
Windows Analysis Report K7dGM0P0yz

Overview

General Information

Sample Name: K7dGM0P0yz (renamed file extension from none to dll)
Analysis ID: 492437
MD5: 2955d4759afce09a41c1df5b108f0287
SHA1: 11e277c3c987b4119909dd099a5f901e074698e3
SHA256: 97058d4465daae2446886d425d9a8215df518e6845e8a4bedb30acea4e8d2070
Tags: Dridex, exe

Detection

Dridex
Score: 96
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Yara detected Dridex unpacked file
Multi AV Scanner detection for submitted file
Benign windows process drops PE files
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Changes memory attributes in foreign processes to executable or writable
Queues an APC in another process (thread injection)
Machine Learning detection for dropped file
Uses Atom Bombing / ProGate to inject into other processes
Queries the volume information (name, serial number etc) of a device
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query locales information (e.g. system language)
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
PE file contains sections with non-standard names
Queries device information via Setup API
Queries the installation date of Windows
Detected potential crypto function
Found potential string decryption / allocating functions
Contains functionality to launch a process as a different user
Contains functionality to get notified if a device is plugged in / out
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to call native functions
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Found dropped PE file which has not been started or loaded
Contains functionality to record screenshots
Contains functionality which may be used to detect a debugger (GetProcessHeap)
PE file contains executable resources (Code or Archives)
Contains functionality for execution timing, often used to detect debuggers
Installs a raw input device (often for capturing keystrokes)
PE file contains an invalid checksum
Extensive use of GetProcAddress (often used to hide API calls)
PE file contains strange resources
Drops PE files
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Binary contains a suspicious time stamp
Contains functionality to read device registry values (via SetupAPI)
PE file contains more sections than normal
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Uses Microsoft's Enhanced Cryptographic Provider
Creates a process in suspended mode (likely to inject code)
Contains functionality to simulate mouse events
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to block mouse and keyboard input (often used to hinder debugging)

Process Tree

  • System is w10x64
  • loaddll64.exe (PID: 7076 cmdline: loaddll64.exe 'C:\Users\user\Desktop\K7dGM0P0yz.dll' MD5: E0CC9D126C39A9D2FA1CAD5027EBBD18)
    • cmd.exe (PID: 7068 cmdline: cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\K7dGM0P0yz.dll',#1 MD5: 4E2ACF4F8A396486AB4268C94A6A245F)
      • rundll32.exe (PID: 7144 cmdline: rundll32.exe 'C:\Users\user\Desktop\K7dGM0P0yz.dll',#1 MD5: 73C519F050C20580F8A62C849D49215A)
    • rundll32.exe (PID: 7064 cmdline: rundll32.exe C:\Users\user\Desktop\K7dGM0P0yz.dll,BeginBufferedAnimation MD5: 73C519F050C20580F8A62C849D49215A)
      • explorer.exe (PID: 3424 cmdline: C:\Windows\Explorer.EXE MD5: AD5296B280E8F522A8A897C96BAB0E1D)
        • bdechangepin.exe (PID: 6036 cmdline: C:\Windows\system32\bdechangepin.exe MD5: 013D00A367D851B0EC869F209337754E)
        • bdechangepin.exe (PID: 6932 cmdline: C:\Users\user\AppData\Local\5HTUnLvL\bdechangepin.exe MD5: 013D00A367D851B0EC869F209337754E)
        • rdpinit.exe (PID: 4824 cmdline: C:\Windows\system32\rdpinit.exe MD5: EF7C9CF6EA5B8B9C5C8320990714C35D)
        • rdpinit.exe (PID: 6476 cmdline: C:\Users\user\AppData\Local\hJetkV\rdpinit.exe MD5: EF7C9CF6EA5B8B9C5C8320990714C35D)
        • wlrmdr.exe (PID: 1088 cmdline: C:\Windows\system32\wlrmdr.exe MD5: 4849E997AF1274DD145672A2F9BC0827)
        • wlrmdr.exe (PID: 5984 cmdline: C:\Users\user\AppData\Local\YRu8\wlrmdr.exe MD5: 4849E997AF1274DD145672A2F9BC0827)
        • rdpclip.exe (PID: 1332 cmdline: C:\Windows\system32\rdpclip.exe MD5: 1690E3004F712C75A2C9FF6BCDE49461)
        • rdpclip.exe (PID: 2820 cmdline: C:\Users\user\AppData\Local\I0o\rdpclip.exe MD5: 1690E3004F712C75A2C9FF6BCDE49461)
        • AgentService.exe (PID: 2328 cmdline: C:\Windows\system32\AgentService.exe MD5: F7E36C20DB953DFF4FDDB817904C0E48)
        • AgentService.exe (PID: 1808 cmdline: C:\Users\user\AppData\Local\eF0\AgentService.exe MD5: F7E36C20DB953DFF4FDDB817904C0E48)
        • dccw.exe (PID: 6372 cmdline: C:\Windows\system32\dccw.exe MD5: 341515B9556F37E623777D1C377BCFAC)
        • dccw.exe (PID: 3864 cmdline: C:\Users\user\AppData\Local\Fox\dccw.exe MD5: 341515B9556F37E623777D1C377BCFAC)
        • dpapimig.exe (PID: 6960 cmdline: C:\Windows\system32\dpapimig.exe MD5: EE7DB7B615B48D8F9F08FAE70CAF46D7)
        • dpapimig.exe (PID: 404 cmdline: C:\Users\user\AppData\Local\rdM8VQT\dpapimig.exe MD5: EE7DB7B615B48D8F9F08FAE70CAF46D7)
        • GamePanel.exe (PID: 5180 cmdline: C:\Windows\system32\GamePanel.exe MD5: 4EF330EFAE954723B1F2800C15FDA7EB)
        • GamePanel.exe (PID: 4488 cmdline: C:\Users\user\AppData\Local\hIiDwtvg\GamePanel.exe MD5: 4EF330EFAE954723B1F2800C15FDA7EB)
        • RdpSaUacHelper.exe (PID: 4768 cmdline: C:\Windows\system32\RdpSaUacHelper.exe MD5: DA88A7B872B1A52F2465D12CFBA4EDAB)
        • RdpSaUacHelper.exe (PID: 5920 cmdline: C:\Users\user\AppData\Local\vh7jtu\RdpSaUacHelper.exe MD5: DA88A7B872B1A52F2465D12CFBA4EDAB)
        • osk.exe (PID: 960 cmdline: C:\Windows\system32\osk.exe MD5: 88B09DE7D0DF1D2E9BCA9BAE1346CB23)
    • rundll32.exe (PID: 5516 cmdline: rundll32.exe C:\Users\user\Desktop\K7dGM0P0yz.dll,BeginBufferedPaint MD5: 73C519F050C20580F8A62C849D49215A)
    • rundll32.exe (PID: 6800 cmdline: rundll32.exe C:\Users\user\Desktop\K7dGM0P0yz.dll,BeginPanningFeedback MD5: 73C519F050C20580F8A62C849D49215A)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000008.00000002.674588856.0000000140001000.00000020.00020000.sdmp | JoeSecurity_Dridex_2 | Yara detected Dridex unpacked file | Joe Security |
00000027.00000002.1020058745.0000000140001000.00000020.00020000.sdmp | JoeSecurity_Dridex_2 | Yara detected Dridex unpacked file | Joe Security |
0000001E.00000002.903179432.0000000140001000.00000020.00020000.sdmp | JoeSecurity_Dridex_2 | Yara detected Dridex unpacked file | Joe Security |
00000014.00000002.812981764.0000000140001000.00000020.00020000.sdmp | JoeSecurity_Dridex_2 | Yara detected Dridex unpacked file | Joe Security |
0000001B.00000002.874877392.0000000140001000.00000020.00020000.sdmp | JoeSecurity_Dridex_2 | Yara detected Dridex unpacked file | Joe Security |
(5 of 9 entries shown)

Sigma Overview

No Sigma rule has matched

Jbx Signature Overview

AV Detection:

Multi AV Scanner detection for submitted file
Source: K7dGM0P0yz.dll; Virustotal: Detection: 62%
Source: K7dGM0P0yz.dll; Metadefender: Detection: 65%
Source: K7dGM0P0yz.dll; ReversingLabs: Detection: 77%
Antivirus / Scanner detection for submitted sample
Source: K7dGM0P0yz.dll; Avira: detected
Antivirus detection for dropped file
Source: C:\Users\user\AppData\Local\1DwRown1P\VERSION.dll; Avira: detection malicious, Label: TR/Crypt.ZPACK.Gen
Source: C:\Users\user\AppData\Local\1DwRown1P\VERSION.dll; Avira: detection malicious, Label: TR/Crypt.ZPACK.Gen
Source: C:\Users\user\AppData\Local\5HTUnLvL\DUI70.dll; Avira: detection malicious, Label: HEUR/AGEN.1114452
Source: C:\Users\user\AppData\Local\I0o\dwmapi.dll; Avira: detection malicious, Label: HEUR/AGEN.1114452
Source: C:\Users\user\AppData\Local\vh7jtu\WINSTA.dll; Avira: detection malicious, Label: TR/Crypt.ZPACK.Gen
Source: C:\Users\user\AppData\Local\5HTUnLvL\DUI70.dll; Avira: detection malicious, Label: HEUR/AGEN.1114452
Source: C:\Users\user\AppData\Local\Fox\dxva2.dll; Avira: detection malicious, Label: HEUR/AGEN.1114452
Source: C:\Users\user\AppData\Local\5HTUnLvL\DUI70.dll; Avira: detection malicious, Label: HEUR/AGEN.1114452
Source: C:\Users\user\AppData\Local\I0o\dwmapi.dll; Avira: detection malicious, Label: HEUR/AGEN.1114452
Source: C:\Users\user\AppData\Local\I0o\dwmapi.dll; Avira: detection malicious, Label: HEUR/AGEN.1114452
Source: C:\Users\user\AppData\Local\1DwRown1P\VERSION.dll; Avira: detection malicious, Label: TR/Crypt.ZPACK.Gen
Source: C:\Users\user\AppData\Local\5HTUnLvL\DUI70.dll; Avira: detection malicious, Label: HEUR/AGEN.1114452
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Local\5HTUnLvL\DUI70.dll; Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\5HTUnLvL\DUI70.dll; Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\5HTUnLvL\DUI70.dll; Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\hJetkV\rdpinit.exe; Code function: 20_2_00007FF6CE1C2D94 CryptAcquireContextW,GetLastError,CryptGenRandom,GetLastError,CryptReleaseContext,
Source: C:\Users\user\AppData\Local\I0o\rdpclip.exe; Code function: 27_2_00007FF7B9584C10 RtlInitUnicodeString,NtCreateFile,RtlNtStatusToDosError,DeviceIoControl,GetLastError,DeviceIoControl,GetLastError,CryptBinaryToStringW,CryptBinaryToStringW,NtClose,
Source: C:\Users\user\AppData\Local\hIiDwtvg\GamePanel.exe; Code function: 37_2_00007FF66A2C8534 CryptDestroyHash,CryptReleaseContext,
Source: C:\Users\user\AppData\Local\hIiDwtvg\GamePanel.exe; Code function: 37_2_00007FF66A2C874C CryptHashData,
Source: C:\Users\user\AppData\Local\hIiDwtvg\GamePanel.exe; Code function: 37_2_00007FF66A2C88F8 CryptHashData,
Source: C:\Users\user\AppData\Local\hIiDwtvg\GamePanel.exe; Code function: 37_2_00007FF66A2C8598 CryptAcquireContextW,CryptCreateHash,
Source: C:\Users\user\AppData\Local\hIiDwtvg\GamePanel.exe; Code function: 37_2_00007FF66A2C8610 CryptGetHashParam,memset,
Source: K7dGM0P0yz.dll; Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA
Source: Binary string: dccw.pdbGCTL source: dccw.exe, 00000020.00000000.909233462.00007FF7D5271000.00000002.00020000.sdmp
Source: Binary string: dccw.pdb source: dccw.exe, 00000020.00000000.909233462.00007FF7D5271000.00000002.00020000.sdmp
Source: Binary string: dpapimig.pdbGCTL source: dpapimig.exe, 00000022.00000002.967632855.00007FF6312D4000.00000002.00020000.sdmp
Source: Binary string: bdechangepin.pdb source: bdechangepin.exe, 00000010.00000002.788373401.00007FF636989000.00000002.00020000.sdmp
Source: Binary string: rdpclip.pdbGCTL source: rdpclip.exe, 0000001B.00000002.877262462.00007FF7B95D1000.00000002.00020000.sdmp
Source: Binary string: bdechangepin.pdbGCTL source: bdechangepin.exe, 00000010.00000002.788373401.00007FF636989000.00000002.00020000.sdmp
Source: Binary string: rdpinit.pdb source: rdpinit.exe, 00000014.00000000.791152367.00007FF6CE1FE000.00000002.00020000.sdmp
Source: Binary string: rdpinit.pdbGCTL source: rdpinit.exe, 00000014.00000000.791152367.00007FF6CE1FE000.00000002.00020000.sdmp
Source: Binary string: wlrmdr.pdbGCTL source: wlrmdr.exe, 00000018.00000000.825586991.00007FF79A6F6000.00000002.00020000.sdmp
Source: Binary string: GamePanel.pdbGCTL source: GamePanel.exe, 00000025.00000000.971116564.00007FF66A317000.00000002.00020000.sdmp
Source: Binary string: wlrmdr.pdb source: wlrmdr.exe, 00000018.00000000.825586991.00007FF79A6F6000.00000002.00020000.sdmp
Source: Binary string: AgentService.pdbGCTL source: AgentService.exe, 0000001E.00000000.880768467.00007FF71B701000.00000002.00020000.sdmp
Source: Binary string: rdpclip.pdb source: rdpclip.exe, 0000001B.00000002.877262462.00007FF7B95D1000.00000002.00020000.sdmp
Source: Binary string: AgentService.pdb source: AgentService.exe, 0000001E.00000000.880768467.00007FF71B701000.00000002.00020000.sdmp
Source: Binary string: dpapimig.pdb source: dpapimig.exe, 00000022.00000002.967632855.00007FF6312D4000.00000002.00020000.sdmp
Source: Binary string: GamePanel.pdb source: GamePanel.exe, 00000025.00000000.971116564.00007FF66A317000.00000002.00020000.sdmp
Source: C:\Users\user\AppData\Local\I0o\rdpclip.exe; Code function: 27_2_00007FF7B958603C GetModuleHandleExW,memset,RegisterClassW,CreateWindowExW,GetLastError,memset,RegisterDeviceNotificationW,GetLastError,memset,RegisterDeviceNotificationW,GetLastError,UnregisterDeviceNotification,UnregisterDeviceNotification,
Source: C:\Windows\System32\loaddll64.exe; Code function: 0_2_000000014005D290 FindFirstFileExW,
Source: C:\Users\user\AppData\Local\I0o\rdpclip.exe; Code function: 27_2_00007FF7B95B2380 memset,memset,memset,wcschr,wcsrchr,FindNextFileW,FindFirstFileW,FindNextFileW,GetLastError,wcsrchr,FindClose,LocalFree,LocalAlloc,GetLastError,GetLastError,FindClose,FindClose,LocalFree,
Source: C:\Users\user\AppData\Local\eF0\AgentService.exe; Code function: 30_2_00007FF71B679110 ??3@YAXPEAX@Z,??3@YAXPEAX@Z,std::bad_exception::bad_exception,_CxxThrowException,FindFirstFileW,GetLastError,??3@YAXPEAX@Z,??3@YAXPEAX@Z,??3@YAXPEAX@Z,??3@YAXPEAX@Z,??3@YAXPEAX@Z,FindNextFileW,GetLastError,??3@YAXPEAX@Z,??3@YAXPEAX@Z,??3@YAXPEAX@Z,std::bad_exception::bad_exception,_CxxThrowException,std::bad_exception::bad_exception,_CxxThrowException,
Source: GamePanel.exe; String found in binary or memory: https://MediaData.XboxLive.com/broadcasts/Augment
Source: GamePanel.exe, 00000025.00000000.971116564.00007FF66A317000.00000002.00020000.sdmp; String found in binary or memory: https://MediaData.XboxLive.com/broadcasts/Augmenthttps://MediaData.XboxLive.com/screenshots/Augmenth
Source: GamePanel.exe; String found in binary or memory: https://MediaData.XboxLive.com/gameclips/Augment
Source: GamePanel.exe; String found in binary or memory: https://MediaData.XboxLive.com/screenshots/Augment
Source: GamePanel.exe; String found in binary or memory: https://aka.ms/ifg0es
Source: GamePanel.exe; String found in binary or memory: https://aka.ms/imfx4k
Source: GamePanel.exe; String found in binary or memory: https://aka.ms/imrx2o
Source: GamePanel.exe; String found in binary or memory: https://aka.ms/v5do45
Source: GamePanel.exe; String found in binary or memory: https://aka.ms/w5ryqn
Source: GamePanel.exe, 00000025.00000000.971116564.00007FF66A317000.00000002.00020000.sdmp; String found in binary or memory: https://aka.ms/w5ryqnhttps://aka.ms/imfx4kQUITTING
Source: GamePanel.exe, GamePanel.exe, 00000025.00000000.971116564.00007FF66A317000.00000002.00020000.sdmp; String found in binary or memory: https://aka.ms/wk9ocd
Source: GamePanel.exe; String found in binary or memory: https://mixer.com/%ws
Source: GamePanel.exe, 00000025.00000000.971116564.00007FF66A317000.00000002.00020000.sdmp; String found in binary or memory: https://mixer.com/%wsWindows.System.Launcher
Source: GamePanel.exe; String found in binary or memory: https://mixer.com/_latest/assets/emoticons/%ls.png
Source: GamePanel.exe, 00000025.00000000.971116564.00007FF66A317000.00000002.00020000.sdmp; String found in binary or memory: https://mixer.com/_latest/assets/emoticons/%ls.pngtitleIdaumIdkglIdprocessNamenametypeIdmultimedia
Source: GamePanel.exe, GamePanel.exe, 00000025.00000000.971116564.00007FF66A317000.00000002.00020000.sdmp; String found in binary or memory: https://mixer.com/api/v1/broadcasts/current
Source: GamePanel.exe; String found in binary or memory: https://mixer.com/api/v1/channels/%d
Source: GamePanel.exe; String found in binary or memory: https://mixer.com/api/v1/channels/%ws
Source: GamePanel.exe; String found in binary or memory: https://mixer.com/api/v1/chats/%.0f
Source: GamePanel.exe, 00000025.00000000.971116564.00007FF66A317000.00000002.00020000.sdmp; String found in binary or memory: https://mixer.com/api/v1/chats/%.0fhttps://mixer.com/api/v1/users/currentBEAM_IMAGEGamesGuide::BeamC
Source: GamePanel.exe; String found in binary or memory: https://mixer.com/api/v1/oauth/xbl/login
Source: GamePanel.exe; String found in binary or memory: https://mixer.com/api/v1/types/lookup%ws
Source: GamePanel.exe, 00000025.00000000.971116564.00007FF66A317000.00000002.00020000.sdmp; String found in binary or memory: https://mixer.com/api/v1/types/lookup%wshttps://mixer.com/api/v1/channels/%wshttps://mixer.com/api/v
Source: GamePanel.exe; String found in binary or memory: https://mixer.com/api/v1/users/current
Source: GamePanel.exe; String found in binary or memory: https://profile.xboxlive.com/users/me/profile/settings?settings=GameDisplayPicRaw
Source: GamePanel.exe; String found in binary or memory: https://www.xboxlive.com
Source: GamePanel.exe, 00000025.00000000.971116564.00007FF66A317000.00000002.00020000.sdmp; String found in binary or memory: https://www.xboxlive.comMBI_SSLhttps://profile.xboxlive.com/users/me/profile/settings?settings=GameD
Source: C:\Users\user\AppData\Local\Fox\dccw.exe; Code function: 32_2_00007FF7D526DA68 GetObjectW,GetLastError,GetWindowRect,GetLastError,GetDC,GetLastError,CreateCompatibleDC,GetLastError,SelectObject,CreateCompatibleDC,GetLastError,SetStretchBltMode,GetLastError,CreateCompatibleBitmap,GetLastError,SelectObject,StretchBlt,GetLastError,SendMessageW,DeleteObject,ReleaseDC,DeleteDC,DeleteDC,DeleteObject,
Source: C:\Users\user\AppData\Local\hIiDwtvg\GamePanel.exe; Code function: 37_2_00007FF66A3045E0 UiaReturnRawElementProvider,GetRawInputData,GetMessageExtraInfo,GetMessageExtraInfo,SendMessageW,SendMessageW,MulDiv,#413,Concurrency::cancel_current_task,

E-Banking Fraud:

Yara detected Dridex unpacked file
Source: Yara match; File source: 00000008.00000002.674588856.0000000140001000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match; File source: 00000027.00000002.1020058745.0000000140001000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match; File source: 0000001E.00000002.903179432.0000000140001000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match; File source: 00000014.00000002.812981764.0000000140001000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match; File source: 0000001B.00000002.874877392.0000000140001000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match; File source: 00000009.00000002.681792937.0000000140001000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match; File source: 00000022.00000002.965505490.0000000140001000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match; File source: 00000020.00000002.931145989.0000000140001000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match; File source: 00000018.00000002.847453673.0000000140001000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match; File source: 00000003.00000002.666466905.0000000140001000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match; File source: 00000010.00000002.786920888.0000000140001000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match; File source: 00000002.00000002.749176319.0000000140001000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match; File source: 00000025.00000002.992899569.0000000140001000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match; File source: 00000000.00000002.687667987.0000000140001000.00000020.00020000.sdmp, type: MEMORY
Source: C:\Windows\System32\loaddll64.exe; Code function: 0_2_0000000140034870
Source: C:\Windows\System32\loaddll64.exe; Code function: 0_2_0000000140035270
Source: C:\Windows\System32\loaddll64.exe; Code function: 0_2_0000000140048AC0
Source: C:\Windows\System32\loaddll64.exe; Code function: 0_2_000000014005C340
Source: C:\Windows\System32\loaddll64.exe; Code function: 0_2_0000000140065B80
Source: C:\Windows\System32\loaddll64.exe; Code function: 0_2_000000014006A4B0
Source: C:\Windows\System32\loaddll64.exe; Code function: 0_2_00000001400524B0
Source: C:\Windows\System32\loaddll64.exe; Code function: 0_2_0000000140026CC0
Source: C:\Windows\System32\loaddll64.exe; Code function: 0_2_000000014004BD40
Source: C:\Windows\System32\loaddll64.exe; Code function: 0_2_00000001400495B0
Source: C:\Windows\System32\loaddll64.exe; Code function: 0_2_0000000140036F30
Source: C:\Windows\System32\loaddll64.exe; Code function: 0_2_0000000140069010
Source: C:\Windows\System32\loaddll64.exe; Code function: 0_2_0000000140001010
Source: C:\Windows\System32\loaddll64.exe; Code function: 0_2_0000000140066020
Source: C:\Windows\System32\loaddll64.exe; Code function: 0_2_000000014002F840
Source: C:\Windows\System32\loaddll64.exe; Code function: 0_2_000000014005D850
Source: C:\Windows\System32\loaddll64.exe; Code function: 0_2_0000000140064080
Source: C:\Windows\System32\loaddll64.exe; Code function: 0_2_0000000140010880
Source: C:\Windows\System32\loaddll64.exe; Code function: 0_2_00000001400688A0
Source: C:\Windows\System32\loaddll64.exe; Code function: 0_2_000000014002D0D0
Source: C:\Windows\System32\loaddll64.exe; Code function: 0_2_00000001400018D0
Source: C:\Windows\System32\loaddll64.exe; Code function: 0_2_0000000140016100
Source: C:\Windows\System32\loaddll64.exe; Code function: 0_2_000000014001D100
Source: C:\Windows\System32\loaddll64.exe; Code function: 0_2_000000014002A110
Source: C:\Windows\System32\loaddll64.exe; Code function: 0_2_000000014001D910
Source: C:\Windows\System32\loaddll64.exe; Code function: 0_2_0000000140015120
Source: C:\Windows\System32\loaddll64.exe; Code function: 0_2_000000014000B120
Source: C:\Windows\System32\loaddll64.exe; Code function: 0_2_000000014004F940
Source: C:\Windows\System32\loaddll64.exe; Code function: 0_2_0000000140039140
Source: C:\Windows\System32\loaddll64.exe; Code function: 0_2_0000000140023140
Source: C:\Windows\System32\loaddll64.exe; Code function: 0_2_0000000140057950
Source: C:\Windows\System32\loaddll64.exe; Code function: 0_2_000000014001E170
Source: C:\Windows\System32\loaddll64.exe; Code function: 0_2_0000000140002980
Source: C:\Windows\System32\loaddll64.exe; Code function: 0_2_00000001400611A0
Source: C:\Windows\System32\loaddll64.exe; Code function: 0_2_00000001400389A0
Source: C:\Windows\System32\loaddll64.exe; Code function: 0_2_00000001400381A0
Source: C:\Windows\System32\loaddll64.exe; Code function: 0_2_000000014002E1B0
Source: C:\Windows\System32\loaddll64.exe; Code function: 0_2_00000001400139D0
Source: C:\Windows\System32\loaddll64.exe; Code function: 0_2_00000001400319F0
Source: C:\Windows\System32\loaddll64.exe; Code function: 0_2_000000014002EA00
Source: C:\Windows\System32\loaddll64.exe; Code function: 0_2_0000000140022A00
Source: C:\Windows\System32\loaddll64.exe; Code function: 0_2_000000014003B220
Source: C:\Windows\System32\loaddll64.exe; Code function: 0_2_0000000140067A40
Source: C:\Windows\System32\loaddll64.exe; Code function: 0_2_0000000140069A50
Source: C:\Windows\System32\loaddll64.exe; Code function: 0_2_0000000140007A60
Source: C:\Windows\System32\loaddll64.exe; Code function: 0_2_000000014003AAC0
Source: C:\Windows\System32\loaddll64.exe; Code function: 0_2_000000014003A2E0
Source: C:\Windows\System32\loaddll64.exe; Code function: 0_2_0000000140062B00
Source: C:\Windows\System32\loaddll64.exe; Code function: 0_2_0000000140018300
Source: C:\Windows\System32\loaddll64.exe; Code function: 0_2_000000014002FB20
Source: C:\Windows\System32\loaddll64.exe; Code function: 0_2_0000000140031340
Source: C:\Windows\System32\loaddll64.exe; Code function: 0_2_0000000140022340
Source: C:\Windows\System32\loaddll64.exe; Code function: 0_2_0000000140017B40
Source: C:\Windows\System32\loaddll64.exe; Code function: 0_2_000000014000BB40
Source: C:\Windows\System32\loaddll64.exe; Code function: 0_2_000000014004EB60
Source: C:\Windows\System32\loaddll64.exe; Code function: 0_2_0000000140005370
Source: C:\Windows\System32\loaddll64.exe; Code function: 0_2_000000014002CB80
Source: C:\Windows\System32\loaddll64.exe; Code function: 0_2_000000014006B390
Source: C:\Windows\System32\loaddll64.exe; Code function: 0_2_0000000140054BA0
Source: C:\Windows\System32\loaddll64.exe; Code function: 0_2_0000000140033BB0
Source: C:\Windows\System32\loaddll64.exe; Code function: 0_2_00000001400263C0
Source: C:\Windows\System32\loaddll64.exe; Code function: 0_2_00000001400123C0
Source: C:\Windows\System32\loaddll64.exe; Code function: 0_2_0000000140063BD0
Source: C:\Windows\System32\loaddll64.exe; Code function: 0_2_00000001400663F0
Source: C:\Windows\System32\loaddll64.exe; Code function: 0_2_0000000140023BF0
Source: C:\Windows\System32\loaddll64.exe; Code function: 0_2_000000014006B41B
Source: C:\Windows\System32\loaddll64.exe; Code function: 0_2_000000014006B424
Source: C:\Windows\System32\loaddll64.exe; Code function: 0_2_000000014006B42D
Source: C:\Windows\System32\loaddll64.exe; Code function: 0_2_000000014006B436
Source: C:\Windows\System32\loaddll64.exe; Code function: 0_2_000000014006B43D
Source: C:\Windows\System32\loaddll64.exe; Code function: 0_2_0000000140024440
Source: C:\Windows\System32\loaddll64.exe; Code function: 0_2_0000000140005C40
Source: C:\Windows\System32\loaddll64.exe; Code function: 0_2_000000014006B446
Source: C:\Windows\System32\loaddll64.exe; Code function: 0_2_000000014005F490
Source: C:\Windows\System32\loaddll64.exe; Code function: 0_2_0000000140022D00
Source: C:\Windows\System32\loaddll64.exe; Code function: 0_2_0000000140035520
Source: C:\Windows\System32\loaddll64.exe; Code function: 0_2_0000000140019D20
Source: C:\Windows\System32\loaddll64.exe; Code function: 0_2_0000000140030530
Source: C:\Windows\System32\loaddll64.exe; Code function: 0_2_0000000140023530
Source: C:\Windows\System32\loaddll64.exe; Code function: 0_2_0000000140031540
Source: C:\Windows\System32\loaddll64.exe; Code function: 0_2_0000000140033540
Source: C:\Windows\System32\loaddll64.exe; Code function: 0_2_000000014007BD50
Source: C:\Windows\System32\loaddll64.exe; Code function: 0_2_0000000140078570
Source: C:\Windows\System32\loaddll64.exe; Code function: 0_2_0000000140019580
Source: C:\Windows\System32\loaddll64.exe; Code function: 0_2_00000001400205A0
Source: C:\Windows\System32\loaddll64.exe; Code function: 0_2_0000000140025DB0
Source: C:\Windows\System32\loaddll64.exe; Code function: 0_2_0000000140071DC0
Source: C:\Windows\System32\loaddll64.exe; Code function: 0_2_000000014000C5C0
Source: C:\Windows\System32\loaddll64.exe; Code function: 0_2_000000014002DDE0
Source: C:\Windows\System32\loaddll64.exe; Code function: 0_2_0000000140031DF0
Source: C:\Windows\System32\loaddll64.exe; Code function: 0_2_000000014000DDF0
Source: C:\Windows\System32\loaddll64.exe; Code function: 0_2_0000000140001620
Source: C:\Windows\System32\loaddll64.exe; Code function: 0_2_0000000140018630
Source: C:\Windows\System32\loaddll64.exe; Code function: 0_2_0000000140032650
Source: C:\Windows\System32\loaddll64.exe; Code function: 0_2_0000000140064E80
Source: C:\Windows\System32\loaddll64.exe; Code function: 0_2_0000000140016E80
Source: C:\Windows\System32\loaddll64.exe; Code function: 0_2_0000000140007EA0
Source: C:\Windows\System32\loaddll64.exe; Code function: 0_2_00000001400286B0
Source: C:\Windows\System32\loaddll64.exe; Code function: 0_2_0000000140006EB0
Source: C:\Windows\System32\loaddll64.exe; Code function: 0_2_00000001400276C0
Source: C:\Windows\System32\loaddll64.exe; Code function: 0_2_000000014002FEC0
Source: C:\Windows\System32\loaddll64.exe; Code function: 0_2_000000014002EED0
Source: C:\Windows\System32\loaddll64.exe; Code function: 0_2_000000014002B6E0
Source: C:\Windows\System32\loaddll64.exe; Code function: 0_2_0000000140053F20
Source: C:\Users\user\AppData\Local\5HTUnLvL\bdechangepin.exe; Code function: 16_2_00007FF636983364
Source: C:\Users\user\AppData\Local\5HTUnLvL\bdechangepin.exe; Code function: 16_2_00007FF636982264
Source: C:\Users\user\AppData\Local\5HTUnLvL\bdechangepin.exe; Code function: 16_2_00007FF636986640
Source: C:\Users\user\AppData\Local\hJetkV\rdpinit.exe; Code function: 20_2_00007FF6CE1D1780
Source: C:\Users\user\AppData\Local\hJetkV\rdpinit.exe; Code function: 20_2_00007FF6CE1CD87C
Source: C:\Users\user\AppData\Local\hJetkV\rdpinit.exe; Code function: 20_2_00007FF6CE1EE12C
Source: C:\Users\user\AppData\Local\hJetkV\rdpinit.exe; Code function: 20_2_00007FF6CE1FA908
Source: C:\Users\user\AppData\Local\hJetkV\rdpinit.exe; Code function: 20_2_00007FF6CE1F8E00
Source: C:\Users\user\AppData\Local\hJetkV\rdpinit.exe; Code function: 20_2_00007FF6CE1C2EA4
Source: C:\Users\user\AppData\Local\hJetkV\rdpinit.exe; Code function: 20_2_00007FF6CE1EE688
Source: C:\Users\user\AppData\Local\hJetkV\rdpinit.exe; Code function: 20_2_00007FF6CE1EFC6C
Source: C:\Users\user\AppData\Local\hJetkV\rdpinit.exe; Code function: 20_2_00007FF6CE1DFCF0
Source: C:\Users\user\AppData\Local\hJetkV\rdpinit.exe; Code function: 20_2_00007FF6CE1F4CD0
Source: C:\Users\user\AppData\Local\hJetkV\rdpinit.exe; Code function: 20_2_00007FF6CE1F1978
Source: C:\Users\user\AppData\Local\hJetkV\rdpinit.exe; Code function: 20_2_00007FF6CE1FB1C0
Source: C:\Users\user\AppData\Local\hJetkV\rdpinit.exe; Code function: 20_2_00007FF6CE1F8A40
Source: C:\Users\user\AppData\Local\hJetkV\rdpinit.exe; Code function: 20_2_00007FF6CE1F7ACC
Source: C:\Users\user\AppData\Local\hJetkV\rdpinit.exe; Code function: 20_2_00007FF6CE1F9B14
Source: C:\Users\user\AppData\Local\YRu8\wlrmdr.exe; Code function: 24_2_00007FF79A6F3778
Source: C:\Users\user\AppData\Local\YRu8\wlrmdr.exe; Code function: 24_2_00007FF79A6F15EC
Source: C:\Users\user\AppData\Local\YRu8\wlrmdr.exe; Code function: 24_2_00007FF79A6F2BE8
Source: C:\Users\user\AppData\Local\YRu8\wlrmdr.exe; Code function: 24_2_00007FF79A6F1B64
Source: C:\Users\user\AppData\Local\I0o\rdpclip.exe; Code function: 27_2_00007FF7B95CBA80
Source: C:\Users\user\AppData\Local\I0o\rdpclip.exe; Code function: 27_2_00007FF7B95A71F4
Source: C:\Users\user\AppData\Local\I0o\rdpclip.exe; Code function: 27_2_00007FF7B95889C0
Source: C:\Users\user\AppData\Local\I0o\rdpclip.exe; Code function: 27_2_00007FF7B95C29A8
Source: C:\Users\user\AppData\Local\I0o\rdpclip.exe; Code function: 27_2_00007FF7B95CAD10
Source: C:\Users\user\AppData\Local\I0o\rdpclip.exe; Code function: 27_2_00007FF7B95C24E4
Source: C:\Users\user\AppData\Local\I0o\rdpclip.exe; Code function: 27_2_00007FF7B95B2380
Source: C:\Users\user\AppData\Local\I0o\rdpclip.exe; Code function: 27_2_00007FF7B95CD360
Source: C:\Users\user\AppData\Local\I0o\rdpclip.exe; Code function: 27_2_00007FF7B95AC3AC
Source: C:\Users\user\AppData\Local\I0o\rdpclip.exe; Code function: 27_2_00007FF7B95856C4
Source: C:\Users\user\AppData\Local\I0o\rdpclip.exe; Code function: 27_2_00007FF7B9583ED0
Source: C:\Users\user\AppData\Local\I0o\rdpclip.exe; Code function: 27_2_00007FF7B95A6DAC
Source: C:\Users\user\AppData\Local\I0o\rdpclip.exe; Code function: 27_2_00007FF7B9597070
Source: C:\Users\user\AppData\Local\I0o\rdpclip.exe; Code function: 27_2_00007FF7B958603C
Source: C:\Users\user\AppData\Local\I0o\rdpclip.exe; Code function: 27_2_00007FF7B95BA018
Source: C:\Users\user\AppData\Local\I0o\rdpclip.exe; Code function: 27_2_00007FF7B9589F78
Source: C:\Users\user\AppData\Local\I0o\rdpclip.exe; Code function: 27_2_00007FF7B95A5F68
            Source: C:\Users\user\AppData\Local\I0o\rdpclip.exeCode function: 27_2_00007FF7B95C473C
            Source: C:\Users\user\AppData\Local\eF0\AgentService.exeCode function: 30_2_00007FF71B65CC30
            Source: C:\Users\user\AppData\Local\eF0\AgentService.exeCode function: 30_2_00007FF71B6CACE8
            Source: C:\Users\user\AppData\Local\eF0\AgentService.exeCode function: 30_2_00007FF71B6DDBA4
            Source: C:\Users\user\AppData\Local\eF0\AgentService.exeCode function: 30_2_00007FF71B68A974
            Source: C:\Users\user\AppData\Local\eF0\AgentService.exeCode function: 30_2_00007FF71B6829F4
            Source: C:\Users\user\AppData\Local\eF0\AgentService.exeCode function: 30_2_00007FF71B6D29E0
            Source: C:\Users\user\AppData\Local\eF0\AgentService.exeCode function: 30_2_00007FF71B679110
            Source: C:\Users\user\AppData\Local\eF0\AgentService.exeCode function: 30_2_00007FF71B64E0F4
            Source: C:\Users\user\AppData\Local\eF0\AgentService.exeCode function: 30_2_00007FF71B6CA014
            Source: C:\Users\user\AppData\Local\eF0\AgentService.exeCode function: 30_2_00007FF71B6AEE7C
            Source: C:\Users\user\AppData\Local\eF0\AgentService.exeCode function: 30_2_00007FF71B681E34
            Source: C:\Users\user\AppData\Local\eF0\AgentService.exeCode function: 30_2_00007FF71B6E8F04
            Source: C:\Users\user\AppData\Local\eF0\AgentService.exeCode function: 30_2_00007FF71B664EF0
            Source: C:\Users\user\AppData\Local\eF0\AgentService.exeCode function: 30_2_00007FF71B65BEE4
            Source: C:\Users\user\AppData\Local\eF0\AgentService.exeCode function: 30_2_00007FF71B6CA450
            Source: C:\Users\user\AppData\Local\eF0\AgentService.exeCode function: 30_2_00007FF71B65E444
            Source: C:\Users\user\AppData\Local\eF0\AgentService.exeCode function: 30_2_00007FF71B678500
            Source: C:\Users\user\AppData\Local\eF0\AgentService.exeCode function: 30_2_00007FF71B6454E0
            Source: C:\Users\user\AppData\Local\eF0\AgentService.exeCode function: 30_2_00007FF71B6764D0
            Source: C:\Users\user\AppData\Local\eF0\AgentService.exeCode function: 30_2_00007FF71B6504AC
            Source: C:\Users\user\AppData\Local\eF0\AgentService.exeCode function: 30_2_00007FF71B690498
            Source: C:\Users\user\AppData\Local\eF0\AgentService.exeCode function: 30_2_00007FF71B6AC278
            Source: C:\Users\user\AppData\Local\eF0\AgentService.exeCode function: 30_2_00007FF71B696158
            Source: C:\Users\user\AppData\Local\eF0\AgentService.exeCode function: 30_2_00007FF71B69115E
            Source: C:\Users\user\AppData\Local\eF0\AgentService.exeCode function: 30_2_00007FF71B68B12C
            Source: C:\Users\user\AppData\Local\eF0\AgentService.exeCode function: 30_2_00007FF71B6DE834
            Source: C:\Users\user\AppData\Local\eF0\AgentService.exeCode function: 30_2_00007FF71B6AD6FC
            Source: C:\Users\user\AppData\Local\eF0\AgentService.exeCode function: 30_2_00007FF71B6896D8
            Source: C:\Users\user\AppData\Local\eF0\AgentService.exeCode function: 30_2_00007FF71B65858C
            Source: C:\Users\user\AppData\Local\eF0\AgentService.exeCode function: 30_2_00007FF71B677580
            Source: C:\Users\user\AppData\Local\Fox\dccw.exeCode function: 32_2_00007FF7D526124C
            Source: C:\Users\user\AppData\Local\Fox\dccw.exeCode function: 32_2_00007FF7D5262C3C
            Source: C:\Users\user\AppData\Local\Fox\dccw.exeCode function: 32_2_00007FF7D526DA68
            Source: C:\Users\user\AppData\Local\Fox\dccw.exeCode function: 32_2_00007FF7D52680F0
            Source: C:\Users\user\AppData\Local\Fox\dccw.exeCode function: 32_2_00007FF7D5262384
            Source: C:\Users\user\AppData\Local\Fox\dccw.exeCode function: 32_2_00007FF7D52635C4
            Source: C:\Users\user\AppData\Local\rdM8VQT\dpapimig.exeCode function: 34_2_00007FF6312D1F08
            Source: C:\Users\user\AppData\Local\hIiDwtvg\GamePanel.exeCode function: 37_2_00007FF66A2F0C44
            Source: C:\Users\user\AppData\Local\hIiDwtvg\GamePanel.exeCode function: 37_2_00007FF66A284CDC
            Source: C:\Users\user\AppData\Local\hIiDwtvg\GamePanel.exeCode function: 37_2_00007FF66A29ED00
            Source: C:\Users\user\AppData\Local\hIiDwtvg\GamePanel.exeCode function: 37_2_00007FF66A2CCCFC
            Source: C:\Users\user\AppData\Local\hIiDwtvg\GamePanel.exeCode function: 37_2_00007FF66A2B6948
            Source: C:\Users\user\AppData\Local\hIiDwtvg\GamePanel.exeCode function: 37_2_00007FF66A2FA998
            Source: C:\Users\user\AppData\Local\hIiDwtvg\GamePanel.exeCode function: 37_2_00007FF66A2C89F4
            Source: C:\Users\user\AppData\Local\hIiDwtvg\GamePanel.exeCode function: 37_2_00007FF66A2CAFF0
            Source: C:\Users\user\AppData\Local\hIiDwtvg\GamePanel.exeCode function: 37_2_00007FF66A2FD010
            Source: C:\Users\user\AppData\Local\hIiDwtvg\GamePanel.exeCode function: 37_2_00007FF66A2EB124
            Source: C:\Users\user\AppData\Local\hIiDwtvg\GamePanel.exeCode function: 37_2_00007FF66A2EED90
            Source: C:\Users\user\AppData\Local\hIiDwtvg\GamePanel.exeCode function: 37_2_00007FF66A2E4DD0
            Source: C:\Users\user\AppData\Local\hIiDwtvg\GamePanel.exeCode function: 37_2_00007FF66A2FEE40
            Source: C:\Users\user\AppData\Local\hIiDwtvg\GamePanel.exeCode function: 37_2_00007FF66A2B8F14
            Source: C:\Users\user\AppData\Local\hIiDwtvg\GamePanel.exeCode function: 37_2_00007FF66A2943B8
            Source: C:\Users\user\AppData\Local\hIiDwtvg\GamePanel.exeCode function: 37_2_00007FF66A2E21AC
            Source: C:\Users\user\AppData\Local\hIiDwtvg\GamePanel.exeCode function: 37_2_00007FF66A2A21AC
            Source: C:\Users\user\AppData\Local\hIiDwtvg\GamePanel.exeCode function: 37_2_00007FF66A2E4198
            Source: C:\Users\user\AppData\Local\hIiDwtvg\GamePanel.exeCode function: 37_2_00007FF66A28E224
            Source: C:\Users\user\AppData\Local\hIiDwtvg\GamePanel.exeCode function: 37_2_00007FF66A2AA250
            Source: C:\Users\user\AppData\Local\hIiDwtvg\GamePanel.exeCode function: 37_2_00007FF66A2EC2D8
            Source: C:\Users\user\AppData\Local\hIiDwtvg\GamePanel.exeCode function: 37_2_00007FF66A26A7EC
            Source: C:\Users\user\AppData\Local\hIiDwtvg\GamePanel.exeCode function: 37_2_00007FF66A3147E5
            Source: C:\Users\user\AppData\Local\hIiDwtvg\GamePanel.exeCode function: 37_2_00007FF66A26E7FC
            Source: C:\Users\user\AppData\Local\hIiDwtvg\GamePanel.exeCode function: 37_2_00007FF66A279AF0
            Source: C:\Users\user\AppData\Local\hIiDwtvg\GamePanel.exeCode function: 37_2_00007FF66A2C48C0
            Source: C:\Users\user\AppData\Local\hIiDwtvg\GamePanel.exeCode function: 37_2_00007FF66A29E560
            Source: C:\Users\user\AppData\Local\hIiDwtvg\GamePanel.exeCode function: 37_2_00007FF66A2B253C
            Source: C:\Users\user\AppData\Local\hIiDwtvg\GamePanel.exeCode function: 37_2_00007FF66A3045E0
            Source: C:\Users\user\AppData\Local\hIiDwtvg\GamePanel.exeCode function: 37_2_00007FF66A2CA5D0
            Source: C:\Users\user\AppData\Local\hIiDwtvg\GamePanel.exeCode function: 37_2_00007FF66A2C0620
            Source: C:\Users\user\AppData\Local\hIiDwtvg\GamePanel.exeCode function: 37_2_00007FF66A2D0644
            Source: C:\Users\user\AppData\Local\hIiDwtvg\GamePanel.exeCode function: 37_2_00007FF66A300728
            Source: C:\Users\user\AppData\Local\hIiDwtvg\GamePanel.exeCode function: 37_2_00007FF66A30DB6C
            Source: C:\Users\user\AppData\Local\hIiDwtvg\GamePanel.exeCode function: 37_2_00007FF66A29DC44
            Source: C:\Users\user\AppData\Local\hIiDwtvg\GamePanel.exeCode function: 37_2_00007FF66A30FC59
            Source: C:\Users\user\AppData\Local\hIiDwtvg\GamePanel.exeCode function: 37_2_00007FF66A2EBD14
            Source: C:\Users\user\AppData\Local\hIiDwtvg\GamePanel.exeCode function: 37_2_00007FF66A2F7A20
            Source: C:\Users\user\AppData\Local\hIiDwtvg\GamePanel.exeCode function: 37_2_00007FF66A2D7A00
            Source: C:\Users\user\AppData\Local\hIiDwtvg\GamePanel.exeCode function: 37_2_00007FF66A2D1AD4
            Source: C:\Users\user\AppData\Local\hIiDwtvg\GamePanel.exeCode function: 37_2_00007FF66A2FBF88
            Source: C:\Users\user\AppData\Local\hIiDwtvg\GamePanel.exeCode function: 37_2_00007FF66A30BFEC
            Source: C:\Users\user\AppData\Local\hIiDwtvg\GamePanel.exeCode function: 37_2_00007FF66A26A058
            Source: C:\Users\user\AppData\Local\hIiDwtvg\GamePanel.exeCode function: 37_2_00007FF66A263D38
            Source: C:\Users\user\AppData\Local\hIiDwtvg\GamePanel.exeCode function: 37_2_00007FF66A2CBE58
            Source: C:\Users\user\AppData\Local\hIiDwtvg\GamePanel.exeCode function: 37_2_00007FF66A2D5F08
            Source: C:\Users\user\AppData\Local\hIiDwtvg\GamePanel.exeCode function: 37_2_00007FF66A2F137C
            Source: C:\Users\user\AppData\Local\hIiDwtvg\GamePanel.exeCode function: 37_2_00007FF66A307460
            Source: C:\Users\user\AppData\Local\hIiDwtvg\GamePanel.exeCode function: 37_2_00007FF66A2CB454
            Source: C:\Users\user\AppData\Local\hIiDwtvg\GamePanel.exeCode function: 37_2_00007FF66A2B9484
            Source: C:\Users\user\AppData\Local\hIiDwtvg\GamePanel.exeCode function: 37_2_00007FF66A2FB14C
            Source: C:\Users\user\AppData\Local\hIiDwtvg\GamePanel.exeCode function: 37_2_00007FF66A2F5190
            Source: C:\Users\user\AppData\Local\hIiDwtvg\GamePanel.exeCode function: 37_2_00007FF66A2DB26C
            Source: C:\Users\user\AppData\Local\hIiDwtvg\GamePanel.exeCode function: 37_2_00007FF66A293260
            Source: C:\Users\user\AppData\Local\hIiDwtvg\GamePanel.exeCode function: 37_2_00007FF66A2972C8
            Source: C:\Users\user\AppData\Local\hIiDwtvg\GamePanel.exeCode function: 37_2_00007FF66A30D7A2
            Source: C:\Users\user\AppData\Local\hIiDwtvg\GamePanel.exeCode function: 37_2_00007FF66A2FD788
            Source: C:\Users\user\AppData\Local\hIiDwtvg\GamePanel.exeCode function: 37_2_00007FF66A26B928
            Source: C:\Users\user\AppData\Local\hIiDwtvg\GamePanel.exeCode function: 37_2_00007FF66A2EF920
            Source: C:\Users\user\AppData\Local\hIiDwtvg\GamePanel.exeCode function: 37_2_00007FF66A2CD6B0
            Source: C:\Users\user\AppData\Local\hIiDwtvg\GamePanel.exeCode function: String function: 00007FF66A264D68 appears 192 times
            Source: C:\Users\user\AppData\Local\hIiDwtvg\GamePanel.exeCode function: String function: 00007FF66A2762E4 appears 62 times
            Source: C:\Users\user\AppData\Local\hIiDwtvg\GamePanel.exeCode function: String function: 00007FF66A266894 appears 49 times
            Source: C:\Users\user\AppData\Local\hIiDwtvg\GamePanel.exeCode function: String function: 00007FF66A306AD8 appears 230 times
            Source: C:\Users\user\AppData\Local\hIiDwtvg\GamePanel.exeCode function: String function: 00007FF66A2632F8 appears 394 times
            Source: C:\Users\user\AppData\Local\eF0\AgentService.exeCode function: String function: 00007FF71B6459E0 appears 153 times
            Source: C:\Users\user\AppData\Local\eF0\AgentService.exeCode function: String function: 00007FF71B685CE8 appears 64 times
            Source: C:\Users\user\AppData\Local\eF0\AgentService.exeCode function: String function: 00007FF71B643F1C appears 39 times
            Source: C:\Users\user\AppData\Local\eF0\AgentService.exeCode function: String function: 00007FF71B645BC4 appears 55 times
            Source: C:\Users\user\AppData\Local\5HTUnLvL\bdechangepin.exeCode function: String function: 00007FF636981400 appears 70 times
            Source: C:\Users\user\AppData\Local\I0o\rdpclip.exeCode function: String function: 00007FF7B95867D8 appears 58 times
            Source: C:\Users\user\AppData\Local\eF0\AgentService.exeCode function: 30_2_00007FF71B6493A8 memset,CreateProcessAsUserW,WaitForSingleObject,CloseHandle,CloseHandle,GetLastError,swprintf_s,??_V@YAXPEAX@Z,??3@YAXPEAX@Z,??3@YAXPEAX@Z,??3@YAXPEAX@Z,??3@YAXPEAX@Z,
            Source: C:\Windows\System32\loaddll64.exeCode function: 0_2_0000000140046C90 NtClose,
            Source: C:\Windows\System32\loaddll64.exeCode function: 0_2_000000014006A4B0 NtQuerySystemInformation,
            Source: C:\Users\user\AppData\Local\hJetkV\rdpinit.exeCode function: 20_2_00007FF6CE1E9590 GetWindowThreadProcessId,CloseHandle,OpenProcess,QueryFullProcessImageNameW,NtQueryInformationProcess,CloseHandle,
            Source: C:\Users\user\AppData\Local\YRu8\wlrmdr.exeCode function: 24_2_00007FF79A6F2E0C NtQuerySystemInformation,NtQuerySystemInformation,LocalFree,LocalAlloc,GetLastError,LocalFree,RtlNtStatusToDosError,RtlCompareUnicodeString,
            Source: C:\Users\user\AppData\Local\YRu8\wlrmdr.exeCode function: 24_2_00007FF79A6F2F58 memset,GetCurrentProcessId,OpenProcess,NtQueryInformationProcess,NtQueryInformationProcess,CloseHandle,
            Source: C:\Users\user\AppData\Local\I0o\rdpclip.exeCode function: 27_2_00007FF7B9584C10 RtlInitUnicodeString,NtCreateFile,RtlNtStatusToDosError,DeviceIoControl,GetLastError,DeviceIoControl,GetLastError,CryptBinaryToStringW,CryptBinaryToStringW,NtClose,
            Source: C:\Users\user\AppData\Local\I0o\rdpclip.exeCode function: 27_2_00007FF7B9584E58 RtlInitUnicodeString,NtCreateFile,RtlNtStatusToDosError,DeviceIoControl,GetLastError,DeviceIoControl,GetLastError,memset,memcpy_s,CloseHandle,
            Source: C:\Users\user\AppData\Local\I0o\rdpclip.exeCode function: 27_2_00007FF7B95848B8 memset,QueryDosDeviceW,RtlInitUnicodeString,NtCreateFile,NtClose,DefineDosDeviceW,GetLastError,
            Source: C:\Users\user\AppData\Local\hIiDwtvg\GamePanel.exeCode function: 37_2_00007FF66A2D6C44 RtlInitUnicodeString,NtQueryLicenseValue,
            Source: C:\Users\user\AppData\Local\hIiDwtvg\GamePanel.exeCode function: 37_2_00007FF66A30A9CC NtQueryInformationToken,RtlNtStatusToDosErrorNoTeb,HeapAlloc,memset,NtQueryInformationToken,RtlNtStatusToDosErrorNoTeb,RtlInitUnicodeString,RtlCompareUnicodeString,
            Source: C:\Users\user\AppData\Local\I0o\rdpclip.exeCode function: 27_2_00007FF7B9584C10: RtlInitUnicodeString,NtCreateFile,RtlNtStatusToDosError,DeviceIoControl,GetLastError,DeviceIoControl,GetLastError,CryptBinaryToStringW,CryptBinaryToStringW,NtClose,
            Source: RdpSaUacHelper.exe.5.drStatic PE information: Resource name: RT_VERSION type: COM executable for DOS
            Source: bdechangepin.exe.5.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
            Source: bdechangepin.exe.5.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
            Source: bdechangepin.exe.5.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
            Source: wlrmdr.exe.5.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
            Source: wlrmdr.exe.5.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
            Source: dccw.exe.5.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
            Source: dccw.exe.5.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
            Source: dccw.exe.5.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
            Source: dpapimig.exe.5.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
            Source: dpapimig.exe.5.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
            Source: dpapimig.exe.5.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
            Source: GamePanel.exe.5.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
            Source: GamePanel.exe.5.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
            Source: GamePanel.exe.5.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
            Source: osk.exe.5.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
            Source: osk.exe.5.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
            Source: osk.exe.5.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
            Source: wextract.exe.5.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
            Source: wextract.exe.5.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
            Source: wextract.exe.5.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
            Source: dwmapi.dll1.5.drStatic PE information: Number of sections : 37 > 10
            Source: K7dGM0P0yz.dllStatic PE information: Number of sections : 36 > 10
            Source: DUI70.dll.5.drStatic PE information: Number of sections : 37 > 10
            Source: WINSTA.dll.5.drStatic PE information: Number of sections : 37 > 10
            Source: VERSION.dll1.5.drStatic PE information: Number of sections : 37 > 10
            Source: DUI70.dll1.5.drStatic PE information: Number of sections : 37 > 10
            Source: dwmapi.dll0.5.drStatic PE information: Number of sections : 37 > 10
            Source: dxva2.dll.5.drStatic PE information: Number of sections : 37 > 10
            Source: VERSION.dll0.5.drStatic PE information: Number of sections : 37 > 10
            Source: dwmapi.dll.5.drStatic PE information: Number of sections : 37 > 10
            Source: DUI70.dll2.5.drStatic PE information: Number of sections : 37 > 10
            Source: DUI70.dll0.5.drStatic PE information: Number of sections : 37 > 10
            Source: VERSION.dll.5.drStatic PE information: Number of sections : 37 > 10
            Source: K7dGM0P0yz.dllStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
            Source: DUI70.dll.5.drStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
            Source: dwmapi.dll.5.drStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
            Source: DUI70.dll0.5.drStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
            Source: dwmapi.dll0.5.drStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
            Source: VERSION.dll.5.drStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
            Source: dxva2.dll.5.drStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
            Source: DUI70.dll1.5.drStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
            Source: dwmapi.dll1.5.drStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
            Source: WINSTA.dll.5.drStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
            Source: DUI70.dll2.5.drStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
            Source: VERSION.dll0.5.drStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
            Source: VERSION.dll1.5.drStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
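The two static checks above (a section count above 10, and the characteristics of the .text section) are cheap to reproduce on your own samples. The script below is an added example, not part of the Joe Sandbox report and not the sandbox's own implementation: it walks the COFF header and section table of a PE image with nothing but the standard library, and builds two constructed in-memory images (a stock six-section layout and one padded to 37 sections like the dropped DLLs listed above) to run the checks against. The list of "standard" section names it compares against is an assumed baseline for MSVC-linked Windows binaries, not something the report states.

```python
import struct

# Section characteristic bits from winnt.h.
IMAGE_SCN_CNT_CODE             = 0x00000020
IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040
IMAGE_SCN_MEM_EXECUTE          = 0x20000000
IMAGE_SCN_MEM_READ             = 0x40000000
IMAGE_SCN_MEM_WRITE            = 0x80000000

FLAG_NAMES = {
    IMAGE_SCN_MEM_EXECUTE: "IMAGE_SCN_MEM_EXECUTE",
    IMAGE_SCN_CNT_CODE: "IMAGE_SCN_CNT_CODE",
    IMAGE_SCN_MEM_READ: "IMAGE_SCN_MEM_READ",
    IMAGE_SCN_MEM_WRITE: "IMAGE_SCN_MEM_WRITE",
    IMAGE_SCN_CNT_INITIALIZED_DATA: "IMAGE_SCN_CNT_INITIALIZED_DATA",
}

# Assumed baseline of section names a stock MSVC-linked Windows binary carries (not from the report).
STANDARD_SECTIONS = {".text", ".rdata", ".data", ".pdata", ".rsrc", ".reloc",
                     ".idata", ".edata", ".tls", ".bss", ".CRT", ".gfids", ".didat"}

# IMAGE_FILE_HEADER: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
# NumberOfSymbols, SizeOfOptionalHeader, Characteristics (20 bytes).
COFF_FMT = "<HHIIIHH"
# IMAGE_SECTION_HEADER (40 bytes); the last field is Characteristics.
SECTION_FMT = "<8sIIIIIIHHI"


def parse_sections(data):
    """Return [(name, characteristics)] from the section table of a PE image."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found at e_lfanew")
    coff_off = e_lfanew + 4
    _, nsec, _, _, _, opt_size, _ = struct.unpack_from(COFF_FMT, data, coff_off)
    table_off = coff_off + struct.calcsize(COFF_FMT) + opt_size  # section table follows the optional header
    sections = []
    for i in range(nsec):
        fields = struct.unpack_from(SECTION_FMT, data, table_off + 40 * i)
        name = fields[0].rstrip(b"\0").decode("ascii", "replace")
        sections.append((name, fields[9]))
    return sections


def flag_names(chars):
    """Render a Characteristics value the way the report prints it."""
    return [n for bit, n in FLAG_NAMES.items() if chars & bit]


def assess(data, max_sections=10):
    """Reproduce the report's static checks: section count, non-standard names, and W+X sections."""
    secs = parse_sections(data)
    findings = []
    if len(secs) > max_sections:
        findings.append(f"Number of sections : {len(secs)} > {max_sections}")
    odd = [n for n, _ in secs if n not in STANDARD_SECTIONS]
    if odd:
        findings.append("non-standard section names: " + ", ".join(odd))
    for name, chars in secs:
        if chars & IMAGE_SCN_MEM_EXECUTE and chars & IMAGE_SCN_MEM_WRITE:
            findings.append(f"section {name} is writable and executable")
    return findings


def build_pe(sections):
    """Construct a minimal PE32+ image carrying the given section table (sample input, not a real binary)."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)   # DOS header with e_lfanew at 0x3C
    opt = struct.pack("<H", 0x20B) + b"\0" * 238                      # PE32+ magic, remaining fields zeroed
    coff = struct.pack(COFF_FMT, 0x8664, len(sections), 0, 0, 0, len(opt), 0x2022)
    table = b"".join(
        struct.pack(SECTION_FMT, n.encode().ljust(8, b"\0"), 0x1000, 0x1000 * (i + 1),
                    0x200, 0x400 + 0x200 * i, 0, 0, 0, 0, c)
        for i, (n, c) in enumerate(sections))
    return dos + b"PE\0\0" + coff + opt + table


CODE = IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_READ
RDATA = IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ

# Constructed samples: a plausible stock layout, and one padded to the 37 sections seen in the dropped DLLs.
BENIGN = build_pe([(".text", CODE), (".rdata", RDATA), (".data", RDATA | IMAGE_SCN_MEM_WRITE),
                   (".pdata", RDATA), (".rsrc", RDATA), (".reloc", RDATA)])
PADDED = build_pe([(".text", CODE)] + [(f".s{i:02d}", RDATA) for i in range(36)])

if __name__ == "__main__":
    for label, img in (("benign", BENIGN), ("padded", PADDED)):
        secs = parse_sections(img)
        print(label, len(secs), "sections; .text:", flag_names(secs[0][1]), assess(img))
```

To run it against a file on disk, pass `open(path, "rb").read()` to `assess()`. A high section count is a packer and obfuscation tell, not proof of malice on its own; what makes it meaningful in this report is that every dropped DLL shares the same unusual count as the submitted sample.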
Source: K7dGM0P0yz.dll | Virustotal: Detection: 62%
Source: K7dGM0P0yz.dll | Metadefender: Detection: 65%
Source: K7dGM0P0yz.dll | ReversingLabs: Detection: 77%
Source: K7dGM0P0yz.dll | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Windows\System32\loaddll64.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown | Process created: C:\Windows\System32\loaddll64.exe loaddll64.exe 'C:\Users\user\Desktop\K7dGM0P0yz.dll'
Source: C:\Windows\System32\loaddll64.exe | Process created: C:\Windows\System32\cmd.exe cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\K7dGM0P0yz.dll',#1
Source: C:\Windows\System32\loaddll64.exe | Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\K7dGM0P0yz.dll,BeginBufferedAnimation
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\K7dGM0P0yz.dll',#1
Source: C:\Windows\System32\loaddll64.exe | Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\K7dGM0P0yz.dll,BeginBufferedPaint
Source: C:\Windows\System32\loaddll64.exe | Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\K7dGM0P0yz.dll,BeginPanningFeedback
Source: C:\Windows\explorer.exe | Process created: C:\Windows\System32\bdechangepin.exe C:\Windows\system32\bdechangepin.exe
Source: C:\Windows\explorer.exe | Process created: C:\Users\user\AppData\Local\5HTUnLvL\bdechangepin.exe C:\Users\user\AppData\Local\5HTUnLvL\bdechangepin.exe
Source: C:\Windows\explorer.exe | Process created: C:\Windows\System32\rdpinit.exe C:\Windows\system32\rdpinit.exe
Source: C:\Windows\explorer.exe | Process created: C:\Users\user\AppData\Local\hJetkV\rdpinit.exe C:\Users\user\AppData\Local\hJetkV\rdpinit.exe
Source: C:\Windows\explorer.exe | Process created: C:\Windows\System32\wlrmdr.exe C:\Windows\system32\wlrmdr.exe
Source: C:\Windows\explorer.exe | Process created: C:\Users\user\AppData\Local\YRu8\wlrmdr.exe C:\Users\user\AppData\Local\YRu8\wlrmdr.exe
Source: C:\Windows\explorer.exe | Process created: C:\Windows\System32\rdpclip.exe C:\Windows\system32\rdpclip.exe
Source: C:\Windows\explorer.exe | Process created: C:\Users\user\AppData\Local\I0o\rdpclip.exe C:\Users\user\AppData\Local\I0o\rdpclip.exe
Source: C:\Windows\explorer.exe | Process created: C:\Windows\System32\AgentService.exe C:\Windows\system32\AgentService.exe
Source: C:\Windows\explorer.exe | Process created: C:\Users\user\AppData\Local\eF0\AgentService.exe C:\Users\user\AppData\Local\eF0\AgentService.exe
Source: C:\Windows\explorer.exe | Process created: C:\Windows\System32\dccw.exe C:\Windows\system32\dccw.exe
Source: C:\Windows\explorer.exe | Process created: C:\Users\user\AppData\Local\Fox\dccw.exe C:\Users\user\AppData\Local\Fox\dccw.exe
Source: C:\Windows\explorer.exe | Process created: C:\Windows\System32\dpapimig.exe C:\Windows\system32\dpapimig.exe
Source: C:\Windows\explorer.exe | Process created: C:\Users\user\AppData\Local\rdM8VQT\dpapimig.exe C:\Users\user\AppData\Local\rdM8VQT\dpapimig.exe
Source: C:\Windows\explorer.exe | Process created: C:\Windows\System32\GamePanel.exe C:\Windows\system32\GamePanel.exe
Source: C:\Windows\explorer.exe | Process created: C:\Users\user\AppData\Local\hIiDwtvg\GamePanel.exe C:\Users\user\AppData\Local\hIiDwtvg\GamePanel.exe
Source: C:\Windows\explorer.exe | Process created: C:\Windows\System32\RdpSaUacHelper.exe C:\Windows\system32\RdpSaUacHelper.exe
Source: C:\Windows\explorer.exe | Process created: C:\Users\user\AppData\Local\vh7jtu\RdpSaUacHelper.exe C:\Users\user\AppData\Local\vh7jtu\RdpSaUacHelper.exe
Source: C:\Windows\explorer.exe | Process created: C:\Windows\System32\osk.exe C:\Windows\system32\osk.exe
Source: C:\Windows\explorer.exe | Process created: unknown unknown
Source: C:\Windows\explorer.exe | Process created: unknown unknown
Source: C:\Windows\explorer.exe | Process created: unknown unknown
Source: C:\Windows\explorer.exe | Process created: unknown unknown
Source: C:\Windows\explorer.exe | Process created: unknown unknown
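The process tree above has a repeating shape: explorer.exe (into which the sample injected) starts a stock System32 executable, then starts a same-named executable from a freshly created folder under %LOCALAPPDATA%, and the dropped-file list contains DLLs named after common dependencies of such binaries (dwmapi.dll, VERSION.dll, DUI70.dll, WINSTA.dll, dxva2.dll) that share the 37-section layout of the sample rather than the layout of the real system DLLs. That is the layout a responder would hunt for on other hosts. The script below is an added example, not part of the report and not Joe Sandbox code: it flags any executable under a per-user folder that is byte-identical to a System32 executable and sits next to a DLL that borrows a System32 DLL's name without its bytes. The directory tree it runs on is constructed in a temporary folder so the example works offline; on a real host the assumption is that you point `hunt()` at `%LOCALAPPDATA%` and `C:\Windows\System32`.

```python
import hashlib
import tempfile
from pathlib import Path


def sha256(path):
    """Hash a file in chunks so large system binaries do not get read into memory at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def hunt(localappdata, system32):
    """Return findings for <localappdata>/<dir>/<name>.exe that is a byte-identical copy of
    <system32>/<name>.exe and has sibling DLLs carrying a System32 DLL's name but different bytes."""
    sys_hashes = {p.name.lower(): sha256(p) for p in Path(system32).iterdir() if p.is_file()}
    findings = []
    for d in Path(localappdata).iterdir():
        if not d.is_dir():
            continue
        for exe in d.glob("*.exe"):
            ref = sys_hashes.get(exe.name.lower())
            if ref is None or sha256(exe) != ref:
                continue  # not a copy of a System32 executable; a vendor app living here is normal
            lookalikes = [dll.name for dll in d.glob("*.dll")
                          if dll.name.lower() in sys_hashes and sha256(dll) != sys_hashes[dll.name.lower()]]
            if lookalikes:
                findings.append({"copied_exe": str(exe), "lookalike_dlls": sorted(lookalikes)})
    return findings


def make_fixture():
    """Constructed directory tree imitating the report's layout; the file contents are placeholders."""
    root = Path(tempfile.mkdtemp())
    sys32 = root / "System32"
    sys32.mkdir()
    lad = root / "AppData" / "Local"
    lad.mkdir(parents=True)
    (sys32 / "rdpclip.exe").write_bytes(b"MZ-stock-rdpclip")
    (sys32 / "dwmapi.dll").write_bytes(b"MZ-stock-dwmapi")
    (sys32 / "VERSION.dll").write_bytes(b"MZ-stock-version")
    bad = lad / "I0o"                      # random folder name, as in the report
    bad.mkdir()
    (bad / "rdpclip.exe").write_bytes(b"MZ-stock-rdpclip")        # byte-identical copy of the system binary
    (bad / "dwmapi.dll").write_bytes(b"MZ-payload-xxxxxxxxxx")    # dependency name, foreign bytes
    ok = lad / "SomeApp"                   # a legitimate app directory that must not be flagged
    ok.mkdir()
    (ok / "app.exe").write_bytes(b"MZ-vendor-app")
    (ok / "VERSION.dll").write_bytes(b"MZ-stock-version")
    return root


if __name__ == "__main__":
    root = make_fixture()
    for finding in hunt(root / "AppData" / "Local", root / "System32"):
        print(finding)
```

Hash equality is the discriminating signal: installers and portable tools legitimately ship DLLs with these names, but they do not usually copy a signed System32 executable next to them. Any hit should be followed up with the DLL's Authenticode state and a section-count check like the one in the static-analysis example earlier.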
            Source: C:\Users\user\AppData\Local\eF0\AgentService.exeCode function: 30_2_00007FF71B65943C GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,GetLastError,CloseHandle,GetLastError,
            Source: C:\Windows\explorer.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\CryptoJump to behavior
            Source: classification engineClassification label: mal96.troj.evad.winDLL@54/25@0/0
            Source: C:\Users\user\AppData\Local\hJetkV\rdpinit.exe Code function: 20_2_00007FF6CE1D2FB4 CoCreateInstance,RtlPublishWnfStateData,RtlPublishWnfStateData,RtlPublishWnfStateData,
            Source: C:\Users\user\AppData\Local\5HTUnLvL\bdechangepin.exe Code function: 16_2_00007FF636983364 InitializeCriticalSection,GetCommandLineW,CommandLineToArgvW,GetLastError,iswalpha,towupper,EnterCriticalSection,FormatMessageW,GetModuleHandleW,#344,LeaveCriticalSection,LeaveCriticalSection,CoInitialize,InitProcessPriv,InitThread,FormatMessageW,GetLastError,CreateMutexW,GetLastError,CloseHandle,FindWindowW,SetForegroundWindow,LocalFree,LocalFree,UnInitThread,UnInitProcessPriv,CoUninitialize,CloseHandle,DeleteCriticalSection,GetSystemMetrics,GetSystemMetrics,GetModuleHandleW,LoadImageW,?Create@NativeHWNDHost@DirectUI@@SAJPEBGPEAUHWND__@@PEAUHICON__@@HHHHHHIPEAPEAV12@@Z,EnterCriticalSection,LeaveCriticalSection,?EndDefer@Element@DirectUI@@QEAAXK@Z,?SetVisible@Element@DirectUI@@QEAAJ_N@Z,?EndDefer@Element@DirectUI@@QEAAXK@Z,?Host@NativeHWNDHost@DirectUI@@QEAAXPEAVElement@2@@Z,?ShowWindow@NativeHWNDHost@DirectUI@@QEAAXH@Z,StartMessagePump,
            Source: C:\Users\user\AppData\Local\eF0\AgentService.exe Code function: 30_2_00007FF71B64345C StartServiceCtrlDispatcherW,GetLastError,
            Source: C:\Users\user\AppData\Local\YRu8\wlrmdr.exe Code function: 24_2_00007FF79A6F3464 OpenSCManagerW,GetLastError,OpenServiceW,GetLastError,StartServiceW,GetLastError,QueryServiceStatus,Sleep,GetLastError,CloseServiceHandle,CloseServiceHandle,
            Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\K7dGM0P0yz.dll,BeginBufferedAnimation
            Source: C:\Users\user\AppData\Local\hIiDwtvg\GamePanel.exe Mutant created: \Sessions\1\BaseNamedObjects\{832029fd-8b48-c9e2-536d-2d493fe88741}
            Source: C:\Users\user\AppData\Local\hIiDwtvg\GamePanel.exe Mutant created: \Sessions\1\BaseNamedObjects\{bcabdb27-9189-fb60-e76f-c1e63267ec97}
            Source: C:\Users\user\AppData\Local\Fox\dccw.exe Code function: 32_2_00007FF7D52635C4 LoadLibraryExW,FindResourceExW,LoadResource,SizeofResource,MultiByteToWideChar,FreeLibrary,memset,GetModuleFileNameW,GetModuleHandleW,EnterCriticalSection,memcpy_s,EnterCriticalSection,LeaveCriticalSection,EnterCriticalSection,LeaveCriticalSection,
            Source: rdpinit.exe String found in binary or memory: Re-Start RdpShell failed
            Source: GamePanel.exe String found in binary or memory: Start/StopRecordAsync FINALIZING
            Source: GamePanel.exe String found in binary or memory: Start/StopRecordAsync SUCCEEDED
            Source: GamePanel.exe String found in binary or memory: Start/StopRecordAsync FAILED with hr = %x
            Source: K7dGM0P0yz.dll Static PE information: Image base 0x140000000 > 0x60000000
            Source: K7dGM0P0yz.dll Static file information: File size 1224704 > 1048576
            Source: K7dGM0P0yz.dll Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA
            Source: Binary string: dccw.pdbGCTL source: dccw.exe, 00000020.00000000.909233462.00007FF7D5271000.00000002.00020000.sdmp
            Source: Binary string: dccw.pdb source: dccw.exe, 00000020.00000000.909233462.00007FF7D5271000.00000002.00020000.sdmp
            Source: Binary string: dpapimig.pdbGCTL source: dpapimig.exe, 00000022.00000002.967632855.00007FF6312D4000.00000002.00020000.sdmp
            Source: Binary string: bdechangepin.pdb source: bdechangepin.exe, 00000010.00000002.788373401.00007FF636989000.00000002.00020000.sdmp
            Source: Binary string: rdpclip.pdbGCTL source: rdpclip.exe, 0000001B.00000002.877262462.00007FF7B95D1000.00000002.00020000.sdmp
            Source: Binary string: bdechangepin.pdbGCTL source: bdechangepin.exe, 00000010.00000002.788373401.00007FF636989000.00000002.00020000.sdmp
            Source: Binary string: rdpinit.pdb source: rdpinit.exe, 00000014.00000000.791152367.00007FF6CE1FE000.00000002.00020000.sdmp
            Source: Binary string: rdpinit.pdbGCTL source: rdpinit.exe, 00000014.00000000.791152367.00007FF6CE1FE000.00000002.00020000.sdmp
            Source: Binary string: wlrmdr.pdbGCTL source: wlrmdr.exe, 00000018.00000000.825586991.00007FF79A6F6000.00000002.00020000.sdmp
            Source: Binary string: GamePanel.pdbGCTL source: GamePanel.exe, 00000025.00000000.971116564.00007FF66A317000.00000002.00020000.sdmp
            Source: Binary string: wlrmdr.pdb source: wlrmdr.exe, 00000018.00000000.825586991.00007FF79A6F6000.00000002.00020000.sdmp
            Source: Binary string: AgentService.pdbGCTL source: AgentService.exe, 0000001E.00000000.880768467.00007FF71B701000.00000002.00020000.sdmp
            Source: Binary string: rdpclip.pdb source: rdpclip.exe, 0000001B.00000002.877262462.00007FF7B95D1000.00000002.00020000.sdmp
            Source: Binary string: AgentService.pdb source: AgentService.exe, 0000001E.00000000.880768467.00007FF71B701000.00000002.00020000.sdmp
            Source: Binary string: dpapimig.pdb source: dpapimig.exe, 00000022.00000002.967632855.00007FF6312D4000.00000002.00020000.sdmp
            Source: Binary string: GamePanel.pdb source: GamePanel.exe, 00000025.00000000.971116564.00007FF66A317000.00000002.00020000.sdmp
            Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_0000000140056A4D push rdi; ret
            Source: C:\Users\user\AppData\Local\hJetkV\rdpinit.exe Code function: 20_2_00007FF6CE1D4162 push rcx; ret
            Source: C:\Users\user\AppData\Local\I0o\rdpclip.exe Code function: 27_2_00007FF7B958CD52 push rcx; ret
            Source: C:\Users\user\AppData\Local\eF0\AgentService.exe Code function: 30_2_00007FF71B68FF70 pushfq ; retf
            Source: C:\Users\user\AppData\Local\eF0\AgentService.exe Code function: 30_2_00007FF71B6884C0 push rsp; retf
            Source: K7dGM0P0yz.dll Static PE information: section name: .qkm
            Source: K7dGM0P0yz.dll Static PE information: section name: .cvjb
            Source: K7dGM0P0yz.dll Static PE information: section name: .tlmkv
            Source: K7dGM0P0yz.dll Static PE information: section name: .wucsxe
            Source: K7dGM0P0yz.dll Static PE information: section name: .wnx
            Source: K7dGM0P0yz.dll Static PE information: section name: .weqy
            Source: K7dGM0P0yz.dll Static PE information: section name: .yby
            Source: K7dGM0P0yz.dll Static PE information: section name: .ormx
            Source: K7dGM0P0yz.dll Static PE information: section name: .dhclu
            Source: K7dGM0P0yz.dll Static PE information: section name: .xmiul
            Source: K7dGM0P0yz.dll Static PE information: section name: .tlwcxe
            Source: K7dGM0P0yz.dll Static PE information: section name: .get
            Source: K7dGM0P0yz.dll Static PE information: section name: .hzrd
            Source: K7dGM0P0yz.dll Static PE information: section name: .qzu
            Source: K7dGM0P0yz.dll Static PE information: section name: .nhglos
            Source: K7dGM0P0yz.dll Static PE information: section name: .itzo
            Source: K7dGM0P0yz.dll Static PE information: section name: .nmsaom
            Source: K7dGM0P0yz.dll Static PE information: section name: .mas
            Source: K7dGM0P0yz.dll Static PE information: section name: .ldov
            Source: K7dGM0P0yz.dll Static PE information: section name: .bwslm
            Source: K7dGM0P0yz.dll Static PE information: section name: .gfceb
            Source: K7dGM0P0yz.dll Static PE information: section name: .nojmwb
            Source: K7dGM0P0yz.dll Static PE information: section name: .naznun
            Source: K7dGM0P0yz.dll Static PE information: section name: .iyfv
            Source: K7dGM0P0yz.dll Static PE information: section name: .iqae
            Source: K7dGM0P0yz.dll Static PE information: section name: .zco
            Source: K7dGM0P0yz.dll Static PE information: section name: .kqpcjh
            Source: K7dGM0P0yz.dll Static PE information: section name: .unbzj
            Source: K7dGM0P0yz.dll Static PE information: section name: .tcuit
            Source: K7dGM0P0yz.dll Static PE information: section name: .sow
            Source: rdpinit.exe.5.dr Static PE information: section name: .imrsiv
            Source: wlrmdr.exe.5.dr Static PE information: section name: .imrsiv
            Source: GamePanel.exe.5.dr Static PE information: section name: .imrsiv
            Source: GamePanel.exe.5.dr Static PE information: section name: .didat
            Source: systemreset.exe.5.dr Static PE information: section name: .imrsiv
            Source: DUI70.dll.5.dr Static PE information: section name: .qkm
            Source: DUI70.dll.5.dr Static PE information: section name: .cvjb
            Source: DUI70.dll.5.dr Static PE information: section name: .tlmkv
            Source: DUI70.dll.5.dr Static PE information: section name: .wucsxe
            Source: DUI70.dll.5.dr Static PE information: section name: .wnx
            Source: DUI70.dll.5.dr Static PE information: section name: .weqy
            Source: DUI70.dll.5.dr Static PE information: section name: .yby
            Source: DUI70.dll.5.dr Static PE information: section name: .ormx
            Source: DUI70.dll.5.dr Static PE information: section name: .dhclu
            Source: DUI70.dll.5.dr Static PE information: section name: .xmiul
            Source: DUI70.dll.5.dr Static PE information: section name: .tlwcxe
            Source: DUI70.dll.5.dr Static PE information: section name: .get
            Source: DUI70.dll.5.dr Static PE information: section name: .hzrd
            Source: DUI70.dll.5.dr Static PE information: section name: .qzu
            Source: DUI70.dll.5.dr Static PE information: section name: .nhglos
            Source: DUI70.dll.5.dr Static PE information: section name: .itzo
            Source: DUI70.dll.5.dr Static PE information: section name: .nmsaom
            Source: DUI70.dll.5.dr Static PE information: section name: .mas
            Source: DUI70.dll.5.dr Static PE information: section name: .ldov
            Source: DUI70.dll.5.dr Static PE information: section name: .bwslm
            Source: DUI70.dll.5.dr Static PE information: section name: .gfceb
            Source: DUI70.dll.5.dr Static PE information: section name: .nojmwb
            Source: DUI70.dll.5.dr Static PE information: section name: .naznun
            Source: DUI70.dll.5.dr Static PE information: section name: .iyfv
            Source: DUI70.dll.5.dr Static PE information: section name: .iqae
            Source: DUI70.dll.5.dr Static PE information: section name: .zco
            Source: DUI70.dll.5.dr Static PE information: section name: .kqpcjh
            Source: DUI70.dll.5.dr Static PE information: section name: .unbzj
            Source: DUI70.dll.5.dr Static PE information: section name: .tcuit
            Source: DUI70.dll.5.dr Static PE information: section name: .sow
            Source: DUI70.dll.5.dr Static PE information: section name: .njy
            Source: dwmapi.dll.5.dr Static PE information: section name: .qkm
            Source: dwmapi.dll.5.dr Static PE information: section name: .cvjb
            Source: dwmapi.dll.5.dr Static PE information: section name: .tlmkv
            Source: dwmapi.dll.5.dr Static PE information: section name: .wucsxe
            Source: dwmapi.dll.5.dr Static PE information: section name: .wnx
            Source: dwmapi.dll.5.dr Static PE information: section name: .weqy
            Source: dwmapi.dll.5.dr Static PE information: section name: .yby
            Source: dwmapi.dll.5.dr Static PE information: section name: .ormx
            Source: dwmapi.dll.5.dr Static PE information: section name: .dhclu
            Source: dwmapi.dll.5.dr Static PE information: section name: .xmiul
            Source: dwmapi.dll.5.dr Static PE information: section name: .tlwcxe
            Source: dwmapi.dll.5.dr Static PE information: section name: .get
            Source: dwmapi.dll.5.dr Static PE information: section name: .hzrd
            Source: dwmapi.dll.5.dr Static PE information: section name: .qzu
            Source: dwmapi.dll.5.dr Static PE information: section name: .nhglos
            Source: dwmapi.dll.5.dr Static PE information: section name: .itzo
            Source: dwmapi.dll.5.dr Static PE information: section name: .nmsaom
            Source: dwmapi.dll.5.dr Static PE information: section name: .mas
            Source: dwmapi.dll.5.dr Static PE information: section name: .ldov
            Source: dwmapi.dll.5.dr Static PE information: section name: .bwslm
            Source: dwmapi.dll.5.dr Static PE information: section name: .gfceb
            Source: dwmapi.dll.5.dr Static PE information: section name: .nojmwb
            Source: dwmapi.dll.5.dr Static PE information: section name: .naznun
            Source: dwmapi.dll.5.dr Static PE information: section name: .iyfv
            Source: dwmapi.dll.5.dr Static PE information: section name: .iqae
            Source: dwmapi.dll.5.dr Static PE information: section name: .zco
            Source: dwmapi.dll.5.dr Static PE information: section name: .kqpcjh
            Source: dwmapi.dll.5.dr Static PE information: section name: .unbzj
            Source: dwmapi.dll.5.dr Static PE information: section name: .tcuit
            Source: dwmapi.dll.5.dr Static PE information: section name: .sow
            Source: dwmapi.dll.5.dr Static PE information: section name: .wsh
            Source: DUI70.dll0.5.dr Static PE information: section name: .qkm
            Source: DUI70.dll0.5.dr Static PE information: section name: .cvjb
            Source: DUI70.dll0.5.dr Static PE information: section name: .tlmkv
            Source: DUI70.dll0.5.dr Static PE information: section name: .wucsxe
            Source: DUI70.dll0.5.dr Static PE information: section name: .wnx
            Source: DUI70.dll0.5.dr Static PE information: section name: .weqy
            Source: DUI70.dll0.5.dr Static PE information: section name: .yby
            Source: DUI70.dll0.5.dr Static PE information: section name: .ormx
            Source: DUI70.dll0.5.dr Static PE information: section name: .dhclu
            Source: DUI70.dll0.5.dr Static PE information: section name: .xmiul
            Source: DUI70.dll0.5.dr Static PE information: section name: .tlwcxe
            Source: DUI70.dll0.5.dr Static PE information: section name: .get
            Source: DUI70.dll0.5.dr Static PE information: section name: .hzrd
            Source: DUI70.dll0.5.dr Static PE information: section name: .qzu
            Source: DUI70.dll0.5.dr Static PE information: section name: .nhglos
            Source: DUI70.dll0.5.dr Static PE information: section name: .itzo
            Source: DUI70.dll0.5.dr Static PE information: section name: .nmsaom
            Source: DUI70.dll0.5.dr Static PE information: section name: .mas
            Source: DUI70.dll0.5.dr Static PE information: section name: .ldov
            Source: DUI70.dll0.5.dr Static PE information: section name: .bwslm
            Source: DUI70.dll0.5.dr Static PE information: section name: .gfceb
            Source: DUI70.dll0.5.dr Static PE information: section name: .nojmwb
            Source: DUI70.dll0.5.dr Static PE information: section name: .naznun
            Source: DUI70.dll0.5.dr Static PE information: section name: .iyfv
            Source: DUI70.dll0.5.dr Static PE information: section name: .iqae
            Source: DUI70.dll0.5.dr Static PE information: section name: .zco
            Source: DUI70.dll0.5.dr Static PE information: section name: .kqpcjh
            Source: DUI70.dll0.5.dr Static PE information: section name: .unbzj
            Source: DUI70.dll0.5.dr Static PE information: section name: .tcuit
            Source: DUI70.dll0.5.dr Static PE information: section name: .sow
            Source: DUI70.dll0.5.dr Static PE information: section name: .jzccua
            Source: dwmapi.dll0.5.dr Static PE information: section name: .qkm
            Source: dwmapi.dll0.5.dr Static PE information: section name: .cvjb
            Source: dwmapi.dll0.5.dr Static PE information: section name: .tlmkv
            Source: dwmapi.dll0.5.dr Static PE information: section name: .wucsxe
            Source: dwmapi.dll0.5.dr Static PE information: section name: .wnx
            Source: dwmapi.dll0.5.dr Static PE information: section name: .weqy
            Source: dwmapi.dll0.5.dr Static PE information: section name: .yby
            Source: dwmapi.dll0.5.dr Static PE information: section name: .ormx
            Source: dwmapi.dll0.5.dr Static PE information: section name: .dhclu
            Source: dwmapi.dll0.5.dr Static PE information: section name: .xmiul
            Source: dwmapi.dll0.5.dr Static PE information: section name: .tlwcxe
            Source: dwmapi.dll0.5.dr Static PE information: section name: .get
            Source: dwmapi.dll0.5.dr Static PE information: section name: .hzrd
            Source: dwmapi.dll0.5.dr Static PE information: section name: .qzu
            Source: dwmapi.dll0.5.dr Static PE information: section name: .nhglos
            Source: dwmapi.dll0.5.dr Static PE information: section name: .itzo
            Source: dwmapi.dll0.5.dr Static PE information: section name: .nmsaom
            Source: dwmapi.dll0.5.dr Static PE information: section name: .mas
            Source: dwmapi.dll0.5.dr Static PE information: section name: .ldov
            Source: dwmapi.dll0.5.dr Static PE information: section name: .bwslm
            Source: dwmapi.dll0.5.dr Static PE information: section name: .gfceb
            Source: dwmapi.dll0.5.dr Static PE information: section name: .nojmwb
            Source: dwmapi.dll0.5.dr Static PE information: section name: .naznun
            Source: dwmapi.dll0.5.dr Static PE information: section name: .iyfv
            Source: dwmapi.dll0.5.dr Static PE information: section name: .iqae
            Source: dwmapi.dll0.5.dr Static PE information: section name: .zco
            Source: dwmapi.dll0.5.dr Static PE information: section name: .kqpcjh
            Source: dwmapi.dll0.5.dr Static PE information: section name: .unbzj
            Source: dwmapi.dll0.5.dr Static PE information: section name: .tcuit
            Source: dwmapi.dll0.5.dr Static PE information: section name: .sow
            Source: dwmapi.dll0.5.dr Static PE information: section name: .lkfqq
            Source: VERSION.dll.5.dr Static PE information: section name: .qkm
            Source: VERSION.dll.5.dr Static PE information: section name: .cvjb
            Source: VERSION.dll.5.dr Static PE information: section name: .tlmkv
            Source: VERSION.dll.5.dr Static PE information: section name: .wucsxe
            Source: VERSION.dll.5.dr Static PE information: section name: .wnx
            Source: VERSION.dll.5.dr Static PE information: section name: .weqy
            Source: VERSION.dll.5.dr Static PE information: section name: .yby
            Source: VERSION.dll.5.dr Static PE information: section name: .ormx
            Source: VERSION.dll.5.dr Static PE information: section name: .dhclu
            Source: VERSION.dll.5.dr Static PE information: section name: .xmiul
            Source: VERSION.dll.5.dr Static PE information: section name: .tlwcxe
            Source: VERSION.dll.5.dr Static PE information: section name: .get
            Source: VERSION.dll.5.dr Static PE information: section name: .hzrd
            Source: VERSION.dll.5.dr Static PE information: section name: .qzu
            Source: VERSION.dll.5.dr Static PE information: section name: .nhglos
            Source: VERSION.dll.5.dr Static PE information: section name: .itzo
            Source: VERSION.dll.5.dr Static PE information: section name: .nmsaom
            Source: VERSION.dll.5.dr Static PE information: section name: .mas
            Source: VERSION.dll.5.dr Static PE information: section name: .ldov
            Source: VERSION.dll.5.dr Static PE information: section name: .bwslm
            Source: VERSION.dll.5.dr Static PE information: section name: .gfceb
            Source: VERSION.dll.5.dr Static PE information: section name: .nojmwb
            Source: VERSION.dll.5.dr Static PE information: section name: .naznun
            Source: VERSION.dll.5.dr Static PE information: section name: .iyfv
            Source: VERSION.dll.5.dr Static PE information: section name: .iqae
            Source: VERSION.dll.5.dr Static PE information: section name: .zco
            Source: VERSION.dll.5.dr Static PE information: section name: .kqpcjh
            Source: VERSION.dll.5.dr Static PE information: section name: .unbzj
            Source: VERSION.dll.5.dr Static PE information: section name: .tcuit
            Source: VERSION.dll.5.dr Static PE information: section name: .sow
            Source: VERSION.dll.5.dr Static PE information: section name: .dcm
            Source: dxva2.dll.5.dr Static PE information: section name: .qkm
            Source: dxva2.dll.5.dr Static PE information: section name: .cvjb
            Source: dxva2.dll.5.dr Static PE information: section name: .tlmkv
            Source: dxva2.dll.5.dr Static PE information: section name: .wucsxe
            Source: dxva2.dll.5.dr Static PE information: section name: .wnx
            Source: dxva2.dll.5.dr Static PE information: section name: .weqy
            Source: dxva2.dll.5.dr Static PE information: section name: .yby
            Source: dxva2.dll.5.dr Static PE information: section name: .ormx
            Source: dxva2.dll.5.dr Static PE information: section name: .dhclu
            Source: dxva2.dll.5.dr Static PE information: section name: .xmiul
            Source: dxva2.dll.5.dr Static PE information: section name: .tlwcxe
            Source: dxva2.dll.5.dr Static PE information: section name: .get
            Source: dxva2.dll.5.dr Static PE information: section name: .hzrd
            Source: dxva2.dll.5.dr Static PE information: section name: .qzu
            Source: dxva2.dll.5.dr Static PE information: section name: .nhglos
            Source: dxva2.dll.5.dr Static PE information: section name: .itzo
            Source: dxva2.dll.5.dr Static PE information: section name: .nmsaom
            Source: dxva2.dll.5.dr Static PE information: section name: .mas
            Source: dxva2.dll.5.dr Static PE information: section name: .ldov
            Source: dxva2.dll.5.dr Static PE information: section name: .bwslm
            Source: dxva2.dll.5.dr Static PE information: section name: .gfceb
            Source: dxva2.dll.5.dr Static PE information: section name: .nojmwb
            Source: dxva2.dll.5.dr Static PE information: section name: .naznun
            Source: dxva2.dll.5.dr Static PE information: section name: .iyfv
            Source: dxva2.dll.5.dr Static PE information: section name: .iqae
            Source: dxva2.dll.5.dr Static PE information: section name: .zco
            Source: dxva2.dll.5.dr Static PE information: section name: .kqpcjh
            Source: dxva2.dll.5.dr Static PE information: section name: .unbzj
            Source: dxva2.dll.5.dr Static PE information: section name: .tcuit
            Source: dxva2.dll.5.dr Static PE information: section name: .sow
            Source: dxva2.dll.5.dr Static PE information: section name: .znragi
            Source: DUI70.dll1.5.dr Static PE information: section name: .qkm
            Source: DUI70.dll1.5.dr Static PE information: section name: .cvjb
            Source: DUI70.dll1.5.dr Static PE information: section name: .tlmkv
            Source: DUI70.dll1.5.dr Static PE information: section name: .wucsxe
            Source: DUI70.dll1.5.dr Static PE information: section name: .wnx
            Source: DUI70.dll1.5.dr Static PE information: section name: .weqy
            Source: DUI70.dll1.5.dr Static PE information: section name: .yby
            Source: DUI70.dll1.5.dr Static PE information: section name: .ormx
            Source: DUI70.dll1.5.dr Static PE information: section name: .dhclu
            Source: DUI70.dll1.5.dr Static PE information: section name: .xmiul
            Source: DUI70.dll1.5.dr Static PE information: section name: .tlwcxe
            Source: DUI70.dll1.5.dr Static PE information: section name: .get
            Source: DUI70.dll1.5.dr Static PE information: section name: .hzrd
            Source: DUI70.dll1.5.dr Static PE information: section name: .qzu
            Source: DUI70.dll1.5.dr Static PE information: section name: .nhglos
            Source: DUI70.dll1.5.dr Static PE information: section name: .itzo
            Source: DUI70.dll1.5.dr Static PE information: section name: .nmsaom
            Source: DUI70.dll1.5.dr Static PE information: section name: .mas
            Source: DUI70.dll1.5.dr Static PE information: section name: .ldov
            Source: DUI70.dll1.5.dr Static PE information: section name: .bwslm
            Source: DUI70.dll1.5.dr Static PE information: section name: .gfceb
            Source: DUI70.dll1.5.dr Static PE information: section name: .nojmwb
            Source: DUI70.dll1.5.dr Static PE information: section name: .naznun
            Source: DUI70.dll1.5.dr Static PE information: section name: .iyfv
            Source: DUI70.dll1.5.dr Static PE information: section name: .iqae
            Source: DUI70.dll1.5.dr Static PE information: section name: .zco
            Source: DUI70.dll1.5.dr Static PE information: section name: .kqpcjh
            Source: DUI70.dll1.5.dr Static PE information: section name: .unbzj
            Source: DUI70.dll1.5.dr Static PE information: section name: .tcuit
            Source: DUI70.dll1.5.dr Static PE information: section name: .sow
            Source: DUI70.dll1.5.dr Static PE information: section name: .kdatc
            Source: dwmapi.dll1.5.dr Static PE information: section name: .qkm
            Source: dwmapi.dll1.5.dr Static PE information: section name: .cvjb
            Source: dwmapi.dll1.5.dr Static PE information: section name: .tlmkv
            Source: dwmapi.dll1.5.dr Static PE information: section name: .wucsxe
            Source: dwmapi.dll1.5.dr Static PE information: section name: .wnx
            Source: dwmapi.dll1.5.dr Static PE information: section name: .weqy
            Source: dwmapi.dll1.5.dr Static PE information: section name: .yby
            Source: dwmapi.dll1.5.dr Static PE information: section name: .ormx
            Source: dwmapi.dll1.5.dr Static PE information: section name: .dhclu
            Source: dwmapi.dll1.5.dr Static PE information: section name: .xmiul
            Source: dwmapi.dll1.5.dr Static PE information: section name: .tlwcxe
            Source: dwmapi.dll1.5.dr Static PE information: section name: .get
            Source: dwmapi.dll1.5.dr Static PE information: section name: .hzrd
            Source: dwmapi.dll1.5.dr Static PE information: section name: .qzu
            Source: dwmapi.dll1.5.dr Static PE information: section name: .nhglos
            Source: dwmapi.dll1.5.dr Static PE information: section name: .itzo
            Source: dwmapi.dll1.5.dr Static PE information: section name: .nmsaom
            Source: dwmapi.dll1.5.dr Static PE information: section name: .mas
            Source: dwmapi.dll1.5.dr Static PE information: section name: .ldov
            Source: dwmapi.dll1.5.dr Static PE information: section name: .bwslm
            Source: dwmapi.dll1.5.dr Static PE information: section name: .gfceb
            Source: dwmapi.dll1.5.dr Static PE information: section name: .nojmwb
            Source: dwmapi.dll1.5.dr Static PE information: section name: .naznun
            Source: dwmapi.dll1.5.dr Static PE information: section name: .iyfv
            Source: dwmapi.dll1.5.dr Static PE information: section name: .iqae
            Source: dwmapi.dll1.5.dr Static PE information: section name: .zco
            Source: dwmapi.dll1.5.dr Static PE information: section name: .kqpcjh
            Source: dwmapi.dll1.5.dr Static PE information: section name: .unbzj
            Source: dwmapi.dll1.5.dr Static PE information: section name: .tcuit
            Source: dwmapi.dll1.5.dr Static PE information: section name: .sow
            Source: dwmapi.dll1.5.dr Static PE information: section name: .kum
            Source: WINSTA.dll.5.dr Static PE information: section name: .qkm
            Source: WINSTA.dll.5.dr Static PE information: section name: .cvjb
            Source: WINSTA.dll.5.dr Static PE information: section name: .tlmkv
            Source: WINSTA.dll.5.dr Static PE information: section name: .wucsxe
            Source: WINSTA.dll.5.dr Static PE information: section name: .wnx
            Source: WINSTA.dll.5.dr Static PE information: section name: .weqy
            Source: WINSTA.dll.5.dr Static PE information: section name: .yby
            Source: WINSTA.dll.5.dr Static PE information: section name: .ormx
            Source: WINSTA.dll.5.dr Static PE information: section name: .dhclu
            Source: WINSTA.dll.5.dr Static PE information: section name: .xmiul
            Source: WINSTA.dll.5.dr Static PE information: section name: .tlwcxe
            Source: WINSTA.dll.5.dr Static PE information: section name: .get
            Source: WINSTA.dll.5.dr Static PE information: section name: .hzrd
            Source: WINSTA.dll.5.dr Static PE information: section name: .qzu
            Source: WINSTA.dll.5.dr Static PE information: section name: .nhglos
            Source: WINSTA.dll.5.dr Static PE information: section name: .itzo
            Source: WINSTA.dll.5.dr Static PE information: section name: .nmsaom
            Source: WINSTA.dll.5.dr Static PE information: section name: .mas
            Source: WINSTA.dll.5.dr Static PE information: section name: .ldov
            Source: WINSTA.dll.5.dr Static PE information: section name: .bwslm
            Source: WINSTA.dll.5.dr Static PE information: section name: .gfceb
            Source: WINSTA.dll.5.dr Static PE information: section name: .nojmwb
            Source: WINSTA.dll.5.dr Static PE information: section name: .naznun
            Source: WINSTA.dll.5.dr Static PE information: section name: .iyfv
            Source: WINSTA.dll.5.dr Static PE information: section name: .iqae
            Source: WINSTA.dll.5.dr Static PE information: section name: .zco
            Source: WINSTA.dll.5.dr Static PE information: section name: .kqpcjh
            Source: WINSTA.dll.5.dr Static PE information: section name: .unbzj
            Source: WINSTA.dll.5.dr Static PE information: section name: .tcuit
            Source: WINSTA.dll.5.dr Static PE information: section name: .sow
            Source: WINSTA.dll.5.dr Static PE information: section name: .ykoawy
            Source: DUI70.dll2.5.dr Static PE information: section name: .qkm
            Source: DUI70.dll2.5.dr Static PE information: section name: .cvjb
            Source: DUI70.dll2.5.dr Static PE information: section name: .tlmkv
            Source: DUI70.dll2.5.dr Static PE information: section name: .wucsxe
            Source: DUI70.dll2.5.dr Static PE information: section name: .wnx
            Source: DUI70.dll2.5.dr Static PE information: section name: .weqy
            Source: DUI70.dll2.5.dr Static PE information: section name: .yby
            Source: DUI70.dll2.5.dr Static PE information: section name: .ormx
            Source: DUI70.dll2.5.dr Static PE information: section name: .dhclu
            Source: DUI70.dll2.5.dr Static PE information: section name: .xmiul
            Source: DUI70.dll2.5.dr Static PE information: section name: .tlwcxe
            Source: DUI70.dll2.5.dr Static PE information: section name: .get
            Source: DUI70.dll2.5.dr Static PE information: section name: .hzrd
            Source: DUI70.dll2.5.dr Static PE information: section name: .qzu
            Source: DUI70.dll2.5.dr Static PE information: section name: .nhglos
            Source: DUI70.dll2.5.dr Static PE information: section name: .itzo
            Source: DUI70.dll2.5.dr Static PE information: section name: .nmsaom
            Source: DUI70.dll2.5.dr Static PE information: section name: .mas
            Source: DUI70.dll2.5.dr Static PE information: section name: .ldov
            Source: DUI70.dll2.5.dr Static PE information: section name: .bwslm
            Source: DUI70.dll2.5.dr Static PE information: section name: .gfceb
            Source: DUI70.dll2.5.dr Static PE information: section name: .nojmwb
            Source: DUI70.dll2.5.dr Static PE information: section name: .naznun
            Source: DUI70.dll2.5.dr Static PE information: section name: .iyfv
            Source: DUI70.dll2.5.dr Static PE information: section name: .iqae
            Source: DUI70.dll2.5.dr Static PE information: section name: .zco
            Source: DUI70.dll2.5.dr Static PE information: section name: .kqpcjh
            Source: DUI70.dll2.5.dr Static PE information: section name: .unbzj
            Source: DUI70.dll2.5.dr Static PE information: section name: .tcuit
            Source: DUI70.dll2.5.dr Static PE information: section name: .sow
            Source: DUI70.dll2.5.dr Static PE information: section name: .eavhk
            Source: VERSION.dll0.5.dr Static PE information: section name: .qkm
            Source: VERSION.dll0.5.dr Static PE information: section name: .cvjb
            Source: VERSION.dll0.5.dr Static PE information: section name: .tlmkv
            Source: VERSION.dll0.5.dr Static PE information: section name: .wucsxe
            Source: VERSION.dll0.5.dr Static PE information: section name: .wnx
            Source: VERSION.dll0.5.dr Static PE information: section name: .weqy
            Source: VERSION.dll0.5.dr Static PE information: section name: .yby
            Source: VERSION.dll0.5.dr Static PE information: section name: .ormx
            Source: VERSION.dll0.5.dr Static PE information: section name: .dhclu
            Source: VERSION.dll0.5.dr Static PE information: section name: .xmiul
            Source: VERSION.dll0.5.dr Static PE information: section name: .tlwcxe
            Source: VERSION.dll0.5.dr Static PE information: section name: .get
            Source: VERSION.dll0.5.dr Static PE information: section name: .hzrd
            Source: VERSION.dll0.5.dr Static PE information: section name: .qzu
            Source: VERSION.dll0.5.dr Static PE information: section name: .nhglos
            Source: VERSION.dll0.5.dr Static PE information: section name: .itzo
            Source: VERSION.dll0.5.dr Static PE information: section name: .nmsaom
            Source: VERSION.dll0.5.dr Static PE information: section name: .mas
            Source: VERSION.dll0.5.dr Static PE information: section name: .ldov
            Source: VERSION.dll0.5.dr Static PE information: section name: .bwslm
            Source: VERSION.dll0.5.dr Static PE information: section name: .gfceb
            Source: VERSION.dll0.5.dr Static PE information: section name: .nojmwb
            Source: VERSION.dll0.5.dr Static PE information: section name: .naznun
            Source: VERSION.dll0.5.dr Static PE information: section name: .iyfv
            Source: VERSION.dll0.5.dr Static PE information: section name: .iqae
            Source: VERSION.dll0.5.dr Static PE information: section name: .zco
            Source: VERSION.dll0.5.dr Static PE information: section name: .kqpcjh
            Source: VERSION.dll0.5.dr Static PE information: section name: .unbzj
            Source: VERSION.dll0.5.dr Static PE information: section name: .tcuit
            Source: VERSION.dll0.5.dr Static PE information: section name: .sow
            Source: VERSION.dll0.5.dr Static PE information: section name: .fwy
            Source: VERSION.dll1.5.dr Static PE information: section name: .qkm
            Source: VERSION.dll1.5.dr Static PE information: section name: .cvjb
            Source: VERSION.dll1.5.dr Static PE information: section name: .tlmkv
            Source: VERSION.dll1.5.dr Static PE information: section name: .wucsxe
            Source: VERSION.dll1.5.drStatic PE information: section name: .wnx
            Source: VERSION.dll1.5.drStatic PE information: section name: .weqy
            Source: VERSION.dll1.5.drStatic PE information: section name: .yby
            Source: VERSION.dll1.5.drStatic PE information: section name: .ormx
            Source: VERSION.dll1.5.drStatic PE information: section name: .dhclu
            Source: VERSION.dll1.5.drStatic PE information: section name: .xmiul
            Source: VERSION.dll1.5.drStatic PE information: section name: .tlwcxe
            Source: VERSION.dll1.5.drStatic PE information: section name: .get
            Source: VERSION.dll1.5.drStatic PE information: section name: .hzrd
            Source: VERSION.dll1.5.drStatic PE information: section name: .qzu
            Source: VERSION.dll1.5.drStatic PE information: section name: .nhglos
            Source: VERSION.dll1.5.drStatic PE information: section name: .itzo
            Source: VERSION.dll1.5.drStatic PE information: section name: .nmsaom
            Source: VERSION.dll1.5.drStatic PE information: section name: .mas
            Source: VERSION.dll1.5.drStatic PE information: section name: .ldov
            Source: VERSION.dll1.5.drStatic PE information: section name: .bwslm
            Source: VERSION.dll1.5.drStatic PE information: section name: .gfceb
            Source: VERSION.dll1.5.drStatic PE information: section name: .nojmwb
            Source: VERSION.dll1.5.drStatic PE information: section name: .naznun
            Source: VERSION.dll1.5.drStatic PE information: section name: .iyfv
            Source: VERSION.dll1.5.drStatic PE information: section name: .iqae
            Source: VERSION.dll1.5.drStatic PE information: section name: .zco
            Source: VERSION.dll1.5.drStatic PE information: section name: .kqpcjh
            Source: VERSION.dll1.5.drStatic PE information: section name: .unbzj
            Source: VERSION.dll1.5.drStatic PE information: section name: .tcuit
            Source: VERSION.dll1.5.drStatic PE information: section name: .sow
            Source: VERSION.dll1.5.drStatic PE information: section name: .varqbp
            Source: C:\Users\user\AppData\Local\I0o\rdpclip.exe | Code function: 27_2_00007FF7B95BFA80 LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,
            Source: dwmapi.dll1.5.dr | Static PE information: checksum in header: 0x7d786c40, recomputed from file: 0x12e466
            Source: K7dGM0P0yz.dll | Static PE information: checksum in header: 0x7d786c40, recomputed from file: 0x13a6c7
            Source: DUI70.dll.5.dr | Static PE information: checksum in header: 0x7d786c40, recomputed from file: 0x1731b6
            Source: WINSTA.dll.5.dr | Static PE information: checksum in header: 0x7d786c40, recomputed from file: 0x138380
            Source: VERSION.dll1.5.dr | Static PE information: checksum in header: 0x7d786c40, recomputed from file: 0x135f10
            Source: DUI70.dll1.5.dr | Static PE information: checksum in header: 0x7d786c40, recomputed from file: 0x17ceb6
            Source: dwmapi.dll0.5.dr | Static PE information: checksum in header: 0x7d786c40, recomputed from file: 0x135098
            Source: dxva2.dll.5.dr | Static PE information: checksum in header: 0x7d786c40, recomputed from file: 0x131391
            Source: VERSION.dll0.5.dr | Static PE information: checksum in header: 0x7d786c40, recomputed from file: 0x13830e
            Source: dwmapi.dll.5.dr | Static PE information: checksum in header: 0x7d786c40, recomputed from file: 0x12f24d
            Source: DUI70.dll2.5.dr | Static PE information: checksum in header: 0x7d786c40, recomputed from file: 0x17e239
            Source: DUI70.dll0.5.dr | Static PE information: checksum in header: 0x7d786c40, recomputed from file: 0x180503
            Source: VERSION.dll.5.dr | Static PE information: checksum in header: 0x7d786c40, recomputed from file: 0x12ff28
            The submitted DLL and all twelve dropped DLLs carry the identical header value 0x7d786c40 while their correct checksums all differ, so the field is stamped with a constant by the build tooling rather than computed per file. A linker leaves CheckSum at zero unless asked to fill it; a non-zero value that matches none of the files is itself a usable static indicator across the set.
            Source: rdpinit.exe.5.dr | Static PE information: timestamp 0xC894E371 [Fri Aug 21 01:59:13 2076 UTC]
            A future build date is a weak signal on a Windows system executable: Microsoft's reproducible builds write a hash into TimeDateStamp rather than a build time, so an unmodified copy of a system binary routinely shows a nonsensical date. Treat it as a finding only once the file is confirmed not to be a genuine Microsoft binary.
            Source: initial sample | Static PE information: section name: .text entropy: 7.73364605679
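The four static findings above (non-standard section names, a header checksum that does not match the file, a .text section with entropy near 8, and a build timestamp in the future) are cheap to recompute without a sandbox. The script below is an added example and is not part of the Joe Sandbox report or of any tool it uses: a dependency-free Python triage that parses the PE headers, recomputes the checksum the way imagehlp's CheckSumMappedFile does, measures section entropy, and reports the anomalies. build_pe constructs a minimal synthetic PE32+ image for the demo; the section name .itzo, the stored checksum 0x7d786c40 and the timestamp 0xC894E371 come from the report, every other value is made up. The entropy threshold of 7.2 and the section-name allow list are my choices, not the sandbox's.

```python
"""Static PE triage: recompute the header checksum, score section entropy, flag odd names and timestamps."""
import math
import struct
import time

# Section names a Microsoft or GNU linker normally emits; anything else gets flagged (assumed allow list).
STANDARD_SECTIONS = {".text", ".rdata", ".data", ".pdata", ".rsrc", ".reloc", ".idata",
                     ".edata", ".tls", ".bss", ".xdata", ".didat", ".CRT", ".gfids"}
ENTROPY_THRESHOLD = 7.2   # packed or encrypted code sits near 8.0; plain x64 code usually lands around 6.0-6.8


def shannon_entropy(buf: bytes) -> float:
    """Bits of entropy per byte: 0.0 for an empty or constant buffer, 8.0 for a uniform one."""
    if not buf:
        return 0.0
    counts = [0] * 256
    for b in buf:
        counts[b] += 1
    n = len(buf)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def pe_checksum(data: bytes) -> int:
    """Recompute IMAGE_OPTIONAL_HEADER.CheckSum like imagehlp: fold every 32-bit word of the file
    (the CheckSum field itself skipped) down to 16 bits, then add the file length."""
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    checksum_off = e_lfanew + 24 + 64   # 'PE\0\0' + COFF header = 24 bytes; CheckSum is at +64 in PE32 and PE32+
    padded = data + b"\0" * (-len(data) % 4)
    total = 0
    for off in range(0, len(padded), 4):
        if off == checksum_off:
            continue
        total += struct.unpack_from("<I", padded, off)[0]
        if total >= 1 << 32:
            total = (total & 0xFFFFFFFF) + (total >> 32)
    total = (total & 0xFFFF) + (total >> 16)
    total = (total + (total >> 16)) & 0xFFFF
    return total + len(data)


def parse_pe(data: bytes) -> dict:
    """Pull out just the fields the triage needs: timestamp, stored checksum and per-section raw data."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ file")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    coff = e_lfanew + 4
    _machine, nsections, timestamp, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    stored_checksum = struct.unpack_from("<I", data, opt + 64)[0]
    sections = []
    for i in range(nsections):
        name, _vsize, _va, raw_size, raw_ptr = struct.unpack_from("<8sIIII", data, opt + opt_size + 40 * i)
        raw = data[raw_ptr:raw_ptr + raw_size]
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "size": raw_size, "entropy": shannon_entropy(raw)})
    return {"timestamp": timestamp, "stored_checksum": stored_checksum, "sections": sections}


def triage(data: bytes, now=None) -> list:
    """Return the static anomalies the report keys on, as human-readable findings."""
    info = parse_pe(data)
    now = time.time() if now is None else now
    findings = []
    computed = pe_checksum(data)
    # A zero CheckSum is legitimate (the linker only fills it in when asked, e.g. /RELEASE for system binaries);
    # a non-zero value that does not match the file is not.
    if info["stored_checksum"] not in (0, computed):
        findings.append("checksum mismatch: stored 0x%x, computed 0x%x" % (info["stored_checksum"], computed))
    # Weak signal on its own: Microsoft's reproducible builds store a hash here, which can look like a future date.
    if info["timestamp"] > now:
        findings.append("timestamp in the future: " + time.strftime("%Y-%m-%d", time.gmtime(info["timestamp"])))
    for s in info["sections"]:
        if s["name"] not in STANDARD_SECTIONS:
            findings.append("non-standard section name: " + s["name"])
        if s["size"] >= 256 and s["entropy"] > ENTROPY_THRESHOLD:
            findings.append("high-entropy section %s: %.2f" % (s["name"], s["entropy"]))
    return findings


def build_pe(sections, timestamp, checksum=0) -> bytes:
    """Build a minimal, non-runnable PE32+ image with the given (name, payload) sections. Constructed test data only."""
    e_lfanew, opt_size = 0x80, 240
    header_end = e_lfanew + 4 + 20 + opt_size + 40 * len(sections)
    raw_ptr = (header_end + 0x1FF) & ~0x1FF            # 512-byte file alignment
    dos = (b"MZ" + b"\0" * 0x3A + struct.pack("<I", e_lfanew)).ljust(e_lfanew, b"\0")
    coff = struct.pack("<HHIIIHH", 0x8664, len(sections), timestamp, 0, 0, opt_size, 0x2022)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x20B)              # PE32+ magic
    struct.pack_into("<I", opt, 64, checksum)
    table, body, va = b"", b"", 0x1000
    for name, payload in sections:
        size = (len(payload) + 0x1FF) & ~0x1FF
        table += struct.pack("<8sIIIIIIHHI", name.encode().ljust(8, b"\0"), len(payload), va,
                             size, raw_ptr + len(body), 0, 0, 0, 0, 0x60000020)
        body += payload.ljust(size, b"\0")
        va += 0x1000
    return (dos + b"PE\0\0" + coff + bytes(opt) + table).ljust(raw_ptr, b"\0") + body


# Constructed sample: a packed-looking .text, one of the report's section names, the report's stored
# checksum and rdpinit.exe's timestamp. Everything else about the image is synthetic.
SAMPLE_SECTIONS = [(".text", bytes(range(256)) * 4), (".itzo", b"\0" * 512)]
SAMPLE = build_pe(SAMPLE_SECTIONS, 0xC894E371, checksum=0x7D786C40)

if __name__ == "__main__":
    for finding in triage(SAMPLE):
        print(finding)
```

On a real file, pass `open(path, "rb").read()` to `triage`; the checksum mismatch and the repeated section-name run are the findings worth keeping, the timestamp one needs the Microsoft-binary caveat applied first.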
            The 24 dropped files fall into 12 randomly named directories under C:\Users\user\AppData\Local, each holding one executable and one DLL. Every executable carries the name of a Windows system program (wextract, bdechangepin, AgentService, osk, dccw, GamePanel, rdpinit, rdpclip, systemreset, dpapimig, RdpSaUacHelper, wlrmdr) and every DLL the name of a system library (VERSION, DUI70, dxva2, dwmapi, WINSTA). None of those five DLL names is on the KnownDLLs list, so the copy beside the executable is loaded in preference to the one in System32: this is the on-disk layout of DLL search-order hijacking, with the copied program as the host and the DLL next to it as the loader. If the executables are unmodified copies, the code-function findings reported against rdpclip.exe, wlrmdr.exe, bdechangepin.exe, rdpinit.exe, dccw.exe, dpapimig.exe, AgentService.exe and GamePanel.exe elsewhere on this page describe the host program, not the malware; confirm their signatures or hashes before using them as indicators.
            Source: C:\Windows\explorer.exe | File created: C:\Users\user\AppData\Local\1DwRown1P\VERSION.dll, C:\Users\user\AppData\Local\1DwRown1P\wextract.exe
            Source: C:\Windows\explorer.exe | File created: C:\Users\user\AppData\Local\5HTUnLvL\DUI70.dll, C:\Users\user\AppData\Local\5HTUnLvL\bdechangepin.exe
            Source: C:\Windows\explorer.exe | File created: C:\Users\user\AppData\Local\eF0\VERSION.dll, C:\Users\user\AppData\Local\eF0\AgentService.exe
            Source: C:\Windows\explorer.exe | File created: C:\Users\user\AppData\Local\exotc\DUI70.dll, C:\Users\user\AppData\Local\exotc\osk.exe
            Source: C:\Windows\explorer.exe | File created: C:\Users\user\AppData\Local\Fox\dxva2.dll, C:\Users\user\AppData\Local\Fox\dccw.exe
            Source: C:\Windows\explorer.exe | File created: C:\Users\user\AppData\Local\hIiDwtvg\dwmapi.dll, C:\Users\user\AppData\Local\hIiDwtvg\GamePanel.exe
            Source: C:\Windows\explorer.exe | File created: C:\Users\user\AppData\Local\hJetkV\dwmapi.dll, C:\Users\user\AppData\Local\hJetkV\rdpinit.exe
            Source: C:\Windows\explorer.exe | File created: C:\Users\user\AppData\Local\I0o\dwmapi.dll, C:\Users\user\AppData\Local\I0o\rdpclip.exe
            Source: C:\Windows\explorer.exe | File created: C:\Users\user\AppData\Local\qe7nfWB\VERSION.dll, C:\Users\user\AppData\Local\qe7nfWB\systemreset.exe
            Source: C:\Windows\explorer.exe | File created: C:\Users\user\AppData\Local\rdM8VQT\DUI70.dll, C:\Users\user\AppData\Local\rdM8VQT\dpapimig.exe
            Source: C:\Windows\explorer.exe | File created: C:\Users\user\AppData\Local\vh7jtu\WINSTA.dll, C:\Users\user\AppData\Local\vh7jtu\RdpSaUacHelper.exe
            Source: C:\Windows\explorer.exe | File created: C:\Users\user\AppData\Local\YRu8\DUI70.dll, C:\Users\user\AppData\Local\YRu8\wlrmdr.exe
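A randomly named directory under the local AppData root that pairs a Windows executable with a DLL named after a system library is the on-disk footprint of the drops listed above, and it can be hunted for without any knowledge of this sample. The function below is an added example, not part of the report or of any sandbox: it walks a profile root and, for every directory holding an EXE beside a DLL, compares both against the file of the same name in a reference directory (System32 on a real host) by SHA-256. An EXE that is a byte-identical copy of a system binary beside a DLL that carries a system DLL's name but different content is the sideload pattern; the other verdicts are lower-confidence descriptions of what was seen. The demo builds a throwaway tree in a temp folder that mirrors the report's I0o and Fox directories plus two benign controls; all paths and file contents there are constructed.

```python
"""Hunt for DLL sideloading drop directories: a copied system EXE beside a DLL that impersonates a system DLL."""
import hashlib
import os
import tempfile


def sha256_file(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def reference_hash(system_dir: str, name: str, cache: dict):
    """SHA-256 of the system copy of name, or None when the reference directory has no such file.
    Hashes on demand so a real System32 is not hashed in full."""
    key = name.lower()
    if key not in cache:
        path = os.path.join(system_dir, name)
        cache[key] = sha256_file(path) if os.path.isfile(path) else None
    return cache[key]


def find_sideload_candidates(root: str, system_dir: str) -> list:
    """Return (directory, exe, dll, verdict) for every directory under root that pairs an EXE with a DLL."""
    cache, hits = {}, []
    for dirpath, _dirs, files in os.walk(root):
        exes = [f for f in files if f.lower().endswith(".exe")]
        dlls = [f for f in files if f.lower().endswith(".dll")]
        if not exes or not dlls:
            continue
        for exe in exes:
            exe_ref = reference_hash(system_dir, exe, cache)
            exe_copied = exe_ref is not None and exe_ref == sha256_file(os.path.join(dirpath, exe))
            for dll in dlls:
                dll_ref = reference_hash(system_dir, dll, cache)
                if dll_ref is None:
                    verdict = "dll name not in system dir"
                elif dll_ref == sha256_file(os.path.join(dirpath, dll)):
                    verdict = "dll identical to system copy"
                elif exe_copied:
                    verdict = "sideload"                # copied system host + impostor DLL with a system name
                else:
                    verdict = "dll impersonates system dll, exe unknown"
                hits.append((dirpath, exe, dll, verdict))
    return hits


def build_demo_tree(base: str):
    """Constructed layout mirroring the report's I0o and Fox directories, plus two benign controls."""
    layout = {
        ("System32", "rdpclip.exe"): b"MZ genuine rdpclip",
        ("System32", "dwmapi.dll"): b"MZ genuine dwmapi",
        ("System32", "dccw.exe"): b"MZ genuine dccw",
        ("System32", "dxva2.dll"): b"MZ genuine dxva2",
        # copied system EXE + trojanised DLL with a system DLL's name: the sideload pair
        ("AppData/Local/I0o", "rdpclip.exe"): b"MZ genuine rdpclip",
        ("AppData/Local/I0o", "dwmapi.dll"): b"MZ loader payload",
        ("AppData/Local/Fox", "dccw.exe"): b"MZ genuine dccw",
        ("AppData/Local/Fox", "dxva2.dll"): b"MZ loader payload",
        # control 1: a vendor application shipping its own private DLL (name unknown to System32)
        ("AppData/Local/Vendor", "vendor.exe"): b"MZ vendor",
        ("AppData/Local/Vendor", "vendorlib.dll"): b"MZ vendor lib",
        # control 2: an EXE on its own, which the hunt ignores
        ("AppData/Local/Solo", "tool.exe"): b"MZ tool",
    }
    for (sub, name), content in layout.items():
        d = os.path.join(base, *sub.split("/"))
        os.makedirs(d, exist_ok=True)
        with open(os.path.join(d, name), "wb") as f:
            f.write(content)
    return os.path.join(base, "AppData", "Local"), os.path.join(base, "System32")


def demo() -> dict:
    """Run the hunt on the constructed tree and return {directory name: verdict}."""
    with tempfile.TemporaryDirectory() as base:
        local, system = build_demo_tree(base)
        return {os.path.basename(d): v for d, _e, _dl, v in find_sideload_candidates(local, system)}


if __name__ == "__main__":
    for directory, verdict in sorted(demo().items()):
        print(directory, verdict)
```

On a Windows host call `find_sideload_candidates(r"C:\Users\<user>\AppData\Local", r"C:\Windows\System32")`; the hash comparison against System32 is what separates a copied system binary from a vendor tool that happens to ship a DLL of its own.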
            Source: C:\Users\user\AppData\Local\YRu8\wlrmdr.exe | Code function: 24_2_00007FF79A6F3464 OpenSCManagerW,GetLastError,OpenServiceW,GetLastError,StartServiceW,GetLastError,QueryServiceStatus,Sleep,GetLastError,CloseServiceHandle,CloseServiceHandle,
            Source: C:\Users\user\AppData\Local\I0o\rdpclip.exe | Code function: 27_2_00007FF7B95BFA80 LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,
            Source: C:\Windows\explorer.exe | Registry key monitored for changes: HKEY_CURRENT_USER_Classes
            Source: C:\Windows\System32\rundll32.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\explorer.exe TID: 4596 | Thread sleep count: 38 > 30
            Source: C:\Users\user\AppData\Local\hIiDwtvg\GamePanel.exe | Last function: Thread delayed
            Source: C:\Windows\explorer.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\qe7nfWB\systemreset.exe
            Source: C:\Windows\explorer.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\1DwRown1P\wextract.exe
            Source: C:\Users\user\AppData\Local\hJetkV\rdpinit.exe | Code function: 20_2_00007FF6CE1C2EA4 rdtsc
            Source: C:\Users\user\AppData\Local\I0o\rdpclip.exe | Code function: 27_2_00007FF7B958507C SetupDiGetDeviceRegistryPropertyW,GetLastError,SetupDiGetDevicePropertyW,RegQueryValueExW,DefineDosDeviceW,GetLastError,RegSetValueExW,GetLastError,
            Source: C:\Windows\System32\loaddll64.exe | Process information queried: ProcessInformation
            Source: C:\Windows\System32\loaddll64.exe | Code function: 0_2_000000014005C340 GetSystemInfo,
            Source: C:\Windows\System32\loaddll64.exe | Code function: 0_2_000000014005D290 FindFirstFileExW,
            Source: C:\Users\user\AppData\Local\I0o\rdpclip.exe | Code function: 27_2_00007FF7B95B2380 memset,memset,memset,wcschr,wcsrchr,FindNextFileW,FindFirstFileW,FindNextFileW,GetLastError,wcsrchr,FindClose,LocalFree,LocalAlloc,GetLastError,GetLastError,FindClose,FindClose,LocalFree,
            Source: C:\Users\user\AppData\Local\eF0\AgentService.exe | Code function: 30_2_00007FF71B679110 ??3@YAXPEAX@Z,??3@YAXPEAX@Z,std::bad_exception::bad_exception,_CxxThrowException,FindFirstFileW,GetLastError,??3@YAXPEAX@Z,??3@YAXPEAX@Z,??3@YAXPEAX@Z,??3@YAXPEAX@Z,??3@YAXPEAX@Z,FindNextFileW,GetLastError,??3@YAXPEAX@Z,??3@YAXPEAX@Z,??3@YAXPEAX@Z,std::bad_exception::bad_exception,_CxxThrowException,std::bad_exception::bad_exception,_CxxThrowException,
            Source: explorer.exe, 00000005.00000000.675145549.000000000A60E000.00000004.00000001.sdmp | Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
            Source: explorer.exe, 00000005.00000000.718116575.0000000006650000.00000004.00000001.sdmp | Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
            Source: explorer.exe, 00000005.00000000.675563745.000000000A716000.00000004.00000001.sdmp | Binary or memory string: War&Prod_VMware_SATAa
            Source: explorer.exe, 00000005.00000000.702853289.0000000004710000.00000004.00000001.sdmp | Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000[Wm
            Source: explorer.exe, 00000005.00000000.685209746.0000000004791000.00000004.00000001.sdmp | Binary or memory string: AGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}v
            Source: explorer.exe, 00000005.00000000.675563745.000000000A716000.00000004.00000001.sdmp | Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000/
            Source: explorer.exe, 00000005.00000000.676311661.000000000A784000.00000004.00000001.sdmp | Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000@
            These VMware device paths come from explorer.exe's own memory, where the shell caches Plug and Play device names. They show that the analysis ran in a VMware guest; they do not show that the s
ample enumerated the hypervisor, and they should not be read as anti-VM behaviour of the sample.
            Source: C:\Users\user\AppData\Local\I0o\rdpclip.exe | Code function: 27_2_00007FF7B95C0D50 GetCurrentThreadId,memset,IsDebuggerPresent,OutputDebugStringW,
            Source: C:\Users\user\AppData\Local\eF0\AgentService.exe | Code function: 30_2_00007FF71B642EF0 OutputDebugStringW,OutputDebugStringW,EventRegister,EventSetInformation,RegisterServiceCtrlHandlerW,SetServiceStatus,SetServiceStatus,GetLastError,
            Source: C:\Users\user\AppData\Local\I0o\rdpclip.exe | Code function: 27_2_00007FF7B95BFA80 LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,
            Source: C:\Users\user\AppData\Local\5HTUnLvL\bdechangepin.exe | Code function: 16_2_00007FF6369849E0 GetProcessHeap,HeapFree,
            Source: C:\Users\user\AppData\Local\hJetkV\rdpinit.exe | Code function: 20_2_00007FF6CE1C2EA4 rdtsc
            Source: C:\Windows\System32\loaddll64.exe | Code function: 0_2_0000000140048AC0 LdrLoadDll,FindClose,
            Source: C:\Users\user\AppData\Local\hIiDwtvg\GamePanel.exe | Code function: 37_2_00007FF66A29ED00 memset,memset,QueryPerformanceFrequency,QueryPerformanceCounter,BlockInput,
            Source: C:\Users\user\AppData\Local\5HTUnLvL\bdechangepin.exe | Code function: 16_2_00007FF636987480 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
            Source: C:\Users\user\AppData\Local\5HTUnLvL\bdechangepin.exe | Code function: 16_2_00007FF636987680 SetUnhandledExceptionFilter,
            Source: C:\Users\user\AppData\Local\hJetkV\rdpinit.exe | Code function: 20_2_00007FF6CE1EF1E0 SetUnhandledExceptionFilter,
            Source: C:\Users\user\AppData\Local\hJetkV\rdpinit.exe | Code function: 20_2_00007FF6CE1EEA28 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
            Source: C:\Users\user\AppData\Local\hJetkV\rdpinit.exe | Code function: 20_2_00007FF6CE1F72B4 RtlCaptureContext,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
            Source: C:\Users\user\AppData\Local\YRu8\wlrmdr.exe | Code function: 24_2_00007FF79A6F4014 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
            Source: C:\Users\user\AppData\Local\YRu8\wlrmdr.exe | Code function: 24_2_00007FF79A6F3D90 SetUnhandledExceptionFilter,
            Source: C:\Users\user\AppData\Local\I0o\rdpclip.exe | Code function: 27_2_00007FF7B95CFC30 SetUnhandledExceptionFilter,
            Source: C:\Users\user\AppData\Local\I0o\rdpclip.exe | Code function: 27_2_00007FF7B95CFE9C SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
            Source: C:\Users\user\AppData\Local\eF0\AgentService.exe | Code function: 30_2_00007FF71B6F0304 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
            Source: C:\Users\user\AppData\Local\Fox\dccw.exe | Code function: 32_2_00007FF7D526F894 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
            Source: C:\Users\user\AppData\Local\Fox\dccw.exe | Code function: 32_2_00007FF7D526FBA0 SetUnhandledExceptionFilter,
            Source: C:\Users\user\AppData\Local\rdM8VQT\dpapimig.exe | Code function: 34_2_00007FF6312D2BE0 SetUnhandledExceptionFilter,
            Source: C:\Users\user\AppData\Local\rdM8VQT\dpapimig.exe | Code function: 34_2_00007FF6312D29D0 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
            Source: C:\Users\user\AppData\Local\hIiDwtvg\GamePanel.exe | Code function: 37_2_00007FF66A30BD44 IsProcessorFeaturePresent,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
            Source: C:\Users\user\AppData\Local\hIiDwtvg\GamePanel.exe | Code function: 37_2_00007FF66A30BF20 SetUnhandledExceptionFilter,
            Source: C:\Users\user\AppData\Local\hIiDwtvg\GamePanel.exe | Code function: 37_2_00007FF66A30B284 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
            The SetUnhandledExceptionFilter, UnhandledExceptionFilter, GetCurrentProcess, TerminateProcess sequence, with or without a preceding IsDebuggerPresent and RtlCaptureContext, is the Visual C++ runtime's fail-fast path and is present in every binary built with that runtime. Its appearance in the copied system executables is not evidence of anti-debugging; the checks that matter for this sample are the ones in the dropped DLLs and in the code injected into explorer.exe.

            HIPS / PFW / Operating System Protection Evasion:

            Benign windows process drops PE files
            Source: C:\Windows\explorer.exe | File created: DUI70.dll.5.dr
            Changes memory attributes in foreign processes to executable or writable
            Source: C:\Windows\System32\rundll32.exe | Memory protected: C:\Windows\explorer.exe base: 7FFABD58EFE0 protect: page execute and read and write
            Source: C:\Windows\System32\rundll32.exe | Memory protected: C:\Windows\explorer.exe base: 7FFABD58E000 protect: page execute read
            Source: C:\Windows\System32\rundll32.exe | Memory protected: C:\Windows\explorer.exe base: 7FFABB012A20 protect: page execute and read and write
            Queues an APC in another process (thread injection)
            Source: C:\Windows\System32\rundll32.exe | Thread APC queued: target process: C:\Windows\explorer.exe
            Uses Atom Bombing / ProGate to inject into other processes
            Source: C:\Windows\System32\rundll32.exe | Atom created: 405553565741544156488D6C24D14881EC98
            The sandbox disassembled the atom payload as 32-bit code (inc eax; push ebp; push ebx; push esi; push edi; inc ecx; push esp; inc ecx; push esi; dec eax; lea ebp, dword ptr [esp-2Fh]; dec eax; sub esp, 98h). The target is the 64-bit explorer.exe (the protected addresses above are 64-bit user-mode addresses), and in 64-bit mode the same bytes are an ordinary compiler prologue: 40 55 push rbp; 53 push rbx; 56 push rsi; 57 push rdi; 41 54 push r12; 41 56 push r14; 48 8D 6C 24 D1 lea rbp, [rsp-2Fh]; 48 81 EC 98 00 00 00 sub rsp, 98h. Only the first byte of that last immediate was recorded because an atom name is a NUL-terminated string and the recording stops at the 00. That constraint is why AtomBombing writes its payload into the global atom table in NUL-free chunks, has the target copy each chunk out with an APC that calls GlobalGetAtomName, and then flips the destination to executable, which is the memory-protection change on explorer.exe listed above.
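The bytes in that atom are an x86-64 function prologue that the sandbox rendered as 32-bit code. The decoder below is an added example and is not part of the report or of any sandbox: it handles only the instruction forms a compiler prologue is built from (REX-prefixed push, lea with a SIB byte and an 8-bit displacement, sub r64 with a 32-bit immediate) and falls back to db for anything else, which is enough to tell whether the data in a global atom is code rather than a window-class or property name. atom_looks_like_code is the heuristic one would run over GlobalGetAtomName output on a Windows host; REPORT_ATOM is the report's atom, hex-decoded, and the benign comparison string is taken from the Shell_TrayWnd memory strings elsewhere on this page.

```python
"""Decode a prologue-sized slice of x86-64 and decide whether an atom's data looks like injected code."""

REG64 = ["rax", "rcx", "rdx", "rbx", "rsp", "rbp", "rsi", "rdi",
         "r8", "r9", "r10", "r11", "r12", "r13", "r14", "r15"]
CALLEE_SAVED = {"rbp", "rbx", "rsi", "rdi", "r12", "r13", "r14", "r15"}


def disasm_prologue(code: bytes) -> list:
    """Decode push r64, lea r64,[base+disp8] and sub r64,imm32 in 64-bit mode; everything else becomes db."""
    out, i = [], 0
    while i < len(code):
        rex = 0
        if 0x40 <= code[i] <= 0x4F:            # REX prefix: W=bit3, R=bit2, B=bit0
            rex, i = code[i], i + 1
            if i >= len(code):
                out.append("db %#04x (dangling REX)" % rex)
                break
        rex_w, rex_r, rex_b = bool(rex & 8), bool(rex & 4), bool(rex & 1)
        op = code[i]
        if 0x50 <= op <= 0x57:                 # 50+rd: push r64, REX.B selects r8-r15
            out.append("push " + REG64[(op - 0x50) + 8 * rex_b])
            i += 1
        elif (rex_w and op == 0x8D and i + 3 < len(code)
              and (code[i + 1] & 0xC7) == 0x44 and ((code[i + 2] >> 3) & 7) == 4):
            # 8D /r with mod=01, rm=100 (SIB follows), no index register, 8-bit displacement
            modrm, sib, disp = code[i + 1], code[i + 2], code[i + 3]
            reg = REG64[((modrm >> 3) & 7) + 8 * rex_r]
            base = REG64[(sib & 7) + 8 * rex_b]
            disp = disp - 256 if disp >= 128 else disp
            out.append("lea %s, [%s%+#x]" % (reg, base, disp))
            i += 4
        elif rex_w and op == 0x81 and i + 1 < len(code) and (code[i + 1] & 0xF8) == 0xE8:
            # 81 /5 with mod=11: sub r64, imm32. An atom string stops at its first NUL byte, so the
            # immediate may be cut short; decode what is there and say so.
            rm = REG64[(code[i + 1] & 7) + 8 * rex_b]
            imm = code[i + 2:i + 6]
            val = int.from_bytes(imm.ljust(4, b"\0"), "little")
            note = "" if len(imm) == 4 else " (imm32 truncated after %d byte%s)" % (len(imm), "" if len(imm) == 1 else "s")
            out.append("sub %s, %#x%s" % (rm, val, note))
            i += 2 + len(imm)
        else:
            out.append("db %#04x" % op)
            i += 1
    return out


def atom_looks_like_code(atom: bytes) -> bool:
    """True when the data starts by saving a callee-saved register and later reserves stack space:
    the shape of a compiled function entry, not of any legitimate atom name."""
    listing = disasm_prologue(atom)
    if not listing:
        return False
    first = listing[0].split()
    starts_with_save = first[0] == "push" and first[1] in CALLEE_SAVED
    return starts_with_save and any(line.startswith("sub rsp,") for line in listing)


# The atom recorded by the sandbox, as GlobalGetAtomName would return it (hex-decoded here for the demo).
REPORT_ATOM = bytes.fromhex("405553565741544156488D6C24D14881EC98")

if __name__ == "__main__":
    for line in disasm_prologue(REPORT_ATOM):
        print(line)
    print("looks like code:", atom_looks_like_code(REPORT_ATOM))
```

The heuristic deliberately keys on the prologue shape rather than on specific bytes: a push of a callee-saved register followed by a stack reservation is what any compiler emits at a function entry, while no legitimate atom (window class names, clipboard formats, DDE strings) begins with 0x40-0x57 bytes that decode that way.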
            Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\K7dGM0P0yz.dll',#1
            Source: C:\Users\user\AppData\Local\hIiDwtvg\GamePanel.exe | Code function: 37_2_00007FF66A308CAC mouse_event,SetForegroundWindow,
            Source: C:\Users\user\AppData\Local\5HTUnLvL\bdechangepin.exe | Code function: 16_2_00007FF63698459C memset,RpcStringBindingComposeW,RpcBindingFromStringBindingW,AllocateAndInitializeSid,GetLastError,RpcBindingSetAuthInfoExW,RpcStringFreeW,FreeSid,RpcBindingFree,
            Source: explorer.exe, 00000005.00000000.700623963.0000000000AD8000.00000004.00000020.sdmp | Binary or memory string: ProgmanMD6
            Source: explorer.exe, 00000005.00000000.683152480.0000000001080000.00000002.00020000.sdmp | Binary or memory string: Program Manager
            Source: explorer.exe, 00000005.00000000.687657205.0000000005E50000.00000004.00000001.sdmp, rdpinit.exe | Binary or memory string: Shell_TrayWnd
            Source: explorer.exe, 00000005.00000000.683152480.0000000001080000.00000002.00020000.sdmp | Binary or memory string: Progman
            Source: rdpinit.exe, 00000014.00000000.791152367.00007FF6CE1FE000.00000002.00020000.sdmp | Binary or memory string: Initialize failedDwmpGetColorizationParameters failedDwmpSetColorizationParametersCRdpTrayTaskbarCreatedShell_TrayWndRdptrayTSCreateAppbarTrayFN failedTSCreateShellNotifyTrayFN failedTSCreateTaskbarTrayFn failedTSCreateWindowCloakingTracker failedFailed g_RailOrderEncoder.InitializeFailed g_RailOrderEncoder.StartUpdating max icon size for the tray icon failed.m_spAppBarTrayFnm_spWindowCloakingTrackerRemoveWindow failedRemoveDestroyedWindows failed~/
            Source: explorer.exe, 00000005.00000000.683152480.0000000001080000.00000002.00020000.sdmp | Binary or memory string: Progmanlock
            Source: explorer.exe, 00000005.00000000.675563745.000000000A716000.00000004.00000001.sdmp | Binary or memory string: Shell_TrayWnd5D
            Source: C:\Windows\System32\loaddll64.exe | Queries volume information: unknown VolumeInformation
            Source: C:\Windows\System32\rundll32.exe | Queries volume information: unknown VolumeInformation
            Source: C:\Users\user\AppData\Local\5HTUnLvL\bdechangepin.exe | Queries volume information: unknown VolumeInformation
            Source: C:\Users\user\AppData\Local\hJetkV\rdpinit.exe | Queries volume information: unknown VolumeInformation
            Source: C:\Users\user\AppData\Local\YRu8\wlrmdr.exe | Queries volume information: unknown VolumeInformation
            Source: C:\Users\user\AppData\Local\I0o\rdpclip.exe | Queries volume information: unknown VolumeInformation
            Source: C:\Users\user\AppData\Local\eF0\AgentService.exe | Queries volume information: unknown VolumeInformation
            Source: C:\Users\user\AppData\Local\Fox\dccw.exe | Queries volume information: unknown VolumeInformation
            Source: C:\Users\user\AppData\Local\rdM8VQT\dpapimig.exe | Queries volume information: unknown VolumeInformation
            Source: C:\Users\user\AppData\Local\hIiDwtvg\GamePanel.exe | Queries volume information: unknown VolumeInformation
            Source: C:\Users\user\AppData\Local\hIiDwtvg\GamePanel.exe | Code function: _o__Getdays,_o_free,_o_calloc,_o__Getmonths,_o_free,_o_calloc,_o_calloc,_o____lc_locale_name_func,GetLocaleInfoEx,Concurrency::cancel_current_task,Concurrency::cancel_current_task,Concurrency::cancel_current_task,
            Source: C:\Users\user\AppData\Local\hIiDwtvg\GamePanel.exe | Code function: _o__W_Getdays,_o_free,_o_malloc,memmove,_o_free,_o__W_Getmonths,_o_free,_o_malloc,memmove,_o_free,_o____lc_locale_name_func,GetLocaleInfoEx,
            Source: C:\Users\user\AppData\Local\hIiDwtvg\GamePanel.exe | Code function: _o__Getdays,_o_free,_o__Getmonths,_o_free,_o____lc_locale_name_func,GetLocaleInfoEx,
            Source: C:\Users\user\AppData\Local\hIiDwtvg\GamePanel.exe | Code function: WindowsGetStringRawBuffer,WideCharToMultiByte,WindowsDeleteString,WindowsDuplicateString,WindowsDeleteString,WindowsDuplicateString,GetUserDefaultUILanguage,LCIDToLocaleName,GetLocaleInfoEx,
            Source: C:\Users\user\AppData\Local\hIiDwtvg\GamePanel.exe | Code function: RoInitialize,CoInitializeSecurity,RegisterWindowMessageW,CommandLineToArgvW,wcschr,_o__wcsnicmp,wcsnlen,_o_wcstol,_o__wcsnicmp,_o_wcstol,FindWindowW,GetUserDefaultUILanguage,GetLocaleInfoW,SetProcessDefaultLayout,IsWindow,SetProcessDpiAwareness,PostMessageW,memset,PostQuitMessage,TranslateAcceleratorW,TranslateMessage,DispatchMessageW,GetMessageW,EventUnregister,CloseHandle,EventUnregister,UnhookWinEvent,LocalFree,CloseHandle,RoUninitialize,
            Source: C:\Users\user\AppData\Local\I0o\rdpclip.exe | Code function: 27_2_00007FF7B958507C SetupDiGetDeviceRegistryPropertyW,GetLastError,SetupDiGetDevicePropertyW,RegQueryValueExW,DefineDosDeviceW,GetLastError,RegSetValueExW,GetLastError,
            Source: C:\Windows\System32\loaddll64.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion InstallDate
            Source: C:\Windows\System32\loaddll64.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
            Both registry reads are made from loaddll64.exe, the process in which the submitted DLL itself runs, so unlike the findings on the copied system executables they are the loader's own behaviour. InstallDate and MachineGuid are stable per-host values and the usual inputs for a machine fingerprint.
            Source: C:\Users\user\AppData\Local\5HTUnLvL\bdechangepin.exe | Code function: 16_2_00007FF636987810 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,GetTickCount,QueryPerformanceCounter,
            Source: C:\Users\user\AppData\Local\hJetkV\rdpinit.exe | Code function: 20_2_00007FF6CE1EE34B GetStartupInfoW,GetVersionExW,_FF_MSGBANNER,_FF_MSGBANNER,GetCommandLineA,
            Source: C:\Users\user\AppData\Local\YRu8\wlrmdr.exe | Code function: 24_2_00007FF79A6F1B64 memset,GetModuleHandleW,LoadStringW,LocalAlloc,GetUserNameExW,GetLastError,LocalAlloc,LocalFree,LocalFree,WindowsDeleteString,WindowsDeleteString,GetUserNameExW,wcschr,WindowsCreateString,WindowsDeleteString,WindowsCreateString,WindowsDeleteString,WindowsCreateStringReference,RaiseException,RoGetActivationFactory,WindowsIsStringEmpty,WindowsIsStringEmpty,WindowsCreateStringReference,RaiseException,RoActivateInstance,RaiseException,WindowsCreateStringReference,WindowsCreateStringReference,RaiseException,RoGetActivationFactory,GetSystemTimeAsFileTime,WindowsCreateStringReference,RaiseException,RoGetActivationFactory,WindowsCreateStringReference,RaiseException,
            Source: C:\Users\user\AppData\Local\5HTUnLvL\bdechangepin.exe | Code function: 16_2_00007FF6369847F9 RpcBindingFree,
            Source: C:\Users\user\AppData\Local\5HTUnLvL\bdechangepin.exe | Code function: 16_2_00007FF63698459C memset,RpcStringBindingComposeW,RpcBindingFromStringBindingW,AllocateAndInitializeSid,GetLastError,RpcBindingSetAuthInfoExW,RpcStringFreeW,FreeSid,RpcBindingFree,
            Source: C:\Users\user\AppData\Local\5HTUnLvL\bdechangepin.exe | Code function: 16_2_00007FF636984932 RpcBindingFree,
            Source: C:\Users\user\AppData\Local\5HTUnLvL\bdechangepin.exe | Code function: 16_2_00007FF636984730 NdrClientCall3,RpcBindingFree,
            Source: C:\Users\user\AppData\Local\5HTUnLvL\bdechangepin.exe | Code function: 16_2_00007FF636984868 NdrClientCall3,RpcBindingFree,
            Source: C:\Users\user\AppData\Local\hJetkV\rdpinit.exe | Code function: 20_2_00007FF6CE1E3F90 RpcBindingFree,
            Source: C:\Users\user\AppData\Local\hJetkV\rdpinit.exe | Code function: 20_2_00007FF6CE1E1FE0 GetCurrentProcess,OpenProcessToken,GetLastError,RpcBindingToStringBindingW,RpcStringBindingParseW,GetCurrentProcessId,ProcessIdToSessionId,GetLastError,RpcServerInqBindingHandle,RpcServerInqCallAttributesW,GetLastError,RpcImpersonateClient,GetCurrentThread,OpenThreadToken,GetLastError,GetTokenInformation,GetLastError,GetSidSubAuthority,GetSidSubAuthority,CloseHandle,CloseHandle,LocalFree,LocalFree,RpcRevertToSelf,RpcStringFreeW,RpcStringFreeW,
            Source: C:\Users\user\AppData\Local\hJetkV\rdpinit.exe | Code function: 20_2_00007FF6CE1E3FE0 RpcBindingFree,GetCurrentProcessId,ProcessIdToSessionId,GetLastError,GetLastError,RpcStringBindingComposeW,RpcBindingFromStringBindingW,RpcBindingSetAuthInfoExW,RpcBindingFree,RpcStringFreeW,
            Source: C:\Users\user\AppData\Local\hJetkV\rdpinit.exe | Code function: 20_2_00007FF6CE1CD87C RegisterTraceGuidsW,HeapSetInformation,GetLastError,CreateMutexW,GetLastError,GetLastError,CreateMutexW,GetLastError,GetLastError,CoInitializeEx,GetModuleHandleW,SetProcessShutdownParameters,GetCurrentProcessId,ProcessIdToSessionId,GetLastError,GetLastError,GetSystemMetrics,RpcMgmtWaitServerListen,WTSLogoffSession,CoUninitialize,UnregisterTraceGuids,CloseHandle,
            Source: C:\Users\user\AppData\Local\hJetkV\rdpinit.exe | Code function: 20_2_00007FF6CE1E1DF0 RpcServerUseProtseqEpW,RpcServerRegisterIfEx,RpcServerListen,
            Source: C:\Users\user\AppData\Local\hJetkV\rdpinit.exe | Code function: 20_2_00007FF6CE1E3630 SetPropW,RpcBindingFree,
            Source: C:\Users\user\AppData\Local\YRu8\wlrmdr.exe | Code function: 24_2_00007FF79A6F3578 memset,RpcStringBindingComposeW,RpcBindingFromStringBindingW,RpcStringFreeW,LocalAlloc,CreateWellKnownSid,GetLastError,RpcBindingSetAuthInfoExW,LocalFree,RpcBindingFree,
            Source: C:\Users\user\AppData\Local\YRu8\wlrmdr.exe | Code function: 24_2_00007FF79A6F3020 memset,RpcBindingFree,GetAncestor,EnableWindow,CloseHandle,RpcAsyncInitializeHandle,Ndr64AsyncClientCall,EnableWindow,LocalFree,
            Source: C:\Users\user\AppData\Local\I0o\rdpclip.exe | Code function: 27_2_00007FF7B95A9180 RpcServerUseProtseqEpW,RpcServerRegisterIfEx,RpcServerListen,
            Source: C:\Users\user\AppData\Local\I0o\rdpclip.exe | Code function: 27_2_00007FF7B958B1A4 AllocateAndInitializeSid,GetCurrentProcessId,ProcessIdToSessionId,RpcServerUseProtseqEpW,RpcServerRegisterIfEx,RpcServerListen,CreateEventW,GetLastError,
            Source: C:\Users\user\AppData\Local\I0o\rdpclip.exe | Code function: 27_2_00007FF7B95A64D0 GetCurrentProcessId,ProcessIdToSessionId,GetLastError,GetLastError,RpcServerListen,
            Source: C:\Users\user\AppData\Local\I0o\rdpclip.exe | Code function: 27_2_00007FF7B95A9370 RpcBindingToStringBindingW,RpcStringBindingParseW,GetCurrentProcessId,ProcessIdToSessionId,GetLastError,RpcImpersonateClient,GetCurrentThread,OpenThreadToken,GetLastError,GetTokenInformation,GetLastError,CloseHandle,RpcRevertToSelf,RpcStringFreeW,RpcStringFreeW,
            Source: C:\Users\user\AppData\Local\I0o\rdpclip.exe | Code function: 27_2_00007FF7B958AF50 RpcBindingInqAuthClientW,RpcImpersonateClient,RpcRevertToSelf,

            Mitre Att&ck Matrix

Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
Valid Accounts1 | Native API1 | Application Shimming1 | Application Shimming1 | Disable or Modify Tools1 | Input Capture11 | System Time Discovery1 | Remote Services | Archive Collected Data1 | Exfiltration Over Other Network Medium | Encrypted Channel2 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
Default Accounts | Exploitation for Client Execution1 | Valid Accounts1 | Valid Accounts1 | Deobfuscate/Decode Files or Information1 | LSASS Memory | Peripheral Device Discovery1 | Remote Desktop Protocol | Screen Capture1 | Exfiltration Over Bluetooth | Junk Data | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
Domain Accounts | Command and Scripting Interpreter2 | Windows Service3 | Access Token Manipulation11 | Obfuscated Files or Information3 | Security Account Manager | Account Discovery1 | SMB/Windows Admin Shares | Input Capture11 | Automated Exfiltration | Steganography | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
Local Accounts | Service Execution2 | Logon Script (Mac) | Windows Service3 | Software Packing2 | NTDS | File and Directory Discovery1 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Protocol Impersonation | SIM Card Swap | Carrier Billing Fraud
Cloud Accounts | Cron | Network Logon Script | Process Injection312 | Timestomp1 | LSA Secrets | System Information Discovery45 | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | Manipulate App Store Rankings or Ratings
Replication Through Removable Media | Launchd | Rc.common | Rc.common | Masquerading1 | Cached Domain Credentials | Query Registry2 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | Abuse Accessibility Features
External Remote Services | Scheduled Task | Startup Items | Startup Items | Valid Accounts1 | DCSync | Security Software Discovery41 | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | Data Encrypted for Impact
Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | Virtualization/Sandbox Evasion1 | Proc Filesystem | Virtualization/Sandbox Evasion1 | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | Generate Fraudulent Advertising Revenue
Exploit Public-Facing Application | PowerShell | At (Linux) | At (Linux) | Access Token Manipulation11 | /etc/passwd and /etc/shadow | Process Discovery2 | Software Deployment Tools | Data Staged | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | Web Protocols | Rogue Cellular Base Station | Data Destruction
Supply Chain Compromise | AppleScript | At (Windows) | At (Windows) | Process Injection312 | Network Sniffing | System Owner/User Discovery1 | Taint Shared Content | Local Data Staging | Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol | File Transfer Protocols | Data Encrypted for Impact
Compromise Software Dependencies and Development Tools | Windows Command Shell | Cron | Cron | Rundll321 | Input Capture | Permission Groups Discovery | Replication Through Removable Media | Remote Data Staging | Exfiltration Over Physical Medium | Mail Protocols | Service Stop

            Behavior Graph

Behavior Graph ID: 492437, Sample: K7dGM0P0yz, Startdate: 28/09/2021, Architecture: WINDOWS, Score: 96

Top-level signatures:
• Antivirus detection for dropped file
• Antivirus / Scanner detection for submitted sample
• Multi AV Scanner detection for submitted file
• 2 other signatures

Process tree (as rendered in the graph):
loaddll64.exe (started)
    rundll32.exe (started)
        Signatures: Changes memory attributes in foreign processes to executable or writable; Uses Atom Bombing / ProGate to inject into other processes; Queues an APC in another process (thread injection)
        explorer.exe (injected)
            Dropped: C:\Users\user\AppData\Local\...\WINSTA.dll (PE32+); C:\Users\user\AppData\Local\I0o\dwmapi.dll (PE32+); C:\Users\user\AppData\Local\Fox\dxva2.dll (PE32+); 21 other files (2 malicious)
            Signature: Benign windows process drops PE files
            rdpclip.exe (started)
            bdechangepin.exe (started)
            wlrmdr.exe (started)
            13 other processes
    cmd.exe (started)
        rundll32.exe (started)
    rundll32.exe (started)
    rundll32.exe (started)

            Screenshots

Thumbnails

(screenshot images not included in this export)

            Antivirus, Machine Learning and Genetic Malware Detection

            Initial Sample

Source | Detection | Scanner | Label
K7dGM0P0yz.dll | 62% | Virustotal |
K7dGM0P0yz.dll | 66% | Metadefender |
K7dGM0P0yz.dll | 78% | ReversingLabs | Win64.Infostealer.Dridex
K7dGM0P0yz.dll | 100% | Avira | TR/Crypt.ZPACK.Gen

            Dropped Files

Source | Detection | Scanner | Label
C:\Users\user\AppData\Local\1DwRown1P\VERSION.dll | 100% | Avira | TR/Crypt.ZPACK.Gen
C:\Users\user\AppData\Local\5HTUnLvL\DUI70.dll | 100% | Avira | HEUR/AGEN.1114452
C:\Users\user\AppData\Local\I0o\dwmapi.dll | 100% | Avira | HEUR/AGEN.1114452
C:\Users\user\AppData\Local\vh7jtu\WINSTA.dll | 100% | Avira | TR/Crypt.ZPACK.Gen
C:\Users\user\AppData\Local\Fox\dxva2.dll | 100% | Avira | HEUR/AGEN.1114452
C:\Users\user\AppData\Local\5HTUnLvL\DUI70.dll | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Local\1DwRown1P\wextract.exe | 1% | Virustotal |
C:\Users\user\AppData\Local\1DwRown1P\wextract.exe | 0% | Metadefender |
C:\Users\user\AppData\Local\1DwRown1P\wextract.exe | 0% | ReversingLabs |

            Unpacked PE Files

Source | Detection | Scanner | Label
30.2.AgentService.exe.140000000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
32.2.dccw.exe.140000000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
20.2.rdpinit.exe.140000000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
3.2.rundll32.exe.140000000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
27.2.rdpclip.exe.140000000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
34.2.dpapimig.exe.140000000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
24.2.wlrmdr.exe.140000000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
37.2.GamePanel.exe.140000000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
0.2.loaddll64.exe.140000000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
9.2.rundll32.exe.140000000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
2.2.rundll32.exe.140000000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
16.2.bdechangepin.exe.140000000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
8.2.rundll32.exe.140000000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen

            Domains

            No Antivirus matches

            URLs

Source | Detection | Scanner | Label
https://www.xboxlive.comMBI_SSLhttps://profile.xboxlive.com/users/me/profile/settings?settings=GameD | 0% | Avira URL Cloud | safe

            Domains and IPs

            Contacted Domains

            No contacted domains info

            URLs from Memory and Binaries

Name | Source | Malicious | Antivirus Detection | Reputation
https://mixer.com/api/v1/oauth/xbl/login | GamePanel.exe | false | | high
https://profile.xboxlive.com/users/me/profile/settings?settings=GameDisplayPicRaw | GamePanel.exe | false | | high
https://aka.ms/imrx2o | GamePanel.exe | false | | high
https://mixer.com/_latest/assets/emoticons/%ls.png | GamePanel.exe | false | | high
https://mixer.com/api/v1/users/current | GamePanel.exe | false | | high
https://mixer.com/_latest/assets/emoticons/%ls.pngtitleIdaumIdkglIdprocessNamenametypeIdmultimedia | GamePanel.exe, 00000025.00000000.971116564.00007FF66A317000.00000002.00020000.sdmp | false | | high
https://mixer.com/api/v1/broadcasts/current | GamePanel.exe, GamePanel.exe, 00000025.00000000.971116564.00007FF66A317000.00000002.00020000.sdmp | false | | high
https://mixer.com/%wsWindows.System.Launcher | GamePanel.exe, 00000025.00000000.971116564.00007FF66A317000.00000002.00020000.sdmp | false | | high
https://aka.ms/v5do45 | GamePanel.exe | false | | high
https://mixer.com/api/v1/types/lookup%ws | GamePanel.exe | false | | high
https://MediaData.XboxLive.com/broadcasts/Augmenthttps://MediaData.XboxLive.com/screenshots/Augmenth | GamePanel.exe, 00000025.00000000.971116564.00007FF66A317000.00000002.00020000.sdmp | false | | high
https://aka.ms/wk9ocd | GamePanel.exe, GamePanel.exe, 00000025.00000000.971116564.00007FF66A317000.00000002.00020000.sdmp | false | | high
https://MediaData.XboxLive.com/broadcasts/Augment | GamePanel.exe | false | | high
https://aka.ms/imfx4k | GamePanel.exe | false | | high
https://www.xboxlive.comMBI_SSLhttps://profile.xboxlive.com/users/me/profile/settings?settings=GameD | GamePanel.exe, 00000025.00000000.971116564.00007FF66A317000.00000002.00020000.sdmp | false | Avira URL Cloud: safe | low
https://MediaData.XboxLive.com/gameclips/Augment | GamePanel.exe | false | | high
https://www.xboxlive.com | GamePanel.exe | false | | high
https://mixer.com/api/v1/channels/%d | GamePanel.exe | false | | high
https://mixer.com/api/v1/types/lookup%wshttps://mixer.com/api/v1/channels/%wshttps://mixer.com/api/v | GamePanel.exe, 00000025.00000000.971116564.00007FF66A317000.00000002.00020000.sdmp | false | | high
https://mixer.com/api/v1/channels/%ws | GamePanel.exe | false | | high
https://mixer.com/api/v1/chats/%.0fhttps://mixer.com/api/v1/users/currentBEAM_IMAGEGamesGuide::BeamC | GamePanel.exe, 00000025.00000000.971116564.00007FF66A317000.00000002.00020000.sdmp | false | | high
https://MediaData.XboxLive.com/screenshots/Augment | GamePanel.exe | false | | high
https://mixer.com/api/v1/chats/%.0f | GamePanel.exe | false | | high
https://aka.ms/ifg0es | GamePanel.exe | false | | high
https://mixer.com/%ws | GamePanel.exe | false | | high
https://aka.ms/w5ryqnhttps://aka.ms/imfx4kQUITTING | GamePanel.exe, 00000025.00000000.971116564.00007FF66A317000.00000002.00020000.sdmp | false | | high
https://aka.ms/w5ryqn | GamePanel.exe | false | | high

                                                                Contacted IPs

                                                                No contacted IP infos

                                                                General Information

Joe Sandbox Version: 33.0.0 White Diamond
Analysis ID: 492437
Start date: 28.09.2021
Start time: 17:50:05
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 17m 2s
Hypervisor based Inspection enabled: false
Report type: light
Sample file name: K7dGM0P0yz (renamed file extension from none to dll)
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed: 40
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal96.troj.evad.winDLL@54/25@0/0
EGA Information: Failed
HDC Information:
• Successful, ratio: 13.4% (good quality ratio 10.2%)
• Quality average: 49.7%
• Quality standard deviation: 37.9%
HCA Information: Failed
Cookbook Comments:
• Adjust boot time
• Enable AMSI
• Override analysis time to 240s for rundll32
• Stop behavior analysis, all processes terminated
Warnings:
• Exclude process from analysis (whitelisted): BackgroundTransferHost.exe, backgroundTaskHost.exe, svchost.exe, wuapihost.exe
• Excluded IPs from analysis (whitelisted): 20.50.102.62, 23.211.5.146, 23.211.6.115, 20.82.209.183, 8.248.113.254, 8.248.131.254, 8.253.145.105, 8.248.141.254, 8.248.115.254, 20.54.110.249, 40.112.88.60, 80.67.82.235, 80.67.82.211, 20.82.210.154, 13.107.253.254, 13.107.3.254, 204.79.197.200, 13.107.21.200, 52.113.196.254
• Excluded domains from analysis (whitelisted): storeedgefd.dsx.mp.microsoft.com.edgekey.net.globalredir.akadns.net, fg.download.windowsupdate.com.c.footprint.net, s-ring.msedge.net, store-images.s-microsoft.com-c.edgekey.net, iris-de-prod-azsc-neu-b.northeurope.cloudapp.azure.com, a1449.dscg2.akamai.net, arc.msn.com, storeedgefd.xbetservices.akadns.net, e12564.dspb.akamaiedge.net, teams-9999.teams-msedge.net, consumer-displaycatalogrp-aks2aks-europe.md.mp.microsoft.com.akadns.net, www-bing-com.dual-a-0001.a-msedge.net, arc.trafficmanager.net, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, storeedgefd.dsx.mp.microsoft.com, www.bing.com, iris-de-prod-azsc-neu.northeurope.cloudapp.azure.com, displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, dual-a-0001.a-msedge.net, wu-shim.trafficmanager.net, neu-displaycatalogrp.frontdoor.bigcatalog.commerce.microsoft.com, ris-prod.trafficmanager.net, asf-ris-prod-neu.northeurope.cloudapp.azure.com, ctldl.windowsupdate.com, iris-de-prod-azsc-uks.uksouth.cloudapp.azure.com, storeedgefd.dsx.mp.microsoft.com.edgekey.net, t-ring.msedge.net, s-ring.s-9999.s-msedge.net, ris.api.iris.microsoft.com, t-9999.fb-t-msedge.net, a-0001.a-afdentry.net.trafficmanager.net, store-images.s-microsoft.com, s-9999.s-msedge.net, e16646.dscg.akamaiedge.net, teams-ring.teams-9999.teams-msedge.net, t-ring.t-9999.t-msedge.net, teams-ring.msedge.net, displaycatalog-rp.md.mp.microsoft.com.akadns.net
• Not all processes were analyzed; the report is missing behavior information
• Report creation exceeded maximum time and may have missing behavior and disassembly information.
• Report creation exceeded maximum time and may have missing disassembly code information.
• Report size exceeded maximum capacity and may have missing behavior information.
• Report size exceeded maximum capacity and may have missing disassembly code.
• Report size getting too big, too many NtAllocateVirtualMemory calls found.
• Report size getting too big, too many NtEnumerateKey calls found.

                                                                Simulations

                                                                Behavior and APIs

                                                                No simulations

                                                                Joe Sandbox View / Context

                                                                IPs

                                                                No context

                                                                Domains

                                                                No context

                                                                ASN

                                                                No context

                                                                JA3 Fingerprints

                                                                No context

                                                                Dropped Files

                                                                No context

                                                                Created / dropped Files

C:\Users\user\AppData\Local\1DwRown1P\VERSION.dll
Process: C:\Windows\explorer.exe
File Type: PE32+ executable (DLL) (console) x86-64, for MS Windows
Category: dropped
Size (bytes): 1228800
Entropy (8bit): 5.53691452928469
Encrypted: false
SSDEEP: 12288:6VI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1:nfP7fWsK5z9A+WGAW+V5SB6Ct4bnb
MD5: DF5AED1E7334B5161F7CC73BDE5E762F
SHA1: 6D2D5D355A25AA4DE95A15BD3FE0AF7EEEB30BDB
SHA-256: BB5955DB9B52EFEC9203BFEBB6C7E454DB3BB5467A44CB8C193F886264E0952F
SHA-512: 4AF3794C0FE0E2A93A2809F17927D08A9C089F4B673B06FC9D3F9AACC887AE94C1543F0C1F3B0BEDEA4EF0820E3C61EC64DAC4D7631E4AEE396E93D2B12FACE3
Malicious: true
Antivirus:
• Antivirus: Avira, Detection: 100%
Reputation: unknown
                                                                Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............|...|...|....K.#}...'...}......{}....X.#}....f..|....g..}..*...a|.......}....N..}..*...E}..[.I.E|...'..U}....N.+}..[.K.P|..[.K./}...I.h}..u.Y.k|.......|..W"...|..b.L.t|...|...}......N|..2%...|..Rich.|..............................................................................................................PE..d.%..DN^.........." ................p..........@....................................@lx}..b.............................................+....c..........h.......................$#................................................... ...............................text............................... ..`.rdata...O... ...P... ..............@..@.data....x...p.......p..............@....pdata..,...........................A..@.rsrc...............................@..@.reloc..$#.......0..................@..B.qkm....J....@.......@..............@..@.cvjb...f...
C:\Users\user\AppData\Local\1DwRown1P\wextract.exe
Process: C:\Windows\explorer.exe
File Type: PE32+ executable (GUI) x86-64, for MS Windows
Category: dropped
Size (bytes): 143872
Entropy (8bit): 6.942627183104786
Encrypted: false
SSDEEP: 3072:0BuGag041hcWp1icKAArDZz4N9GhbkUNEk95l:5hudp0yN90vE
MD5: ED93B350C8EEFC442758A00BC3EEDE2D
SHA1: ADD14417939801C555BBBFFAF7388BD13DE2DE42
SHA-256: ABD6D466E30626636D380A3C9FCC0D0B909C450F8EA74D8963881D7C46335CED
SHA-512: 7BA8D1411D9AEE3447494E248005A43F522CA684839FCD4C4592946B12DC4E73B1FF86D8E843B25A73E3F2463955815470304E4F219B36DBC94870BEBF700581
Malicious: false
Antivirus:
• Antivirus: Virustotal, Detection: 1%
• Antivirus: Metadefender, Detection: 0%
• Antivirus: ReversingLabs, Detection: 0%
Reputation: unknown
                                                                Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........e...............`.......`.......`.......`..........,....`.......`0......`......Rich............................PE..d...._.{.........."......r...........w.........@.....................................R....`.......... .......................................................................... .......T............................................... ............................text....q.......r.................. ..`.rdata...".......$...v..............@..@.data...............................@....pdata..............................@..@.rsrc...............................@..@.reloc.. ............0..............@..B................................................................................................................................................................................................................................................................
C:\Users\user\AppData\Local\5HTUnLvL\DUI70.dll
Process: C:\Windows\explorer.exe
File Type: PE32+ executable (DLL) (console) x86-64, for MS Windows
Category: dropped
Size (bytes): 1511424
Entropy (8bit): 5.896383458119775
Encrypted: false
SSDEEP: 12288:yVI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ19EBO:vfP7fWsK5z9A+WGAW+V5SB6Ct4bnb
MD5: EE78A2DF136C664229F3326713DC7EE1
SHA1: 886634C1499AAB4A18515FFB4C4B3E80EF5F07F8
SHA-256: C563D23DBEB6BBC8364A8600B1D69240FCF450AE8107789320AB3A76149B087B
SHA-512: 6173C76A3E5528D9F9430886D5F60CF877D50EA8343C2F37EF39BCA65EC1CE762E3987A26F8BE735424CC987B89E8F9B9004D5C2C9ECF9746C05DF6D995528A0
Malicious: true
Antivirus:
• Antivirus: Avira, Detection: 100%
• Antivirus: Joe Sandbox ML, Detection: 100%
Reputation: unknown
                                                                Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............|...|...|....K.#}...'...}......{}....X.#}....f..|....g..}..*...a|.......}....N..}..*...E}..[.I.E|...'..U}....N.+}..[.K.P|..[.K./}...I.h}..u.Y.k|.......|..W"...|..b.L.t|...|...}......N|..2%...|..Rich.|..............................................................................................................PE..d.%..DN^.........." ................p..........@....................................@lx}..b.............................................dQ...c..........h.......................$#................................................... ...............................text............................... ..`.rdata...O... ...P... ..............@..@.data....x...p.......p..............@....pdata..,...........................A..@.rsrc...............................@..@.reloc..$#.......0..................@..B.qkm....J....@.......@..............@..@.cvjb...f...
                                                                C:\Users\user\AppData\Local\5HTUnLvL\bdechangepin.exe
                                                                Process:C:\Windows\explorer.exe
                                                                File Type:PE32+ executable (GUI) x86-64, for MS Windows
                                                                Category:dropped
                                                                Size (bytes):369664
                                                                Entropy (8bit):6.503464732962775
                                                                Encrypted:false
                                                                SSDEEP:6144:so87gEZlHVxHEVHHHQVb1kHVqHVqHQQbTuTRTHTfTEHVf2XTQT6TITQT+VyW1727:1H+S+
                                                                MD5:013D00A367D851B0EC869F209337754E
                                                                SHA1:240B731FAA42E170511C1D0676B3ADE76712451B
                                                                SHA-256:3D0BFED2F2A17FA8246634FDA7162A1BE56DDB3080519BCEFEAFD69FBC7F2FE1
                                                                SHA-512:BD55925D3EC097FDD713A6847F69005C7B1007DBFAEAAFD02B0B23567F81C5721B4BFAF6A87DB1E94F4D71D6CC5E23AA31C443FD9030BD2D630489E9E7360662
                                                                Malicious:false
                                                                Reputation:unknown
                                                                Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........j..9..9..9.8..9.8..9.8..9.8..9..9..9.8..9.8..9.k9..9.8..9Rich..9........................PE..d...l..`.........."......r...4......0t.........@..........................................`.......... ..................................T...4........@..X....0..|.......................T............................................................................text....q.......r.................. ..`.rdata..v............v..............@..@.data........ ......................@....pdata..|....0......................@..@.rsrc...X....@......................@..@.reloc..............................@..B........................................................................................................................................................................................................................................................
                                                                C:\Users\user\AppData\Local\Fox\dccw.exe
                                                                Process:C:\Windows\explorer.exe
                                                                File Type:PE32+ executable (GUI) x86-64, for MS Windows
                                                                Category:dropped
                                                                Size (bytes):657920
                                                                Entropy (8bit):7.269727423438011
                                                                Encrypted:false
                                                                SSDEEP:12288:Nj8lLdFv9GOhS/IzJqrraq/t2qXy6xdRhMA:l8xdFAGS/EEn/tkI
                                                                MD5:341515B9556F37E623777D1C377BCFAC
                                                                SHA1:B0D81F3BCBEAECDFA77DBACE763A07629B9CC2EB
                                                                SHA-256:47DD54A2FDB59C1FB69EA8610CD83E2434F435C56A5FE62E67D0F98B3101A49D
                                                                SHA-512:3639A898B9C636360700325BA3F7F34346AF2A17628C82F23E68074CEB08014D63F42F05D7758B8D0EC0B872EE7098BC10065D338BAF243837937B9648053249
                                                                Malicious:false
                                                                Reputation:unknown
                                                                Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........D.O.*HO.*HO.*HF..HM.*H .)IL.*H ..I[.*H ./II.*H .+IV.*HO.+H..*H .#Id.*H ..HN.*H .(IN.*HRichO.*H........................PE..d...U.|...........".................0..........@.............................P......$P....`.......... ......................................PV..................x............@.......I..T........................... $.............. %...............................text...Q........................... ..`.rdata...`.......b..................@..@.data................Z..............@....pdata..x............`..............@..@.rsrc................n..............@..@.reloc.......@......................@..B........................................................................................................................................................................................................................................................
                                                                C:\Users\user\AppData\Local\Fox\dxva2.dll
                                                                Process:C:\Windows\explorer.exe
                                                                File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                Category:dropped
                                                                Size (bytes):1228800
                                                                Entropy (8bit):5.542172636035629
                                                                Encrypted:false
                                                                SSDEEP:12288:dVI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1:EfP7fWsK5z9A+WGAW+V5SB6Ct4bnb
                                                                MD5:7F28477F617456F9929FB3541D746401
                                                                SHA1:045763F7973993958B1C2267353544F47DD6E599
                                                                SHA-256:341334FA5B1458456B116C4CE98EE1916AB5DF228214036E2B456F952311CBF4
                                                                SHA-512:E2FEC3F3122698A7214A696C68027CBCDF8C99D5789C15F7FD5B091052E70F1B65D34F16BD33622157412666569C9DC9C139329A7D90518B82A92AA37E4DD30B
                                                                Malicious:true
                                                                Antivirus:
                                                                • Antivirus: Avira, Detection: 100%
                                                                Reputation:unknown
                                                                Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............|...|...|....K.#}...'...}......{}....X.#}....f..|....g..}..*...a|.......}....N..}..*...E}..[.I.E|...'..U}....N.+}..[.K.P|..[.K./}...I.h}..u.Y.k|.......|..W"...|..b.L.t|...|...}......N|..2%...|..Rich.|..............................................................................................................PE..d.%..DN^.........." ................p..........@....................................@lx}..b..................................................c..........h.......................$#................................................... ...............................text............................... ..`.rdata...O... ...P... ..............@..@.data....x...p.......p..............@....pdata..,...........................A..@.rsrc...............................@..@.reloc..$#.......0..................@..B.qkm....J....@.......@..............@..@.cvjb...f...
                                                                C:\Users\user\AppData\Local\I0o\dwmapi.dll
                                                                Process:C:\Windows\explorer.exe
                                                                File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                Category:dropped
                                                                Size (bytes):1228800
                                                                Entropy (8bit):5.543714406979621
                                                                Encrypted:false
                                                                SSDEEP:12288:lVI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1:8fP7fWsK5z9A+WGAW+V5SB6Ct4bnb
                                                                MD5:0818E1DEC9E4CE0B7A3A4FC491BED4AD
                                                                SHA1:DDF3EA43D0476D832810836E97B927CECE6A790E
                                                                SHA-256:ABEA917358081962151976C8452C1CC9DDEB31AB7DAAF984CF0E3D0EACAC9451
                                                                SHA-512:01FE9B3C732CE2B894DB133BB90B0CA67BCDC566D6D112E2699EA30F1DE5227571AD8427D55A2D73EFB4CBDB75AB167E6E02DF441E83B1D917D8B1962E63BACC
                                                                Malicious:true
                                                                Antivirus:
                                                                • Antivirus: Avira, Detection: 100%
                                                                Reputation:unknown
                                                                Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............|...|...|....K.#}...'...}......{}....X.#}....f..|....g..}..*...a|.......}....N..}..*...E}..[.I.E|...'..U}....N.+}..[.K.P|..[.K./}...I.h}..u.Y.k|.......|..W"...|..b.L.t|...|...}......N|..2%...|..Rich.|..............................................................................................................PE..d.%..DN^.........." ................p..........@....................................@lx}..b.............................................&....c..........h.......................$#................................................... ...............................text............................... ..`.rdata...O... ...P... ..............@..@.data....x...p.......p..............@....pdata..,...........................A..@.rsrc...............................@..@.reloc..$#.......0..................@..B.qkm....J....@.......@..............@..@.cvjb...f...
                                                                C:\Users\user\AppData\Local\I0o\rdpclip.exe
                                                                Process:C:\Windows\explorer.exe
                                                                File Type:PE32+ executable (GUI) x86-64, for MS Windows
                                                                Category:dropped
                                                                Size (bytes):417280
                                                                Entropy (8bit):6.35897604208479
                                                                Encrypted:false
                                                                SSDEEP:12288:gchwbB56CegxMQkCUWtz4vlMqTLMCPSZ4jxALjK+5zBQ:ZwbB56MxMQkCUWtz4vlMqHtDjxALz
                                                                MD5:1690E3004F712C75A2C9FF6BCDE49461
                                                                SHA1:306498E9A9F1C6B2813DAD7CDCD8433139201794
                                                                SHA-256:10675ECAC736BF3FA5175330EF22D3F1E252A698072C58CBA3DE0A208E751FB2
                                                                SHA-512:1783E724B83C02647E79D3591839F85868393464542854855F1F42C4E142A5846EBF71343FE2B9284A61FD42C471886FF058E7956A434A0F4938C267C2ED676C
                                                                Malicious:false
                                                                Reputation:unknown
                                                                Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........q...........h(.....t......t......t......t.............t.......tD.....t.....Rich............PE..d....v5..........."............................@....................................v.....`.......... ......................................p...|.......(........*..................@...T....................;..(....:...............;...............................text............................... ..`.rdata..............................@..@.data....Y...0......................@....pdata...*.......,..................@..@.rsrc...(............D..............@..@.reloc...............T..............@..B........................................................................................................................................................................................................................................................................
                                                                C:\Users\user\AppData\Local\YRu8\DUI70.dll
                                                                Process:C:\Windows\explorer.exe
                                                                File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                Category:dropped
                                                                Size (bytes):1511424
                                                                Entropy (8bit):5.896660376124476
                                                                Encrypted:false
                                                                SSDEEP:12288:LVI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1IsO:KfP7fWsK5z9A+WGAW+V5SB6Ct4bnb
                                                                MD5:3F27811A36A5760C80B6B666978726B7
                                                                SHA1:D00C621692F2B080DFEEE144CD44B93FA030D502
                                                                SHA-256:982771F1FD4E745E1F29EF571F364EF7A693DAB2460E5FE11068E1F35793AE10
                                                                SHA-512:04E1DB29A2E6552EB1A2838CAA2E29E8DBC7B4BB609085AD2153843172C341B1CF1335E112AACCD352B0827C1BA08B69C018CC739D45BBA5C1BDC03F24D19B6D
                                                                Malicious:false
                                                                Reputation:unknown
                                                                Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............|...|...|....K.#}...'...}......{}....X.#}....f..|....g..}..*...a|.......}....N..}..*...E}..[.I.E|...'..U}....N.+}..[.K.P|..[.K./}...I.h}..u.Y.k|.......|..W"...|..b.L.t|...|...}......N|..2%...|..Rich.|..............................................................................................................PE..d.%..DN^.........." ................p..........@....................................@lx}..b.............................................dQ...c..........h.......................$#................................................... ...............................text............................... ..`.rdata...O... ...P... ..............@..@.data....x...p.......p..............@....pdata..,...........................A..@.rsrc...............................@..@.reloc..$#.......0..................@..B.qkm....J....@.......@..............@..@.cvjb...f...
                                                                C:\Users\user\AppData\Local\YRu8\wlrmdr.exe
                                                                Process:C:\Windows\explorer.exe
                                                                File Type:PE32+ executable (GUI) x86-64, for MS Windows
                                                                Category:dropped
                                                                Size (bytes):65704
                                                                Entropy (8bit):5.834154867756865
                                                                Encrypted:false
                                                                SSDEEP:1536:B14+6gGQ7ubZiQ+KytHIyObsvqr9PxDt8PcPs:QgGIu1iFtHJLu9ZDt8kU
                                                                MD5:4849E997AF1274DD145672A2F9BC0827
                                                                SHA1:D24E9C6079A20D1AED8C1C409C3FC8E1C63628F3
                                                                SHA-256:B43FC043A61BDBCF290929666A62959C8AD2C8C121C7A3F36436D61BBD011C9D
                                                                SHA-512:FB9227F0B758496DE1F1D7CEB3B7A5E847C6846ADD360754CFB900358A71422994C4904333AD51852DC169113ACE4FF3349520C816E7EE796E0FBE6106255AEF
                                                                Malicious:false
                                                                Reputation:unknown
                                                                Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........j.s... ... ... .s\ ... .o.!... .o.!... .o.!... .o.!... ... t.. .o.!... .o0 ... .o.!... Rich... ........PE..d....2............"......4...........:.........@.............................@......b................P..................................................xg...............$...0.......y..T............................f...............g..x............................text....3.......4.................. ..`.imrsiv......P...........................rdata..J2...`...4...8..............@..@.data...h............l..............@....pdata...............n..............@..@.rsrc...xg.......h...r..............@..@.reloc.......0......................@..B................................................................................................................................................................................................................................
                                                                C:\Users\user\AppData\Local\eF0\AgentService.exe
                                                                Process:C:\Windows\explorer.exe
                                                                File Type:PE32+ executable (GUI) x86-64, for MS Windows
                                                                Category:dropped
                                                                Size (bytes):1189376
                                                                Entropy (8bit):6.169931271903684
                                                                Encrypted:false
                                                                SSDEEP:24576:+pL4Q4y94x7ZWe6b1B5I2M62kM0s1vt2txc/viVO1IORNfLc:uL4Q3S9b6b1UA9MPwOR5c
                                                                MD5:F7E36C20DB953DFF4FDDB817904C0E48
                                                                SHA1:8C6117B5DD68D397FD7C32F4746FB9B353D5DAE5
                                                                SHA-256:2C5EDE0807D8A5EC4B6E0FE0C308B37DBBDE12714FD9ADC4CE3EF4E0A5692207
                                                                SHA-512:32333A33DECD1AF0915FFDC48DA99831DA345010A91630C5245F2548939E33157F6151F596C09D0BEEAC3F15F08F79D4EEF4FAA4158BA023DEDFC4F6F6F56DF8
                                                                Malicious:false
                                                                Reputation:unknown
                                                                Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........:K..[%M.[%M.[%M.?&L.[%M.? L.[%M.?!L.[%M.?$L.[%M.[$M.Z%M.?,L.[%M.?.M.[%M.?'L.[%MRich.[%M........................PE..d...m.>l.........."..........B.................@.....................................=....`.......... ...............................................P.. ........x...........`..`...p-..T...................pI..(...pH...............I...............................text...L........................... ..`.rdata..| ......."..................@..@.data...@....@...r..."..............@....pdata...x.......z..................@..@.rsrc... ....P......................@..@.reloc..`....`......................@..B................................................................................................................................................................................................................................................................
                                                                C:\Users\user\AppData\Local\eF0\VERSION.dll
                                                                Process:C:\Windows\explorer.exe
                                                                File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                Category:dropped
                                                                Size (bytes):1228800
                                                                Entropy (8bit):5.536934052743529
                                                                Encrypted:false
                                                                SSDEEP:12288:8VI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1:JfP7fWsK5z9A+WGAW+V5SB6Ct4bnb
                                                                MD5:219B93338FA30EB02E7451F508CFA0B1
                                                                SHA1:6BBA18D636CAE803886B79067C411C03444E7592
                                                                SHA-256:35C8F18CCB9FCE67FDD3B66656106C2009A173DE3D369B1242DFB33E76835E90
                                                                SHA-512:E5039FC22455C5107C9F70C2669A2B004930263D08F852BE77AD91C3C8362C967D215434730930D074A96CC8C0C80A21AF1C8FA9982CD8E061DE5E36E62B47B8
                                                                Malicious:false
                                                                Reputation:unknown
                                                                Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............|...|...|....K.#}...'...}......{}....X.#}....f..|....g..}..*...a|.......}....N..}..*...E}..[.I.E|...'..U}....N.+}..[.K.P|..[.K./}...I.h}..u.Y.k|.......|..W"...|..b.L.t|...|...}......N|..2%...|..Rich.|..............................................................................................................PE..d.%..DN^.........." ................p..........@....................................@lx}..b.............................................+....c..........h.......................$#................................................... ...............................text............................... ..`.rdata...O... ...P... ..............@..@.data....x...p.......p..............@....pdata..,...........................A..@.rsrc...............................@..@.reloc..$#.......0..................@..B.qkm....J....@.......@..............@..@.cvjb...f...
                                                                C:\Users\user\AppData\Local\exotc\DUI70.dll
                                                                Process:C:\Windows\explorer.exe
                                                                File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                Category:dropped
                                                                Size (bytes):1511424
                                                                Entropy (8bit):5.896421125435813
                                                                Encrypted:false
                                                                SSDEEP:12288:0VI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1RlO:xfP7fWsK5z9A+WGAW+V5SB6Ct4bnb
                                                                MD5:B912502E1D3911B150786E6C32B98EAC
                                                                SHA1:12A12E5E06C930F06FA21D33112811F84C2FB8F9
                                                                SHA-256:83BECCAB2D4301D50C24E8589DEDFA1A399E3793C1FAAB7C653634B19B237922
                                                                SHA-512:9D5CAC7A3ED29F165BCEA8BEE5C1D9B0EF88E7D925C8A8356F24F092D75081C4502836CFD275854A168684B6F07D7E0782C520B968287F150B8C7D0D38C286E5
                                                                Malicious:false
                                                                Reputation:unknown
                                                                Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............|...|...|....K.#}...'...}......{}....X.#}....f..|....g..}..*...a|.......}....N..}..*...E}..[.I.E|...'..U}....N.+}..[.K.P|..[.K./}...I.h}..u.Y.k|.......|..W"...|..b.L.t|...|...}......N|..2%...|..Rich.|..............................................................................................................PE..d.%..DN^.........." ................p..........@....................................@lx}..b.............................................dQ...c..........h.......................$#................................................... ...............................text............................... ..`.rdata...O... ...P... ..............@..@.data....x...p.......p..............@....pdata..,...........................A..@.rsrc...............................@..@.reloc..$#.......0..................@..B.qkm....J....@.......@..............@..@.cvjb...f...
                                                                C:\Users\user\AppData\Local\exotc\osk.exe
                                                                Process:C:\Windows\explorer.exe
                                                                File Type:PE32+ executable (GUI) x86-64, for MS Windows
                                                                Category:dropped
                                                                Size (bytes):622592
                                                                Entropy (8bit):5.333446181330722
                                                                Encrypted:false
                                                                SSDEEP:6144:ejoj2QDVJc1OcvH3AdKy9HGeofJgDEvr6slnCUGw/xIRLtxIRLuovZ:koj2UjmNwzaoo
                                                                MD5:88B09DE7D0DF1D2E9BCA9BAE1346CB23
                                                                SHA1:83EEE4D2BF315730666763D7FA36A584224CA7EC
                                                                SHA-256:7AC4B734A31AC4C29CCC53B7433773911CA46E1063A8B0F033AB9027D3427342
                                                                SHA-512:38DD3F5A9C60D242AD9BECE1407CBB007ED8A50A1844B9A4378ADB17AAAF0FEDB6A9D1E04642D49560717958A12E668A9A3CDD4484BD049509A89AC2EEB9E478
                                                                Malicious:false
                                                                Reputation:unknown
                                                                Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......=L..y-..y-..y-...I..z-...I..`-...I...-...I..\-..y-...,...I..[-...Id.x-...I..x-..Richy-..................PE..d.....%Z.........."......n...........i.........@....................................E.....`.......... ..........................................h....P...U...@..................`.......T...............................................x............................text....m.......n.................. ..`.rdata..............r..............@..@.data........ ......................@....pdata.......@......................@..@.rsrc....U...P...V...(..............@..@.reloc..`............~..............@..B........................................................................................................................................................................................................................................................................
                                                                C:\Users\user\AppData\Local\hIiDwtvg\GamePanel.exe
                                                                Process:C:\Windows\explorer.exe
                                                                File Type:PE32+ executable (GUI) x86-64, for MS Windows
                                                                Category:dropped
                                                                Size (bytes):1292288
                                                                Entropy (8bit):6.159394598062476
                                                                Encrypted:false
                                                                SSDEEP:24576:tg6uRV8QrFa8Zdntp/LEz2INhgITVXTvlHQroF:tgJVbFaqtpDEznyQVjvZQroF
                                                                MD5:4EF330EFAE954723B1F2800C15FDA7EB
                                                                SHA1:3E152C0B10E107926D6A213C882C161D80B836C9
                                                                SHA-256:0494166D4AE6BB7925E4F57BB6DFAC629C95AE9E03DFC925F8232893236BD982
                                                                SHA-512:C122CD7A245EF6A6A7B7DECAB6500BDC11E4C57B8E35F8462CC0615E44E54071E6BF79B69BB8519470ACBAF0D2E62ABC45C38CBF0606261792EDB4A84790EC61
                                                                Malicious:false
                                                                Reputation:unknown
                                                                Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......T.ur.`.!.`.!.`.!...!P`.!... .`.!... .`.!... 4`.!... 9`.!.`.!de.!... .`.!...!.`.!...!.`.!... .`.!Rich.`.!........PE..d................"......H..........0..........@.............................@....................... ...................................................u......`................:..p...T....................@..(...pp..............8@..H... ...@....................text....F.......H.................. ..`.imrsiv......`...........................rdata......p.......L..............@..@.data...............................@....pdata..`............~..............@..@.didat.......p......................@....rsrc....u.......v..................@..@.reloc...:.......<...|..............@..B................................................................................................................................................................................
                                                                C:\Users\user\AppData\Local\hIiDwtvg\dwmapi.dll
                                                                Process:C:\Windows\explorer.exe
                                                                File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                Category:dropped
                                                                Size (bytes):1228800
                                                                Entropy (8bit):5.543680531167794
                                                                Encrypted:false
                                                                SSDEEP:12288:9VI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1:kfP7fWsK5z9A+WGAW+V5SB6Ct4bnb
                                                                MD5:000F0121D8502FB399215991CBE04E33
                                                                SHA1:4AFC45A9A8550F5F38E3181EB07909FC0CF0EA42
                                                                SHA-256:9EACC38B33ED6655A84D208A4778AF869CB506983FF9D93060D005A5A1077598
                                                                SHA-512:55909517C46141816AABF9BF3EBBA9E85D5F0AB4F07A16E3538DB0450BE52B59DA92AF3C319EF599FB3857A001A8BECFEDF967178604F43BEA5CB2EFBE916D59
                                                                Malicious:false
                                                                Reputation:unknown
                                                                C:\Users\user\AppData\Local\hJetkV\dwmapi.dll
                                                                Process:C:\Windows\explorer.exe
                                                                File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                Category:dropped
                                                                Size (bytes):1228800
                                                                Entropy (8bit):5.543687120385596
                                                                Encrypted:false
                                                                SSDEEP:12288:OVI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1:TfP7fWsK5z9A+WGAW+V5SB6Ct4bnb
                                                                MD5:37AB4714A1A9BE575D9EE2137ECE608B
                                                                SHA1:B7ECAD662ABAD3A2BCE683C956F17ABC23768581
                                                                SHA-256:36BB67D5D7B0F3610578F45D3262BF6E4BAF8F7FF48EB7A019D84EA8885E996E
                                                                SHA-512:12C5CA5E762FE63C6A66D5F45A4234A0E1CED08A768EBCB24B0ED82A4B28AD707D50D721C666DB80A6F225DB4ACCC57478082A319480A4C082BDA376FD78D287
                                                                Malicious:false
                                                                Reputation:unknown
                                                                C:\Users\user\AppData\Local\hJetkV\rdpinit.exe
                                                                Process:C:\Windows\explorer.exe
                                                                File Type:PE32+ executable (GUI) x86-64, for MS Windows
                                                                Category:dropped
                                                                Size (bytes):327168
                                                                Entropy (8bit):6.414070673036673
                                                                Encrypted:false
                                                                SSDEEP:6144:fOzsB7eGjsO+VxyQ/qY4gCJkxkVPXqdzVxNwK3S3drxhUS4eMZfCZc/o:fOzsB7eGjb+VxynJkxkZ6dzV63drxhlF
                                                                MD5:EF7C9CF6EA5B8B9C5C8320990714C35D
                                                                SHA1:9CBD44DE4761F9383F2E0352035D52B86ECE80C2
                                                                SHA-256:0FD9B6C366E042ED83BFC53C5EA1AAF43F13F53D97F220B5571681BB766C33FA
                                                                SHA-512:C2F5E902DF725BC05F03052042767635689A35226CA1C3436ADF4835C57666B3E815FD386B80517734AC3B71F2FB15E48CE2F6739D669B5F68F4A8989713E8FC
                                                                Malicious:false
                                                                Reputation:unknown
                                                                C:\Users\user\AppData\Local\qe7nfWB\VERSION.dll
                                                                Process:C:\Windows\explorer.exe
                                                                File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                Category:dropped
                                                                Size (bytes):1228800
                                                                Entropy (8bit):5.536953957276552
                                                                Encrypted:false
                                                                SSDEEP:12288:aVI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1:HfP7fWsK5z9A+WGAW+V5SB6Ct4bnb
                                                                MD5:A68FC5717015D2B4DC19B2540F8AE853
                                                                SHA1:9977CB586D84D9CAFA160B5A85A24D69AC90F0F7
                                                                SHA-256:9A6904E378CE6177B4EEE9418A5FB4A819C8DD4BD9B2120D4E9CC8B7AE2BB970
                                                                SHA-512:9727F063DAB4C35D377683095FD1E792DCF6B353CC8F00EF04C8C9FF34096D74DE4BE06356AFD3D4D46B4108100E536F4FB946D93AACE124506F3EA4E4DE7F91
                                                                Malicious:false
                                                                Reputation:unknown
                                                                C:\Users\user\AppData\Local\qe7nfWB\systemreset.exe
                                                                Process:C:\Windows\explorer.exe
                                                                File Type:PE32+ executable (GUI) x86-64, for MS Windows
                                                                Category:dropped
                                                                Size (bytes):506184
                                                                Entropy (8bit):6.340311139921773
                                                                Encrypted:false
                                                                SSDEEP:6144:5el0JVJ8W9WUYEBaH2+8yafsjs3hXx6EfjZTheegL57KUgQGEEEsND0ZCYWh9Aig:UCVRAlEBgKyiv3V2e+X
                                                                MD5:872AE9FE08ED1AA78208678967BE2FEF
                                                                SHA1:846E6D44FBD2A5B9AC53427300B71D82355C712E
                                                                SHA-256:457EA0477CB26432088F4EB910CFFBCBFA597EF65D63E9DB9109ED8529C902D4
                                                                SHA-512:5235DEC4BA556975B07B22729D1ECB0FB513D15D58DB94737B0B8B25AB4C629255B4EA2D8B6854DB53F0E79C3EE7B742850C5C604A0BE04B1C251216A395A427
                                                                Malicious:false
                                                                Reputation:unknown
                                                                C:\Users\user\AppData\Local\rdM8VQT\DUI70.dll
                                                                Process:C:\Windows\explorer.exe
                                                                File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                Category:dropped
                                                                Size (bytes):1511424
                                                                Entropy (8bit):5.896665120315234
                                                                Encrypted:false
                                                                SSDEEP:12288:yVI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1cDO:vfP7fWsK5z9A+WGAW+V5SB6Ct4bnb
                                                                MD5:C4AD4584D4CBBC387737C8EF59DB767A
                                                                SHA1:0AC719E2C31FA65190897EE6A1F4C052834647E8
                                                                SHA-256:08DC291C1867F79B4E24845092D9D8D97ECA19EC7A50436992A00A30FF8A92F5
                                                                SHA-512:5D68EF2434EC9615DF92433DB00A71081F46CD8D0393BA9F2F51F9CDE795233F8C76C40500403A94CAC7C5F44633C1E42151D8628BBC87C141BA4C181D9DEB0C
                                                                Malicious:false
                                                                Reputation:unknown
                                                                C:\Users\user\AppData\Local\rdM8VQT\dpapimig.exe
                                                                Process:C:\Windows\explorer.exe
                                                                File Type:PE32+ executable (GUI) x86-64, for MS Windows
                                                                Category:dropped
                                                                Size (bytes):76800
                                                                Entropy (8bit):5.908989367752963
                                                                Encrypted:false
                                                                SSDEEP:1536:CzbG9gXEurcYIZh800l3uU1HIED1fCbWpygzU:obezur2hrSJj16bE
                                                                MD5:EE7DB7B615B48D8F9F08FAE70CAF46D7
                                                                SHA1:FB5021297FDF24000ADD478164EEC8048871B335
                                                                SHA-256:7999B821F8A673B0528C8F5F72A68A61393BEF78785FC1B4A0B3938D8CDD14B8
                                                                SHA-512:F2292577166A330409813215DD49F2A276739AB51621316FBD418A377F4FD2476E50720A88F3069D16146E5C57DF47B21D800089EE48B28158BCBCFE3B6776AB
                                                                Malicious:false
                                                                Reputation:unknown
                                                                C:\Users\user\AppData\Local\vh7jtu\RdpSaUacHelper.exe
                                                                Process:C:\Windows\explorer.exe
                                                                File Type:PE32+ executable (GUI) x86-64, for MS Windows
                                                                Category:dropped
                                                                Size (bytes):29184
                                                                Entropy (8bit):5.483991269470949
                                                                Encrypted:false
                                                                SSDEEP:384:x1i6wkbsVQCy+MmItEV3DAOnKjXxyWzyWpaTeinj7qHk9FyMWagW:x1TwgsmCRMmIcTRnKbQW/kj7uk2U
                                                                MD5:DA88A7B872B1A52F2465D12CFBA4EDAB
                                                                SHA1:8421C2A12DFF33B827E8A6F942C2C87082D933DB
                                                                SHA-256:6A97CF791352C68EFFEFCBE3BB23357A76D93CB51D08543ED993210C56782627
                                                                SHA-512:CA96D8D423235E013B228D05961ED5AA347D25736F8DFC4C7FEB81BFA5A1193D013CD29AA027E1793D6835E52F6557B3491520D56DE7C09F0165F1D5C8FD9ED8
                                                                Malicious:false
                                                                Reputation:unknown
                                                                C:\Users\user\AppData\Local\vh7jtu\WINSTA.dll
                                                                Process:C:\Windows\explorer.exe
                                                                File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                Category:dropped
                                                                Size (bytes):1232896
                                                                Entropy (8bit):5.5551816370972045
                                                                Encrypted:false
                                                                SSDEEP:12288:AVI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1v:lfP7fWsK5z9A+WGAW+V5SB6Ct4bnb
                                                                MD5:E65B52DA0196CE4DFFEB0EAF2709D358
                                                                SHA1:9B6CF7C801A308E90E5234DAEA3C88F285FBA91D
                                                                SHA-256:E643B94BBD4E5AE7C74339BA091C251096A9FC3D52C792B455422AA46CAB3098
                                                                SHA-512:19F01E0182D21D0D78649989F36BF28A4D67A77D704FCCD2C88379E43E1116E8A08291CBAB95D7A7692BE7EAFAAF14C8141C883EBD8F50B7CC82732C75E854E7
                                                                Malicious:true
                                                                Antivirus:
                                                                • Antivirus: Avira, Detection: 100%
                                                                Reputation:unknown
                                                                C:\Users\user\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-3853321935-2125563209-4053062332-1002\bc49718863ee53e026d805ec372039e9_d06ed635-68f6-4e9a-955c-4899f5f57b9a
                                                                Process:C:\Windows\explorer.exe
                                                                File Type:data
                                                                Category:dropped
                                                                Size (bytes):4442
                                                                Entropy (8bit):5.475959740413491
                                                                Encrypted:false
                                                                SSDEEP:96:j4jGRePj73FEnphe4jGRdreVYD565JoabRZ:05Pjk4H96oa1Z
                                                                MD5:3F9721680F66E36E4A6E8F8943387C63
                                                                SHA1:7295E4A2AA39178F6E45BE13C169C3F46F1E2EAC
                                                                SHA-256:0AD67AE38A272E05DCC1A3C7E10DF68FA2A98E7878F4F17AD6B9F9BE2C31E090
                                                                SHA-512:6F526FBB57DA6725B73AE6B1979BE8D36D2E26D5BB984306DF224679CCDE57DE7C9A1818B8A7215AB74191B154D30084622B787EE9FAEB0B790A6E00DEF7A3FE
                                                                Malicious:false
                                                                Reputation:unknown

                                                                Static File Info

                                                                General

                                                                File type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                Entropy (8bit):5.561077097847572
                                                                TrID:
                                                                • Win64 Dynamic Link Library (generic) (102004/3) 86.43%
                                                                • Win64 Executable (generic) (12005/4) 10.17%
                                                                • Generic Win/DOS Executable (2004/3) 1.70%
                                                                • DOS Executable Generic (2002/1) 1.70%
                                                                • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.01%
                                                                File name:K7dGM0P0yz.dll
                                                                File size:1224704
                                                                MD5:2955d4759afce09a41c1df5b108f0287
                                                                SHA1:11e277c3c987b4119909dd099a5f901e074698e3
                                                                SHA256:97058d4465daae2446886d425d9a8215df518e6845e8a4bedb30acea4e8d2070
                                                                SHA512:1cb1adb483d7652ac7c41fc471612d9ee14415763c753e269645a97917050cf1e144daa679f09714a29b9d00d6234606eed407c9735c0d4bb3bfe12ca9b74a80
                                                                SSDEEP:12288:/VI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1:2fP7fWsK5z9A+WGAW+V5SB6Ct4bnb

                                                                File Icon

                                                                Icon Hash:74f0e4ecccdce0e4

                                                                Static PE Info

                                                                General

                                                                Entrypoint:0x140041070
                                                                Entrypoint Section:.text
                                                                Digitally signed:false
                                                                Imagebase:0x140000000
                                                                Subsystem:windows cui
                                                                Image File Characteristics:EXECUTABLE_IMAGE, DLL, LARGE_ADDRESS_AWARE
                                                                DLL Characteristics:TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA
                                                                Time Stamp:0x5E4E44CC [Thu Feb 20 08:35:24 2020 UTC]
                                                                TLS Callbacks:
                                                                CLR (.Net) Version:
                                                                OS Version Major:5
                                                                OS Version Minor:0
                                                                File Version Major:5
                                                                File Version Minor:0
                                                                Subsystem Version Major:5
                                                                Subsystem Version Minor:0
                                                                Import Hash:6668be91e2c948b183827f040944057f

                                                                Entrypoint Preview

                                                                Instruction
                                                                dec eax
                                                                xor eax, eax
                                                                dec eax
                                                                add eax, 5Ah
                                                                dec eax
                                                                mov dword ptr [00073D82h], ecx
                                                                dec eax
                                                                lea ecx, dword ptr [FFFFECABh]
                                                                dec eax
                                                                mov dword ptr [00073D7Ch], edx
                                                                dec eax
                                                                add eax, ecx
                                                                dec esp
                                                                mov dword ptr [00073D92h], ecx
                                                                dec esp
                                                                mov dword ptr [00073DA3h], ebp
                                                                dec esp
                                                                mov dword ptr [00073D7Ch], eax
                                                                dec esp
                                                                mov dword ptr [00073D85h], edi
                                                                dec esp
                                                                mov dword ptr [00073D86h], esi
                                                                dec esp
                                                                mov dword ptr [00073D8Fh], esp
                                                                dec eax
                                                                mov ecx, eax
                                                                dec eax
                                                                sub ecx, 5Ah
                                                                dec eax
                                                                mov dword ptr [00073D89h], esi
                                                                dec eax
                                                                test eax, eax
                                                                je 00007F237894548Fh
                                                                dec eax
                                                                mov dword ptr [00073D45h], esp
                                                                dec eax
                                                                mov dword ptr [00073D36h], ebp
                                                                dec eax
                                                                mov dword ptr [00073D7Fh], ebx
                                                                dec eax
                                                                mov dword ptr [00073D70h], edi
                                                                dec eax
                                                                test eax, eax
                                                                je 00007F237894546Eh
                                                                jmp ecx
                                                                dec eax
                                                                add edi, ecx
                                                                dec eax
                                                                mov dword ptr [FFFFEC37h], ecx
                                                                dec eax
                                                                xor ecx, eax
                                                                jmp ecx
                                                                retn 0008h
                                                                ud2
                                                                int3
                                                                int3
                                                                int3
                                                                int3
                                                                int3
                                                                int3
                                                                int3
                                                                int3
                                                                int3
                                                                int3
                                                                int3
                                                                int3
                                                                int3
                                                                push ebx
                                                                dec eax
                                                                sub esp, 00000080h
                                                                mov eax, F957B016h
                                                                mov byte ptr [esp+7Fh], 00000037h
                                                                mov edx, dword ptr [esp+78h]
                                                                inc ecx
                                                                mov eax, edx
                                                                inc ecx
                                                                or eax, 5D262B0Ch
                                                                inc esp
                                                                mov dword ptr [esp+78h], eax
                                                                dec eax
                                                                mov dword ptr [eax+eax+00h], 00000000h

                                                                Rich Headers

                                                                Programming Language:
                                                                • [LNK] VS2012 UPD4 build 61030
                                                                • [ASM] VS2013 UPD2 build 30501
                                                                • [ C ] VS2012 UPD2 build 60315
                                                                • [C++] VS2013 UPD4 build 31101
                                                                • [RES] VS2012 UPD3 build 60610
                                                                • [LNK] VS2017 v15.5.4 build 25834
                                                                • [ C ] VS2017 v15.5.4 build 25834
                                                                • [ASM] VS2010 build 30319
                                                                • [EXP] VS2015 UPD1 build 23506
                                                                • [IMP] VS2008 SP1 build 30729
                                                                • [RES] VS2012 UPD4 build 61030
                                                                • [LNK] VS2012 UPD2 build 60315
                                                                • [C++] VS2015 UPD1 build 23506
                                                                • [ C ] VS2013 UPD4 build 31101

                                                                Data Directories

                                                                Name | Virtual Address | Virtual Size | Is in Section
                                                                IMAGE_DIRECTORY_ENTRY_EXPORT | 0x12a010 | 0x9bd | .sow
                                                                IMAGE_DIRECTORY_ENTRY_IMPORT | 0xa6390 | 0xa0 | .rdata
                                                                IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xc0000 | 0x468 | .rsrc
                                                                IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | 
                                                                IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | 
                                                                IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xc1000 | 0x2324 | .reloc
                                                                IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 | 
                                                                IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | 
                                                                IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | 
                                                                IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | 
                                                                IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 | 
                                                                IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | 
                                                                IMAGE_DIRECTORY_ENTRY_IAT | 0x42000 | 0xc0 | .rdata
                                                                IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | 
                                                                IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | 
                                                                IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 | 

                                                                Sections

                                                                Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                                                                .text | 0x1000 | 0x40796 | 0x41000 | False | 0.776085486779 | data | 7.73364605679 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                                                                .rdata | 0x42000 | 0x64fcb | 0x65000 | False | 0.702262047494 | data | 7.86510283498 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                                .data | 0xa7000 | 0x178b8 | 0x18000 | False | 0.0694580078125 | data | 3.31515306295 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
                                                                .pdata | 0xbf000 | 0x12c | 0x1000 | False | 0.06005859375 | PEX Binary Archive | 0.581723022719 | IMAGE_SCN_TYPE_DSECT, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                                .rsrc | 0xc0000 | 0x880 | 0x1000 | False | 0.139892578125 | data | 1.23838501563 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                                .reloc | 0xc1000 | 0x2324 | 0x3000 | False | 0.0498046875 | data | 4.65321444248 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
                                                                .qkm | 0xc4000 | 0x74a | 0x1000 | False | 0.00634765625 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                                .cvjb | 0xc5000 | 0x1e66 | 0x2000 | False | 0.0037841796875 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                                .tlmkv | 0xc7000 | 0xbde | 0x1000 | False | 0.00634765625 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                                .wucsxe | 0xc8000 | 0x45174 | 0x46000 | False | 0.0010498046875 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                                .wnx | 0x10e000 | 0x8fe | 0x1000 | False | 0.00634765625 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                                .weqy | 0x10f000 | 0x8fe | 0x1000 | False | 0.00634765625 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                                .yby | 0x110000 | 0x1278 | 0x2000 | False | 0.0037841796875 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                                .ormx | 0x112000 | 0xbde | 0x1000 | False | 0.00634765625 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                                .dhclu | 0x113000 | 0x23b | 0x1000 | False | 0.00634765625 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                                .xmiul | 0x114000 | 0x23b | 0x1000 | False | 0.00634765625 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                                .tlwcxe | 0x115000 | 0x13e | 0x1000 | False | 0.00634765625 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                                .get | 0x116000 | 0xbde | 0x1000 | False | 0.00634765625 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                                .hzrd | 0x117000 | 0x1124 | 0x2000 | False | 0.0037841796875 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                                .qzu | 0x119000 | 0x736 | 0x1000 | False | 0.00634765625 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                                .nhglos | 0x11a000 | 0x1af | 0x1000 | False | 0.00634765625 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                                .itzo | 0x11b000 | 0x23b | 0x1000 | False | 0.00634765625 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                                .nmsaom | 0x11c000 | 0x23b | 0x1000 | False | 0.00634765625 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                                .mas | 0x11d000 | 0x1af | 0x1000 | False | 0.00634765625 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                                .ldov | 0x11e000 | 0x13e | 0x1000 | False | 0.00634765625 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                                .bwslm | 0x11f000 | 0xbf6 | 0x1000 | False | 0.00634765625 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                                .gfceb | 0x120000 | 0x1f2a | 0x2000 | False | 0.0037841796875 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                                .nojmwb | 0x122000 | 0x13e | 0x1000 | False | 0.00634765625 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                                .naznun | 0x123000 | 0x13e | 0x1000 | False | 0.00634765625 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                                .iyfv | 0x124000 | 0x389 | 0x1000 | False | 0.00634765625 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                                .iqae | 0x125000 | 0xf9 | 0x1000 | False | 0.00634765625 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                                .zco | 0x126000 | 0x23b | 0x1000 | False | 0.00634765625 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                                .kqpcjh | 0x127000 | 0x736 | 0x1000 | False | 0.00634765625 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                                .unbzj | 0x128000 | 0x8fe | 0x1000 | False | 0.00634765625 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                                .tcuit | 0x129000 | 0x3ba | 0x1000 | False | 0.00634765625 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                                .sow | 0x12a000 | 0x9cd | 0x1000 | False | 0.32421875 | data | 4.01791151215 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

                                                                Resources

                                                                Name | RVA | Size | Type | Language | Country
                                                                RT_VERSION | 0xc00a0 | 0x370 | data | English | United States
                                                                RT_MANIFEST | 0xc0410 | 0x56 | ASCII text, with CRLF line terminators | English | United States

                                                                Imports

                                                                DLL | Import
                                                                USER32.dll | LookupIconIdFromDirectoryEx, WaitForInputIdle, GetParent, GetFocus
                                                                SETUPAPI.dll | CM_Get_Resource_Conflict_DetailsW
                                                                KERNEL32.dll | DeleteCriticalSection, DeleteTimerQueue, TerminateJobObject, GetFileInformationByHandle, GetThreadLocale, GetNamedPipeServerProcessId, GetConsoleFontSize
                                                                GDI32.dll | CreateBitmapIndirect, GetPolyFillMode
                                                                CRYPT32.dll | CertGetCTLContextProperty
                                                                ADVAPI32.dll | AddAccessDeniedObjectAce
                                                                SHLWAPI.dll | ChrCmpIW

                                                                Exports

                                                                Name | Ordinal | Address
                                                                BeginBufferedAnimation | 37 | 0x140010604
                                                                BeginBufferedPaint | 38 | 0x140040dbc
                                                                BeginPanningFeedback | 5 | 0x140029098
                                                                BufferedPaintClear | 39 | 0x14003e6d4
                                                                BufferedPaintInit | 40 | 0x14002f964
                                                                BufferedPaintRenderAnimation | 41 | 0x14001ac64
                                                                BufferedPaintSetAlpha | 42 | 0x1400416a0
                                                                BufferedPaintStopAllAnimations | 51 | 0x140021ef8
                                                                BufferedPaintUnInit | 52 | 0x140013340
                                                                CloseThemeData | 53 | 0x1400071d8
                                                                DrawThemeBackground | 54 | 0x140002540
                                                                DrawThemeBackgroundEx | 47 | 0x140008170
                                                                DrawThemeEdge | 55 | 0x140002bec
                                                                DrawThemeIcon | 56 | 0x14004013c
                                                                DrawThemeParentBackground | 57 | 0x1400116a4
                                                                DrawThemeParentBackgroundEx | 58 | 0x140020c0c
                                                                DrawThemeText | 59 | 0x140004e4c
                                                                DrawThemeTextEx | 70 | 0x14003d8e4
                                                                EnableThemeDialogTexture | 71 | 0x140008934
                                                                EnableTheming | 87 | 0x1400184cc
                                                                EndBufferedAnimation | 88 | 0x14001e940
                                                                EndBufferedPaint | 89 | 0x140035d68
                                                                EndPanningFeedback | 6 | 0x14000724c
                                                                GetBufferedPaintBits | 90 | 0x14001c854
                                                                GetBufferedPaintDC | 91 | 0x140035378
                                                                GetBufferedPaintTargetDC | 92 | 0x140038e14
                                                                GetBufferedPaintTargetRect | 93 | 0x1400105a8
                                                                GetCurrentThemeName | 94 | 0x1400183cc
                                                                GetThemeAppProperties | 95 | 0x14001db84
                                                                GetThemeBackgroundContentRect | 96 | 0x140008a34
                                                                GetThemeBackgroundExtent | 97 | 0x1400056f8
                                                                GetThemeBackgroundRegion | 98 | 0x14000ad6c
                                                                GetThemeBitmap | 99 | 0x14003d7a8
                                                                GetThemeBool | 100 | 0x140001954
                                                                GetThemeColor | 101 | 0x14001585c
                                                                GetThemeDocumentationProperty | 102 | 0x140037a84
                                                                GetThemeEnumValue | 103 | 0x14000bf08
                                                                GetThemeFilename | 104 | 0x14000f3dc
                                                                GetThemeFont | 105 | 0x14001390c
                                                                GetThemeInt | 106 | 0x14003a2e8
                                                                GetThemeIntList | 107 | 0x14000ce8c
                                                                GetThemeMargins | 108 | 0x14003704c
                                                                GetThemeMetric | 109 | 0x14003894c
                                                                GetThemePartSize | 110 | 0x140026338
                                                                GetThemePosition | 111 | 0x14001906c
                                                                GetThemePropertyOrigin | 112 | 0x140006c60
                                                                GetThemeRect | 113 | 0x14000ecc4
                                                                GetThemeStream | 114 | 0x140025f68
                                                                GetThemeString | 115 | 0x14000eed0
                                                                GetThemeSysBool | 116 | 0x14000a234
                                                                GetThemeSysColor | 117 | 0x14002f7a4
                                                                GetThemeSysColorBrush | 118 | 0x14002dab0
                                                                GetThemeSysFont | 119 | 0x1400236bc
                                                                GetThemeSysInt | 120 | 0x140037f14
                                                                GetThemeSysSize | 121 | 0x140006e28
                                                                GetThemeSysString | 122 | 0x14001a14c
                                                                GetThemeTextExtent | 123 | 0x140039e5c
                                                                GetThemeTextMetrics | 124 | 0x1400167d8
                                                                GetThemeTransitionDuration | 125 | 0x14000bf60
                                                                GetWindowTheme | 126 | 0x14000ef70
                                                                HitTestThemeBackground | 127 | 0x140019fb0
                                                                IsAppThemed | 128 | 0x1400244d0
                                                                IsCompositionActive | 129 | 0x14002dacc
                                                                IsThemeActive | 130 | 0x14001acd0
                                                                IsThemeBackgroundPartiallyTransparent | 131 | 0x140001130
                                                                IsThemeDialogTextureEnabled | 132 | 0x140030c50
                                                                IsThemePartDefined | 133 | 0x140004240
                                                                OpenThemeData | 134 | 0x14000f430
                                                                OpenThemeDataEx | 61 | 0x140028da4
                                                                SetThemeAppProperties | 135 | 0x1400278c4
                                                                SetWindowTheme | 136 | 0x14000878c
                                                                SetWindowThemeAttribute | 137 | 0x140025128
                                                                ThemeInitApiHook | 138 | 0x14000a640
                                                                UpdatePanningFeedback | 12 | 0x14001de60

                                                                Version Infos

                                                                Description | Data
                                                                LegalCopyright | Microsoft Corporation. All rights reserv
                                                                InternalName | bitsp
                                                                FileVersion | 7.5.7600.16385 (win7_rtm.090713-
                                                                CompanyName | Microsoft Corporati
                                                                ProductName | Microsoft Windows Operating S
                                                                ProductVersion | 6.1.7600
                                                                FileDescription | Background Intellig
                                                                OriginalFilename | kbdy
                                                                Translation | 0x0409 0x04b0

                                                                Possible Origin

                                                                Language of compilation system | Country where language is spoken
                                                                English | United States

                                                                Network Behavior

                                                                Network Port Distribution

                                                                UDP Packets

                                                                Timestamp | Source Port | Dest Port | Source IP | Dest IP

                                                                Code Manipulations

                                                                Statistics

                                                                Behavior


                                                                System Behavior

                                                                General

                                                                Start time:17:51:00
                                                                Start date:28/09/2021
                                                                Path:C:\Windows\System32\loaddll64.exe
                                                                Wow64 process (32bit):false
                                                                Commandline:loaddll64.exe 'C:\Users\user\Desktop\K7dGM0P0yz.dll'
                                                                Imagebase:0x7ff651af0000
                                                                File size:1136128 bytes
                                                                MD5 hash:E0CC9D126C39A9D2FA1CAD5027EBBD18
                                                                Has elevated privileges:true
                                                                Has administrator privileges:true
                                                                Programmed in:C, C++ or other language
                                                                Yara matches:
                                                                • Rule: JoeSecurity_Dridex_2, Description: Yara detected Dridex unpacked file, Source: 00000000.00000002.687667987.0000000140001000.00000020.00020000.sdmp, Author: Joe Security
                                                                Reputation:low

                                                                General

                                                                Start time:17:51:01
                                                                Start date:28/09/2021
                                                                Path:C:\Windows\System32\cmd.exe
                                                                Wow64 process (32bit):false
                                                                Commandline:cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\K7dGM0P0yz.dll',#1
                                                                Imagebase:0x7ff622070000
                                                                File size:273920 bytes
                                                                MD5 hash:4E2ACF4F8A396486AB4268C94A6A245F
                                                                Has elevated privileges:true
                                                                Has administrator privileges:true
                                                                Programmed in:C, C++ or other language
                                                                Reputation:high

                                                                General

                                                                Start time:17:51:01
                                                                Start date:28/09/2021
                                                                Path:C:\Windows\System32\rundll32.exe
                                                                Wow64 process (32bit):false
                                                                Commandline:rundll32.exe C:\Users\user\Desktop\K7dGM0P0yz.dll,BeginBufferedAnimation
                                                                Imagebase:0x7ff733ad0000
                                                                File size:69632 bytes
                                                                MD5 hash:73C519F050C20580F8A62C849D49215A
                                                                Has elevated privileges:true
                                                                Has administrator privileges:true
                                                                Programmed in:C, C++ or other language
                                                                Yara matches:
                                                                • Rule: JoeSecurity_Dridex_2, Description: Yara detected Dridex unpacked file, Source: 00000002.00000002.749176319.0000000140001000.00000020.00020000.sdmp, Author: Joe Security
                                                                Reputation:high

                                                                General

                                                                Start time:17:51:01
                                                                Start date:28/09/2021
                                                                Path:C:\Windows\System32\rundll32.exe
                                                                Wow64 process (32bit):false
                                                                Commandline:rundll32.exe 'C:\Users\user\Desktop\K7dGM0P0yz.dll',#1
                                                                Imagebase:0x7ff733ad0000
                                                                File size:69632 bytes
                                                                MD5 hash:73C519F050C20580F8A62C849D49215A
                                                                Has elevated privileges:true
                                                                Has administrator privileges:true
                                                                Programmed in:C, C++ or other language
                                                                Yara matches:
                                                                • Rule: JoeSecurity_Dridex_2, Description: Yara detected Dridex unpacked file, Source: 00000003.00000002.666466905.0000000140001000.00000020.00020000.sdmp, Author: Joe Security
                                                                Reputation:high

                                                                General

                                                                Start time:17:51:02
                                                                Start date:28/09/2021
                                                                Path:C:\Windows\explorer.exe
                                                                Wow64 process (32bit):false
                                                                Commandline:C:\Windows\Explorer.EXE
                                                                Imagebase:0x7ff6fee60000
                                                                File size:3933184 bytes
                                                                MD5 hash:AD5296B280E8F522A8A897C96BAB0E1D
                                                                Has elevated privileges:true
                                                                Has administrator privileges:true
                                                                Programmed in:C, C++ or other language
                                                                Reputation:high

                                                                General

                                                                Start time:17:51:04
                                                                Start date:28/09/2021
                                                                Path:C:\Windows\System32\rundll32.exe
                                                                Wow64 process (32bit):false
                                                                Commandline:rundll32.exe C:\Users\user\Desktop\K7dGM0P0yz.dll,BeginBufferedPaint
                                                                Imagebase:0x7ff733ad0000
                                                                File size:69632 bytes
                                                                MD5 hash:73C519F050C20580F8A62C849D49215A
                                                                Has elevated privileges:true
                                                                Has administrator privileges:true
                                                                Programmed in:C, C++ or other language
                                                                Yara matches:
                                                                • Rule: JoeSecurity_Dridex_2, Description: Yara detected Dridex unpacked file, Source: 00000008.00000002.674588856.0000000140001000.00000020.00020000.sdmp, Author: Joe Security
                                                                Reputation:high

                                                                General

                                                                Start time:17:51:08
                                                                Start date:28/09/2021
                                                                Path:C:\Windows\System32\rundll32.exe
                                                                Wow64 process (32bit):false
                                                                Commandline:rundll32.exe C:\Users\user\Desktop\K7dGM0P0yz.dll,BeginPanningFeedback
                                                                Imagebase:0x7ff733ad0000
                                                                File size:69632 bytes
                                                                MD5 hash:73C519F050C20580F8A62C849D49215A
                                                                Has elevated privileges:true
                                                                Has administrator privileges:true
                                                                Programmed in:C, C++ or other language
                                                                Yara matches:
                                                                • Rule: JoeSecurity_Dridex_2, Description: Yara detected Dridex unpacked file, Source: 00000009.00000002.681792937.0000000140001000.00000020.00020000.sdmp, Author: Joe Security
                                                                Reputation:high

                                                                General

                                                                Start time:17:51:42
                                                                Start date:28/09/2021
                                                                Path:C:\Windows\System32\bdechangepin.exe
                                                                Wow64 process (32bit):false
                                                                Commandline:C:\Windows\system32\bdechangepin.exe
                                                                Imagebase:0x7ff7b6860000
                                                                File size:369664 bytes
                                                                MD5 hash:013D00A367D851B0EC869F209337754E
                                                                Has elevated privileges:true
                                                                Has administrator privileges:true
                                                                Programmed in:C, C++ or other language

                                                                General

                                                                Start time:17:51:48
                                                                Start date:28/09/2021
                                                                Path:C:\Users\user\AppData\Local\5HTUnLvL\bdechangepin.exe
                                                                Wow64 process (32bit):false
                                                                Commandline:C:\Users\user\AppData\Local\5HTUnLvL\bdechangepin.exe
                                                                Imagebase:0x7ff636980000
                                                                File size:369664 bytes
                                                                MD5 hash:013D00A367D851B0EC869F209337754E
                                                                Has elevated privileges:true
                                                                Has administrator privileges:true
                                                                Programmed in:C, C++ or other language
                                                                Yara matches:
                                                                • Rule: JoeSecurity_Dridex_2, Description: Yara detected Dridex unpacked file, Source: 00000010.00000002.786920888.0000000140001000.00000020.00020000.sdmp, Author: Joe Security

                                                                General

                                                                Start time:17:51:59
                                                                Start date:28/09/2021
                                                                Path:C:\Windows\System32\rdpinit.exe
                                                                Wow64 process (32bit):false
                                                                Commandline:C:\Windows\system32\rdpinit.exe
                                                                Imagebase:0x7ff6103f0000
                                                                File size:327168 bytes
                                                                MD5 hash:EF7C9CF6EA5B8B9C5C8320990714C35D
                                                                Has elevated privileges:true
                                                                Has administrator privileges:true
                                                                Programmed in:C, C++ or other language

                                                                General

                                                                Start time:17:52:00
                                                                Start date:28/09/2021
                                                                Path:C:\Users\user\AppData\Local\hJetkV\rdpinit.exe
                                                                Wow64 process (32bit):false
                                                                Commandline:C:\Users\user\AppData\Local\hJetkV\rdpinit.exe
                                                                Imagebase:0x7ff6ce1c0000
                                                                File size:327168 bytes
                                                                MD5 hash:EF7C9CF6EA5B8B9C5C8320990714C35D
                                                                Has elevated privileges:true
                                                                Has administrator privileges:true
                                                                Programmed in:C, C++ or other language
                                                                Yara matches:
                                                                • Rule: JoeSecurity_Dridex_2, Description: Yara detected Dridex unpacked file, Source: 00000014.00000002.812981764.0000000140001000.00000020.00020000.sdmp, Author: Joe Security

                                                                General

                                                                Start time:17:52:11
                                                                Start date:28/09/2021
                                                                Path:C:\Windows\System32\wlrmdr.exe
                                                                Wow64 process (32bit):false
                                                                Commandline:C:\Windows\system32\wlrmdr.exe
                                                                Imagebase:0x7ff6581f0000
                                                                File size:65704 bytes
                                                                MD5 hash:4849E997AF1274DD145672A2F9BC0827
                                                                Has elevated privileges:true
                                                                Has administrator privileges:true
                                                                Programmed in:C, C++ or other language

                                                                General

                                                                Start time:17:52:16
                                                                Start date:28/09/2021
                                                                Path:C:\Users\user\AppData\Local\YRu8\wlrmdr.exe
                                                                Wow64 process (32bit):false
                                                                Commandline:C:\Users\user\AppData\Local\YRu8\wlrmdr.exe
                                                                Imagebase:0x7ff79a6f0000
                                                                File size:65704 bytes
                                                                MD5 hash:4849E997AF1274DD145672A2F9BC0827
                                                                Has elevated privileges:true
                                                                Has administrator privileges:true
                                                                Programmed in:C, C++ or other language
                                                                Yara matches:
                                                                • Rule: JoeSecurity_Dridex_2, Description: Yara detected Dridex unpacked file, Source: 00000018.00000002.847453673.0000000140001000.00000020.00020000.sdmp, Author: Joe Security

                                                                General

                                                                Start time:17:52:28
                                                                Start date:28/09/2021
                                                                Path:C:\Windows\System32\rdpclip.exe
                                                                Wow64 process (32bit):false
                                                                Commandline:C:\Windows\system32\rdpclip.exe
                                                                Imagebase:0x7ff72f500000
                                                                File size:417280 bytes
                                                                MD5 hash:1690E3004F712C75A2C9FF6BCDE49461
                                                                Has elevated privileges:true
                                                                Has administrator privileges:true
                                                                Programmed in:C, C++ or other language

                                                                General

                                                                Start time:17:52:29
                                                                Start date:28/09/2021
                                                                Path:C:\Users\user\AppData\Local\I0o\rdpclip.exe
                                                                Wow64 process (32bit):false
                                                                Commandline:C:\Users\user\AppData\Local\I0o\rdpclip.exe
                                                                Imagebase:0x7ff7b9580000
                                                                File size:417280 bytes
                                                                MD5 hash:1690E3004F712C75A2C9FF6BCDE49461
                                                                Has elevated privileges:true
                                                                Has administrator privileges:true
                                                                Programmed in:C, C++ or other language
                                                                Yara matches:
                                                                • Rule: JoeSecurity_Dridex_2, Description: Yara detected Dridex unpacked file, Source: 0000001B.00000002.874877392.0000000140001000.00000020.00020000.sdmp, Author: Joe Security

                                                                General

                                                                Start time:17:52:40
                                                                Start date:28/09/2021
                                                                Path:C:\Windows\System32\AgentService.exe
                                                                Wow64 process (32bit):false
                                                                Commandline:C:\Windows\system32\AgentService.exe
                                                                Imagebase:0x7ff7e2c00000
                                                                File size:1189376 bytes
                                                                MD5 hash:F7E36C20DB953DFF4FDDB817904C0E48
                                                                Has elevated privileges:true
                                                                Has administrator privileges:true
                                                                Programmed in:C, C++ or other language

                                                                General

                                                                Start time:17:52:41
                                                                Start date:28/09/2021
                                                                Path:C:\Users\user\AppData\Local\eF0\AgentService.exe
                                                                Wow64 process (32bit):false
                                                                Commandline:C:\Users\user\AppData\Local\eF0\AgentService.exe
                                                                Imagebase:0x7ff71b640000
                                                                File size:1189376 bytes
                                                                MD5 hash:F7E36C20DB953DFF4FDDB817904C0E48
                                                                Has elevated privileges:true
                                                                Has administrator privileges:true
                                                                Programmed in:C, C++ or other language
                                                                Yara matches:
                                                                • Rule: JoeSecurity_Dridex_2, Description: Yara detected Dridex unpacked file, Source: 0000001E.00000002.903179432.0000000140001000.00000020.00020000.sdmp, Author: Joe Security

                                                                General

                                                                Start time:17:52:53
                                                                Start date:28/09/2021
                                                                Path:C:\Windows\System32\dccw.exe
                                                                Wow64 process (32bit):false
                                                                Commandline:C:\Windows\system32\dccw.exe
                                                                Imagebase:0x7ff6a0ee0000
                                                                File size:657920 bytes
                                                                MD5 hash:341515B9556F37E623777D1C377BCFAC
                                                                Has elevated privileges:true
                                                                Has administrator privileges:true
                                                                Programmed in:C, C++ or other language

                                                                General

                                                                Start time:17:52:55
                                                                Start date:28/09/2021
                                                                Path:C:\Users\user\AppData\Local\Fox\dccw.exe
                                                                Wow64 process (32bit):false
                                                                Commandline:C:\Users\user\AppData\Local\Fox\dccw.exe
                                                                Imagebase:0x7ff732050000
                                                                File size:657920 bytes
                                                                MD5 hash:341515B9556F37E623777D1C377BCFAC
                                                                Has elevated privileges:true
                                                                Has administrator privileges:true
                                                                Programmed in:C, C++ or other language
                                                                Yara matches:
                                                                • Rule: JoeSecurity_Dridex_2, Description: Yara detected Dridex unpacked file, Source: 00000020.00000002.931145989.0000000140001000.00000020.00020000.sdmp, Author: Joe Security

                                                                General

                                                                Start time:17:53:06
                                                                Start date:28/09/2021
                                                                Path:C:\Windows\System32\dpapimig.exe
                                                                Wow64 process (32bit):false
                                                                Commandline:C:\Windows\system32\dpapimig.exe
                                                                Imagebase:0x7ff761d30000
                                                                File size:76800 bytes
                                                                MD5 hash:EE7DB7B615B48D8F9F08FAE70CAF46D7
                                                                Has elevated privileges:true
                                                                Has administrator privileges:true
                                                                Programmed in:C, C++ or other language

                                                                General

                                                                Start time:17:53:11
                                                                Start date:28/09/2021
                                                                Path:C:\Users\user\AppData\Local\rdM8VQT\dpapimig.exe
                                                                Wow64 process (32bit):false
                                                                Commandline:C:\Users\user\AppData\Local\rdM8VQT\dpapimig.exe
                                                                Imagebase:0x7ff6312d0000
                                                                File size:76800 bytes
                                                                MD5 hash:EE7DB7B615B48D8F9F08FAE70CAF46D7
                                                                Has elevated privileges:true
                                                                Has administrator privileges:true
                                                                Programmed in:C, C++ or other language
                                                                Yara matches:
                                                                • Rule: JoeSecurity_Dridex_2, Description: Yara detected Dridex unpacked file, Source: 00000022.00000002.965505490.0000000140001000.00000020.00020000.sdmp, Author: Joe Security

                                                                General

                                                                Start time:17:53:23
                                                                Start date:28/09/2021
                                                                Path:C:\Windows\System32\GamePanel.exe
                                                                Wow64 process (32bit):false
                                                                Commandline:C:\Windows\system32\GamePanel.exe
                                                                Imagebase:0x7ff7ded90000
                                                                File size:1292288 bytes
                                                                MD5 hash:4EF330EFAE954723B1F2800C15FDA7EB
                                                                Has elevated privileges:true
                                                                Has administrator privileges:true
                                                                Programmed in:C, C++ or other language

                                                                General

                                                                Start time:17:53:24
                                                                Start date:28/09/2021
                                                                Path:C:\Users\user\AppData\Local\hIiDwtvg\GamePanel.exe
                                                                Wow64 process (32bit):false
                                                                Commandline:C:\Users\user\AppData\Local\hIiDwtvg\GamePanel.exe
                                                                Imagebase:0x7ff66a260000
                                                                File size:1292288 bytes
                                                                MD5 hash:4EF330EFAE954723B1F2800C15FDA7EB
                                                                Has elevated privileges:true
                                                                Has administrator privileges:true
                                                                Programmed in:C, C++ or other language
                                                                Yara matches:
                                                                • Rule: JoeSecurity_Dridex_2, Description: Yara detected Dridex unpacked file, Source: 00000025.00000002.992899569.0000000140001000.00000020.00020000.sdmp, Author: Joe Security

                                                                Disassembly

                                                                Code Analysis