows\System32\loaddll64.exe | Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\P7n0h6OhYp.dll,IsInteractiveUserSession
            Source: C:\Users\user\AppData\Local\NNw\sessionmsg.exe | Mutant created: \Sessions\1\BaseNamedObjects\{70b75cb9-af4b-9a47-ae32-704b6f5b30ba}
            Source: C:\Users\user\AppData\Local\NNw\sessionmsg.exe | Mutant created: \Sessions\1\BaseNamedObjects\{abf78926-7d38-5169-88a8-6fd0cc7b22f5}
            Source: C:\Users\user\AppData\Local\Rn1XW4tG\GamePanel.exe | Code function: 26_2_00007FF7A35CB70C FindResourceW,LoadResource,LockResource,SizeofResource,
            Source: GamePanel.exe | String found in binary or memory: Start/StopRecordAsync SUCCEEDED
            Source: GamePanel.exe | String found in binary or memory: Start/StopRecordAsync SUCCEEDED
            Source: GamePanel.exe | String found in binary or memory: Start/StopRecordAsync FAILED with hr = %x
            Source: GamePanel.exe | String found in binary or memory: Start/StopRecordAsync FAILED with hr = %x
            Source: GamePanel.exe | String found in binary or memory: Start/StopRecordAsync FINALIZING
            Source: GamePanel.exe | String found in binary or memory: Start/StopRecordAsync FINALIZING
            Source: P7n0h6OhYp.dll | Static PE information: Image base 0x140000000 > 0x60000000
            Source: P7n0h6OhYp.dll | Static file information: File size 1220608 > 1048576
            Source: P7n0h6OhYp.dll | Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA
            Source: Binary string: lpksetup.pdbGCTL source: lpksetup.exe, 00000022.00000000.454582465.00007FF75CA94000.00000002.00020000.sdmp, lpksetup.exe.6.dr
            Source: Binary string: WindowsActionDialog.pdb source: WindowsActionDialog.exe, 00000027.00000000.492152009.00007FF63995B000.00000002.00020000.sdmp, WindowsActionDialog.exe.6.dr
            Source: Binary string: RdpSa.pdbGCTL source: RdpSa.exe, 00000015.00000002.355771432.00007FF73A1B8000.00000002.00020000.sdmp, RdpSa.exe.6.dr
            Source: Binary string: SessionMsg.pdb source: sessionmsg.exe, 00000029.00000000.518619141.00007FF7635CA000.00000002.00020000.sdmp, sessionmsg.exe.6.dr
            Source: Binary string: RdpSa.pdb source: RdpSa.exe, 00000015.00000002.355771432.00007FF73A1B8000.00000002.00020000.sdmp, RdpSa.exe.6.dr
            Source: Binary string: irftp.pdbGCTL source: irftp.exe.6.dr
            Source: Binary string: MFPMP.pdb source: mfpmp.exe.6.dr
            Source: Binary string: Narrator.pdb source: Narrator.exe, 00000025.00000000.481453109.00007FF69A2C7000.00000002.00020000.sdmp, Narrator.exe.6.dr
            Source: Binary string: SystemPropertiesComputerName.pdb source: SystemPropertiesComputerName.exe.6.dr
            Source: Binary string: GamePanel.pdbGCTL source: GamePanel.exe, 0000001A.00000000.388756737.00007FF7A3627000.00000002.00020000.sdmp, GamePanel.exe.6.dr
            Source: Binary string: MFPMP.pdbUGP source: mfpmp.exe.6.dr
            Source: Binary string: DXGIAdapterCache.pdbGCTL source: dxgiadaptercache.exe, 00000018.00000002.386856196.00007FF64DC58000.00000002.00020000.sdmp, dxgiadaptercache.exe.6.dr
            Source: Binary string: SessionMsg.pdbGCTL source: sessionmsg.exe, 00000029.00000000.518619141.00007FF7635CA000.00000002.00020000.sdmp, sessionmsg.exe.6.dr
            Source: Binary string: WindowsActionDialog.pdbGCTL source: WindowsActionDialog.exe, 00000027.00000000.492152009.00007FF63995B000.00000002.00020000.sdmp, WindowsActionDialog.exe.6.dr
            Source: Binary string: SystemSettingsRemoveDevice.pdbGCTL source: SystemSettingsRemoveDevice.exe, 0000001E.00000002.451361109.00007FF6C5E66000.00000002.00020000.sdmp, SystemSettingsRemoveDevice.exe.6.dr
            Source: Binary string: Narrator.pdbGCTL source: Narrator.exe, 00000025.00000000.481453109.00007FF69A2C7000.00000002.00020000.sdmp, Narrator.exe.6.dr
            Source: Binary string: SystemPropertiesComputerName.pdbGCTL source: SystemPropertiesComputerName.exe.6.dr
            Source: Binary string: DXGIAdapterCache.pdb source: dxgiadaptercache.exe, 00000018.00000002.386856196.00007FF64DC58000.00000002.00020000.sdmp, dxgiadaptercache.exe.6.dr
            Source: Binary string: GamePanel.pdb source: GamePanel.exe, 0000001A.00000000.388756737.00007FF7A3627000.00000002.00020000.sdmp, GamePanel.exe.6.dr
            Source: Binary string: lpksetup.pdb source: lpksetup.exe, 00000022.00000000.454582465.00007FF75CA94000.00000002.00020000.sdmp, lpksetup.exe.6.dr
            Source: Binary string: SystemSettingsRemoveDevice.pdb source: SystemSettingsRemoveDevice.exe, 0000001E.00000002.451361109.00007FF6C5E66000.00000002.00020000.sdmp, SystemSettingsRemoveDevice.exe.6.dr
            Source: Binary string: irftp.pdb source: irftp.exe.6.dr
            Source: C:\Windows\System32\loaddll64.exeCode function: 1_2_0000000140056A4D push rdi; ret
            Source: P7n0h6OhYp.dllStatic PE information: section name: .qkm
            Source: P7n0h6OhYp.dllStatic PE information: section name: .cvjb
            Source: P7n0h6OhYp.dllStatic PE information: section name: .tlmkv
            Source: P7n0h6OhYp.dllStatic PE information: section name: .wucsxe
            Source: P7n0h6OhYp.dllStatic PE information: section name: .wnx
            Source: P7n0h6OhYp.dllStatic PE information: section name: .weqy
            Source: P7n0h6OhYp.dllStatic PE information: section name: .yby
            Source: P7n0h6OhYp.dllStatic PE information: section name: .ormx
            Source: P7n0h6OhYp.dllStatic PE information: section name: .dhclu
            Source: P7n0h6OhYp.dllStatic PE information: section name: .xmiul
            Source: P7n0h6OhYp.dllStatic PE information: section name: .tlwcxe
            Source: P7n0h6OhYp.dllStatic PE information: section name: .get
            Source: P7n0h6OhYp.dllStatic PE information: section name: .hzrd
            Source: P7n0h6OhYp.dllStatic PE information: section name: .qzu
            Source: P7n0h6OhYp.dllStatic PE information: section name: .tbbd
            Source: P7n0h6OhYp.dllStatic PE information: section name: .shoovi
            Source: P7n0h6OhYp.dllStatic PE information: section name: .wbmgl
            Source: P7n0h6OhYp.dllStatic PE information: section name: .aobcn
            Source: P7n0h6OhYp.dllStatic PE information: section name: .xdno
            Source: P7n0h6OhYp.dllStatic PE information: section name: .ipsw
            Source: P7n0h6OhYp.dllStatic PE information: section name: .cqpqq
            Source: P7n0h6OhYp.dllStatic PE information: section name: .skzqoj
            Source: P7n0h6OhYp.dllStatic PE information: section name: .nvjg
            Source: P7n0h6OhYp.dllStatic PE information: section name: .bbt
            Source: P7n0h6OhYp.dllStatic PE information: section name: .wsg
            Source: P7n0h6OhYp.dllStatic PE information: section name: .vqdhza
            Source: P7n0h6OhYp.dllStatic PE information: section name: .mgf
            Source: P7n0h6OhYp.dllStatic PE information: section name: .xusvuv
            Source: GamePanel.exe.6.drStatic PE information: section name: .imrsiv
            Source: GamePanel.exe.6.drStatic PE information: section name: .didat
            Source: SystemSettingsRemoveDevice.exe.6.drStatic PE information: section name: .imrsiv
            Source: WindowsActionDialog.exe.6.drStatic PE information: section name: .imrsiv
            Source: sessionmsg.exe.6.drStatic PE information: section name: .imrsiv
            Source: mfpmp.exe.6.drStatic PE information: section name: .didat
            Source: WINSTA.dll.6.drStatic PE information: section name: .qkm
            Source: WINSTA.dll.6.drStatic PE information: section name: .cvjb
            Source: WINSTA.dll.6.drStatic PE information: section name: .tlmkv
            Source: WINSTA.dll.6.drStatic PE information: section name: .wucsxe
            Source: WINSTA.dll.6.drStatic PE information: section name: .wnx
            Source: WINSTA.dll.6.drStatic PE information: section name: .weqy
            Source: WINSTA.dll.6.drStatic PE information: section name: .yby
            Source: WINSTA.dll.6.drStatic PE information: section name: .ormx
            Source: WINSTA.dll.6.drStatic PE information: section name: .dhclu
            Source: WINSTA.dll.6.drStatic PE information: section name: .xmiul
            Source: WINSTA.dll.6.drStatic PE information: section name: .tlwcxe
            Source: WINSTA.dll.6.drStatic PE information: section name: .get
            Source: WINSTA.dll.6.drStatic PE information: section name: .hzrd
            Source: WINSTA.dll.6.drStatic PE information: section name: .qzu
            Source: WINSTA.dll.6.drStatic PE information: section name: .tbbd
            Source: WINSTA.dll.6.drStatic PE information: section name: .shoovi
            Source: WINSTA.dll.6.drStatic PE information: section name: .wbmgl
            Source: WINSTA.dll.6.drStatic PE information: section name: .aobcn
            Source: WINSTA.dll.6.drStatic PE information: section name: .xdno
            Source: WINSTA.dll.6.drStatic PE information: section name: .ipsw
            Source: WINSTA.dll.6.drStatic PE information: section name: .cqpqq
            Source: WINSTA.dll.6.drStatic PE information: section name: .skzqoj
            Source: WINSTA.dll.6.drStatic PE information: section name: .nvjg
            Source: WINSTA.dll.6.drStatic PE information: section name: .bbt
            Source: WINSTA.dll.6.drStatic PE information: section name: .wsg
            Source: WINSTA.dll.6.drStatic PE information: section name: .vqdhza
            Source: WINSTA.dll.6.drStatic PE information: section name: .mgf
            Source: WINSTA.dll.6.drStatic PE information: section name: .xusvuv
            Source: WINSTA.dll.6.drStatic PE information: section name: .vhvcw
            Source: dxgi.dll.6.drStatic PE information: section name: .qkm
            Source: dxgi.dll.6.drStatic PE information: section name: .cvjb
            Source: dxgi.dll.6.drStatic PE information: section name: .tlmkv
            Source: dxgi.dll.6.drStatic PE information: section name: .wucsxe
            Source: dxgi.dll.6.drStatic PE information: section name: .wnx
            Source: dxgi.dll.6.drStatic PE information: section name: .weqy
            Source: dxgi.dll.6.drStatic PE information: section name: .yby
            Source: dxgi.dll.6.drStatic PE information: section name: .ormx
            Source: dxgi.dll.6.drStatic PE information: section name: .dhclu
            Source: dxgi.dll.6.drStatic PE information: section name: .xmiul
            Source: dxgi.dll.6.drStatic PE information: section name: .tlwcxe
            Source: dxgi.dll.6.drStatic PE information: section name: .get
            Source: dxgi.dll.6.drStatic PE information: section name: .hzrd
            Source: dxgi.dll.6.drStatic PE information: section name: .qzu
            Source: dxgi.dll.6.drStatic PE information: section name: .tbbd
            Source: dxgi.dll.6.drStatic PE information: section name: .shoovi
            Source: dxgi.dll.6.drStatic PE information: section name: .wbmgl
            Source: dxgi.dll.6.drStatic PE information: section name: .aobcn
            Source: dxgi.dll.6.drStatic PE information: section name: .xdno
            Source: dxgi.dll.6.drStatic PE information: section name: .ipsw
            Source: dxgi.dll.6.drStatic PE information: section name: .cqpqq
            Source: dxgi.dll.6.drStatic PE information: section name: .skzqoj
            Source: dxgi.dll.6.drStatic PE information: section name: .nvjg
            Source: dxgi.dll.6.drStatic PE information: section name: .bbt
            Source: dxgi.dll.6.drStatic PE information: section name: .wsg
            Source: dxgi.dll.6.drStatic PE information: section name: .vqdhza
            Source: dxgi.dll.6.drStatic PE information: section name: .mgf
            Source: dxgi.dll.6.drStatic PE information: section name: .xusvuv
            Source: dxgi.dll.6.drStatic PE information: section name: .gcgbes
            Source: UxTheme.dll.6.drStatic PE information: section name: .qkm
            Source: UxTheme.dll.6.drStatic PE information: section name: .cvjb
            Source: UxTheme.dll.6.drStatic PE information: section name: .tlmkv
            Source: UxTheme.dll.6.drStatic PE information: section name: .wucsxe
            Source: UxTheme.dll.6.drStatic PE information: section name: .wnx
            Source: UxTheme.dll.6.drStatic PE information: section name: .weqy
            Source: UxTheme.dll.6.drStatic PE information: section name: .yby
            Source: UxTheme.dll.6.drStatic PE information: section name: .ormx
            Source: UxTheme.dll.6.drStatic PE information: section name: .dhclu
            Source: UxTheme.dll.6.drStatic PE information: section name: .xmiul
            Source: UxTheme.dll.6.drStatic PE information: section name: .tlwcxe
            Source: UxTheme.dll.6.drStatic PE information: section name: .get
            Source: UxTheme.dll.6.drStatic PE information: section name: .hzrd
            Source: UxTheme.dll.6.drStatic PE information: section name: .qzu
            Source: UxTheme.dll.6.drStatic PE information: section name: .tbbd
            Source: UxTheme.dll.6.drStatic PE information: section name: .shoovi
            Source: UxTheme.dll.6.drStatic PE information: section name: .wbmgl
            Source: UxTheme.dll.6.drStatic PE information: section name: .aobcn
            Source: UxTheme.dll.6.drStatic PE information: section name: .xdno
            Source: UxTheme.dll.6.drStatic PE information: section name: .ipsw
            Source: UxTheme.dll.6.drStatic PE information: section name: .cqpqq
            Source: UxTheme.dll.6.drStatic PE information: section name: .skzqoj
            Source: UxTheme.dll.6.drStatic PE information: section name: .nvjg
            Source: UxTheme.dll.6.drStatic PE information: section name: .bbt
            Source: UxTheme.dll.6.drStatic PE information: section name: .wsg
            Source: UxTheme.dll.6.drStatic PE information: section name: .vqdhza
            Source: UxTheme.dll.6.drStatic PE information: section name: .mgf
            Source: UxTheme.dll.6.drStatic PE information: section name: .xusvuv
            Source: UxTheme.dll.6.drStatic PE information: section name: .xwee
            Source: DUI70.dll.6.drStatic PE information: section name: .qkm
            Source: DUI70.dll.6.drStatic PE information: section name: .cvjb
            Source: DUI70.dll.6.drStatic PE information: section name: .tlmkv
            Source: DUI70.dll.6.drStatic PE information: section name: .wucsxe
            Source: DUI70.dll.6.drStatic PE information: section name: .wnx
            Source: DUI70.dll.6.drStatic PE information: section name: .weqy
            Source: DUI70.dll.6.drStatic PE information: section name: .yby
            Source: DUI70.dll.6.drStatic PE information: section name: .ormx
            Source: DUI70.dll.6.drStatic PE information: section name: .dhclu
            Source: DUI70.dll.6.drStatic PE information: section name: .xmiul
            Source: DUI70.dll.6.drStatic PE information: section name: .tlwcxe
            Source: DUI70.dll.6.drStatic PE information: section name: .get
            Source: DUI70.dll.6.drStatic PE information: section name: .hzrd
            Source: DUI70.dll.6.drStatic PE information: section name: .qzu
            Source: DUI70.dll.6.drStatic PE information: section name: .tbbd
            Source: DUI70.dll.6.drStatic PE information: section name: .shoovi
            Source: DUI70.dll.6.drStatic PE information: section name: .wbmgl
            Source: DUI70.dll.6.drStatic PE information: section name: .aobcn
            Source: DUI70.dll.6.drStatic PE information: section name: .xdno
            Source: DUI70.dll.6.drStatic PE information: section name: .ipsw
            Source: DUI70.dll.6.drStatic PE information: section name: .cqpqq
            Source: DUI70.dll.6.drStatic PE information: section name: .skzqoj
            Source: DUI70.dll.6.drStatic PE information: section name: .nvjg
            Source: DUI70.dll.6.drStatic PE information: section name: .bbt
            Source: DUI70.dll.6.drStatic PE information: section name: .wsg
            Source: DUI70.dll.6.drStatic PE information: section name: .vqdhza
            Source: DUI70.dll.6.drStatic PE information: section name: .mgf
            Source: DUI70.dll.6.drStatic PE information: section name: .xusvuv
            Source: DUI70.dll.6.drStatic PE information: section name: .dwthk
            Source: dpx.dll.6.drStatic PE information: section name: .qkm
            Source: dpx.dll.6.drStatic PE information: section name: .cvjb
            Source: dpx.dll.6.drStatic PE information: section name: .tlmkv
            Source: dpx.dll.6.drStatic PE information: section name: .wucsxe
            Source: dpx.dll.6.drStatic PE information: section name: .wnx
            Source: dpx.dll.6.drStatic PE information: section name: .weqy
            Source: dpx.dll.6.drStatic PE information: section name: .yby
            Source: dpx.dll.6.drStatic PE information: section name: .ormx
            Source: dpx.dll.6.drStatic PE information: section name: .dhclu
            Source: dpx.dll.6.drStatic PE information: section name: .xmiul
            Source: dpx.dll.6.drStatic PE information: section name: .tlwcxe
            Source: dpx.dll.6.drStatic PE information: section name: .get
            Source: dpx.dll.6.drStatic PE information: section name: .hzrd
            Source: dpx.dll.6.drStatic PE information: section name: .qzu
            Source: dpx.dll.6.drStatic PE information: section name: .tbbd
            Source: dpx.dll.6.drStatic PE information: section name: .shoovi
            Source: dpx.dll.6.drStatic PE information: section name: .wbmgl
            Source: dpx.dll.6.drStatic PE information: section name: .aobcn
            Source: dpx.dll.6.drStatic PE information: section name: .xdno
            Source: dpx.dll.6.drStatic PE information: section name: .ipsw
            Source: dpx.dll.6.drStatic PE information: section name: .cqpqq
            Source: dpx.dll.6.drStatic PE information: section name: .skzqoj
            Source: dpx.dll.6.drStatic PE information: section name: .nvjg
            Source: dpx.dll.6.drStatic PE information: section name: .bbt
            Source: dpx.dll.6.drStatic PE information: section name: .wsg
            Source: dpx.dll.6.drStatic PE information: section name: .vqdhza
            Source: dpx.dll.6.drStatic PE information: section name: .mgf
            Source: dpx.dll.6.drStatic PE information: section name: .xusvuv
            Source: dpx.dll.6.drStatic PE information: section name: .nxobd
            Source: WINMM.dll.6.drStatic PE information: section name: .qkm
            Source: WINMM.dll.6.drStatic PE information: section name: .cvjb
            Source: WINMM.dll.6.drStatic PE information: section name: .tlmkv
            Source: WINMM.dll.6.drStatic PE information: section name: .wucsxe
            Source: WINMM.dll.6.drStatic PE information: section name: .wnx
            Source: WINMM.dll.6.drStatic PE information: section name: .weqy
            Source: WINMM.dll.6.drStatic PE information: section name: .yby
            Source: WINMM.dll.6.drStatic PE information: section name: .ormx
            Source: WINMM.dll.6.drStatic PE information: section name: .dhclu
            Source: WINMM.dll.6.drStatic PE information: section name: .xmiul
            Source: WINMM.dll.6.drStatic PE information: section name: .tlwcxe
            Source: WINMM.dll.6.drStatic PE information: section name: .get
            Source: WINMM.dll.6.drStatic PE information: section name: .hzrd
            Source: WINMM.dll.6.drStatic PE information: section name: .qzu
            Source: WINMM.dll.6.drStatic PE information: section name: .tbbd
            Source: WINMM.dll.6.drStatic PE information: section name: .shoovi
            Source: WINMM.dll.6.drStatic PE information: section name: .wbmgl
            Source: WINMM.dll.6.drStatic PE information: section name: .aobcn
            Source: WINMM.dll.6.drStatic PE information: section name: .xdno
            Source: WINMM.dll.6.drStatic PE information: section name: .ipsw
            Source: WINMM.dll.6.drStatic PE information: section name: .cqpqq
            Source: WINMM.dll.6.drStatic PE information: section name: .skzqoj
            Source: WINMM.dll.6.drStatic PE information: section name: .nvjg
            Source: WINMM.dll.6.drStatic PE information: section name: .bbt
            Source: WINMM.dll.6.drStatic PE information: section name: .wsg
            Source: WINMM.dll.6.drStatic PE information: section name: .vqdhza
            Source: WINMM.dll.6.drStatic PE information: section name: .mgf
            Source: WINMM.dll.6.drStatic PE information: section name: .xusvuv
            Source: WINMM.dll.6.drStatic PE information: section name: .kdulth
            Source: DUI70.dll0.6.drStatic PE information: section name: .qkm
            Source: DUI70.dll0.6.drStatic PE information: section name: .cvjb
            Source: DUI70.dll0.6.drStatic PE information: section name: .tlmkv
            Source: DUI70.dll0.6.drStatic PE information: section name: .wucsxe
            Source: DUI70.dll0.6.drStatic PE information: section name: .wnx
            Source: DUI70.dll0.6.drStatic PE information: section name: .weqy
            Source: DUI70.dll0.6.drStatic PE information: section name: .yby
            Source: DUI70.dll0.6.drStatic PE information: section name: .ormx
            Source: DUI70.dll0.6.drStatic PE information: section name: .dhclu
            Source: DUI70.dll0.6.drStatic PE information: section name: .xmiul
            Source: DUI70.dll0.6.drStatic PE information: section name: .tlwcxe
            Source: DUI70.dll0.6.drStatic PE information: section name: .get
            Source: DUI70.dll0.6.drStatic PE information: section name: .hzrd
            Source: DUI70.dll0.6.drStatic PE information: section name: .qzu
            Source: DUI70.dll0.6.drStatic PE information: section name: .tbbd
            Source: DUI70.dll0.6.drStatic PE information: section name: .shoovi
            Source: DUI70.dll0.6.drStatic PE information: section name: .wbmgl
            Source: DUI70.dll0.6.drStatic PE information: section name: .aobcn
            Source: DUI70.dll0.6.drStatic PE information: section name: .xdno
            Source: DUI70.dll0.6.drStatic PE information: section name: .ipsw
            Source: DUI70.dll0.6.drStatic PE information: section name: .cqpqq
            Source: DUI70.dll0.6.drStatic PE information: section name: .skzqoj
            Source: DUI70.dll0.6.drStatic PE information: section name: .nvjg
            Source: DUI70.dll0.6.drStatic PE information: section name: .bbt
            Source: DUI70.dll0.6.drStatic PE information: section name: .wsg
            Source: DUI70.dll0.6.drStatic PE information: section name: .vqdhza
            Source: DUI70.dll0.6.drStatic PE information: section name: .mgf
            Source: DUI70.dll0.6.drStatic PE information: section name: .xusvuv
            Source: DUI70.dll0.6.drStatic PE information: section name: .dua
            Source: DUser.dll.6.drStatic PE information: section name: .qkm
            Source: DUser.dll.6.drStatic PE information: section name: .cvjb
            Source: DUser.dll.6.drStatic PE information: section name: .tlmkv
            Source: DUser.dll.6.drStatic PE information: section name: .wucsxe
            Source: DUser.dll.6.drStatic PE information: section name: .wnx
            Source: DUser.dll.6.drStatic PE information: section name: .weqy
            Source: DUser.dll.6.drStatic PE information: section name: .yby
            Source: DUser.dll.6.drStatic PE information: section name: .ormx
            Source: DUser.dll.6.drStatic PE information: section name: .dhclu
            Source: DUser.dll.6.drStatic PE information: section name: .xmiul
            Source: DUser.dll.6.drStatic PE information: section name: .tlwcxe
            Source: DUser.dll.6.drStatic PE information: section name: .get
            Source: DUser.dll.6.drStatic PE information: section name: .hzrd
            Source: DUser.dll.6.drStatic PE information: section name: .qzu
            Source: DUser.dll.6.drStatic PE information: section name: .tbbd
            Source: DUser.dll.6.drStatic PE information: section name: .shoovi
            Source: DUser.dll.6.drStatic PE information: section name: .wbmgl
            Source: DUser.dll.6.drStatic PE information: section name: .aobcn
            Source: DUser.dll.6.drStatic PE information: section name: .xdno
            Source: DUser.dll.6.drStatic PE information: section name: .ipsw
            Source: DUser.dll.6.drStatic PE information: section name: .cqpqq
            Source: DUser.dll.6.drStatic PE information: section name: .skzqoj
            Source: DUser.dll.6.drStatic PE information: section name: .nvjg
            Source: DUser.dll.6.drStatic PE information: section name: .bbt
            Source: DUser.dll.6.drStatic PE information: section name: .wsg
            Source: DUser.dll.6.drStatic PE information: section name: .vqdhza
            Source: DUser.dll.6.drStatic PE information: section name: .mgf
            Source: DUser.dll.6.drStatic PE information: section name: .xusvuv
            Source: DUser.dll.6.drStatic PE information: section name: .xpfa
            Source: MFC42u.dll.6.drStatic PE information: section name: .qkm
            Source: MFC42u.dll.6.drStatic PE information: section name: .cvjb
            Source: MFC42u.dll.6.drStatic PE information: section name: .tlmkv
            Source: MFC42u.dll.6.drStatic PE information: section name: .wucsxe
            Source: MFC42u.dll.6.drStatic PE information: section name: .wnx
            Source: MFC42u.dll.6.drStatic PE information: section name: .weqy
            Source: MFC42u.dll.6.drStatic PE information: section name: .yby
            Source: MFC42u.dll.6.drStatic PE information: section name: .ormx
            Source: MFC42u.dll.6.drStatic PE information: section name: .dhclu
            Source: MFC42u.dll.6.drStatic PE information: section name: .xmiul
            Source: MFC42u.dll.6.drStatic PE information: section name: .tlwcxe
            Source: MFC42u.dll.6.drStatic PE information: section name: .get
            Source: MFC42u.dll.6.drStatic PE information: section name: .hzrd
            Source: MFC42u.dll.6.drStatic PE information: section name: .qzu
            Source: MFC42u.dll.6.drStatic PE information: section name: .tbbd
            Source: MFC42u.dll.6.drStatic PE information: section name: .shoovi
            Source: MFC42u.dll.6.drStatic PE information: section name: .wbmgl
            Source: MFC42u.dll.6.drStatic PE information: section name: .aobcn
            Source: MFC42u.dll.6.drStatic PE information: section name: .xdno
            Source: MFC42u.dll.6.drStatic PE information: section name: .ipsw
            Source: MFC42u.dll.6.drStatic PE information: section name: .cqpqq
            Source: MFC42u.dll.6.drStatic PE information: section name: .skzqoj
            Source: MFC42u.dll.6.drStatic PE information: section name: .nvjg
            Source: MFC42u.dll.6.drStatic PE information: section name: .bbt
            Source: MFC42u.dll.6.drStatic PE information: section name: .wsg
            Source: MFC42u.dll.6.drStatic PE information: section name: .vqdhza
            Source: MFC42u.dll.6.drStatic PE information: section name: .mgf
            Source: MFC42u.dll.6.drStatic PE information: section name: .xusvuv
            Source: MFC42u.dll.6.drStatic PE information: section name: .wuijw
            Source: SYSDM.CPL.6.drStatic PE information: section name: .qkm
            Source: SYSDM.CPL.6.drStatic PE information: section name: .cvjb
            Source: SYSDM.CPL.6.drStatic PE information: section name: .tlmkv
            Source: SYSDM.CPL.6.drStatic PE information: section name: .wucsxe
            Source: SYSDM.CPL.6.drStatic PE information: section name: .wnx
            Source: SYSDM.CPL.6.drStatic PE information: section name: .weqy
            Source: SYSDM.CPL.6.drStatic PE information: section name: .yby
            Source: SYSDM.CPL.6.drStatic PE information: section name: .ormx
            Source: SYSDM.CPL.6.drStatic PE information: section name: .dhclu
            Source: SYSDM.CPL.6.drStatic PE information: section name: .xmiul
            Source: SYSDM.CPL.6.drStatic PE information: section name: .tlwcxe
            Source: SYSDM.CPL.6.drStatic PE information: section name: .get
            Source: SYSDM.CPL.6.drStatic PE information: section name: .hzrd
            Source: SYSDM.CPL.6.drStatic PE information: section name: .qzu
            Source: SYSDM.CPL.6.drStatic PE information: section name: .tbbd
            Source: SYSDM.CPL.6.drStatic PE information: section name: .shoovi
            Source: SYSDM.CPL.6.drStatic PE information: section name: .wbmgl
            Source: SYSDM.CPL.6.drStatic PE information: section name: .aobcn
            Source: SYSDM.CPL.6.drStatic PE information: section name: .xdno
            Source: SYSDM.CPL.6.drStatic PE information: section name: .ipsw
            Source: SYSDM.CPL.6.drStatic PE information: section name: .cqpqq
            Source: SYSDM.CPL.6.drStatic PE information: section name: .skzqoj
            Source: SYSDM.CPL.6.drStatic PE information: section name: .nvjg
            Source: SYSDM.CPL.6.drStatic PE information: section name: .bbt
            Source: SYSDM.CPL.6.drStatic PE information: section name: .wsg
            Source: SYSDM.CPL.6.drStatic PE information: section name: .vqdhza
            Source: SYSDM.CPL.6.drStatic PE information: section name: .mgf
            Source: SYSDM.CPL.6.drStatic PE information: section name: .xusvuv
            Source: SYSDM.CPL.6.drStatic PE information: section name: .vmsby
            Source: MFPlat.DLL.6.drStatic PE information: section name: .qkm
            Source: MFPlat.DLL.6.drStatic PE information: section name: .cvjb
            Source: MFPlat.DLL.6.drStatic PE information: section name: .tlmkv
            Source: MFPlat.DLL.6.drStatic PE information: section name: .wucsxe
            Source: MFPlat.DLL.6.drStatic PE information: section name: .wnx
            Source: MFPlat.DLL.6.drStatic PE information: section name: .weqy
            Source: MFPlat.DLL.6.drStatic PE information: section name: .yby
            Source: MFPlat.DLL.6.drStatic PE information: section name: .ormx
            Source: MFPlat.DLL.6.drStatic PE information: section name: .dhclu
            Source: MFPlat.DLL.6.drStatic PE information: section name: .xmiul
            Source: MFPlat.DLL.6.drStatic PE information: section name: .tlwcxe
            Source: MFPlat.DLL.6.drStatic PE information: section name: .get
            Source: MFPlat.DLL.6.drStatic PE information: section name: .hzrd
            Source: MFPlat.DLL.6.drStatic PE information: section name: .qzu
            Source: MFPlat.DLL.6.drStatic PE information: section name: .tbbd
            Source: MFPlat.DLL.6.drStatic PE information: section name: .shoovi
            Source: MFPlat.DLL.6.drStatic PE information: section name: .wbmgl
            Source: MFPlat.DLL.6.drStatic PE information: section name: .aobcn
            Source: MFPlat.DLL.6.drStatic PE information: section name: .xdno
            Source: MFPlat.DLL.6.drStatic PE information: section name: .ipsw
            Source: MFPlat.DLL.6.drStatic PE information: section name: .cqpqq
            Source: MFPlat.DLL.6.drStatic PE information: section name: .skzqoj
            Source: MFPlat.DLL.6.drStatic PE information: section name: .nvjg
            Source: MFPlat.DLL.6.drStatic PE information: section name: .bbt
            Source: MFPlat.DLL.6.drStatic PE information: section name: .wsg
            Source: MFPlat.DLL.6.drStatic PE information: section name: .vqdhza
            Source: MFPlat.DLL.6.drStatic PE information: section name: .mgf
            Source: MFPlat.DLL.6.drStatic PE information: section name: .xusvuv
            Source: MFPlat.DLL.6.drStatic PE information: section name: .pod
            Source: C:\Users\user\AppData\Local\A7mgbJ\lpksetup.exeCode function: 34_2_00007FF75CA5E1C0 LoadLibraryW,GetProcAddress,SetLastError,GetProcessHeap,HeapFree,FreeLibrary,
            Source: DUI70.dll.6.drStatic PE information: real checksum: 0x7d786c40 should be: 0x17e0d3
            Source: DUI70.dll0.6.drStatic PE information: real checksum: 0x7d786c40 should be: 0x175312
            Source: MFPlat.DLL.6.drStatic PE information: real checksum: 0x7d786c40 should be: 0x13a28e
            Source: WINSTA.dll.6.drStatic PE information: real checksum: 0x7d786c40 should be: 0x130e59
            Source: P7n0h6OhYp.dllStatic PE information: real checksum: 0x7d786c40 should be: 0x12bd58
            Source: dxgi.dll.6.drStatic PE information: real checksum: 0x7d786c40 should be: 0x12efaf
            Source: WINMM.dll.6.drStatic PE information: real checksum: 0x7d786c40 should be: 0x136255
            Source: SYSDM.CPL.6.drStatic PE information: real checksum: 0x7d786c40 should be: 0x130324
            Source: UxTheme.dll.6.drStatic PE information: real checksum: 0x7d786c40 should be: 0x139326
            Source: DUser.dll.6.drStatic PE information: real checksum: 0x7d786c40 should be: 0x13a09a
            Source: dpx.dll.6.drStatic PE information: real checksum: 0x7d786c40 should be: 0x13493d
            Source: MFC42u.dll.6.drStatic PE information: real checksum: 0x7d786c40 should be: 0x134998
            Source: RdpSa.exe.6.drStatic PE information: 0xF201B8C4 [Sat Aug 30 01:05:08 2098 UTC]
            Source: initial sampleStatic PE information: section name: .text entropy: 7.73364605679
            Source: C:\Windows\explorer.exeFile created: C:\Users\user\AppData\Local\4PmTNr\SYSDM.CPLJump to dropped file
            Source: C:\Windows\explorer.exeFile created: C:\Users\user\AppData\Local\A7mgbJ\lpksetup.exeJump to dropped file
            Source: C:\Windows\explorer.exeFile created: C:\Users\user\AppData\Local\Rn1XW4tG\UxTheme.dllJump to dropped file
            Source: C:\Windows\explorer.exeFile created: C:\Users\user\AppData\Local\JrFH9qPBX\DUI70.dllJump to dropped file
            Source: C:\Windows\explorer.exeFile created: C:\Users\user\AppData\Local\tiy3x\DUI70.dllJump to dropped file
            Source: C:\Windows\explorer.exeFile created: C:\Users\user\AppData\Local\pEPyA\MFPlat.DLLJump to dropped file
            Source: C:\Windows\explorer.exeFile created: C:\Users\user\AppData\Local\aDD0Ov\dxgi.dllJump to dropped file
            Source: C:\Windows\explorer.exeFile created: C:\Users\user\AppData\Local\Rn1XW4tG\GamePanel.exeJump to dropped file
            Source: C:\Windows\explorer.exeFile created: C:\Users\user\AppData\Local\4PmTNr\SYSDM.CPLJump to dropped file
            Source: C:\Windows\explorer.exeFile created: C:\Users\user\AppData\Local\tiy3x\SystemSettingsRemoveDevice.exeJump to dropped file
            Source: C:\Windows\explorer.exeFile created: C:\Users\user\AppData\Local\ocY6\WINMM.dllJump to dropped file
            Source: C:\Windows\explorer.exeFile created: C:\Users\user\AppData\Local\JrFH9qPBX\WindowsActionDialog.exeJump to dropped file
            Source: C:\Windows\explorer.exeFile created: C:\Users\user\AppData\Local\pEPyA\mfpmp.exeJump to dropped file
            Source: C:\Windows\explorer.exeFile created: C:\Users\user\AppData\Local\aDD0Ov\dxgiadaptercache.exeJump to dropped file
            Source: C:\Windows\explorer.exeFile created: C:\Users\user\AppData\Local\NNw\DUser.dllJump to dropped file
            Source: C:\Windows\explorer.exeFile created: C:\Users\user\AppData\Local\A7mgbJ\dpx.dllJump to dropped file
            Source: C:\Windows\explorer.exeFile created: C:\Users\user\AppData\Local\ocY6\Narrator.exeJump to dropped file
            Source: C:\Windows\explorer.exeFile created: C:\Users\user\AppData\Local\NNw\sessionmsg.exeJump to dropped file
            Source: C:\Windows\explorer.exeFile created: C:\Users\user\AppData\Local\1wgM9CYx\RdpSa.exeJump to dropped file
            Source: C:\Windows\explorer.exeFile created: C:\Users\user\AppData\Local\4PmTNr\SystemPropertiesComputerName.exeJump to dropped file
            Source: C:\Windows\explorer.exeFile created: C:\Users\user\AppData\Local\j3KBEEMS\irftp.exeJump to dropped file
            Source: C:\Windows\explorer.exeFile created: C:\Users\user\AppData\Local\1wgM9CYx\WINSTA.dllJump to dropped file
            Source: C:\Windows\explorer.exeFile created: C:\Users\user\AppData\Local\j3KBEEMS\MFC42u.dllJump to dropped file
            Source: C:\Users\user\AppData\Local\A7mgbJ\lpksetup.exeCode function: 34_2_00007FF75CA5E024 LoadLibraryExW,GetProcAddress,GetProcessHeap,HeapAlloc,SetLastError,LoadStringW,SetLastError,SetLastError,GetProcessHeap,HeapFree,FreeLibrary,
            Source: C:\Users\user\AppData\Local\ocY6\Narrator.exeCode function: 37_2_00007FF69A2AC540 GetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetLastError,ShowWindow,IsIconic,GetWindowRect,CoCreateInstance,GetProcAddress,ShellExecuteW,PostQuitMessage,PostMessageW,
            Source: C:\Users\user\AppData\Local\A7mgbJ\lpksetup.exeCode function: 34_2_00007FF75CA2B248 GetProcessHeap,HeapAlloc,GetProcessHeap,HeapFree,memset,GetModuleHandleExW,GetProcAddress,GetProcessHeap,HeapFree,FreeLibrary,memset,memcpy,GetLastError,GetLastError,GetProcessHeap,HeapAlloc,GetCurrentThreadId,GetLastError,GetProcessHeap,HeapAlloc,wcscmp,wcscmp,GetCurrentProcess,GetProcessMitigationPolicy,GetProcessHeap,HeapAlloc,memcpy,GetProcessHeap,HeapAlloc,memcpy,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetModuleFileNameW,GetLastError,GetLastError,~SyncLockT,GetProcessHeap,HeapAlloc,memcpy,GetProcessHeap,HeapAlloc,memcpy,GetProcessHeap,HeapAlloc,memcpy,memcpy,memcpy,GetProcessHeap,HeapAlloc,memcpy,GetProcessHeap,HeapFree,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapAlloc,memcpy,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapAlloc,memcpy,memcpy,memcpy,GetProcessHeap,HeapFree,GetProcessHeap,HeapAlloc,GetModuleHandleExW,GetLastError,GetProcAddress,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapAlloc,memcpy,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,memset,memset,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapFree,memset,GetModuleHandleExW,GetProcAddress,GetProcessHeap,HeapFree,FreeLibrary,memset,memcpy,GetProcessHeap,HeapAlloc
,GetProcessHeap,HeapFree,memset,GetModuleHandleExW,GetProcAddress,GetProcessHeap,HeapFree,FreeLibrary,memset,memcpy,memset,GetLastError,GetLastError,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapFree,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapAlloc,GetLastError,GetProcessHeap,HeapFree,GetLastError,memset,memset,GetLastError,FreeLibrary,memset,memcpy,memset,GetLastError,memset,GetLastError,GetLastError,memset,GetLastError,GetLastError,memset,memset,memset,memset,memset,GetLastError,memset,GetLastError,memset,memset,memset,GetLastError,GetLastError,memset,GetLastError,GetLastError,memset,GetLastError,memset,memset,memset,GetLastError,memset,GetLastError,memset,memset,memset,memset,GetLastError,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,FreeLibrary,memset,memcpy,memset,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapFree,memset,GetModuleHandleExW,GetProcAddress,GetProcessHeap,HeapFree,FreeLibrary,memset,memcpy,FreeLibrary,memset,memcpy,memcpy,memcpy,GetProcessHeap,HeapAlloc,memcpy,GetProcessHeap,
            Source: C:\Windows\System32\rundll32.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\rundll32.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\rundll32.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\rundll32.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\explorer.exe TID: 4416 | Thread sleep count: 44 > 30
            Source: C:\Windows\explorer.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\pEPyA\MFPlat.DLL
            Source: C:\Windows\explorer.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\4PmTNr\SYSDM.CPL
            Source: C:\Windows\explorer.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\ocY6\WINMM.dll
            Source: C:\Windows\explorer.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\pEPyA\mfpmp.exe
            Source: C:\Windows\explorer.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\4PmTNr\SystemPropertiesComputerName.exe
            Source: C:\Windows\explorer.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\j3KBEEMS\irftp.exe
            Source: C:\Windows\explorer.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\j3KBEEMS\MFC42u.dll
            Source: C:\Users\user\AppData\Local\A7mgbJ\lpksetup.exe | Code function: 34_2_00007FF75CA5D288 GetLocalTime followed by cmp: cmp dx, 0018h and CTI: jbe 00007FF75CA5D3C8h
            Source: C:\Users\user\AppData\Local\A7mgbJ\lpksetup.exe | Code function: 34_2_00007FF75CA2B248 rdtsc
            Source: C:\Windows\System32\loaddll64.exe | Process information queried: ProcessInformation
            Source: C:\Windows\System32\loaddll64.exe | Code function: 1_2_000000014005C340 GetSystemInfo,
            Source: C:\Windows\System32\loaddll64.exe | Code function: 1_2_000000014005D290 FindFirstFileExW,
            Source: C:\Users\user\AppData\Local\A7mgbJ\lpksetup.exe | Code function: 34_2_00007FF75CA5FC24 SetLastError,malloc,PathCchCombine,FindFirstFileW,GetLastError,free,malloc,PathCchCombine,DeleteFileW,FindNextFileW,RemoveDirectoryW,free,FindClose,
            Source: C:\Users\user\AppData\Local\A7mgbJ\lpksetup.exe | Code function: 34_2_00007FF75CA65828 memset,PathCchCombine,memset,FindFirstFileW,PathCchCombine,PathFindExtensionW,_wcsicmp,_wcsicmp,_wcsicmp,PathCchCombine,free,free,free,free,FindNextFileW,FindClose,
            Source: explorer.exe, 00000006.00000000.250299245.0000000003710000.00000004.00000001.sdmp | Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
            Source: explorer.exe, 00000006.00000000.292788687.00000000011B3000.00000004.00000020.sdmp | Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000tft\0
            Source: explorer.exe, 00000006.00000000.256548846.00000000089B5000.00000004.00000001.sdmp | Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000%
            Source: explorer.exe, 00000006.00000000.251030851.00000000053C4000.00000004.00000001.sdmp | Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}>'R\"
            Source: explorer.exe, 00000006.00000000.256548846.00000000089B5000.00000004.00000001.sdmp | Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&0000002
            Source: C:\Users\user\AppData\Local\aDD0Ov\dxgiadaptercache.exe | Code function: 24_2_00007FF64DC56914 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
            Source: C:\Users\user\AppData\Local\NNw\sessionmsg.exe | Code function: 41_2_00007FF7635C72D0 GetLastError,_vsnprintf,OutputDebugStringA,SetLastError,
            Source: C:\Users\user\AppData\Local\A7mgbJ\lpksetup.exe | Code function: 34_2_00007FF75CA5E1C0 LoadLibraryW,GetProcAddress,SetLastError,GetProcessHeap,HeapFree,FreeLibrary,
            Source: C:\Users\user\AppData\Local\1wgM9CYx\RdpSa.exe | Code function: 21_2_00007FF73A1B1124 SysFreeString,GetProcessHeap,HeapFree,
            Source: C:\Users\user\AppData\Local\A7mgbJ\lpksetup.exe | Code function: 34_2_00007FF75CA2B248 rdtsc
            Source: C:\Windows\System32\loaddll64.exe | Code function: 1_2_0000000140048AC0 LdrLoadDll,FindClose,
            Source: C:\Users\user\AppData\Local\Rn1XW4tG\GamePanel.exe | Code function: 26_2_00007FF7A35AED00 memset,memset,QueryPerformanceFrequency,QueryPerformanceCounter,BlockInput,
            Source: C:\Users\user\AppData\Local\1wgM9CYx\RdpSa.exe | Code function: 21_2_00007FF73A1B7330 SetUnhandledExceptionFilter,
            Source: C:\Users\user\AppData\Local\1wgM9CYx\RdpSa.exe | Code function: 21_2_00007FF73A1B75B4 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
            Source: C:\Users\user\AppData\Local\aDD0Ov\dxgiadaptercache.exe | Code function: 24_2_00007FF64DC56914 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
            Source: C:\Users\user\AppData\Local\aDD0Ov\dxgiadaptercache.exe | Code function: 24_2_00007FF64DC56F00 IsProcessorFeaturePresent,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
            Source: C:\Users\user\AppData\Local\aDD0Ov\dxgiadaptercache.exe | Code function: 24_2_00007FF64DC570A0 SetUnhandledExceptionFilter,
            Source: C:\Users\user\AppData\Local\Rn1XW4tG\GamePanel.exe | Code function: 26_2_00007FF7A361B284 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
            Source: C:\Users\user\AppData\Local\Rn1XW4tG\GamePanel.exe | Code function: 26_2_00007FF7A361BF20 SetUnhandledExceptionFilter,
            Source: C:\Users\user\AppData\Local\Rn1XW4tG\GamePanel.exe | Code function: 26_2_00007FF7A361BD44 IsProcessorFeaturePresent,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
            Source: C:\Users\user\AppData\Local\tiy3x\SystemSettingsRemoveDevice.exe | Code function: 30_2_00007FF6C5E64694 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
            Source: C:\Users\user\AppData\Local\tiy3x\SystemSettingsRemoveDevice.exe | Code function: 30_2_00007FF6C5E64360 SetUnhandledExceptionFilter,
            Source: C:\Users\user\AppData\Local\A7mgbJ\lpksetup.exe | Code function: 34_2_00007FF75CA90028 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
            Source: C:\Users\user\AppData\Local\A7mgbJ\lpksetup.exe | Code function: 34_2_00007FF75CA90640 SetUnhandledExceptionFilter,
            Source: C:\Users\user\AppData\Local\ocY6\Narrator.exe | Code function: 37_2_00007FF69A2C3B8C IsProcessorFeaturePresent,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
            Source: C:\Users\user\AppData\Local\ocY6\Narrator.exe | Code function: 37_2_00007FF69A2C3D68 SetUnhandledExceptionFilter,
            Source: C:\Users\user\AppData\Local\ocY6\Narrator.exe | Code function: 37_2_00007FF69A2C35E4 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
            Source: C:\Users\user\AppData\Local\JrFH9qPBX\WindowsActionDialog.exe | Code function: 39_2_00007FF639958450 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
            Source: C:\Users\user\AppData\Local\JrFH9qPBX\WindowsActionDialog.exe | Code function: 39_2_00007FF639958750 SetUnhandledExceptionFilter,
            Source: C:\Users\user\AppData\Local\NNw\sessionmsg.exe | Code function: 41_2_00007FF7635C7E80 SetUnhandledExceptionFilter,
            Source: C:\Users\user\AppData\Local\NNw\sessionmsg.exe | Code function: 41_2_00007FF7635C7AA4 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,

            HIPS / PFW / Operating System Protection Evasion:

            Benign windows process drops PE files
            Source: C:\Windows\explorer.exe | File created: WINSTA.dll.6.dr
            Changes memory attributes in foreign processes to executable or writable
            Source: C:\Windows\System32\rundll32.exe | Memory protected: C:\Windows\explorer.exe base: 7FFA9B8EEFE0 protect: page execute and read and write
            Source: C:\Windows\System32\rundll32.exe | Memory protected: C:\Windows\explorer.exe base: 7FFA9B8EE000 protect: page execute read
            Source: C:\Windows\System32\rundll32.exe | Memory protected: C:\Windows\explorer.exe base: 7FFA9B312A20 protect: page execute and read and write
            Queues an APC in another process (thread injection)
            Source: C:\Windows\System32\rundll32.exe | Thread APC queued: target process: C:\Windows\explorer.exe
            Uses Atom Bombing / ProGate to inject into other processes
            Source: C:\Windows\System32\rundll32.exe | Atom created: 405553565741544156488D6C24D14881EC98 0x00000000 inc eax 0x00000001 push ebp 0x00000002 push ebx 0x00000003 push esi 0x00000004 push edi 0x00000005 inc ecx 0x00000006 push esp 0x00000007 inc ecx 0x00000008 push esi 0x00000009 dec eax 0x0000000a lea ebp, dword ptr [esp-2Fh] 0x0000000e dec eax 0x0000000f sub esp, 00000098h
            Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\P7n0h6OhYp.dll',#1
            Source: C:\Users\user\AppData\Local\Rn1XW4tG\GamePanel.exe | Code function: 26_2_00007FF7A3618CAC mouse_event,SetForegroundWindow,
            Source: C:\Users\user\AppData\Local\A7mgbJ\lpksetup.exe | Code function: 34_2_00007FF75CA5C290 memset,memset,memset,memset,memset,memset,memset,memset,InitializeSecurityDescriptor,CreateWellKnownSid,CreateWellKnownSid,CreateWellKnownSid,CreateWellKnownSid,CreateWellKnownSid,CreateWellKnownSid,SetEntriesInAclW,SetSecurityDescriptorOwner,SetSecurityDescriptorGroup,SetSecurityDescriptorDacl,CoInitializeSecurity,LocalFree,GetLastError,GetLastError,
            Source: C:\Users\user\AppData\Local\Rn1XW4tG\GamePanel.exe | Code function: 26_2_00007FF7A3616418 AllocateAndInitializeSid,GetLastError,CloseHandle,SetLastError,OpenProcessToken,GetLastError,CloseHandle,SetLastError,DuplicateToken,CheckTokenMembership,GetLastError,FreeSid,CloseHandle,CloseHandle,
            Source: explorer.exe, 00000006.00000000.293021338.0000000001640000.00000002.00020000.sdmp | Binary or memory string: Shell_TrayWnd
            Source: explorer.exe, 00000006.00000000.293021338.0000000001640000.00000002.00020000.sdmp | Binary or memory string: Progman
            Source: explorer.exe, 00000006.00000000.293021338.0000000001640000.00000002.00020000.sdmp | Binary or memory string: SProgram Managerl
            Source: explorer.exe, 00000006.00000000.264233925.0000000001128000.00000004.00000020.sdmp | Binary or memory string: ProgmanOMEa
            Source: explorer.exe, 00000006.00000000.293021338.0000000001640000.00000002.00020000.sdmp | Binary or memory string: Shell_TrayWnd,
            Source: explorer.exe, 00000006.00000000.293021338.0000000001640000.00000002.00020000.sdmp | Binary or memory string: Progmanlock
            Source: C:\Windows\System32\loaddll64.exe | Queries volume information: unknown VolumeInformation
            Source: C:\Windows\System32\loaddll64.exe | Queries volume information: unknown VolumeInformation
            Source: C:\Windows\System32\rundll32.exe | Queries volume information: unknown VolumeInformation
            Source: C:\Windows\System32\rundll32.exe | Queries volume information: unknown VolumeInformation
            Source: C:\Windows\System32\rundll32.exe | Queries volume information: unknown VolumeInformation
            Source: C:\Windows\System32\rundll32.exe | Queries volume information: unknown VolumeInformation
            Source: C:\Windows\System32\rundll32.exe | Queries volume information: unknown VolumeInformation
            Source: C:\Windows\System32\rundll32.exe | Queries volume information: unknown VolumeInformation
            Source: C:\Windows\System32\rundll32.exe | Queries volume information: unknown VolumeInformation
            Source: C:\Windows\System32\rundll32.exe | Queries volume information: unknown VolumeInformation
            Source: C:\Users\user\AppData\Local\1wgM9CYx\RdpSa.exe | Queries volume information: unknown VolumeInformation
            Source: C:\Users\user\AppData\Local\1wgM9CYx\RdpSa.exe | Queries volume information: unknown VolumeInformation
            Source: C:\Users\user\AppData\Local\aDD0Ov\dxgiadaptercache.exe | Queries volume information: unknown VolumeInformation
            Source: C:\Users\user\AppData\Local\aDD0Ov\dxgiadaptercache.exe | Queries volume information: unknown VolumeInformation
            Source: C:\Users\user\AppData\Local\Rn1XW4tG\GamePanel.exe | Queries volume information: unknown VolumeInformation
            Source: C:\Users\user\AppData\Local\Rn1XW4tG\GamePanel.exe | Queries volume information: unknown VolumeInformation
            Source: C:\Users\user\AppData\Local\tiy3x\SystemSettingsRemoveDevice.exe | Queries volume information: unknown VolumeInformation
            Source: C:\Users\user\AppData\Local\tiy3x\SystemSettingsRemoveDevice.exe | Queries volume information: unknown VolumeInformation
            Source: C:\Users\user\AppData\Local\A7mgbJ\lpksetup.exe | Queries volume information: unknown VolumeInformation
            Source: C:\Users\user\AppData\Local\A7mgbJ\lpksetup.exe | Queries volume information: unknown VolumeInformation
            Source: C:\Users\user\AppData\Local\JrFH9qPBX\WindowsActionDialog.exe | Queries volume information: unknown VolumeInformation
            Source: C:\Users\user\AppData\Local\JrFH9qPBX\WindowsActionDialog.exe | Queries volume information: unknown VolumeInformation
            Source: C:\Users\user\AppData\Local\NNw\sessionmsg.exe | Queries volume information: unknown VolumeInformation
            Source: C:\Users\user\AppData\Local\NNw\sessionmsg.exe | Queries volume information: unknown VolumeInformation
            Source: C:\Users\user\AppData\Local\Rn1XW4tG\GamePanel.exe | Code function: _o__Getdays,_o_free,_o__Getmonths,_o_free,_o____lc_locale_name_func,GetLocaleInfoEx,
            Source: C:\Users\user\AppData\Local\Rn1XW4tG\GamePanel.exe | Code function: _o__Getdays,_o_free,_o_calloc,_o__Getmonths,_o_free,_o_calloc,_o_calloc,_o____lc_locale_name_func,GetLocaleInfoEx,Concurrency::cancel_current_task,Concurrency::cancel_current_task,Concurrency::cancel_current_task,
            Source: C:\Users\user\AppData\Local\Rn1XW4tG\GamePanel.exe | Code function: _o__W_Getdays,_o_free,_o_malloc,memmove,_o_free,_o__W_Getmonths,_o_free,_o_malloc,memmove,_o_free,_o____lc_locale_name_func,GetLocaleInfoEx,
            Source: C:\Users\user\AppData\Local\Rn1XW4tG\GamePanel.exe | Code function: RoInitialize,CoInitializeSecurity,RegisterWindowMessageW,CommandLineToArgvW,wcschr,_o__wcsnicmp,wcsnlen,_o_wcstol,_o__wcsnicmp,_o_wcstol,FindWindowW,GetUserDefaultUILanguage,GetLocaleInfoW,SetProcessDefaultLayout,IsWindow,SetProcessDpiAwareness,PostMessageW,memset,PostQuitMessage,TranslateAcceleratorW,TranslateMessage,DispatchMessageW,GetMessageW,EventUnregister,CloseHandle,EventUnregister,UnhookWinEvent,LocalFree,CloseHandle,RoUninitialize,
            Source: C:\Users\user\AppData\Local\Rn1XW4tG\GamePanel.exe | Code function: WindowsGetStringRawBuffer,WideCharToMultiByte,WindowsDeleteString,WindowsDuplicateString,WindowsDeleteString,WindowsDuplicateString,GetUserDefaultUILanguage,LCIDToLocaleName,GetLocaleInfoEx,
            Source: C:\Users\user\AppData\Local\A7mgbJ\lpksetup.exe | Code function: GetSystemDefaultUILanguage,GetLocaleInfoW,
            Source: C:\Users\user\AppData\Local\A7mgbJ\lpksetup.exe | Code function: GetLocaleInfoEx,GetLocaleInfoEx,free,_CxxThrowException,_CxxThrowException,
            Source: C:\Windows\System32\loaddll64.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion InstallDate
            Source: C:\Windows\System32\loaddll64.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
            Source: C:\Users\user\AppData\Local\1wgM9CYx\RdpSa.exe | Code function: 21_2_00007FF73A1B74C0 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,GetTickCount,QueryPerformanceCounter,
            Source: C:\Users\user\AppData\Local\A7mgbJ\lpksetup.exe | Code function: 34_2_00007FF75CA5C018 memset,GetVersionExW,GetProductInfo,
            Source: C:\Users\user\AppData\Local\1wgM9CYx\RdpSa.exe | Code function: 21_2_00007FF73A1B4A50 GetUserNameExW,GetLastError,GetUserNameExW,GetLastError,
            Source: C:\Users\user\AppData\Local\1wgM9CYx\RdpSa.exe | Code function: 21_2_00007FF73A1B6AB4 memset,CreateBindCtx,StringFromCLSID,MkParseDisplayName,CoTaskMemFree,
            Source: C:\Users\user\AppData\Local\A7mgbJ\lpksetup.exe | Code function: 34_2_00007FF75CA5B6B0 SHGetDataFromIDListW,SHBindToFolderIDListParent,StrRetToStrW,PathMatchSpecExW,CoTaskMemFree,
            Source: C:\Users\user\AppData\Local\ocY6\Narrator.exe | Code function: 37_2_00007FF69A2AE7C0 wcspbrk,#4,#6,#4,#6,#4,#6,#6,#6,GetKeyboardLayout,StrToID,?FindDescendent@Element@DirectUI@@QEAAPEAV12@G@Z,?SetContentString@Element@DirectUI@@QEAAJPEBG@Z,#6,StrToID,?FindDescendent@Element@DirectUI@@QEAAPEAV12@G@Z,?SetContentString@Element@DirectUI@@QEAAJPEBG@Z,#6,#6,#2,StrToID,?FindDescendent@Element@DirectUI@@QEAAPEAV12@G@Z,?AddListener@Element@DirectUI@@QEAAJPEAUIElementListener@2@@Z,StrToID,?FindDescendent@Element@DirectUI@@QEAAPEAV12@G@Z,SendMessageW,SendMessageW,memset,LoadStringW,SendMessageW,LoadStringW,SendMessageW,#8,#9,CoCreateInstance,AccSetRunningUtilityState,memset,#8,#9,
            Source: C:\Users\user\AppData\Local\ocY6\Narrator.exe | Code function: 37_2_00007FF69A2ADDC8 AccSetRunningUtilityState,StrToID,?FindDescendent@Element@DirectUI@@QEAAPEAV12@G@Z,?RemoveListener@Element@DirectUI@@QEAAXPEAUIElementListener@2@@Z,?SyncDestroyWindow@NativeHWNDHost@DirectUI@@QEAAXXZ,

            Mitre Att&ck Matrix

            Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
            Valid Accounts | Native API 1 | DLL Side-Loading 1 | DLL Side-Loading 1 | Disable or Modify Tools 1 | Input Capture 31 | System Time Discovery 11 | Remote Services | Archive Collected Data 1 | Exfiltration Over Other Network Medium | Encrypted Channel 2 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | System Shutdown/Reboot 1
            Default Accounts | Exploitation for Client Execution 1 | Application Shimming 1 | Application Shimming 1 | Deobfuscate/Decode Files or Information 1 | LSASS Memory | Account Discovery 1 | Remote Desktop Protocol | Screen Capture 1 | Exfiltration Over Bluetooth | Junk Data | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
            Domain Accounts | Command and Scripting Interpreter 2 | Logon Script (Windows) | Access Token Manipulation 1 | Obfuscated Files or Information 3 | Security Account Manager | File and Directory Discovery 1 | SMB/Windows Admin Shares | Input Capture 31 | Automated Exfiltration | Steganography | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
            Local Accounts | At (Windows) | Logon Script (Mac) | Process Injection 312 | Software Packing 2 | NTDS | System Information Discovery 36 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Protocol Impersonation | SIM Card Swap |  | Carrier Billing Fraud
            Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Timestomp 1 | LSA Secrets | Security Software Discovery 41 | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication |  | Manipulate App Store Rankings or Ratings
            Replication Through Removable Media | Launchd | Rc.common | Rc.common | DLL Side-Loading 1 | Cached Domain Credentials | Virtualization/Sandbox Evasion 1 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service |  | Abuse Accessibility Features
            External Remote Services | Scheduled Task | Startup Items | Startup Items | Masquerading 11 | DCSync | Process Discovery 2 | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points |  | Data Encrypted for Impact
            Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | Virtualization/Sandbox Evasion 1 | Proc Filesystem | Application Window Discovery 1 | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols |  | Generate Fraudulent Advertising Revenue
            Exploit Public-Facing Application | PowerShell | At (Linux) | At (Linux) | Access Token Manipulation 1 | /etc/passwd and /etc/shadow | System Owner/User Discovery 1 | Software Deployment Tools | Data Staged | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | Web Protocols | Rogue Cellular Base Station |  | Data Destruction
            Supply Chain Compromise | AppleScript | At (Windows) | At (Windows) | Process Injection 312 | Network Sniffing | Process Discovery | Taint Shared Content | Local Data Staging | Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol | File Transfer Protocols |  |  | Data Encrypted for Impact
            Compromise Software Dependencies and Development Tools | Windows Command Shell | Cron | Cron | Rundll32 1 | Input Capture | Permission Groups Discovery | Replication Through Removable Media | Remote Data Staging | Exfiltration Over Physical Medium | Mail Protocols |  |  | Service Stop

            Behavior Graph

            Behavior Graph ID: 492431 | Sample: P7n0h6OhYp | Startdate: 28/09/2021 | Architecture: WINDOWS | Score: 92

            Top-level signatures: Antivirus detection for dropped file; Antivirus / Scanner detection for submitted sample; Multi AV Scanner detection for submitted file; Yara detected Dridex unpacked file

            Process tree recovered from the graph:

            • loaddll64.exe (started)
            • loaddll64.exe > rundll32.exe (started); signatures: Changes memory attributes in foreign processes to executable or writable; Uses Atom Bombing / ProGate to inject into other processes; Queues an APC in another process (thread injection)
            • rundll32.exe > explorer.exe (injected); signature: Benign windows process drops PE files
            • explorer.exe dropped: C:\Users\user\AppData\Local\...\MFPlat.DLL (PE32+); C:\Users\user\AppData\Local\ocY6\WINMM.dll (PE32+); C:\Users\user\AppData\Local\...\MFC42u.dll (PE32+); 19 other files (7 malicious)
            • explorer.exe started: SystemSettingsRemoveDevice.exe; GamePanel.exe; dxgiadaptercache.exe; 13 other processes
            • loaddll64.exe > cmd.exe (started)
            • cmd.exe > rundll32.exe (started)
            • loaddll64.exe > rundll32.exe (started)
            • loaddll64.exe > rundll32.exe (started)

            Screenshots


            Antivirus, Machine Learning and Genetic Malware Detection

            Initial Sample

            Source | Detection | Scanner | Label
            P7n0h6OhYp.dll | 66% | Virustotal |
            P7n0h6OhYp.dll | 60% | Metadefender |
            P7n0h6OhYp.dll | 76% | ReversingLabs | Win64.Infostealer.Dridex
            P7n0h6OhYp.dll | 100% | Avira | TR/Crypt.ZPACK.Gen

            Dropped Files

            Source | Detection | Scanner | Label
            C:\Users\user\AppData\Local\1wgM9CYx\WINSTA.dll | 100% | Avira | TR/Crypt.ZPACK.Gen
            C:\Users\user\AppData\Local\NNw\DUser.dll | 100% | Avira | HEUR/AGEN.1114452
            C:\Users\user\AppData\Local\ocY6\WINMM.dll | 100% | Avira | TR/Crypt.ZPACK.Gen
            C:\Users\user\AppData\Local\Rn1XW4tG\UxTheme.dll | 100% | Avira | TR/Crypt.ZPACK.Gen
            C:\Users\user\AppData\Local\aDD0Ov\dxgi.dll | 100% | Avira | HEUR/AGEN.1114452
            C:\Users\user\AppData\Local\4PmTNr\SYSDM.CPL | 100% | Avira | HEUR/AGEN.1114452
            C:\Users\user\AppData\Local\j3KBEEMS\MFC42u.dll | 100% | Avira | TR/Crypt.ZPACK.Gen
            C:\Users\user\AppData\Local\A7mgbJ\dpx.dll | 100% | Avira | HEUR/AGEN.1114452
            C:\Users\user\AppData\Local\JrFH9qPBX\DUI70.dll | 100% | Avira | HEUR/AGEN.1114452
            C:\Users\user\AppData\Local\JrFH9qPBX\DUI70.dll | 100% | Avira | HEUR/AGEN.1114452
            C:\Users\user\AppData\Local\pEPyA\MFPlat.DLL | 100% | Avira | HEUR/AGEN.1114452
            C:\Users\user\AppData\Local\1wgM9CYx\RdpSa.exe | 0% | Metadefender |
            C:\Users\user\AppData\Local\1wgM9CYx\RdpSa.exe | 0% | ReversingLabs |
            C:\Users\user\AppData\Local\4PmTNr\SystemPropertiesComputerName.exe | 0% | Metadefender |
            C:\Users\user\AppData\Local\4PmTNr\SystemPropertiesComputerName.exe | 0% | ReversingLabs |
            C:\Users\user\AppData\Local\A7mgbJ\lpksetup.exe | 0% | Metadefender |
            C:\Users\user\AppData\Local\A7mgbJ\lpksetup.exe | 0% | ReversingLabs |

            Unpacked PE Files

Source | Detection | Scanner | Label
30.2.SystemSettingsRemoveDevice.exe.140000000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
41.2.sessionmsg.exe.140000000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
24.2.dxgiadaptercache.exe.140000000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
4.2.rundll32.exe.140000000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
39.2.WindowsActionDialog.exe.140000000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
10.2.rundll32.exe.140000000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
5.2.rundll32.exe.140000000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
34.2.lpksetup.exe.140000000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
21.2.RdpSa.exe.140000000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
8.2.rundll32.exe.140000000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
26.2.GamePanel.exe.140000000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
1.2.loaddll64.exe.140000000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen

            Domains

            No Antivirus matches

            URLs

Source | Detection | Scanner | Label
https://www.xboxlive.comMBI_SSLhttps://profile.xboxlive.com/users/me/profile/settings?settings=GameD | 0% | Avira URL Cloud | safe

            Domains and IPs

            Contacted Domains

            No contacted domains info

            URLs from Memory and Binaries

Name | Source | Malicious | Antivirus Detection | Reputation
https://mixer.com/api/v1/oauth/xbl/login | GamePanel.exe | false | | high
https://profile.xboxlive.com/users/me/profile/settings?settings=GameDisplayPicRaw | GamePanel.exe | false | | high
https://aka.ms/imrx2o | GamePanel.exe | false | | high
https://mixer.com/_latest/assets/emoticons/%ls.png | GamePanel.exe | false | | high
https://mixer.com/api/v1/users/current | GamePanel.exe | false | | high
https://mixer.com/_latest/assets/emoticons/%ls.pngtitleIdaumIdkglIdprocessNamenametypeIdmultimedia | GamePanel.exe, 0000001A.00000000.388756737.00007FF7A3627000.00000002.00020000.sdmp, GamePanel.exe.6.dr | false | | high
https://mixer.com/api/v1/broadcasts/current | GamePanel.exe, GamePanel.exe, 0000001A.00000000.388756737.00007FF7A3627000.00000002.00020000.sdmp, GamePanel.exe.6.dr | false | | high
https://mixer.com/%wsWindows.System.Launcher | GamePanel.exe, 0000001A.00000000.388756737.00007FF7A3627000.00000002.00020000.sdmp, GamePanel.exe.6.dr | false | | high
https://aka.ms/v5do45 | GamePanel.exe | false | | high
https://mixer.com/api/v1/types/lookup%ws | GamePanel.exe | false | | high
https://MediaData.XboxLive.com/broadcasts/Augmenthttps://MediaData.XboxLive.com/screenshots/Augmenth | GamePanel.exe, 0000001A.00000000.388756737.00007FF7A3627000.00000002.00020000.sdmp, GamePanel.exe.6.dr | false | | high
https://aka.ms/wk9ocd | GamePanel.exe, GamePanel.exe, 0000001A.00000000.388756737.00007FF7A3627000.00000002.00020000.sdmp, GamePanel.exe.6.dr | false | | high
https://MediaData.XboxLive.com/broadcasts/Augment | GamePanel.exe | false | | high
https://aka.ms/imfx4k | GamePanel.exe | false | | high
https://www.xboxlive.comMBI_SSLhttps://profile.xboxlive.com/users/me/profile/settings?settings=GameD | GamePanel.exe, 0000001A.00000000.388756737.00007FF7A3627000.00000002.00020000.sdmp, GamePanel.exe.6.dr | false | Avira URL Cloud: safe | low
https://MediaData.XboxLive.com/gameclips/Augment | GamePanel.exe | false | | high
https://www.xboxlive.com | GamePanel.exe | false | | high
https://mixer.com/api/v1/channels/%d | GamePanel.exe | false | | high
https://mixer.com/api/v1/types/lookup%wshttps://mixer.com/api/v1/channels/%wshttps://mixer.com/api/v | GamePanel.exe, 0000001A.00000000.388756737.00007FF7A3627000.00000002.00020000.sdmp, GamePanel.exe.6.dr | false | | high
https://mixer.com/api/v1/channels/%ws | GamePanel.exe | false | | high
https://mixer.com/api/v1/chats/%.0fhttps://mixer.com/api/v1/users/currentBEAM_IMAGEGamesGuide::BeamC | GamePanel.exe, 0000001A.00000000.388756737.00007FF7A3627000.00000002.00020000.sdmp, GamePanel.exe.6.dr | false | | high
https://MediaData.XboxLive.com/screenshots/Augment | GamePanel.exe | false | | high
https://mixer.com/api/v1/chats/%.0f | GamePanel.exe | false | | high
https://aka.ms/ifg0es | GamePanel.exe | false | | high
https://mixer.com/%ws | GamePanel.exe | false | | high
https://aka.ms/w5ryqnhttps://aka.ms/imfx4kQUITTING | GamePanel.exe, 0000001A.00000000.388756737.00007FF7A3627000.00000002.00020000.sdmp, GamePanel.exe.6.dr | false | | high
https://aka.ms/w5ryqn | GamePanel.exe | false | | high

                                                                Contacted IPs

                                                                No contacted IP infos

                                                                General Information

                                                                Joe Sandbox Version:33.0.0 White Diamond
                                                                Analysis ID:492431
                                                                Start date:28.09.2021
                                                                Start time:17:44:10
                                                                Joe Sandbox Product:CloudBasic
                                                                Overall analysis duration:0h 16m 29s
                                                                Hypervisor based Inspection enabled:false
                                                                Report type:light
                                                                Sample file name:P7n0h6OhYp (renamed file extension from none to dll)
                                                                Cookbook file name:default.jbs
                                                                Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed:41
                                                                Number of new started drivers analysed:0
                                                                Number of existing processes analysed:0
                                                                Number of existing drivers analysed:0
                                                                Number of injected processes analysed:0
                                                                Technologies:
                                                                • HCA enabled
                                                                • EGA enabled
                                                                • HDC enabled
                                                                • AMSI enabled
                                                                Analysis Mode:default
                                                                Analysis stop reason:Timeout
                                                                Detection:MAL
                                                                Classification:mal92.troj.evad.winDLL@49/23@0/0
                                                                EGA Information:Failed
                                                                HDC Information:
                                                                • Successful, ratio: 17.1% (good quality ratio 11.4%)
                                                                • Quality average: 55.1%
                                                                • Quality standard deviation: 44.7%
                                                                HCA Information:Failed
                                                                Cookbook Comments:
                                                                • Adjust boot time
                                                                • Enable AMSI
                                                                • Override analysis time to 240s for rundll32
                                                                Warnings:
                                                                • Exclude process from analysis (whitelisted): MpCmdRun.exe, BackgroundTransferHost.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe
                                                                • Excluded IPs from analysis (whitelisted): 23.211.6.115, 23.211.4.86, 20.82.210.154, 20.199.120.182, 40.112.88.60, 80.67.82.211, 80.67.82.235, 20.199.120.85, 20.199.120.151, 20.54.110.249
                                                                • Excluded domains from analysis (whitelisted): client.wns.windows.com, fs.microsoft.com, displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, ris-prod.trafficmanager.net, neu-displaycatalogrp.frontdoor.bigcatalog.commerce.microsoft.com, asf-ris-prod-neu.northeurope.cloudapp.azure.com, store-images.s-microsoft.com-c.edgekey.net, e1723.g.akamaiedge.net, iris-de-prod-azsc-neu-b.northeurope.cloudapp.azure.com, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, a1449.dscg2.akamai.net, arc.msn.com, ris.api.iris.microsoft.com, e12564.dspb.akamaiedge.net, wns.notify.trafficmanager.net, consumer-displaycatalogrp-aks2aks-europe.md.mp.microsoft.com.akadns.net, store-images.s-microsoft.com, arc.trafficmanager.net, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net, displaycatalog-rp.md.mp.microsoft.com.akadns.net
• Not all processes were analyzed, report is missing behavior information
                                                                • Report size exceeded maximum capacity and may have missing behavior information.
                                                                • Report size exceeded maximum capacity and may have missing disassembly code.
                                                                • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                                                                • Report size getting too big, too many NtEnumerateKey calls found.

                                                                Simulations

                                                                Behavior and APIs

                                                                No simulations

                                                                Joe Sandbox View / Context

                                                                IPs

                                                                No context

                                                                Domains

                                                                No context

                                                                ASN

                                                                No context

                                                                JA3 Fingerprints

                                                                No context

                                                                Dropped Files

                                                                No context

                                                                Created / dropped Files

                                                                C:\Users\user\AppData\Local\1wgM9CYx\RdpSa.exe
                                                                Process:C:\Windows\explorer.exe
                                                                File Type:PE32+ executable (GUI) x86-64, for MS Windows
                                                                Category:dropped
                                                                Size (bytes):43008
                                                                Entropy (8bit):5.898730459072675
                                                                Encrypted:false
                                                                SSDEEP:768:2nweYBCOBU+khtTMstnGUEqbfynaDWVVVFZ5i7t4AYRyF:TiaU+1qDya6VV7Z5SudyF
                                                                MD5:0795B6F790F8E52D55F39E593E9C5BBA
                                                                SHA1:6A9991A1762AAC176E3F47AB210CC121E038E4F9
                                                                SHA-256:DF5B698983C3F08265F2FB0B74046CD7E68568190F329C8331CCA4761256D33B
                                                                SHA-512:72D332EBDD1B9B40E18F565DACC200E5B710A91D803D536A0CF127C74622EED12A5EC855B9040F4A1FA8A44584E4E97E7E6C490B88DB3BDAFE61EA3FBF26AB59
                                                                Malicious:false
                                                                Antivirus:
• Antivirus: Metadefender, Detection: 0%
                                                                • Antivirus: ReversingLabs, Detection: 0%
                                                                Reputation:unknown
                                                                C:\Users\user\AppData\Local\1wgM9CYx\WINSTA.dll
                                                                Process:C:\Windows\explorer.exe
                                                                File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                Category:dropped
                                                                Size (bytes):1228800
                                                                Entropy (8bit):5.569298691821607
                                                                Encrypted:false
                                                                SSDEEP:12288:ZVI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1:YfP7fWsK5z9A+WGAW+V5SB6Ct4bnb
                                                                MD5:9446475335E74BA8A8FBB0863D2FA19E
                                                                SHA1:EECFA79E25A906C917F69F7AD13A9BAB343D3324
                                                                SHA-256:7D42C3126F5D68841B75860988EED65ED25C60B0BF8C440DF69D1989F2237DDA
                                                                SHA-512:2EFE24102003E7EFE2C09C3113AADFDEA7F46A9A9F1FED4A843C5C7B7B18D7A88E7B4283246F1E0B1447C5D842FCF40C3B03483A2168038EF77396B0AD9AE5AB
                                                                Malicious:true
                                                                Antivirus:
                                                                • Antivirus: Avira, Detection: 100%
                                                                Reputation:unknown
                                                                C:\Users\user\AppData\Local\4PmTNr\SYSDM.CPL
                                                                Process:C:\Windows\explorer.exe
                                                                File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                Category:dropped
                                                                Size (bytes):1224704
                                                                Entropy (8bit):5.550400298505411
                                                                Encrypted:false
                                                                SSDEEP:12288:OVI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1:TfP7fWsK5z9A+WGAW+V5SB6Ct4bnb
                                                                MD5:D2C51612B8B57401F713D8F071BFF4A8
                                                                SHA1:469C602B01FC845F75925383CA82C47572C11E33
                                                                SHA-256:6BE3E11BD01ED11EA0E16FF7236148E9121CD9FA5443617ECD3A4051B4587EB2
                                                                SHA-512:77C3BEE1D42A55D5AED6DCCCDD1ECEB423603E38F40768E7CB19BB62E3A20EFBC05E13C585794A9B426394E0219BBC1D38CEB5266168D20BD963793D12B622F9
                                                                Malicious:true
                                                                Antivirus:
                                                                • Antivirus: Avira, Detection: 100%
                                                                Reputation:unknown
                                                                C:\Users\user\AppData\Local\4PmTNr\SystemPropertiesComputerName.exe
                                                                Process:C:\Windows\explorer.exe
                                                                File Type:PE32+ executable (GUI) x86-64, for MS Windows
                                                                Category:dropped
                                                                Size (bytes):83968
                                                                Entropy (8bit):7.0666667890606005
                                                                Encrypted:false
                                                                SSDEEP:1536:/pmuZctREC/rMcgEPJV+G57ThjEC0kzJP+V5Jp:xHczECTMpuDhjRVJGr
                                                                MD5:BEE134E1F23AFD3AE58191D265BB9070
                                                                SHA1:52178976E1B4405157042CD3A095BE6D7975609A
                                                                SHA-256:7F258CE17EA09F076A767A2D3CC0A06F3AEF07169BFD6A16265B8958758FD799
                                                                SHA-512:AEDFF7C45288A1CF69616B9887FC091F0913BEFA0EA7642C6A18DB50E4D6369CDC73730B8E6BE4FEDB4EB5EC28729AED39845B2E6F0C0685EBFF60106B54C1A9
                                                                Malicious:false
                                                                Antivirus:
• Antivirus: Metadefender, Detection: 0%
                                                                • Antivirus: ReversingLabs, Detection: 0%
                                                                Reputation:unknown
                                                                C:\Users\user\AppData\Local\A7mgbJ\dpx.dll
                                                                Process:C:\Windows\explorer.exe
                                                                File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                Category:dropped
                                                                Size (bytes):1224704
                                                                Entropy (8bit):5.5489777308997486
                                                                Encrypted:false
                                                                SSDEEP:12288:wVI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1:1fP7fWsK5z9A+WGAW+V5SB6Ct4bnb
                                                                MD5:1FC2D12E05D6165CF883A06F0773D56C
                                                                SHA1:C8D122CEC8C54514279E5784F8F118AC71143F1F
                                                                SHA-256:501457FF96C202C5D2DCD3B17AD157821A890B1922A51457FB4B5898A22D0A7D
                                                                SHA-512:82590111BC62F9D941EB2D18ACAD42B5C9AEF1FCE760E59B36339BCB7BA9E5A76F49BB09B9AEA16D174D6ECB9C091E40DD4BE5927C147B2513A04C5A0150ED5A
                                                                Malicious:true
                                                                Antivirus:
                                                                • Antivirus: Avira, Detection: 100%
                                                                Reputation:unknown
                                                                C:\Users\user\AppData\Local\A7mgbJ\lpksetup.exe
                                                                Process:C:\Windows\explorer.exe
                                                                File Type:PE32+ executable (GUI) x86-64, for MS Windows
                                                                Category:dropped
                                                                Size (bytes):732160
                                                                Entropy (8bit):6.573630291630044
                                                                Encrypted:false
                                                                SSDEEP:12288:U4O7JpqBbsczjBmavlNRO5Gy1ay0OBegtkGyLY9d/Dz/sJ+lGDyYgWPL/kc7yfnQ:U40JpqtZzjBRvI5Gdy0OjtwLY9BDz/PW
                                                                MD5:8E2C63E761A22724382338F349C55014
                                                                SHA1:30C7F92A6E88C368B091E39665545EAFA8A6561F
                                                                SHA-256:4CA6E16BEB57278E60E3EDCBCECDA1442AA344C424421E4B078F1213E6B99376
                                                                SHA-512:92F289DDBD9D1E5103C36308DA84779708A292DC54F49A0A1B79D65C563378BBF08C98F3732F25365CCF8175589D8E6187CEE2A694AE5FB73CA9E85AECFF4CF1
                                                                Malicious:false
                                                                Antivirus:
• Antivirus: Metadefender, Detection: 0%
                                                                • Antivirus: ReversingLabs, Detection: 0%
                                                                Reputation:unknown
                                                                C:\Users\user\AppData\Local\JrFH9qPBX\DUI70.dll
                                                                Process:C:\Windows\explorer.exe
                                                                File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                Category:dropped
                                                                Size (bytes):1507328
                                                                Entropy (8bit):5.9083215743400475
                                                                Encrypted:false
                                                                SSDEEP:12288:+VI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1D:jfP7fWsK5z9A+WGAW+V5SB6Ct4bnb
                                                                MD5:1F157DCF2EA98E51B56AA2BDAC6965F1
                                                                SHA1:0A5B46F1186CB468E4D4170131D81ACD53780DE8
                                                                SHA-256:EEEAE364DE658FBB44E163EE517DDD26113AE82209537985019508F27BB56839
                                                                SHA-512:C05CD804C03C5A6DD90D48DCB622519476A7DCAB76CB16C3156A911C912D2AD58F057C9E95471D2DD7BF6180F4ACCFA3562A5AD006971BE3A460E3867FFD294E
                                                                Malicious:true
                                                                Antivirus:
                                                                • Antivirus: Avira, Detection: 100%
                                                                Reputation:unknown
                                                                C:\Users\user\AppData\Local\JrFH9qPBX\WindowsActionDialog.exe
                                                                Process:C:\Windows\explorer.exe
                                                                File Type:PE32+ executable (GUI) x86-64, for MS Windows
                                                                Category:dropped
                                                                Size (bytes):59392
                                                                Entropy (8bit):5.897489723280295
                                                                Encrypted:false
                                                                SSDEEP:1536:VgSmVr7b1rKOX4TfOwQaq1WWhrIWSNJy8e:eZVrAThqLfSNwV
                                                                MD5:991359EE1E9C1958EB5D0F7314774123
                                                                SHA1:6456AEA32407B0AEEDD347AFAE5BB12BAB781863
                                                                SHA-256:9F8E465348DBB165B7B0E6A72FCC78D2CE79FB897B1514490CD0DDAB021EA500
                                                                SHA-512:EE6D10A0B75829AAAB55CB9F9EDA967D763F7CACD09F944A9C40B8E5ADDD6BBB6970F069FC64FA1807B547134B3558667A680174AB0366D11A068C6DD70BC3F3
                                                                Malicious:false
                                                                Reputation:unknown
                                                                C:\Users\user\AppData\Local\NNw\DUser.dll
                                                                Process:C:\Windows\explorer.exe
                                                                File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                Category:dropped
                                                                Size (bytes):1228800
                                                                Entropy (8bit):5.556665134508183
                                                                Encrypted:false
                                                                SSDEEP:12288:KVI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1:XfP7fWsK5z9A+WGAW+V5SB6Ct4bnb
                                                                MD5:8BE2E7C88B219670F9D927F52CBF64AB
                                                                SHA1:FD54D3C22B126F4D05FA1C8C86553BF7F578211E
                                                                SHA-256:53D9DF119574CA82FAB8D369AE5FFFB51E359963D19443B4789FC8AB0F7A1229
                                                                SHA-512:64349D7B8524EC1BD86699AA98D669F9450BC8461D9A2B46A26423E7B519E66BD5E96AD15FE3706E1571663F6E4A4ACC796F54E59B62FF98837975EC8D0FCD3F
                                                                Malicious:true
                                                                Antivirus:
                                                                • Antivirus: Avira, Detection: 100%
                                                                Reputation:unknown
                                                                C:\Users\user\AppData\Local\NNw\sessionmsg.exe
                                                                Process:C:\Windows\explorer.exe
                                                                File Type:PE32+ executable (GUI) x86-64, for MS Windows
                                                                Category:dropped
                                                                Size (bytes):74440
                                                                Entropy (8bit):6.20617662830101
                                                                Encrypted:false
                                                                SSDEEP:1536:uC9DVLLFwi//NFlWPP0mTluh1AzxJIdqqP86mSsrvNJYKPd:L3FR/F7+0mTwhswdqqk6mS4RF
                                                                MD5:1F7CEA0216DE48B877C16F95C7DA1F0F
                                                                SHA1:BBF654AC3D1EEC107CF18B9A7AF15FA1ED0F6075
                                                                SHA-256:0E585A4A11586B921D103433AFA215EC419A5ED2940EFD084A47B871F43CC786
                                                                SHA-512:3E724732D4EAA863263D2D4259FF2DF8132486418D23DBBE572E72B766416F2F7100C54EC5F776085F3EB04C33521D50895DDA1DE2947814AB67FEED55E89F50
                                                                Malicious:false
                                                                Reputation:unknown
                                                                C:\Users\user\AppData\Local\Rn1XW4tG\GamePanel.exe
                                                                Process:C:\Windows\explorer.exe
                                                                File Type:PE32+ executable (GUI) x86-64, for MS Windows
                                                                Category:dropped
                                                                Size (bytes):1292288
                                                                Entropy (8bit):6.159394598062476
                                                                Encrypted:false
                                                                SSDEEP:24576:tg6uRV8QrFa8Zdntp/LEz2INhgITVXTvlHQroF:tgJVbFaqtpDEznyQVjvZQroF
                                                                MD5:4EF330EFAE954723B1F2800C15FDA7EB
                                                                SHA1:3E152C0B10E107926D6A213C882C161D80B836C9
                                                                SHA-256:0494166D4AE6BB7925E4F57BB6DFAC629C95AE9E03DFC925F8232893236BD982
                                                                SHA-512:C122CD7A245EF6A6A7B7DECAB6500BDC11E4C57B8E35F8462CC0615E44E54071E6BF79B69BB8519470ACBAF0D2E62ABC45C38CBF0606261792EDB4A84790EC61
                                                                Malicious:false
                                                                Reputation:unknown
                                                                C:\Users\user\AppData\Local\Rn1XW4tG\UxTheme.dll
                                                                Process:C:\Windows\explorer.exe
                                                                File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                Category:dropped
                                                                Size (bytes):1224704
                                                                Entropy (8bit):5.563729164487592
                                                                Encrypted:false
                                                                SSDEEP:12288:IVI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1:dfP7fWsK5z9A+WGAW+V5SB6Ct4bnb
                                                                MD5:EF86C1D91B1F2E166ABA2D6B26A78954
                                                                SHA1:17E7E4E3E5256A7FC6B71685FB664A508D667F0F
                                                                SHA-256:BFAAF4481E907EDBA8750C33DDE921D2082BED81360E489755BFB90741BA863C
                                                                SHA-512:E8FECED9F2F869A137E9EB0B34AF4AD5F52707980E3FC680BA4626A62239BBD4BA2BD8A2853EA7FBDA4857835ABA3B26A2690247624CFC3DE7CE2DBD3A36A2F9
                                                                Malicious:true
                                                                Antivirus:
                                                                • Antivirus: Avira, Detection: 100%
                                                                Reputation:unknown
                                                                C:\Users\user\AppData\Local\aDD0Ov\dxgi.dll
                                                                Process:C:\Windows\explorer.exe
                                                                File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                Category:dropped
                                                                Size (bytes):1224704
                                                                Entropy (8bit):5.551938872046831
                                                                Encrypted:false
                                                                SSDEEP:12288:AVI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1:lfP7fWsK5z9A+WGAW+V5SB6Ct4bnb
                                                                MD5:8F188E3515ABBE7DEF3D367E6FF172EA
                                                                SHA1:BADD8B732673F23A47684975FB1AD72F80A62B4A
                                                                SHA-256:07640C740940FAC78881C737B4372A4BD5468801250A384936A5BE4718C1AB50
                                                                SHA-512:1005C91C926389B9E6F5236B1386048A459A57CF8B7811DD0CA1B48A164BFA4AB5848A722453AF1D0654B0BF790EF071D692479EE0587E5B99E98FDB8FDEB5CA
                                                                Malicious:true
                                                                Antivirus:
                                                                • Antivirus: Avira, Detection: 100%
                                                                Reputation:unknown
                                                                C:\Users\user\AppData\Local\aDD0Ov\dxgiadaptercache.exe
                                                                Process:C:\Windows\explorer.exe
                                                                File Type:PE32+ executable (GUI) x86-64, for MS Windows
                                                                Category:dropped
                                                                Size (bytes):45568
                                                                Entropy (8bit):5.76587079771977
                                                                Encrypted:false
                                                                SSDEEP:768:amW9V/ozvl7zYwl625N5s/NSUDUaDXqtqaBlrr8Nwcq40Jsbr8JWPgsygYADRBd8:xFzvllQ4cSUDJDdaT+weYWqfwzd8
                                                                MD5:3E73262483D4FB1BB88BA1B2B9BB3D5A
                                                                SHA1:27938C7A5DD113EC9EC644048070B9F1BCA7DEAA
                                                                SHA-256:5E51AB3594D8B1E451DA1180FAF2A0E6D597725B8E63C4928B66E1DBA5D9CB86
                                                                SHA-512:E0426B343455E022D03D9C1DDA49125E13E1354AD6DED20E64CEC83E71DCCC907EC0D1D510578E698A7F511EE428A819A7DA701B096E812E780B27BF26E71B42
                                                                Malicious:false
                                                                Reputation:unknown
                                                                C:\Users\user\AppData\Local\j3KBEEMS\MFC42u.dll
                                                                Process:C:\Windows\explorer.exe
                                                                File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                Category:dropped
                                                                Size (bytes):1249280
                                                                Entropy (8bit):5.572733209255193
                                                                Encrypted:false
                                                                SSDEEP:12288:kVI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1/f:BfP7fWsK5z9A+WGAW+V5SB6Ct4bnb/
                                                                MD5:81AEBC0D9D866D52F0D2603386185771
                                                                SHA1:110C09770C10EF6E43CD94DA6D6C1D17422299A0
                                                                SHA-256:690F82C84EF602EB4D2DAC3E25C42A21D07054A498BF987E5273266EBCB03828
                                                                SHA-512:8B23322C46EC3160D400AEB8F45E0DF6E6424030DF4BD5FD87062C72BF7DA3AF56A182DB4C0F0441544B805E92F78827BE40DBDFEBAE3C0F1E9FE7DEB2B4D7B1
                                                                Malicious:true
                                                                Antivirus:
                                                                • Antivirus: Avira, Detection: 100%
                                                                Reputation:unknown
                                                                C:\Users\user\AppData\Local\j3KBEEMS\irftp.exe
                                                                Process:C:\Windows\explorer.exe
                                                                File Type:PE32+ executable (GUI) x86-64, for MS Windows
                                                                Category:dropped
                                                                Size (bytes):184832
                                                                Entropy (8bit):5.862106385432374
                                                                Encrypted:false
                                                                SSDEEP:3072:gzPq/xfWlkWmvIGaYLZ4yjchpChlyelcU4uuh0SEslWsXxgCzX0Fhf8LL8FT7:Eq5fWlkjuYLLtHyeFSEiXxZzb8FT
                                                                MD5:F1C2D10CA8161DB689CD4FDE756E2DBB
                                                                SHA1:C41E86E9755824D3775E2AD6CAC9A46C7AA1C417
                                                                SHA-256:8854450FEAD134B24FABF4B805434FCFDDF25D2179048410728F8901E0FE0906
                                                                SHA-512:5EBB1AD4261C689E22FE34CFB0C18D71451DD4F3694D8F521D181EB42FF90582D8EF8C8AB43BFC59D224452944D9602DB1030B633856E139442EEF0C2F4428F5
                                                                Malicious:false
                                                                Reputation:unknown
                                                                C:\Users\user\AppData\Local\ocY6\Narrator.exe
                                                                Process:C:\Windows\explorer.exe
                                                                File Type:PE32+ executable (GUI) x86-64, for MS Windows
                                                                Category:dropped
                                                                Size (bytes):349696
                                                                Entropy (8bit):6.567354682144278
                                                                Encrypted:false
                                                                SSDEEP:3072:2v1g/YrkRsWlO3nWOgV1M2uMFS/BaMiXbAJUoTq7XLtqkXIJA9QD4hLtcRiWh6f3:2vSckvCWOgB6YsyzZBL+RQFgZKUV
                                                                MD5:56036993FB96C42F30C443A11BD56F4D
                                                                SHA1:93367421725D818963F337F179EE61710BB2ABD3
                                                                SHA-256:D3A728CFC32D43A9C96A45EFE6B3B7A21A8435F758C1C382978047982B6ADBB0
                                                                SHA-512:E3DBC40DC7717BB9EC31657126FFA29D69362EE570BAC3D5B31918876261CF9E6954FDB31C2145788FF186E01A29A1696B914B626797CC8BC46F5FCB43D90F23
                                                                Malicious:false
                                                                Reputation:unknown
                                                                C:\Users\user\AppData\Local\ocY6\WINMM.dll
                                                                Process:C:\Windows\explorer.exe
                                                                File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                Category:dropped
                                                                Size (bytes):1228800
                                                                Entropy (8bit):5.55817362410966
                                                                Encrypted:false
                                                                SSDEEP:12288:tVI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1:0fP7fWsK5z9A+WGAW+V5SB6Ct4bnb
                                                                MD5:787D5F31C2547CD098B78D078B242B65
                                                                SHA1:8E00544A583694062D1668BD905E4F1692EC7CCF
                                                                SHA-256:FC40BA104B2291E47E261DBE6E89B0C770AED13CD4580388C7F888341F972BF6
                                                                SHA-512:BAD736ED84B4E58B0A833524433266B6F68830C6091C68188D884140C05C108BF59C3F1A27F5A7D06328E1717C7B59A98015B8431261C34F05EAD35B7C408C98
                                                                Malicious:true
                                                                Antivirus:
                                                                • Antivirus: Avira, Detection: 100%
                                                                Reputation:unknown
                                                                C:\Users\user\AppData\Local\pEPyA\MFPlat.DLL
                                                                Process:C:\Windows\explorer.exe
                                                                File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                Category:dropped
                                                                Size (bytes):1228800
                                                                Entropy (8bit):5.576641063701175
                                                                Encrypted:false
                                                                SSDEEP:12288:mVI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1:7fP7fWsK5z9A+WGAW+V5SB6Ct4bnb
                                                                MD5:4D31651F601785EAF47A2DF7A5D44267
                                                                SHA1:90A06F9253AC25DC67482A1F2D3B71C12C4A5917
                                                                SHA-256:7AE428CD9BBAC8C2A562D975D36CFF88208DB205C9A5F1BF081B5D7AD22FE4BB
                                                                SHA-512:47049EF459195EAE51DF6232ADA30CD7C40A92568F21CFEBCA4078231C1865D58917BC7F4DE28B9535C87220B607DF5B01A98D5B0C8F699443E43BA2D0A4C59C
                                                                Malicious:true
                                                                Antivirus:
                                                                • Antivirus: Avira, Detection: 100%
                                                                Reputation:unknown
                                                                Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............|...|...|....K.#}...'...}......{}....X.#}....f..|....g..}..*...a|.......}....N..}..*...E}..[.I.E|...'..U}....N.+}..[.K.P|..[.K./}...I.h}..u.Y.k|.......|..W"...|..b.L.t|...|...}......N|..2%...|..Rich.|..............................................................................................................PE..d.#..DN^.........." ................p..........@....................................@lx}..b..................................................c..........h.......................$#................................................... ...............................text............................... ..`.rdata...O... ...P... ..............@..@.data....x...p.......p..............@....pdata..,...........................A..@.rsrc...............................@..@.reloc..$#.......0..................@..B.qkm....J....@.......@..............@..@.cvjb...f...
                                                                C:\Users\user\AppData\Local\pEPyA\mfpmp.exe
                                                                Process:C:\Windows\explorer.exe
                                                                File Type:PE32+ executable (GUI) x86-64, for MS Windows
                                                                Category:dropped
                                                                Size (bytes):49688
                                                                Entropy (8bit):6.083384253651048
                                                                Encrypted:false
                                                                SSDEEP:768:vcqpeHOwVxW4zmjjJF686T/5Lel2fBetjEWI9Whu3H1PcSP:vcEoVxJodg/tfiEAhu3VPcSP
                                                                MD5:7C3D09D6DB5DB4A272FCF4C1BB3986BD
                                                                SHA1:F0C392891B6D73EADB20F669A29064910507E55E
                                                                SHA-256:E459FF6CBA8C93589B206C07BDCCD2E6C57766BE6BB4754F2FB1DEF9EF2E3BDE
                                                                SHA-512:6CFE325CD0A78D6ACC9473BA51069E234CB0F9A47F285A6204EE787902C77005491B41C301DD38602CC387329F214E700F9203E4ECE5077E58D30276821640E4
                                                                Malicious:false
                                                                Reputation:unknown
                                                                Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........0._.Q`..Q`..Q`..)...Q`..5c..Q`..5d..Q`..Qa..Q`..5a..Q`..5e..Q`..5n..Q`..5...Q`..5b..Q`.Rich.Q`.................PE..d...^.A..........."......R...V......P).........@....................................s.....`.......... ......................................h...........`................$..........`z..T...........................Pq..............`r......H...`....................text....Q.......R.................. ..`.rdata..T-...p.......V..............@..@.data...............................@....pdata..............................@..@.didat..0...........................@....rsrc...`...........................@..@.reloc..............................@..B........................................................................................................................................................................................................................
                                                                C:\Users\user\AppData\Local\tiy3x\DUI70.dll
                                                                Process:C:\Windows\explorer.exe
                                                                File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                Category:dropped
                                                                Size (bytes):1507328
                                                                Entropy (8bit):5.908335102849305
                                                                Encrypted:false
                                                                SSDEEP:12288:+VI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1g:jfP7fWsK5z9A+WGAW+V5SB6Ct4bnb
                                                                MD5:03459CA27218008A2DAFBFDAE2268861
                                                                SHA1:D31BFAF58897CB3EACC804C704969708AC369F32
                                                                SHA-256:3E676DE9818A5E127DB08FC15A6594EEF78A8019AEE85D91922E884D4ED661BE
                                                                SHA-512:C91700FF267F818BAAFBEA36C523C1DD66BCB1374780E8E1272427EFEED86037C99060D155B53CBD58B89C1480526CA2AE55CDE3DB71E0EE75544A1BC890C09F
                                                                Malicious:false
                                                                Reputation:unknown
                                                                Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............|...|...|....K.#}...'...}......{}....X.#}....f..|....g..}..*...a|.......}....N..}..*...E}..[.I.E|...'..U}....N.+}..[.K.P|..[.K./}...I.h}..u.Y.k|.......|..W"...|..b.L.t|...|...}......N|..2%...|..Rich.|..............................................................................................................PE..d.#..DN^.........." ................p..........@....................................@lx}..b.............................................dQ...c..........h.......................$#................................................... ...............................text............................... ..`.rdata...O... ...P... ..............@..@.data....x...p.......p..............@....pdata..,...........................A..@.rsrc...............................@..@.reloc..$#.......0..................@..B.qkm....J....@.......@..............@..@.cvjb...f...
                                                                C:\Users\user\AppData\Local\tiy3x\SystemSettingsRemoveDevice.exe
                                                                Process:C:\Windows\explorer.exe
                                                                File Type:PE32+ executable (GUI) x86-64, for MS Windows
                                                                Category:dropped
                                                                Size (bytes):39304
                                                                Entropy (8bit):6.292969415106569
                                                                Encrypted:false
                                                                SSDEEP:768:miVyKshA4p2nOCD6DjOxMtjIQfU7r5YdGiEh07tvNZRAER1PnX:QhlkOO74XU7i8iEG7HZR/PX
                                                                MD5:87AF711D6518C0CF91560D7C98301BBB
                                                                SHA1:81B7B8261A33D4D983DFDC47A716686118F582F9
                                                                SHA-256:1B6381E83463416D9BE6656A81978B2EBA21587BBDE18E8CFEFA1C0F45378AAC
                                                                SHA-512:E4534E5A205D44579AB60FAA5B19A2034C688D191ABB8670CD77696ABB000A949F5ABC996E0989FD74B4DFBE43C863FF66FDA9C623B045A771283B1955D28C39
                                                                Malicious:false
                                                                Reputation:unknown
                                                                Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........R|.PR|.PR|.P[..P~|.P=..QQ|.P=..Q@|.P=..QW|.P=..QC|.PR|.P.|.P=..QZ|.P=.dPS|.P=..QS|.PRichR|.P........PE..d....G.j.........."......<...>.......B.........@....................................SC............... .......................................p.......................v...#......h....j..T............................`...............a..`............................text...n:.......<.................. ..`.imrsiv......P...........................rdata..8....`... ...@..............@..@.data................`..............@....pdata...............b..............@..@.rsrc................f..............@..@.reloc..h............t..............@..B................................................................................................................................................................................................................................
                                                                C:\Users\user\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-3853321935-2125563209-4053062332-1002\89dad5d484a9f889a3a8dfca823edc3e_d06ed635-68f6-4e9a-955c-4899f5f57b9a
                                                                Process:C:\Windows\explorer.exe
                                                                File Type:data
                                                                Category:dropped
                                                                Size (bytes):4447
                                                                Entropy (8bit):5.4784075377314725
                                                                Encrypted:false
                                                                SSDEEP:48:JKKgU4Bzv1cL0zELQOzER45GgGKKgU4x3tseyhmyTsKbpQ4t2SIE:JJgqYzELhbGgGJgsbQKbp2Sx
                                                                MD5:2DCE33567875F640E362573FD1B0F774
                                                                SHA1:5FEBFBD4D394AD711E2BA6F7AA5F8EFA8767E9F5
                                                                SHA-256:1E6543A033B33D7DA75925DB458C0C1E4AD3822783D07BA89F1DCB232059493E
                                                                SHA-512:29504AF0F93BE599C4EB174BACC386B5E255A32172CF40412F831AF5191954CF66A9DDB310C573B94B1EC9F2A1E0FB9680016ACD309A49DBC9CEB7D656224CB8
                                                                Malicious:false
                                                                Reputation:unknown
                                                                Preview: ........................................user.........................................user.....................RSA1.................#...yg..{m.T.q.>...h..0........U.D....k...i#x...k.>....* $M..DH.-M[.u..-'....Z.V.....Z6|1....!.'!...M3.@E..I. H...P.!.......................z..O.......-.[Rp8O.-Q....?....,...C.r.y.p.t.o.A.P.I. .P.r.i.v.a.t.e. .K.e.y....f...... .....$S...V(....H.qP.9.&...j..F|.,R............ .....|.cl.....tK.1a...hS...$T6...z......P.x....O.....+...7_T\'..3..Q.....*.L>..f..].&Z. L.6....k.d.Z.`.M.u./0...G....r.(F..4y6...aI4..7oU.k...;.;.l.O.~D.E....:..F8.,....C..u..Nv8..|...."&..U.......@.l@[.F_.2..4S..;&GL].......%.......>}t....o-.y...w.gM.pN...n.*.Z.......M,DnA.k(...Qa.qo(....t...:H.Q.......4d.V. +..C.$.P.^rr.C>....D4....~v.{.....6_W.|Q.._X2..q..F...W...o..@.6.6X...)...`..#...%^.f7....z}Ms.Y@.N.z.......0........0..r.~.....O%%...........1.,z....@.Q...Z.j..^./..Z.s....yd!.[..U..~...%...5.=..8`U.P!.%y.xi.i=....\...n?.J.Yy{p.R.9.....*.#..

                                                                Static File Info

                                                                General

                                                                File type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                Entropy (8bit):5.574688553617224
                                                                TrID:
                                                                • Win64 Dynamic Link Library (generic) (102004/3) 86.43%
                                                                • Win64 Executable (generic) (12005/4) 10.17%
                                                                • Generic Win/DOS Executable (2004/3) 1.70%
                                                                • DOS Executable Generic (2002/1) 1.70%
                                                                • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.01%
                                                                File name:P7n0h6OhYp.dll
                                                                File size:1220608
                                                                MD5:718a7d9b1fe55a72cfa586e869236df8
                                                                SHA1:5d870aeb7951ab6af0900ba837924f79e3716936
                                                                SHA256:d485423afb5929de201a0fee5476c8b6d7d1a1868b537d7730db9b3e67d6a222
                                                                SHA512:f07f61cee0c57c40ee9bce3682d10faa5987a317b3e06fcdf7da0e4a5bc6a42bb52008077fecf940e8237161587ff5f0fb2f022542f5715f7f0d339d56efe32a
                                                                SSDEEP:12288:0VI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1:xfP7fWsK5z9A+WGAW+V5SB6Ct4bnb
                                                                File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............|...|...|....K.#}...'...}......{}....X.#}....f..|....g..}..*...a|.......}....N..}..*...E}..[.I.E|...'..U}....N.+}..[.K.P|.

                                                                File Icon

                                                                Icon Hash:74f0e4ecccdce0e4

                                                                Static PE Info

                                                                General

                                                                Entrypoint:0x140041070
                                                                Entrypoint Section:.text
                                                                Digitally signed:false
                                                                Imagebase:0x140000000
                                                                Subsystem:windows cui
                                                                Image File Characteristics:EXECUTABLE_IMAGE, DLL, LARGE_ADDRESS_AWARE
                                                                DLL Characteristics:TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA
                                                                Time Stamp:0x5E4E44CC [Thu Feb 20 08:35:24 2020 UTC]
                                                                TLS Callbacks:
                                                                CLR (.Net) Version:
                                                                OS Version Major:5
                                                                OS Version Minor:0
                                                                File Version Major:5
                                                                File Version Minor:0
                                                                Subsystem Version Major:5
                                                                Subsystem Version Minor:0
                                                                Import Hash:6668be91e2c948b183827f040944057f

                                                                Entrypoint Preview

                                                                Note: the listing below is decoded as 32-bit code although the image is PE32+. The leading "dec eax" (0x48), "dec esp" (0x4C), "inc ecx" (0x41) and "inc esp" (0x44) entries are REX prefixes of the 64-bit instruction that follows (so "dec eax / xor eax, eax" is xor rax, rax), and the [00073D82h]-style operands are RIP-relative displacements.

                                                                Instruction
                                                                dec eax
                                                                xor eax, eax
                                                                dec eax
                                                                add eax, 5Ah
                                                                dec eax
                                                                mov dword ptr [00073D82h], ecx
                                                                dec eax
                                                                lea ecx, dword ptr [FFFFECABh]
                                                                dec eax
                                                                mov dword ptr [00073D7Ch], edx
                                                                dec eax
                                                                add eax, ecx
                                                                dec esp
                                                                mov dword ptr [00073D92h], ecx
                                                                dec esp
                                                                mov dword ptr [00073DA3h], ebp
                                                                dec esp
                                                                mov dword ptr [00073D7Ch], eax
                                                                dec esp
                                                                mov dword ptr [00073D85h], edi
                                                                dec esp
                                                                mov dword ptr [00073D86h], esi
                                                                dec esp
                                                                mov dword ptr [00073D8Fh], esp
                                                                dec eax
                                                                mov ecx, eax
                                                                dec eax
                                                                sub ecx, 5Ah
                                                                dec eax
                                                                mov dword ptr [00073D89h], esi
                                                                dec eax
                                                                test eax, eax
                                                                je 00007FC8D0B435FFh
                                                                dec eax
                                                                mov dword ptr [00073D45h], esp
                                                                dec eax
                                                                mov dword ptr [00073D36h], ebp
                                                                dec eax
                                                                mov dword ptr [00073D7Fh], ebx
                                                                dec eax
                                                                mov dword ptr [00073D70h], edi
                                                                dec eax
                                                                test eax, eax
                                                                je 00007FC8D0B435DEh
                                                                jmp ecx
                                                                dec eax
                                                                add edi, ecx
                                                                dec eax
                                                                mov dword ptr [FFFFEC37h], ecx
                                                                dec eax
                                                                xor ecx, eax
                                                                jmp ecx
                                                                retn 0008h
                                                                ud2
                                                                int3
                                                                int3
                                                                int3
                                                                int3
                                                                int3
                                                                int3
                                                                int3
                                                                int3
                                                                int3
                                                                int3
                                                                int3
                                                                int3
                                                                int3
                                                                push ebx
                                                                dec eax
                                                                sub esp, 00000080h
                                                                mov eax, F957B016h
                                                                mov byte ptr [esp+7Fh], 00000037h
                                                                mov edx, dword ptr [esp+78h]
                                                                inc ecx
                                                                mov eax, edx
                                                                inc ecx
                                                                or eax, 5D262B0Ch
                                                                inc esp
                                                                mov dword ptr [esp+78h], eax
                                                                dec eax
                                                                mov dword ptr [eax+eax+00h], 00000000h

                                                                Rich Headers

                                                                Programming Language:
                                                                • [LNK] VS2012 UPD4 build 61030
                                                                • [ASM] VS2013 UPD2 build 30501
                                                                • [ C ] VS2012 UPD2 build 60315
                                                                • [C++] VS2013 UPD4 build 31101
                                                                • [RES] VS2012 UPD3 build 60610
                                                                • [LNK] VS2017 v15.5.4 build 25834
                                                                • [ C ] VS2017 v15.5.4 build 25834
                                                                • [ASM] VS2010 build 30319
                                                                • [EXP] VS2015 UPD1 build 23506
                                                                • [IMP] VS2008 SP1 build 30729
                                                                • [RES] VS2012 UPD4 build 61030
                                                                • [LNK] VS2012 UPD2 build 60315
                                                                • [C++] VS2015 UPD1 build 23506
                                                                • [ C ] VS2013 UPD4 build 31101

                                                                Data Directories

                                                                Name | Virtual Address | Virtual Size | Is in Section
                                                                IMAGE_DIRECTORY_ENTRY_EXPORT | 0x129010 | 0x8ee | .xusvuv
                                                                IMAGE_DIRECTORY_ENTRY_IMPORT | 0xa6390 | 0xa0 | .rdata
                                                                IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xc0000 | 0x468 | .rsrc
                                                                IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                                                                IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                                                                IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xc1000 | 0x2324 | .reloc
                                                                IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
                                                                IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                                                                IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                                                                IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
                                                                IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
                                                                IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                                                                IMAGE_DIRECTORY_ENTRY_IAT | 0x42000 | 0xc0 | .rdata
                                                                IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                                                                IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
                                                                IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

                                                                Sections

                                                                Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                                                                .text | 0x1000 | 0x40796 | 0x41000 | False | 0.776085486779 | data | 7.73364605679 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                                                                .rdata | 0x42000 | 0x64fcb | 0x65000 | False | 0.702262047494 | data | 7.86510283498 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                                .data | 0xa7000 | 0x178b8 | 0x18000 | False | 0.0694580078125 | data | 3.31515306295 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
                                                                .pdata | 0xbf000 | 0x12c | 0x1000 | False | 0.06005859375 | PEX Binary Archive | 0.581723022719 | IMAGE_SCN_TYPE_DSECT, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                                .rsrc | 0xc0000 | 0x880 | 0x1000 | False | 0.139892578125 | data | 1.23838501563 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                                .reloc | 0xc1000 | 0x2324 | 0x3000 | False | 0.0498046875 | data | 4.65321444248 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
                                                                .qkm | 0xc4000 | 0x74a | 0x1000 | False | 0.00634765625 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                                .cvjb | 0xc5000 | 0x1e66 | 0x2000 | False | 0.0037841796875 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                                .tlmkv | 0xc7000 | 0xbde | 0x1000 | False | 0.00634765625 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                                .wucsxe | 0xc8000 | 0x45174 | 0x46000 | False | 0.0010498046875 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                                .wnx | 0x10e000 | 0x8fe | 0x1000 | False | 0.00634765625 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                                .weqy | 0x10f000 | 0x8fe | 0x1000 | False | 0.00634765625 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                                .yby | 0x110000 | 0x1278 | 0x2000 | False | 0.0037841796875 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                                .ormx | 0x112000 | 0xbde | 0x1000 | False | 0.00634765625 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                                .dhclu | 0x113000 | 0x23b | 0x1000 | False | 0.00634765625 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                                .xmiul | 0x114000 | 0x23b | 0x1000 | False | 0.00634765625 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                                .tlwcxe | 0x115000 | 0x13e | 0x1000 | False | 0.00634765625 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                                .get | 0x116000 | 0xbde | 0x1000 | False | 0.00634765625 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                                .hzrd | 0x117000 | 0x1124 | 0x2000 | False | 0.0037841796875 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                                .qzu | 0x119000 | 0x736 | 0x1000 | False | 0.00634765625 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                                .tbbd | 0x11a000 | 0x1f7 | 0x1000 | False | 0.00634765625 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                                .shoovi | 0x11b000 | 0xbde | 0x1000 | False | 0.00634765625 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                                .wbmgl | 0x11c000 | 0x23b | 0x1000 | False | 0.00634765625 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                                .aobcn | 0x11d000 | 0x23b | 0x1000 | False | 0.00634765625 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                                .xdno | 0x11e000 | 0x1f2a | 0x2000 | False | 0.0037841796875 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                                .ipsw | 0x120000 | 0x389 | 0x1000 | False | 0.00634765625 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                                .cqpqq | 0x121000 | 0x573 | 0x1000 | False | 0.00634765625 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                                .skzqoj | 0x122000 | 0x23b | 0x1000 | False | 0.00634765625 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                                .nvjg | 0x123000 | 0xd33 | 0x1000 | False | 0.00634765625 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                                .bbt | 0x124000 | 0x2da | 0x1000 | False | 0.00634765625 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                                .wsg | 0x125000 | 0x389 | 0x1000 | False | 0.00634765625 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                                .vqdhza | 0x126000 | 0x8fe | 0x1000 | False | 0.00634765625 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                                .mgf | 0x127000 | 0x1f2a | 0x2000 | False | 0.0037841796875 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                                .xusvuv | 0x129000 | 0x8fe | 0x1000 | False | 0.256591796875 | data | 3.73840094584 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name | RVA | Size | Type | Language | Country
RT_VERSION | 0xc00a0 | 0x370 | data | English | United States
RT_MANIFEST | 0xc0410 | 0x56 | ASCII text, with CRLF line terminators | English | United States

Imports

DLL | Import
USER32.dll | LookupIconIdFromDirectoryEx, WaitForInputIdle, GetParent, GetFocus
SETUPAPI.dll | CM_Get_Resource_Conflict_DetailsW
KERNEL32.dll | DeleteCriticalSection, DeleteTimerQueue, TerminateJobObject, GetFileInformationByHandle, GetThreadLocale, GetNamedPipeServerProcessId, GetConsoleFontSize
GDI32.dll | CreateBitmapIndirect, GetPolyFillMode
CRYPT32.dll | CertGetCTLContextProperty
ADVAPI32.dll | AddAccessDeniedObjectAce
SHLWAPI.dll | ChrCmpIW

Exports

Name | Ordinal | Address
IsInteractiveUserSession | 1 | 0x14003458c
QueryActiveSession | 2 | 0x14002e730
QueryUserToken | 3 | 0x140010aa4
RegisterUsertokenForNoWinlogon | 4 | 0x14001a040
WTSCloseServer | 5 | 0x140002a60
WTSConnectSessionA | 6 | 0x14000fa78
WTSConnectSessionW | 7 | 0x14002a100
WTSCreateListenerA | 8 | 0x1400301c0
WTSCreateListenerW | 9 | 0x14001b488
WTSDisconnectSession | 10 | 0x140020b0c
WTSEnableChildSessions | 11 | 0x140038ecc
WTSEnumerateListenersA | 12 | 0x140026698
WTSEnumerateListenersW | 13 | 0x14001de24
WTSEnumerateProcessesA | 14 | 0x14003e8c0
WTSEnumerateProcessesExA | 15 | 0x14002da9c
WTSEnumerateProcessesExW | 16 | 0x140023780
WTSEnumerateProcessesW | 17 | 0x14000cdcc
WTSEnumerateServersA | 18 | 0x1400174a4
WTSEnumerateServersW | 19 | 0x14001c30c
WTSEnumerateSessionsA | 20 | 0x140011da4
WTSEnumerateSessionsExA | 21 | 0x1400016a8
WTSEnumerateSessionsExW | 22 | 0x14003a6ec
WTSEnumerateSessionsW | 23 | 0x1400023c0
WTSFreeMemory | 24 | 0x14003fd88
WTSFreeMemoryExA | 25 | 0x1400158ec
WTSFreeMemoryExW | 26 | 0x140009900
WTSGetChildSessionId | 27 | 0x14002759c
WTSGetListenerSecurityA | 28 | 0x140021a28
WTSGetListenerSecurityW | 29 | 0x140021da0
WTSIsChildSessionsEnabled | 30 | 0x14000e7ec
WTSLogoffSession | 31 | 0x1400388e0
WTSOpenServerA | 32 | 0x140004678
WTSOpenServerExA | 33 | 0x14003ee3c
WTSOpenServerExW | 34 | 0x14000ed44
WTSOpenServerW | 35 | 0x140026cc8
WTSQueryListenerConfigA | 36 | 0x140033350
WTSQueryListenerConfigW | 37 | 0x14000bffc
WTSQuerySessionInformationA | 38 | 0x140033c18
WTSQuerySessionInformationW | 39 | 0x140029aa0
WTSQueryUserConfigA | 40 | 0x140034e10
WTSQueryUserConfigW | 41 | 0x140032fac
WTSQueryUserToken | 42 | 0x140007c6c
WTSRegisterSessionNotification | 43 | 0x14003c8d4
WTSRegisterSessionNotificationEx | 44 | 0x14003e730
WTSSendMessageA | 45 | 0x14003c47c
WTSSendMessageW | 46 | 0x14002b7f4
WTSSetListenerSecurityA | 47 | 0x14003be28
WTSSetListenerSecurityW | 48 | 0x140032048
WTSSetRenderHint | 49 | 0x14000616c
WTSSetSessionInformationA | 50 | 0x14004054c
WTSSetSessionInformationW | 51 | 0x1400101a8
WTSSetUserConfigA | 52 | 0x14002ff30
WTSSetUserConfigW | 53 | 0x140030d18
WTSShutdownSystem | 54 | 0x140015c30
WTSStartRemoteControlSessionA | 55 | 0x1400314a8
WTSStartRemoteControlSessionW | 56 | 0x14003b458
WTSStopRemoteControlSession | 57 | 0x140040220
WTSTerminateProcess | 58 | 0x140010dd0
WTSUnRegisterSessionNotification | 59 | 0x140032ca0
WTSUnRegisterSessionNotificationEx | 60 | 0x14003ce70
WTSVirtualChannelClose | 61 | 0x140025520
WTSVirtualChannelOpen | 62 | 0x14000def8
WTSVirtualChannelOpenEx | 63 | 0x140033838
WTSVirtualChannelPurgeInput | 64 | 0x14003c7e8
WTSVirtualChannelPurgeOutput | 65 | 0x140022f60
WTSVirtualChannelQuery | 66 | 0x14002f1d8
WTSVirtualChannelRead | 67 | 0x14001799c
WTSVirtualChannelWrite | 68 | 0x1400082e4
WTSWaitSystemEvent | 69 | 0x14001e280

Version Infos

Description | Data
LegalCopyright | Microsoft Corporation. All rights reserv
InternalName | bitsp
FileVersion | 7.5.7600.16385 (win7_rtm.090713-
CompanyName | Microsoft Corporati
ProductName | Microsoft Windows Operating S
ProductVersion | 6.1.7600
FileDescription | Background Intellig
OriginalFilename | kbdy
Translation | 0x0409 0x04b0

Possible Origin

Language of compilation system | Country where language is spoken
English | United States

Network Behavior

Network Port Distribution

UDP Packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP
Sep 28, 2021 17:45:02.527251959 CEST | 49557 | 53 | 192.168.2.5 | 8.8.8.8
Sep 28, 2021 17:45:02.548530102 CEST | 53 | 49557 | 8.8.8.8 | 192.168.2.5
Sep 28, 2021 17:45:19.403928995 CEST | 61733 | 53 | 192.168.2.5 | 8.8.8.8
Sep 28, 2021 17:45:19.428639889 CEST | 53 | 61733 | 8.8.8.8 | 192.168.2.5
Sep 28, 2021 17:45:33.217932940 CEST | 65447 | 53 | 192.168.2.5 | 8.8.8.8
Sep 28, 2021 17:45:33.245064974 CEST | 53 | 65447 | 8.8.8.8 | 192.168.2.5
Sep 28, 2021 17:45:55.791735888 CEST | 52441 | 53 | 192.168.2.5 | 8.8.8.8
Sep 28, 2021 17:45:55.811032057 CEST | 53 | 52441 | 8.8.8.8 | 192.168.2.5
Sep 28, 2021 17:45:56.565057039 CEST | 62176 | 53 | 192.168.2.5 | 8.8.8.8
Sep 28, 2021 17:45:56.593101025 CEST | 53 | 62176 | 8.8.8.8 | 192.168.2.5
Sep 28, 2021 17:45:59.098834038 CEST | 59596 | 53 | 192.168.2.5 | 8.8.8.8
Sep 28, 2021 17:45:59.118329048 CEST | 53 | 59596 | 8.8.8.8 | 192.168.2.5
Sep 28, 2021 17:45:59.889066935 CEST | 65296 | 53 | 192.168.2.5 | 8.8.8.8
Sep 28, 2021 17:45:59.911380053 CEST | 53 | 65296 | 8.8.8.8 | 192.168.2.5
Sep 28, 2021 17:46:05.892374992 CEST | 63183 | 53 | 192.168.2.5 | 8.8.8.8
Sep 28, 2021 17:46:05.911709070 CEST | 53 | 63183 | 8.8.8.8 | 192.168.2.5
Sep 28, 2021 17:46:13.102817059 CEST | 60151 | 53 | 192.168.2.5 | 8.8.8.8
Sep 28, 2021 17:46:13.138828039 CEST | 53 | 60151 | 8.8.8.8 | 192.168.2.5
Sep 28, 2021 17:46:28.083318949 CEST | 56969 | 53 | 192.168.2.5 | 8.8.8.8
Sep 28, 2021 17:46:28.103857994 CEST | 53 | 56969 | 8.8.8.8 | 192.168.2.5
Sep 28, 2021 17:46:37.870317936 CEST | 55161 | 53 | 192.168.2.5 | 8.8.8.8
Sep 28, 2021 17:46:37.897907019 CEST | 53 | 55161 | 8.8.8.8 | 192.168.2.5
Sep 28, 2021 17:46:45.598856926 CEST | 54757 | 53 | 192.168.2.5 | 8.8.8.8
Sep 28, 2021 17:46:45.617065907 CEST | 53 | 54757 | 8.8.8.8 | 192.168.2.5
Sep 28, 2021 17:47:03.241151094 CEST | 49992 | 53 | 192.168.2.5 | 8.8.8.8
Sep 28, 2021 17:47:03.267127991 CEST | 53 | 49992 | 8.8.8.8 | 192.168.2.5
Sep 28, 2021 17:47:28.679490089 CEST | 60075 | 53 | 192.168.2.5 | 8.8.8.8
Sep 28, 2021 17:47:28.711180925 CEST | 53 | 60075 | 8.8.8.8 | 192.168.2.5
Sep 28, 2021 17:47:36.594042063 CEST | 55016 | 53 | 192.168.2.5 | 8.8.8.8
Sep 28, 2021 17:47:36.629021883 CEST | 53 | 55016 | 8.8.8.8 | 192.168.2.5
Sep 28, 2021 17:47:38.023771048 CEST | 64345 | 53 | 192.168.2.5 | 8.8.8.8
Sep 28, 2021 17:47:38.043387890 CEST | 53 | 64345 | 8.8.8.8 | 192.168.2.5
Sep 28, 2021 17:47:38.828206062 CEST | 57128 | 53 | 192.168.2.5 | 8.8.8.8
Sep 28, 2021 17:47:38.849247932 CEST | 53 | 57128 | 8.8.8.8 | 192.168.2.5
Sep 28, 2021 17:47:39.319653034 CEST | 54791 | 53 | 192.168.2.5 | 8.8.8.8
Sep 28, 2021 17:47:39.340262890 CEST | 53 | 54791 | 8.8.8.8 | 192.168.2.5
Sep 28, 2021 17:47:39.821130991 CEST | 50463 | 53 | 192.168.2.5 | 8.8.8.8
Sep 28, 2021 17:47:39.840998888 CEST | 53 | 50463 | 8.8.8.8 | 192.168.2.5
Sep 28, 2021 17:47:40.191792965 CEST | 50394 | 53 | 192.168.2.5 | 8.8.8.8
Sep 28, 2021 17:47:40.209240913 CEST | 53 | 50394 | 8.8.8.8 | 192.168.2.5
Sep 28, 2021 17:47:40.586976051 CEST | 58530 | 53 | 192.168.2.5 | 8.8.8.8
Sep 28, 2021 17:47:40.606645107 CEST | 53 | 58530 | 8.8.8.8 | 192.168.2.5
Sep 28, 2021 17:47:41.286912918 CEST | 53813 | 53 | 192.168.2.5 | 8.8.8.8
Sep 28, 2021 17:47:41.319047928 CEST | 53 | 53813 | 8.8.8.8 | 192.168.2.5
Sep 28, 2021 17:47:41.872729063 CEST | 63732 | 53 | 192.168.2.5 | 8.8.8.8
Sep 28, 2021 17:47:41.892647982 CEST | 53 | 63732 | 8.8.8.8 | 192.168.2.5
Sep 28, 2021 17:47:42.204859018 CEST | 57344 | 53 | 192.168.2.5 | 8.8.8.8
Sep 28, 2021 17:47:42.225611925 CEST | 53 | 57344 | 8.8.8.8 | 192.168.2.5
Sep 28, 2021 17:47:57.294982910 CEST | 54450 | 53 | 192.168.2.5 | 8.8.8.8
Sep 28, 2021 17:47:57.330220938 CEST | 53 | 54450 | 8.8.8.8 | 192.168.2.5
Sep 28, 2021 17:48:27.749927998 CEST | 59261 | 53 | 192.168.2.5 | 8.8.8.8
Sep 28, 2021 17:48:27.769031048 CEST | 53 | 59261 | 8.8.8.8 | 192.168.2.5
Sep 28, 2021 17:49:10.458955050 CEST | 57151 | 53 | 192.168.2.5 | 8.8.8.8
Sep 28, 2021 17:49:10.478138924 CEST | 53 | 57151 | 8.8.8.8 | 192.168.2.5

Code Manipulations

Statistics

Behavior

System Behavior

General

Start time: 17:45:08
Start date: 28/09/2021
Path: C:\Windows\System32\loaddll64.exe
Wow64 process (32bit): false
Commandline: loaddll64.exe 'C:\Users\user\Desktop\P7n0h6OhYp.dll'
Imagebase: 0x7ff705830000
File size: 1136128 bytes
MD5 hash: E0CC9D126C39A9D2FA1CAD5027EBBD18
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_Dridex_2, Description: Yara detected Dridex unpacked file, Source: 00000001.00000002.267714415.0000000140001000.00000020.00020000.sdmp, Author: Joe Security
Reputation: low

General

Start time: 17:45:08
Start date: 28/09/2021
Path: C:\Windows\System32\cmd.exe
Wow64 process (32bit): false
Commandline: cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\P7n0h6OhYp.dll',#1
Imagebase: 0x7ff7eef80000
File size: 273920 bytes
MD5 hash: 4E2ACF4F8A396486AB4268C94A6A245F
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

General

Start time: 17:45:08
Start date: 28/09/2021
Path: C:\Windows\System32\rundll32.exe
Wow64 process (32bit): false
Commandline: rundll32.exe C:\Users\user\Desktop\P7n0h6OhYp.dll,IsInteractiveUserSession
Imagebase: 0x7ff6c6680000
File size: 69632 bytes
MD5 hash: 73C519F050C20580F8A62C849D49215A
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_Dridex_2, Description: Yara detected Dridex unpacked file, Source: 00000004.00000002.324777282.0000000140001000.00000020.00020000.sdmp, Author: Joe Security
Reputation: high

General

Start time: 17:45:09
Start date: 28/09/2021
Path: C:\Windows\System32\rundll32.exe
Wow64 process (32bit): false
Commandline: rundll32.exe 'C:\Users\user\Desktop\P7n0h6OhYp.dll',#1
Imagebase: 0x7ff6c6680000
File size: 69632 bytes
MD5 hash: 73C519F050C20580F8A62C849D49215A
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_Dridex_2, Description: Yara detected Dridex unpacked file, Source: 00000005.00000002.247365585.0000000140001000.00000020.00020000.sdmp, Author: Joe Security
Reputation: high

General

Start time: 17:45:10
Start date: 28/09/2021
Path: C:\Windows\explorer.exe
Wow64 process (32bit): false
Commandline: C:\Windows\Explorer.EXE
Imagebase: 0x7ff693d90000
File size: 3933184 bytes
MD5 hash: AD5296B280E8F522A8A897C96BAB0E1D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

General

Start time: 17:45:12
Start date: 28/09/2021
Path: C:\Windows\System32\rundll32.exe
Wow64 process (32bit): false
Commandline: rundll32.exe C:\Users\user\Desktop\P7n0h6OhYp.dll,QueryActiveSession
Imagebase: 0x7ff797770000
File size: 69632 bytes
MD5 hash: 73C519F050C20580F8A62C849D49215A
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_Dridex_2, Description: Yara detected Dridex unpacked file, Source: 00000008.00000002.254598295.0000000140001000.00000020.00020000.sdmp, Author: Joe Security
Reputation: high

General

Start time: 17:45:15
Start date: 28/09/2021
Path: C:\Windows\System32\rundll32.exe
Wow64 process (32bit): false
Commandline: rundll32.exe C:\Users\user\Desktop\P7n0h6OhYp.dll,QueryUserToken
Imagebase: 0x7ff6c6680000
File size: 69632 bytes
MD5 hash: 73C519F050C20580F8A62C849D49215A
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_Dridex_2, Description: Yara detected Dridex unpacked file, Source: 0000000A.00000002.261507768.0000000140001000.00000020.00020000.sdmp, Author: Joe Security
Reputation: high

General

Start time: 17:45:48
Start date: 28/09/2021
Path: C:\Windows\System32\RdpSa.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\RdpSa.exe
Imagebase: 0x7ff7f3240000
File size: 43008 bytes
MD5 hash: 0795B6F790F8E52D55F39E593E9C5BBA
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: moderate

General

Start time: 17:45:49
Start date: 28/09/2021
Path: C:\Users\user\AppData\Local\1wgM9CYx\RdpSa.exe
Wow64 process (32bit): false
Commandline: C:\Users\user\AppData\Local\1wgM9CYx\RdpSa.exe
Imagebase: 0x7ff73a1b0000
File size: 43008 bytes
MD5 hash: 0795B6F790F8E52D55F39E593E9C5BBA
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_Dridex_2, Description: Yara detected Dridex unpacked file, Source: 00000015.00000002.354057356.0000000140001000.00000020.00020000.sdmp, Author: Joe Security
Antivirus matches:
• Detection: 0%, Metadefender
• Detection: 0%, ReversingLabs

General

Start time: 17:46:01
Start date: 28/09/2021
Path: C:\Windows\System32\dxgiadaptercache.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\dxgiadaptercache.exe
Imagebase: 0x7ff6ca3d0000
File size: 45568 bytes
MD5 hash: 3E73262483D4FB1BB88BA1B2B9BB3D5A
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language

General

Start time: 17:46:01
Start date: 28/09/2021
Path: C:\Users\user\AppData\Local\aDD0Ov\dxgiadaptercache.exe
Wow64 process (32bit): false
Commandline: C:\Users\user\AppData\Local\aDD0Ov\dxgiadaptercache.exe
Imagebase: 0x7ff64dc50000
File size: 45568 bytes
MD5 hash: 3E73262483D4FB1BB88BA1B2B9BB3D5A
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_Dridex_2, Description: Yara detected Dridex unpacked file, Source: 00000018.00000002.383288122.0000000140001000.00000020.00020000.sdmp, Author: Joe Security

                                                                General

                                                                Start time:17:46:14
                                                                Start date:28/09/2021
                                                                Path:C:\Windows\System32\GamePanel.exe
                                                                Wow64 process (32bit):false
                                                                Commandline:C:\Windows\system32\GamePanel.exe
                                                                Imagebase:0x7ff74c0a0000
                                                                File size:1292288 bytes
                                                                MD5 hash:4EF330EFAE954723B1F2800C15FDA7EB
                                                                Has elevated privileges:true
                                                                Has administrator privileges:true
                                                                Programmed in:C, C++ or other language

                                                                General

                                                                Start time:17:46:16
                                                                Start date:28/09/2021
                                                                Path:C:\Users\user\AppData\Local\Rn1XW4tG\GamePanel.exe
                                                                Wow64 process (32bit):false
                                                                Commandline:C:\Users\user\AppData\Local\Rn1XW4tG\GamePanel.exe
                                                                Imagebase:0x7ff7a3570000
                                                                File size:1292288 bytes
                                                                MD5 hash:4EF330EFAE954723B1F2800C15FDA7EB
                                                                Has elevated privileges:true
                                                                Has administrator privileges:true
                                                                Programmed in:C, C++ or other language
                                                                Yara matches:
                                                                • Rule: JoeSecurity_Dridex_2, Description: Yara detected Dridex unpacked file, Source: 0000001A.00000002.410742595.0000000140001000.00000020.00020000.sdmp, Author: Joe Security

                                                                General

                                                                Start time:17:46:27
                                                                Start date:28/09/2021
                                                                Path:C:\Windows\System32\SystemSettingsRemoveDevice.exe
                                                                Wow64 process (32bit):false
                                                                Commandline:C:\Windows\system32\SystemSettingsRemoveDevice.exe
                                                                Imagebase:0x7ff6f45e0000
                                                                File size:39304 bytes
                                                                MD5 hash:87AF711D6518C0CF91560D7C98301BBB
                                                                Has elevated privileges:true
                                                                Has administrator privileges:true
                                                                Programmed in:C, C++ or other language

                                                                General

                                                                Start time:17:46:34
                                                                Start date:28/09/2021
                                                                Path:C:\Users\user\AppData\Local\tiy3x\SystemSettingsRemoveDevice.exe
                                                                Wow64 process (32bit):false
                                                                Commandline:C:\Users\user\AppData\Local\tiy3x\SystemSettingsRemoveDevice.exe
                                                                Imagebase:0x7ff6c5e60000
                                                                File size:39304 bytes
                                                                MD5 hash:87AF711D6518C0CF91560D7C98301BBB
                                                                Has elevated privileges:true
                                                                Has administrator privileges:true
                                                                Programmed in:C, C++ or other language
                                                                Yara matches:
                                                                • Rule: JoeSecurity_Dridex_2, Description: Yara detected Dridex unpacked file, Source: 0000001E.00000002.449151118.0000000140001000.00000020.00020000.sdmp, Author: Joe Security

                                                                General

                                                                Start time:17:46:45
                                                                Start date:28/09/2021
                                                                Path:C:\Windows\System32\lpksetup.exe
                                                                Wow64 process (32bit):false
                                                                Commandline:C:\Windows\system32\lpksetup.exe
                                                                Imagebase:0x7ff6cdd60000
                                                                File size:732160 bytes
                                                                MD5 hash:8E2C63E761A22724382338F349C55014
                                                                Has elevated privileges:true
                                                                Has administrator privileges:true
                                                                Programmed in:C, C++ or other language

                                                                General

                                                                Start time:17:46:46
                                                                Start date:28/09/2021
                                                                Path:C:\Users\user\AppData\Local\A7mgbJ\lpksetup.exe
                                                                Wow64 process (32bit):false
                                                                Commandline:C:\Users\user\AppData\Local\A7mgbJ\lpksetup.exe
                                                                Imagebase:0x7ff75ca20000
                                                                File size:732160 bytes
                                                                MD5 hash:8E2C63E761A22724382338F349C55014
                                                                Has elevated privileges:true
                                                                Has administrator privileges:true
                                                                Programmed in:C, C++ or other language
                                                                Yara matches:
                                                                • Rule: JoeSecurity_Dridex_2, Description: Yara detected Dridex unpacked file, Source: 00000022.00000002.476637367.0000000140001000.00000020.00020000.sdmp, Author: Joe Security
                                                                Antivirus matches:
                                                                • Detection: 0%, Metadefender
                                                                • Detection: 0%, ReversingLabs

                                                                General

                                                                Start time:17:46:58
                                                                Start date:28/09/2021
                                                                Path:C:\Windows\System32\Narrator.exe
                                                                Wow64 process (32bit):false
                                                                Commandline:C:\Windows\system32\Narrator.exe
                                                                Imagebase:0x7ff7058a0000
                                                                File size:349696 bytes
                                                                MD5 hash:56036993FB96C42F30C443A11BD56F4D
                                                                Has elevated privileges:true
                                                                Has administrator privileges:true
                                                                Programmed in:C, C++ or other language

                                                                General

                                                                Start time:17:46:59
                                                                Start date:28/09/2021
                                                                Path:C:\Users\user\AppData\Local\ocY6\Narrator.exe
                                                                Wow64 process (32bit):false
                                                                Commandline:C:\Users\user\AppData\Local\ocY6\Narrator.exe
                                                                Imagebase:0x7ff69a2a0000
                                                                File size:349696 bytes
                                                                MD5 hash:56036993FB96C42F30C443A11BD56F4D
                                                                Has elevated privileges:true
                                                                Has administrator privileges:true
                                                                Programmed in:C, C++ or other language

                                                                General

                                                                Start time:17:47:00
                                                                Start date:28/09/2021
                                                                Path:C:\Windows\System32\WindowsActionDialog.exe
                                                                Wow64 process (32bit):false
                                                                Commandline:C:\Windows\system32\WindowsActionDialog.exe
                                                                Imagebase:0x7ff761c50000
                                                                File size:59392 bytes
                                                                MD5 hash:991359EE1E9C1958EB5D0F7314774123
                                                                Has elevated privileges:true
                                                                Has administrator privileges:true
                                                                Programmed in:C, C++ or other language

                                                                General

                                                                Start time:17:47:04
                                                                Start date:28/09/2021
                                                                Path:C:\Users\user\AppData\Local\JrFH9qPBX\WindowsActionDialog.exe
                                                                Wow64 process (32bit):false
                                                                Commandline:C:\Users\user\AppData\Local\JrFH9qPBX\WindowsActionDialog.exe
                                                                Imagebase:0x7ff639950000
                                                                File size:59392 bytes
                                                                MD5 hash:991359EE1E9C1958EB5D0F7314774123
                                                                Has elevated privileges:true
                                                                Has administrator privileges:true
                                                                Programmed in:C, C++ or other language
                                                                Yara matches:
                                                                • Rule: JoeSecurity_Dridex_2, Description: Yara detected Dridex unpacked file, Source: 00000027.00000002.514121758.0000000140001000.00000020.00020000.sdmp, Author: Joe Security

                                                                General

                                                                Start time:17:47:15
                                                                Start date:28/09/2021
                                                                Path:C:\Windows\System32\sessionmsg.exe
                                                                Wow64 process (32bit):false
                                                                Commandline:C:\Windows\system32\sessionmsg.exe
                                                                Imagebase:0x7ff650f20000
                                                                File size:74440 bytes
                                                                MD5 hash:1F7CEA0216DE48B877C16F95C7DA1F0F
                                                                Has elevated privileges:true
                                                                Has administrator privileges:true
                                                                Programmed in:C, C++ or other language

                                                                General

                                                                Start time:17:47:16
                                                                Start date:28/09/2021
                                                                Path:C:\Users\user\AppData\Local\NNw\sessionmsg.exe
                                                                Wow64 process (32bit):false
                                                                Commandline:C:\Users\user\AppData\Local\NNw\sessionmsg.exe
                                                                Imagebase:0x7ff7635c0000
                                                                File size:74440 bytes
                                                                MD5 hash:1F7CEA0216DE48B877C16F95C7DA1F0F
                                                                Has elevated privileges:true
                                                                Has administrator privileges:true
                                                                Programmed in:C, C++ or other language
                                                                Yara matches:
                                                                • Rule: JoeSecurity_Dridex_2, Description: Yara detected Dridex unpacked file, Source: 00000029.00000002.543009513.0000000140001000.00000020.00020000.sdmp, Author: Joe Security

                                                                Disassembly

                                                                Code Analysis
