
Windows Analysis Report DC2zX44MQr

Overview

General Information

Sample Name: DC2zX44MQr (renamed file extension from none to dll)
Analysis ID: 492503
MD5: 94f8317b419e9476120b14a29d9b05d2
SHA1: f2b03dd4441f3808468bdbb8b26273cfb41b5298
SHA256: 2f10b593a5e04506d8050ebe39e28619199958a4f4bae0b9f3a1ee2af3d74862
Tags: Dridex, exe

Detection

Dridex
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Yara detected Dridex unpacked file
Multi AV Scanner detection for submitted file
Benign windows process drops PE files
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Changes memory attributes in foreign processes to executable or writable
Machine Learning detection for sample
Queues an APC in another process (thread injection)
Machine Learning detection for dropped file
Uses Atom Bombing / ProGate to inject into other processes
Queries the volume information (name, serial number etc) of a device
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query locales information (e.g. system language)
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
PE file contains sections with non-standard names
Queries the installation date of Windows
Detected potential crypto function
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to call native functions
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to dynamically determine API calls
Found dropped PE file which has not been started or loaded
Uses the system / local time for branch decision (may execute only at specific dates)
Contains functionality which may be used to detect a debugger (GetProcessHeap)
PE file contains executable resources (Code or Archives)
Sample file is different than original file name gathered from version info
PE file contains an invalid checksum
PE file contains strange resources
Drops PE files
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Binary contains a suspicious time stamp
Potential key logger detected (key state polling based)
PE file contains more sections than normal
Uses Microsoft's Enhanced Cryptographic Provider
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Process Tree

  • System is w10x64
  • loaddll64.exe (PID: 6552 cmdline: loaddll64.exe 'C:\Users\user\Desktop\DC2zX44MQr.dll' MD5: E0CC9D126C39A9D2FA1CAD5027EBBD18)
    • cmd.exe (PID: 6576 cmdline: cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\DC2zX44MQr.dll',#1 MD5: 4E2ACF4F8A396486AB4268C94A6A245F)
      • rundll32.exe (PID: 6600 cmdline: rundll32.exe 'C:\Users\user\Desktop\DC2zX44MQr.dll',#1 MD5: 73C519F050C20580F8A62C849D49215A)
    • rundll32.exe (PID: 6584 cmdline: rundll32.exe C:\Users\user\Desktop\DC2zX44MQr.dll,DisplaySYSDMCPL MD5: 73C519F050C20580F8A62C849D49215A)
      • explorer.exe (PID: 3292 cmdline: C:\Windows\Explorer.EXE MD5: AD5296B280E8F522A8A897C96BAB0E1D)
        • DmNotificationBroker.exe (PID: 3476 cmdline: C:\Windows\system32\DmNotificationBroker.exe MD5: 1643D5735213BC89C0012F0E48253765)
        • DmNotificationBroker.exe (PID: 6464 cmdline: C:\Users\user\AppData\Local\EwdQnyo\DmNotificationBroker.exe MD5: 1643D5735213BC89C0012F0E48253765)
        • RdpSa.exe (PID: 4488 cmdline: C:\Windows\system32\RdpSa.exe MD5: 0795B6F790F8E52D55F39E593E9C5BBA)
        • RdpSa.exe (PID: 2152 cmdline: C:\Users\user\AppData\Local\zLYZkwYH\RdpSa.exe MD5: 0795B6F790F8E52D55F39E593E9C5BBA)
        • Utilman.exe (PID: 2884 cmdline: C:\Windows\system32\Utilman.exe MD5: C91CCEF3884CFDE746B4BAEF5F1BC75C)
        • Utilman.exe (PID: 3596 cmdline: C:\Users\user\AppData\Local\KbLvcSLVf\Utilman.exe MD5: C91CCEF3884CFDE746B4BAEF5F1BC75C)
        • EaseOfAccessDialog.exe (PID: 6104 cmdline: C:\Windows\system32\EaseOfAccessDialog.exe MD5: F87F2E5EBF3FFBA39DF1621B5F8689B5)
        • EaseOfAccessDialog.exe (PID: 6128 cmdline: C:\Users\user\AppData\Local\rm4w0\EaseOfAccessDialog.exe MD5: F87F2E5EBF3FFBA39DF1621B5F8689B5)
        • DevicePairingWizard.exe (PID: 5024 cmdline: C:\Windows\system32\DevicePairingWizard.exe MD5: E23643C785D498FF73B5C9D7EA173C3D)
        • DevicePairingWizard.exe (PID: 4804 cmdline: C:\Users\user\AppData\Local\mJLa\DevicePairingWizard.exe MD5: E23643C785D498FF73B5C9D7EA173C3D)
        • wermgr.exe (PID: 4896 cmdline: C:\Windows\system32\wermgr.exe MD5: FF214585BF10206E21EA8EBA202FACFD)
        • wermgr.exe (PID: 5600 cmdline: C:\Users\user\AppData\Local\xlPP\wermgr.exe MD5: FF214585BF10206E21EA8EBA202FACFD)
        • mstsc.exe (PID: 6664 cmdline: C:\Windows\system32\mstsc.exe MD5: 3FBB5CD8829E9533D0FF5819DB0444C0)
        • mstsc.exe (PID: 6636 cmdline: C:\Users\user\AppData\Local\pZCYq8TUy\mstsc.exe MD5: 3FBB5CD8829E9533D0FF5819DB0444C0)
    • rundll32.exe (PID: 6676 cmdline: rundll32.exe C:\Users\user\Desktop\DC2zX44MQr.dll,EditEnvironmentVariables MD5: 73C519F050C20580F8A62C849D49215A)
    • rundll32.exe (PID: 6808 cmdline: rundll32.exe C:\Users\user\Desktop\DC2zX44MQr.dll,EditUserProfiles MD5: 73C519F050C20580F8A62C849D49215A)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000023.00000002.498301124.0000000140001000.00000020.00020000.sdmp | JoeSecurity_Dridex_2 | Yara detected Dridex unpacked file | Joe Security |
00000026.00000002.525725102.0000000140001000.00000020.00020000.sdmp | JoeSecurity_Dridex_2 | Yara detected Dridex unpacked file | Joe Security |
00000003.00000002.252587929.0000000140001000.00000020.00020000.sdmp | JoeSecurity_Dridex_2 | Yara detected Dridex unpacked file | Joe Security |
00000000.00000002.272674434.0000000140001000.00000020.00020000.sdmp | JoeSecurity_Dridex_2 | Yara detected Dridex unpacked file | Joe Security |
00000006.00000002.258809816.0000000140001000.00000020.00020000.sdmp | JoeSecurity_Dridex_2 | Yara detected Dridex unpacked file | Joe Security |

Sigma Overview

No Sigma rule has matched

Jbx Signature Overview

AV Detection:

Multi AV Scanner detection for submitted file
Source: DC2zX44MQr.dll | Virustotal: Detection: 67%
Source: DC2zX44MQr.dll | ReversingLabs: Detection: 80%
Antivirus / Scanner detection for submitted sample
Source: DC2zX44MQr.dll | Avira: detected
Antivirus detection for dropped file
Source: C:\Users\user\AppData\Local\sBx0fm\VERSION.dll | Avira: detection malicious, Label: TR/Crypt.ZPACK.Gen
Source: C:\Users\user\AppData\Local\xlPP\wer.dll | Avira: detection malicious, Label: HEUR/AGEN.1114452
Source: C:\Users\user\AppData\Local\pZCYq8TUy\credui.dll | Avira: detection malicious, Label: HEUR/AGEN.1114452
Source: C:\Users\user\AppData\Local\zLYZkwYH\WINSTA.dll | Avira: detection malicious, Label: TR/Crypt.ZPACK.Gen
Source: C:\Users\user\AppData\Local\EwdQnyo\DUI70.dll | Avira: detection malicious, Label: HEUR/AGEN.1114452
Source: C:\Users\user\AppData\Local\EwdQnyo\DUI70.dll | Avira: detection malicious, Label: HEUR/AGEN.1114452
Source: C:\Users\user\AppData\Local\bQkmObl\WTSAPI32.dll | Avira: detection malicious, Label: TR/Crypt.ZPACK.Gen
Source: C:\Users\user\AppData\Local\EwdQnyo\DUI70.dll | Avira: detection malicious, Label: HEUR/AGEN.1114452
Source: C:\Users\user\AppData\Local\mJLa\MFC42u.dll | Avira: detection malicious, Label: TR/Crypt.ZPACK.Gen
Source: C:\Users\user\AppData\Local\rm4w0\OLEACC.dll | Avira: detection malicious, Label: TR/Crypt.ZPACK.Gen
Machine Learning detection for sample
Source: DC2zX44MQr.dll | Joe Sandbox ML: detected
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Local\sBx0fm\VERSION.dll | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\xlPP\wer.dll | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\pZCYq8TUy\credui.dll | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\zLYZkwYH\WINSTA.dll | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\EwdQnyo\DUI70.dll | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\EwdQnyo\DUI70.dll | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\bQkmObl\WTSAPI32.dll | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\EwdQnyo\DUI70.dll | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\mJLa\MFC42u.dll | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\rm4w0\OLEACC.dll | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\pZCYq8TUy\mstsc.exe | Code function: 40_2_00007FF7A414F52C CryptProtectData,LocalAlloc,LocalFree,
Source: C:\Users\user\AppData\Local\pZCYq8TUy\mstsc.exe | Code function: 40_2_00007FF7A414F8FC CryptBinaryToStringW,LocalAlloc,CryptBinaryToStringW,LocalFree,
Source: DC2zX44MQr.dll | Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA
Source: Binary string: DmNotificationBroker.pdb source: DmNotificationBroker.exe, 00000013.00000002.368362956.00007FF686905000.00000002.00020000.sdmp, DmNotificationBroker.exe.5.dr
Source: Binary string: Utilman.pdb source: Utilman.exe, 0000001C.00000002.436525470.00007FF719850000.00000002.00020000.sdmp, Utilman.exe.5.dr
Source: Binary string: PasswordOnWakeSettingFlyout.pdb source: PasswordOnWakeSettingFlyout.exe.5.dr
Source: Binary string: RdpSa.pdbGCTL source: RdpSa.exe, 00000019.00000002.397262108.00007FF644D58000.00000002.00020000.sdmp, RdpSa.exe.5.dr
Source: Binary string: psr.pdbGCTL source: psr.exe.5.dr
Source: Binary string: EaseOfAccessDialog.pdb source: EaseOfAccessDialog.exe, 00000021.00000002.460475835.00007FF792C3E000.00000002.00020000.sdmp, EaseOfAccessDialog.exe.5.dr
Source: Binary string: RdpSa.pdb source: RdpSa.exe, 00000019.00000002.397262108.00007FF644D58000.00000002.00020000.sdmp, RdpSa.exe.5.dr
Source: Binary string: DmNotificationBroker.pdbGCTL source: DmNotificationBroker.exe, 00000013.00000002.368362956.00007FF686905000.00000002.00020000.sdmp, DmNotificationBroker.exe.5.dr
Source: Binary string: PasswordOnWakeSettingFlyout.pdbGCTL source: PasswordOnWakeSettingFlyout.exe.5.dr
Source: Binary string: EaseOfAccessDialog.pdbGCTL source: EaseOfAccessDialog.exe, 00000021.00000002.460475835.00007FF792C3E000.00000002.00020000.sdmp, EaseOfAccessDialog.exe.5.dr
Source: Binary string: WerMgr.pdb source: wermgr.exe, 00000026.00000000.503200153.00007FF776FB5000.00000002.00020000.sdmp, wermgr.exe.5.dr
Source: Binary string: RDVGHelper.pdbGCTL source: RDVGHelper.exe.5.dr
Source: Binary string: Utilman.pdbGCTL source: Utilman.exe, 0000001C.00000002.436525470.00007FF719850000.00000002.00020000.sdmp, Utilman.exe.5.dr
Source: Binary string: DevicePairingWizard.pdb source: DevicePairingWizard.exe, 00000023.00000000.476451806.00007FF6CB027000.00000002.00020000.sdmp, DevicePairingWizard.exe.5.dr
Source: Binary string: mstsc.pdbGCTL source: mstsc.exe, 00000028.00000000.532448081.00007FF7A41F4000.00000002.00020000.sdmp, mstsc.exe.5.dr
Source: Binary string: mstsc.pdb source: mstsc.exe, 00000028.00000000.532448081.00007FF7A41F4000.00000002.00020000.sdmp, mstsc.exe.5.dr
Source: Binary string: psr.pdb source: psr.exe.5.dr
Source: Binary string: RDVGHelper.pdb source: RDVGHelper.exe.5.dr
Source: Binary string: DevicePairingWizard.pdbGCTL source: DevicePairingWizard.exe, 00000023.00000000.476451806.00007FF6CB027000.00000002.00020000.sdmp, DevicePairingWizard.exe.5.dr
Source: Binary string: WerMgr.pdbGCTL source: wermgr.exe, 00000026.00000000.503200153.00007FF776FB5000.00000002.00020000.sdmp, wermgr.exe.5.dr
Source: C:\Windows\System32\loaddll64.exe | Code function: 0_2_000000014005D290 FindFirstFileExW,
Source: C:\Users\user\AppData\Local\xlPP\wermgr.exe | Code function: 38_2_00007FF776FABE54 GetFileAttributesW,GetLastError,FindFirstFileW,GetLastError,CompareStringW,FindNextFileW,FindClose,FindClose,
Source: C:\Users\user\AppData\Local\xlPP\wermgr.exe | Code function: 38_2_00007FF776FB1BA0 FindFirstFileExW,_wcsicmp,_wcsicmp,FindNextFileW,GetLastError,GetLastError,FindClose,
Source: explorer.exe, 00000005.00000000.301625315.0000000006840000.00000004.00000001.sdmp | String found in binary or memory: http://www.autoitscript.com/autoit3/J
Source: C:\Users\user\AppData\Local\KbLvcSLVf\Utilman.exe | Code function: 28_2_00007FF7198411A0 GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,SendInput,
Source: C:\Users\user\AppData\Local\rm4w0\EaseOfAccessDialog.exe | Code function: 33_2_00007FF792C3956C GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,memset,SendInput,

E-Banking Fraud:

Yara detected Dridex unpacked file
Source: Yara match | File source: 00000023.00000002.498301124.0000000140001000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000026.00000002.525725102.0000000140001000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.252587929.0000000140001000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.272674434.0000000140001000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.258809816.0000000140001000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.330302590.0000000140001000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000002.266253941.0000000140001000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000013.00000002.366691390.0000000140001000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 0000001C.00000002.429090698.0000000140001000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000028.00000002.555665664.0000000140001000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000021.00000002.459149344.0000000140001000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000019.00000002.393120079.0000000140001000.00000020.00020000.sdmp, type: MEMORY
Source: C:\Windows\System32\loaddll64.exe | Code function: 0_2_0000000140034870
Source: C:\Windows\System32\loaddll64.exe | Code function: 0_2_0000000140035270
Source: C:\Windows\System32\loaddll64.exe | Code function: 0_2_0000000140048AC0
Source: C:\Windows\System32\loaddll64.exe | Code function: 0_2_000000014005C340
Source: C:\Windows\System32\loaddll64.exe | Code function: 0_2_0000000140065B80
Source: C:\Windows\System32\loaddll64.exe | Code function: 0_2_000000014006A4B0
Source: C:\Windows\System32\loaddll64.exe | Code function: 0_2_00000001400524B0
Source: C:\Windows\System32\loaddll64.exe | Code function: 0_2_0000000140026CC0
Source: C:\Windows\System32\loaddll64.exe | Code function: 0_2_000000014004BD40
Source: C:\Windows\System32\loaddll64.exe | Code function: 0_2_00000001400495B0
Source: C:\Windows\System32\loaddll64.exe | Code function: 0_2_0000000140036F30
Source: C:\Windows\System32\loaddll64.exe | Code function: 0_2_0000000140069010
Source: C:\Windows\System32\loaddll64.exe | Code function: 0_2_0000000140001010
Source: C:\Windows\System32\loaddll64.exe | Code function: 0_2_0000000140066020
Source: C:\Windows\System32\loaddll64.exe | Code function: 0_2_000000014002F840
Source: C:\Windows\System32\loaddll64.exe | Code function: 0_2_000000014005D850
Source: C:\Windows\System32\loaddll64.exe | Code function: 0_2_0000000140064080
Source: C:\Windows\System32\loaddll64.exe | Code function: 0_2_0000000140010880
Source: C:\Windows\System32\loaddll64.exe | Code function: 0_2_00000001400688A0
Source: C:\Windows\System32\loaddll64.exe | Code function: 0_2_000000014002D0D0
Source: C:\Windows\System32\loaddll64.exe | Code function: 0_2_00000001400018D0
Source: C:\Windows\System32\loaddll64.exe | Code function: 0_2_0000000140016100
Source: C:\Windows\System32\loaddll64.exe | Code function: 0_2_000000014001D100
Source: C:\Windows\System32\loaddll64.exe | Code function: 0_2_000000014002A110
Source: C:\Windows\System32\loaddll64.exe | Code function: 0_2_000000014001D910
Source: C:\Windows\System32\loaddll64.exe | Code function: 0_2_0000000140015120
Source: C:\Windows\System32\loaddll64.exe | Code function: 0_2_000000014000B120
Source: C:\Windows\System32\loaddll64.exe | Code function: 0_2_000000014004F940
Source: C:\Windows\System32\loaddll64.exe | Code function: 0_2_0000000140039140
Source: C:\Windows\System32\loaddll64.exe | Code function: 0_2_0000000140023140
Source: C:\Windows\System32\loaddll64.exe | Code function: 0_2_0000000140057950
Source: C:\Windows\System32\loaddll64.exe | Code function: 0_2_000000014001E170
Source: C:\Windows\System32\loaddll64.exe | Code function: 0_2_0000000140002980
Source: C:\Windows\System32\loaddll64.exe | Code function: 0_2_00000001400611A0
Source: C:\Windows\System32\loaddll64.exe | Code function: 0_2_00000001400389A0
Source: C:\Windows\System32\loaddll64.exe | Code function: 0_2_00000001400381A0
Source: C:\Windows\System32\loaddll64.exe | Code function: 0_2_000000014002E1B0
Source: C:\Windows\System32\loaddll64.exe | Code function: 0_2_00000001400139D0
Source: C:\Windows\System32\loaddll64.exe | Code function: 0_2_00000001400319F0
Source: C:\Windows\System32\loaddll64.exe | Code function: 0_2_000000014002EA00
Source: C:\Windows\System32\loaddll64.exe | Code function: 0_2_0000000140022A00
Source: C:\Windows\System32\loaddll64.exe | Code function: 0_2_000000014003B220
Source: C:\Windows\System32\loaddll64.exe | Code function: 0_2_0000000140067A40
Source: C:\Windows\System32\loaddll64.exe | Code function: 0_2_0000000140069A50
Source: C:\Windows\System32\loaddll64.exe | Code function: 0_2_0000000140007A60
Source: C:\Windows\System32\loaddll64.exe | Code function: 0_2_000000014003AAC0
Source: C:\Windows\System32\loaddll64.exe | Code function: 0_2_000000014003A2E0
Source: C:\Windows\System32\loaddll64.exe | Code function: 0_2_0000000140062B00
Source: C:\Windows\System32\loaddll64.exe | Code function: 0_2_0000000140018300
Source: C:\Windows\System32\loaddll64.exe | Code function: 0_2_000000014002FB20
Source: C:\Windows\System32\loaddll64.exe | Code function: 0_2_0000000140031340
Source: C:\Windows\System32\loaddll64.exe | Code function: 0_2_0000000140022340
Source: C:\Windows\System32\loaddll64.exe | Code function: 0_2_0000000140017B40
Source: C:\Windows\System32\loaddll64.exe | Code function: 0_2_000000014000BB40
Source: C:\Windows\System32\loaddll64.exe | Code function: 0_2_000000014004EB60
Source: C:\Windows\System32\loaddll64.exe | Code function: 0_2_0000000140005370
Source: C:\Windows\System32\loaddll64.exe | Code function: 0_2_000000014002CB80
Source: C:\Windows\System32\loaddll64.exe | Code function: 0_2_000000014006B390
Source: C:\Windows\System32\loaddll64.exe | Code function: 0_2_0000000140054BA0
Source: C:\Windows\System32\loaddll64.exe | Code function: 0_2_0000000140033BB0
Source: C:\Windows\System32\loaddll64.exe | Code function: 0_2_00000001400263C0
Source: C:\Windows\System32\loaddll64.exe | Code function: 0_2_00000001400123C0
Source: C:\Windows\System32\loaddll64.exe | Code function: 0_2_0000000140063BD0
Source: C:\Windows\System32\loaddll64.exe | Code function: 0_2_00000001400663F0
Source: C:\Windows\System32\loaddll64.exe | Code function: 0_2_0000000140023BF0
Source: C:\Windows\System32\loaddll64.exe | Code function: 0_2_000000014006B41B
Source: C:\Windows\System32\loaddll64.exe | Code function: 0_2_000000014006B424
Source: C:\Windows\System32\loaddll64.exe | Code function: 0_2_000000014006B42D
Source: C:\Windows\System32\loaddll64.exe | Code function: 0_2_000000014006B436
Source: C:\Windows\System32\loaddll64.exe | Code function: 0_2_000000014006B43D
Source: C:\Windows\System32\loaddll64.exe | Code function: 0_2_0000000140024440
Source: C:\Windows\System32\loaddll64.exe | Code function: 0_2_0000000140005C40
Source: C:\Windows\System32\loaddll64.exe | Code function: 0_2_000000014006B446
Source: C:\Windows\System32\loaddll64.exe | Code function: 0_2_000000014005F490
Source: C:\Windows\System32\loaddll64.exe | Code function: 0_2_0000000140022D00
Source: C:\Windows\System32\loaddll64.exe | Code function: 0_2_0000000140035520
Source: C:\Windows\System32\loaddll64.exe | Code function: 0_2_0000000140019D20
Source: C:\Windows\System32\loaddll64.exe | Code function: 0_2_0000000140030530
Source: C:\Windows\System32\loaddll64.exe | Code function: 0_2_0000000140023530
Source: C:\Windows\System32\loaddll64.exe | Code function: 0_2_0000000140031540
Source: C:\Windows\System32\loaddll64.exe | Code function: 0_2_0000000140033540
Source: C:\Windows\System32\loaddll64.exe | Code function: 0_2_000000014007BD50
Source: C:\Windows\System32\loaddll64.exe | Code function: 0_2_0000000140078570
Source: C:\Windows\System32\loaddll64.exe | Code function: 0_2_0000000140019580
Source: C:\Windows\System32\loaddll64.exe | Code function: 0_2_00000001400205A0
Source: C:\Windows\System32\loaddll64.exe | Code function: 0_2_0000000140025DB0
Source: C:\Windows\System32\loaddll64.exe | Code function: 0_2_0000000140071DC0
Source: C:\Windows\System32\loaddll64.exe | Code function: 0_2_000000014000C5C0
Source: C:\Windows\System32\loaddll64.exe | Code function: 0_2_000000014002DDE0
Source: C:\Windows\System32\loaddll64.exe | Code function: 0_2_0000000140031DF0
Source: C:\Windows\System32\loaddll64.exe | Code function: 0_2_000000014000DDF0
Source: C:\Windows\System32\loaddll64.exe | Code function: 0_2_0000000140001620
Source: C:\Windows\System32\loaddll64.exe | Code function: 0_2_0000000140018630
Source: C:\Windows\System32\loaddll64.exe | Code function: 0_2_0000000140032650
Source: C:\Windows\System32\loaddll64.exe | Code function: 0_2_0000000140064E80
Source: C:\Windows\System32\loaddll64.exe | Code function: 0_2_0000000140016E80
Source: C:\Windows\System32\loaddll64.exe | Code function: 0_2_0000000140007EA0
Source: C:\Windows\System32\loaddll64.exe | Code function: 0_2_00000001400286B0
Source: C:\Windows\System32\loaddll64.exe | Code function: 0_2_0000000140006EB0
Source: C:\Windows\System32\loaddll64.exe | Code function: 0_2_00000001400276C0
Source: C:\Windows\System32\loaddll64.exe | Code function: 0_2_000000014002FEC0
Source: C:\Windows\System32\loaddll64.exe | Code function: 0_2_000000014002EED0
Source: C:\Windows\System32\loaddll64.exe | Code function: 0_2_000000014002B6E0
Source: C:\Windows\System32\loaddll64.exe | Code function: 0_2_0000000140053F20
Source: C:\Windows\System32\loaddll64.exe | Code function: 0_2_0000000140022730
Source: C:\Windows\System32\loaddll64.exe | Code function: 0_2_0000000140029780
Source: C:\Windows\System32\loaddll64.exe | Code function: 0_2_0000000140018F80
Source: C:\Windows\System32\loaddll64.exe | Code function: 0_2_000000014003EFB0
Source: C:\Windows\System32\loaddll64.exe | Code function: 0_2_00000001400067B0
Source: C:\Windows\System32\loaddll64.exe | Code function: 0_2_00000001400667D0
Source: C:\Windows\System32\loaddll64.exe | Code function: 0_2_0000000140060FE0
Source: C:\Users\user\AppData\Local\zLYZkwYH\RdpSa.exe | Code function: 25_2_00007FF644D52BA0
Source: C:\Users\user\AppData\Local\zLYZkwYH\RdpSa.exe | Code function: 25_2_00007FF644D522B0
Source: C:\Users\user\AppData\Local\KbLvcSLVf\Utilman.exe | Code function: 28_2_00007FF719844AA4
Source: C:\Users\user\AppData\Local\KbLvcSLVf\Utilman.exe | Code function: 28_2_00007FF7198416F8
Source: C:\Users\user\AppData\Local\KbLvcSLVf\Utilman.exe | Code function: 28_2_00007FF71984B230
Source: C:\Users\user\AppData\Local\KbLvcSLVf\Utilman.exe | Code function: 28_2_00007FF719849A10
Source: C:\Users\user\AppData\Local\KbLvcSLVf\Utilman.exe | Code function: 28_2_00007FF7198418D0
Source: C:\Users\user\AppData\Local\rm4w0\EaseOfAccessDialog.exe | Code function: 33_2_00007FF792C32FD0
Source: C:\Users\user\AppData\Local\rm4w0\EaseOfAccessDialog.exe | Code function: 33_2_00007FF792C37F6C
Source: C:\Users\user\AppData\Local\rm4w0\EaseOfAccessDialog.exe | Code function: 33_2_00007FF792C36890
Source: C:\Users\user\AppData\Local\rm4w0\EaseOfAccessDialog.exe | Code function: 33_2_00007FF792C34830
Source: C:\Users\user\AppData\Local\mJLa\DevicePairingWizard.exe | Code function: 35_2_00007FF6CB0231D0
Source: C:\Users\user\AppData\Local\xlPP\wermgr.exe | Code function: 38_2_00007FF776FB2438
Source: C:\Users\user\AppData\Local\xlPP\wermgr.exe | Code function: 38_2_00007FF776FA6848
Source: C:\Users\user\AppData\Local\xlPP\wermgr.exe | Code function: 38_2_00007FF776FB0A58
Source: C:\Users\user\AppData\Local\xlPP\wermgr.exe | Code function: 38_2_00007FF776FA7EFC
Source: C:\Users\user\AppData\Local\xlPP\wermgr.exe | Code function: 38_2_00007FF776FA2F54
Source: C:\Users\user\AppData\Local\xlPP\wermgr.exe | Code function: 38_2_00007FF776FAE368
Source: C:\Users\user\AppData\Local\xlPP\wermgr.exe | Code function: 38_2_00007FF776FACFF0
Source: C:\Users\user\AppData\Local\pZCYq8TUy\mstsc.exe | Code function: 40_2_00007FF7A40E39A0
Source: C:\Users\user\AppData\Local\pZCYq8TUy\mstsc.exe | Code function: 40_2_00007FF7A40E8DF0
Source: C:\Users\user\AppData\Local\pZCYq8TUy\mstsc.exe | Code function: 40_2_00007FF7A40E35EC
Source: C:\Users\user\AppData\Local\pZCYq8TUy\mstsc.exe | Code function: 40_2_00007FF7A40ECE08
Source: C:\Users\user\AppData\Local\pZCYq8TUy\mstsc.exe | Code function: 40_2_00007FF7A4161690
Source: C:\Users\user\AppData\Local\pZCYq8TUy\mstsc.exe | Code function: 40_2_00007FF7A40DDA8C
Source: C:\Users\user\AppData\Local\pZCYq8TUy\mstsc.exe | Code function: 40_2_00007FF7A40EEAB4
Source: C:\Users\user\AppData\Local\pZCYq8TUy\mstsc.exe | Code function: 40_2_00007FF7A40D4EC4
Source: C:\Users\user\AppData\Local\pZCYq8TUy\mstsc.exe | Code function: 40_2_00007FF7A40F12E0
Source: C:\Users\user\AppData\Local\pZCYq8TUy\mstsc.exe | Code function: 40_2_00007FF7A4114320
Source: C:\Users\user\AppData\Local\pZCYq8TUy\mstsc.exe | Code function: 40_2_00007FF7A40D6B94
Source: C:\Users\user\AppData\Local\pZCYq8TUy\mstsc.exe | Code function: 40_2_00007FF7A40E77C0
Source: C:\Users\user\AppData\Local\pZCYq8TUy\mstsc.exe | Code function: 40_2_00007FF7A40D5410
Source: C:\Users\user\AppData\Local\pZCYq8TUy\mstsc.exe | Code function: 40_2_00007FF7A40E8060
Source: C:\Users\user\AppData\Local\pZCYq8TUy\mstsc.exe | Code function: 40_2_00007FF7A40EA858
Source: C:\Users\user\AppData\Local\pZCYq8TUy\mstsc.exe | Code function: 40_2_00007FF7A40E84C0
Source: C:\Users\user\AppData\Local\pZCYq8TUy\mstsc.exe | Code function: 40_2_00007FF7A40E64DC
            Source: C:\Windows\System32\loaddll64.exeCode function: 0_2_0000000140046C90 NtClose,
            Source: C:\Windows\System32\loaddll64.exeCode function: 0_2_000000014006A4B0 NtQuerySystemInformation,
            Source: C:\Users\user\AppData\Local\KbLvcSLVf\Utilman.exeCode function: 28_2_00007FF71984A2C8 NtQueryWnfStateData,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,CoCreateInstance,SystemParametersInfoW,
            Source: C:\Users\user\AppData\Local\KbLvcSLVf\Utilman.exeCode function: 28_2_00007FF719849640 NtQueryWnfStateData,
            Source: C:\Users\user\AppData\Local\rm4w0\EaseOfAccessDialog.exeCode function: 33_2_00007FF792C338C0 NtQueryWnfStateData,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,CoCreateInstance,SystemParametersInfoW,
            Source: C:\Users\user\AppData\Local\rm4w0\EaseOfAccessDialog.exeCode function: 33_2_00007FF792C3C164 NtQueryWnfStateData,
            Source: C:\Users\user\AppData\Local\xlPP\wermgr.exeCode function: 38_2_00007FF776FB2438 LoadLibraryExW,GetProcAddress,NtQueryLicenseValue,FreeLibrary,NtQueryLicenseValue,
            Source: C:\Users\user\AppData\Local\xlPP\wermgr.exeCode function: 38_2_00007FF776FA82EC DbgPrintEx,NtQueryInformationProcess,DbgPrintEx,DbgPrintEx,ReadProcessMemory,DbgPrintEx,GetLastError,
            Source: C:\Users\user\AppData\Local\xlPP\wermgr.exeCode function: 38_2_00007FF776FB1F54 NtQueryLicenseValue,
            Source: C:\Users\user\AppData\Local\xlPP\wermgr.exeCode function: 38_2_00007FF776FAE368 ZwQueryWnfStateNameInformation,ZwUpdateWnfStateData,EtwEventWriteNoRegistration,NtQuerySystemInformation,NtOpenEvent,NtWaitForSingleObject,NtClose,RtlAllocateAndInitializeSid,RtlInitUnicodeString,memset,NtAlpcConnectPort,memset,NtAlpcSendWaitReceivePort,RtlFreeSid,NtClose,
            Source: C:\Users\user\AppData\Local\xlPP\wermgr.exeCode function: 38_2_00007FF776FA8404 DbgPrintEx,NtQueryInformationProcess,DbgPrintEx,DbgPrintEx,ReadProcessMemory,DbgPrintEx,GetLastError,
            Source: DmNotificationBroker.exe.5.drStatic PE information: Resource name: RT_VERSION type: COM executable for DOS
            Source: DC2zX44MQr.dllBinary or memory string: OriginalFilenamekbdyj% vs DC2zX44MQr.dll
            Source: EaseOfAccessDialog.exe.5.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
            Source: EaseOfAccessDialog.exe.5.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
            Source: EaseOfAccessDialog.exe.5.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
            Source: DevicePairingWizard.exe.5.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
            Source: wermgr.exe.5.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
            Source: wermgr.exe.5.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
            Source: wermgr.exe.5.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
            Source: mstsc.exe.5.drStatic PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
            Source: mstsc.exe.5.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
            Source: psr.exe.5.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
            Source: DUI70.dll0.5.dr Static PE information: Number of sections : 40 > 10
            Source: DUI70.dll.5.dr Static PE information: Number of sections : 40 > 10
            Source: WTSAPI32.dll.5.dr Static PE information: Number of sections : 40 > 10
            Source: DC2zX44MQr.dll Static PE information: Number of sections : 39 > 10
            Source: WINSTA.dll.5.dr Static PE information: Number of sections : 40 > 10
            Source: wer.dll.5.dr Static PE information: Number of sections : 40 > 10
            Source: DUI70.dll1.5.dr Static PE information: Number of sections : 40 > 10
            Source: VERSION.dll.5.dr Static PE information: Number of sections : 40 > 10
            Source: credui.dll.5.dr Static PE information: Number of sections : 40 > 10
            Source: MFC42u.dll.5.dr Static PE information: Number of sections : 40 > 10
            Source: OLEACC.dll.5.dr Static PE information: Number of sections : 40 > 10
            Source: DC2zX44MQr.dll Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
            Source: DUI70.dll.5.dr Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
            Source: WINSTA.dll.5.dr Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
            Source: DUI70.dll0.5.dr Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
            Source: OLEACC.dll.5.dr Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
            Source: MFC42u.dll.5.dr Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
            Source: wer.dll.5.dr Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
            Source: credui.dll.5.dr Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
            Source: DUI70.dll1.5.dr Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
            Source: WTSAPI32.dll.5.dr Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
            Source: VERSION.dll.5.dr Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
            Source: DC2zX44MQr.dll Virustotal: Detection: 67%
            Source: DC2zX44MQr.dll ReversingLabs: Detection: 80%
            Source: C:\Windows\System32\loaddll64.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
            Source: unknown Process created: C:\Windows\System32\loaddll64.exe loaddll64.exe 'C:\Users\user\Desktop\DC2zX44MQr.dll'
            Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\cmd.exe cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\DC2zX44MQr.dll',#1
            Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\DC2zX44MQr.dll,DisplaySYSDMCPL
            Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\DC2zX44MQr.dll',#1
            Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\DC2zX44MQr.dll,EditEnvironmentVariables
            Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\DC2zX44MQr.dll,EditUserProfiles
            Source: C:\Windows\explorer.exe Process created: C:\Windows\System32\DmNotificationBroker.exe C:\Windows\system32\DmNotificationBroker.exe
            Source: C:\Windows\explorer.exe Process created: C:\Users\user\AppData\Local\EwdQnyo\DmNotificationBroker.exe C:\Users\user\AppData\Local\EwdQnyo\DmNotificationBroker.exe
            Source: C:\Windows\explorer.exe Process created: C:\Windows\System32\RdpSa.exe C:\Windows\system32\RdpSa.exe
            Source: C:\Windows\explorer.exe Process created: C:\Users\user\AppData\Local\zLYZkwYH\RdpSa.exe C:\Users\user\AppData\Local\zLYZkwYH\RdpSa.exe
            Source: C:\Windows\explorer.exe Process created: C:\Windows\System32\Utilman.exe C:\Windows\system32\Utilman.exe
            Source: C:\Windows\explorer.exe Process created: C:\Users\user\AppData\Local\KbLvcSLVf\Utilman.exe C:\Users\user\AppData\Local\KbLvcSLVf\Utilman.exe
            Source: C:\Windows\explorer.exe Process created: C:\Windows\System32\EaseOfAccessDialog.exe C:\Windows\system32\EaseOfAccessDialog.exe
            Source: C:\Windows\explorer.exe Process created: C:\Users\user\AppData\Local\rm4w0\EaseOfAccessDialog.exe C:\Users\user\AppData\Local\rm4w0\EaseOfAccessDialog.exe
            Source: C:\Windows\explorer.exe Process created: C:\Windows\System32\DevicePairingWizard.exe C:\Windows\system32\DevicePairingWizard.exe
            Source: C:\Windows\explorer.exe Process created: C:\Users\user\AppData\Local\mJLa\DevicePairingWizard.exe C:\Users\user\AppData\Local\mJLa\DevicePairingWizard.exe
            Source: C:\Windows\explorer.exe Process created: C:\Windows\System32\wermgr.exe C:\Windows\system32\wermgr.exe
            Source: C:\Windows\explorer.exe Process created: C:\Users\user\AppData\Local\xlPP\wermgr.exe C:\Users\user\AppData\Local\xlPP\wermgr.exe
            Source: C:\Windows\explorer.exe Process created: C:\Windows\System32\mstsc.exe C:\Windows\system32\mstsc.exe
            Source: C:\Windows\explorer.exe Process created: C:\Users\user\AppData\Local\pZCYq8TUy\mstsc.exe C:\Users\user\AppData\Local\pZCYq8TUy\mstsc.exe
            Source: C:\Windows\explorer.exe Process created: unknown unknown
            Source: C:\Windows\explorer.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32
            Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-3853321935-2125563209-4053062332-1002\eb42b1a5c308fc11edf1ddbdd25c8486_d06ed635-68f6-4e9a-955c-4899f5f57b9a
            Source: classification engine Classification label: mal100.troj.evad.winDLL@45/21@0/0
            Source: C:\Users\user\AppData\Local\EwdQnyo\DmNotificationBroker.exe Code function: 19_2_00007FF686901A1C CoInitializeEx,InitProcessPriv,InitThread,CoCreateInstance,#100,TranslateMessage,DispatchMessageW,GetMessageW,#101,UnInitThread,UnInitProcessPriv,CoUninitialize,
            Source: C:\Users\user\AppData\Local\xlPP\wermgr.exe Code function: RtlInitUnicodeString,RtlCreateBoundaryDescriptor,RtlInitUnicodeString,RtlCreateServiceSid,GetProcessHeap,HeapAlloc,RtlCreateServiceSid,RtlAddSIDToBoundaryDescriptor,OpenPrivateNamespaceW,GetLastError,GetProcessHeap,HeapFree,RtlDeleteBoundaryDescriptor,
            Source: C:\Users\user\AppData\Local\zLYZkwYH\RdpSa.exe Code function: 25_2_00007FF644D541EC LoadStringW,GetLastError,LoadStringW,GetLastError,FormatMessageW,GetLastError,WinStationSendMessageW,GetLastError,LocalFree,
            Source: C:\Users\user\AppData\Local\xlPP\wermgr.exe Code function: 38_2_00007FF776FA1A70 CreateToolhelp32Snapshot,GetLastError,Process32FirstW,GetLastError,_wcsicmp,Process32NextW,CloseHandle,
            Source: C:\Users\user\AppData\Local\pZCYq8TUy\mstsc.exe Mutant created: \Sessions\1\BaseNamedObjects\{a917c379-c9d3-7f7b-0d3b-a731b6dfaaa9}
            Source: C:\Users\user\AppData\Local\pZCYq8TUy\mstsc.exe Mutant created: \Sessions\1\BaseNamedObjects\{19d566d2-4a0e-150a-d927-cc8fa9ee6bbf}
            Source: C:\Users\user\AppData\Local\KbLvcSLVf\Utilman.exe Code function: 28_2_00007FF719846A78 LoadResource,LockResource,SizeofResource,
            Source: DC2zX44MQr.dll Static PE information: Image base 0x140000000 > 0x60000000
            Source: DC2zX44MQr.dll Static file information: File size 1236992 > 1048576
            Source: DC2zX44MQr.dll Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA
            Source: Binary string: DmNotificationBroker.pdb source: DmNotificationBroker.exe, 00000013.00000002.368362956.00007FF686905000.00000002.00020000.sdmp, DmNotificationBroker.exe.5.dr
            Source: Binary string: Utilman.pdb source: Utilman.exe, 0000001C.00000002.436525470.00007FF719850000.00000002.00020000.sdmp, Utilman.exe.5.dr
            Source: Binary string: PasswordOnWakeSettingFlyout.pdb source: PasswordOnWakeSettingFlyout.exe.5.dr
            Source: Binary string: RdpSa.pdbGCTL source: RdpSa.exe, 00000019.00000002.397262108.00007FF644D58000.00000002.00020000.sdmp, RdpSa.exe.5.dr
            Source: Binary string: psr.pdbGCTL source: psr.exe.5.dr
            Source: Binary string: EaseOfAccessDialog.pdb source: EaseOfAccessDialog.exe, 00000021.00000002.460475835.00007FF792C3E000.00000002.00020000.sdmp, EaseOfAccessDialog.exe.5.dr
            Source: Binary string: RdpSa.pdb source: RdpSa.exe, 00000019.00000002.397262108.00007FF644D58000.00000002.00020000.sdmp, RdpSa.exe.5.dr
            Source: Binary string: DmNotificationBroker.pdbGCTL source: DmNotificationBroker.exe, 00000013.00000002.368362956.00007FF686905000.00000002.00020000.sdmp, DmNotificationBroker.exe.5.dr
            Source: Binary string: PasswordOnWakeSettingFlyout.pdbGCTL source: PasswordOnWakeSettingFlyout.exe.5.dr
            Source: Binary string: EaseOfAccessDialog.pdbGCTL source: EaseOfAccessDialog.exe, 00000021.00000002.460475835.00007FF792C3E000.00000002.00020000.sdmp, EaseOfAccessDialog.exe.5.dr
            Source: Binary string: WerMgr.pdb source: wermgr.exe, 00000026.00000000.503200153.00007FF776FB5000.00000002.00020000.sdmp, wermgr.exe.5.dr
            Source: Binary string: RDVGHelper.pdbGCTL source: RDVGHelper.exe.5.dr
            Source: Binary string: Utilman.pdbGCTL source: Utilman.exe, 0000001C.00000002.436525470.00007FF719850000.00000002.00020000.sdmp, Utilman.exe.5.dr
            Source: Binary string: DevicePairingWizard.pdb source: DevicePairingWizard.exe, 00000023.00000000.476451806.00007FF6CB027000.00000002.00020000.sdmp, DevicePairingWizard.exe.5.dr
            Source: Binary string: mstsc.pdbGCTL source: mstsc.exe, 00000028.00000000.532448081.00007FF7A41F4000.00000002.00020000.sdmp, mstsc.exe.5.dr
            Source: Binary string: mstsc.pdb source: mstsc.exe, 00000028.00000000.532448081.00007FF7A41F4000.00000002.00020000.sdmp, mstsc.exe.5.dr
            Source: Binary string: psr.pdb source: psr.exe.5.dr
            Source: Binary string: RDVGHelper.pdb source: RDVGHelper.exe.5.dr
            Source: Binary string: DevicePairingWizard.pdbGCTL source: DevicePairingWizard.exe, 00000023.00000000.476451806.00007FF6CB027000.00000002.00020000.sdmp, DevicePairingWizard.exe.5.dr
            Source: Binary string: WerMgr.pdbGCTL source: wermgr.exe, 00000026.00000000.503200153.00007FF776FB5000.00000002.00020000.sdmp, wermgr.exe.5.dr
            Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_0000000140056A4D push rdi; ret
            Source: DC2zX44MQr.dll Static PE information: section name: .qkm
            Source: DC2zX44MQr.dll Static PE information: section name: .cvjb
            Source: DC2zX44MQr.dll Static PE information: section name: .tlmkv
            Source: DC2zX44MQr.dll Static PE information: section name: .wucsxe
            Source: DC2zX44MQr.dll Static PE information: section name: .wnx
            Source: DC2zX44MQr.dll Static PE information: section name: .weqy
            Source: DC2zX44MQr.dll Static PE information: section name: .yby
            Source: DC2zX44MQr.dll Static PE information: section name: .ormx
            Source: DC2zX44MQr.dll Static PE information: section name: .dhclu
            Source: DC2zX44MQr.dll Static PE information: section name: .xmiul
            Source: DC2zX44MQr.dll Static PE information: section name: .tlwcxe
            Source: DC2zX44MQr.dll Static PE information: section name: .get
            Source: DC2zX44MQr.dll Static PE information: section name: .hzrd
            Source: DC2zX44MQr.dll Static PE information: section name: .qzu
            Source: DC2zX44MQr.dll Static PE information: section name: .nhglos
            Source: DC2zX44MQr.dll Static PE information: section name: .itzo
            Source: DC2zX44MQr.dll Static PE information: section name: .nmsaom
            Source: DC2zX44MQr.dll Static PE information: section name: .rvhi
            Source: DC2zX44MQr.dll Static PE information: section name: .ucrzce
            Source: DC2zX44MQr.dll Static PE information: section name: .ijc
            Source: DC2zX44MQr.dll Static PE information: section name: .ohvs
            Source: DC2zX44MQr.dll Static PE information: section name: .rlvrc
            Source: DC2zX44MQr.dll Static PE information: section name: .yjv
            Source: DC2zX44MQr.dll Static PE information: section name: .clbcyy
            Source: DC2zX44MQr.dll Static PE information: section name: .xcyn
            Source: DC2zX44MQr.dll Static PE information: section name: .boqx
            Source: DC2zX44MQr.dll Static PE information: section name: .rnlia
            Source: DC2zX44MQr.dll Static PE information: section name: .ctip
            Source: DC2zX44MQr.dll Static PE information: section name: .fkv
            Source: DC2zX44MQr.dll Static PE information: section name: .pczrv
            Source: DC2zX44MQr.dll Static PE information: section name: .ibglr
            Source: DC2zX44MQr.dll Static PE information: section name: .uirkq
            Source: DC2zX44MQr.dll Static PE information: section name: .xmo
            Source: DmNotificationBroker.exe.5.dr Static PE information: section name: .imrsiv
            Source: Utilman.exe.5.dr Static PE information: section name: .imrsiv
            Source: wermgr.exe.5.dr Static PE information: section name: .imrsiv
            Source: wermgr.exe.5.dr Static PE information: section name: .didat
            Source: mstsc.exe.5.dr Static PE information: section name: .didat
            Source: PasswordOnWakeSettingFlyout.exe.5.dr Static PE information: section name: .imrsiv
            Source: psr.exe.5.dr Static PE information: section name: .didat
            Source: DUI70.dll.5.dr Static PE information: section name: .qkm
            Source: DUI70.dll.5.dr Static PE information: section name: .cvjb
            Source: DUI70.dll.5.dr Static PE information: section name: .tlmkv
            Source: DUI70.dll.5.dr Static PE information: section name: .wucsxe
            Source: DUI70.dll.5.dr Static PE information: section name: .wnx
            Source: DUI70.dll.5.dr Static PE information: section name: .weqy
            Source: DUI70.dll.5.dr Static PE information: section name: .yby
            Source: DUI70.dll.5.dr Static PE information: section name: .ormx
            Source: DUI70.dll.5.dr Static PE information: section name: .dhclu
            Source: DUI70.dll.5.dr Static PE information: section name: .xmiul
            Source: DUI70.dll.5.dr Static PE information: section name: .tlwcxe
            Source: DUI70.dll.5.dr Static PE information: section name: .get
            Source: DUI70.dll.5.dr Static PE information: section name: .hzrd
            Source: DUI70.dll.5.dr Static PE information: section name: .qzu
            Source: DUI70.dll.5.dr Static PE information: section name: .nhglos
            Source: DUI70.dll.5.dr Static PE information: section name: .itzo
            Source: DUI70.dll.5.dr Static PE information: section name: .nmsaom
            Source: DUI70.dll.5.dr Static PE information: section name: .rvhi
            Source: DUI70.dll.5.dr Static PE information: section name: .ucrzce
            Source: DUI70.dll.5.dr Static PE information: section name: .ijc
            Source: DUI70.dll.5.dr Static PE information: section name: .ohvs
            Source: DUI70.dll.5.dr Static PE information: section name: .rlvrc
            Source: DUI70.dll.5.dr Static PE information: section name: .yjv
            Source: DUI70.dll.5.dr Static PE information: section name: .clbcyy
            Source: DUI70.dll.5.dr Static PE information: section name: .xcyn
            Source: DUI70.dll.5.dr Static PE information: section name: .boqx
            Source: DUI70.dll.5.dr Static PE information: section name: .rnlia
            Source: DUI70.dll.5.dr Static PE information: section name: .ctip
            Source: DUI70.dll.5.dr Static PE information: section name: .fkv
            Source: DUI70.dll.5.dr Static PE information: section name: .pczrv
            Source: DUI70.dll.5.dr Static PE information: section name: .ibglr
            Source: DUI70.dll.5.dr Static PE information: section name: .uirkq
            Source: DUI70.dll.5.dr Static PE information: section name: .xmo
            Source: DUI70.dll.5.dr Static PE information: section name: .req
            Source: WINSTA.dll.5.dr Static PE information: section name: .qkm
            Source: WINSTA.dll.5.dr Static PE information: section name: .cvjb
            Source: WINSTA.dll.5.dr Static PE information: section name: .tlmkv
            Source: WINSTA.dll.5.dr Static PE information: section name: .wucsxe
            Source: WINSTA.dll.5.dr Static PE information: section name: .wnx
            Source: WINSTA.dll.5.dr Static PE information: section name: .weqy
            Source: WINSTA.dll.5.dr Static PE information: section name: .yby
            Source: WINSTA.dll.5.dr Static PE information: section name: .ormx
            Source: WINSTA.dll.5.dr Static PE information: section name: .dhclu
            Source: WINSTA.dll.5.dr Static PE information: section name: .xmiul
            Source: WINSTA.dll.5.dr Static PE information: section name: .tlwcxe
            Source: WINSTA.dll.5.dr Static PE information: section name: .get
            Source: WINSTA.dll.5.dr Static PE information: section name: .hzrd
            Source: WINSTA.dll.5.dr Static PE information: section name: .qzu
            Source: WINSTA.dll.5.dr Static PE information: section name: .nhglos
            Source: WINSTA.dll.5.dr Static PE information: section name: .itzo
            Source: WINSTA.dll.5.dr Static PE information: section name: .nmsaom
            Source: WINSTA.dll.5.dr Static PE information: section name: .rvhi
            Source: WINSTA.dll.5.dr Static PE information: section name: .ucrzce
            Source: WINSTA.dll.5.dr Static PE information: section name: .ijc
            Source: WINSTA.dll.5.dr Static PE information: section name: .ohvs
            Source: WINSTA.dll.5.dr Static PE information: section name: .rlvrc
            Source: WINSTA.dll.5.dr Static PE information: section name: .yjv
            Source: WINSTA.dll.5.dr Static PE information: section name: .clbcyy
            Source: WINSTA.dll.5.dr Static PE information: section name: .xcyn
            Source: WINSTA.dll.5.dr Static PE information: section name: .boqx
            Source: WINSTA.dll.5.dr Static PE information: section name: .rnlia
            Source: WINSTA.dll.5.dr Static PE information: section name: .ctip
            Source: WINSTA.dll.5.dr Static PE information: section name: .fkv
            Source: WINSTA.dll.5.dr Static PE information: section name: .pczrv
            Source: WINSTA.dll.5.dr Static PE information: section name: .ibglr
            Source: WINSTA.dll.5.dr Static PE information: section name: .uirkq
            Source: WINSTA.dll.5.dr Static PE information: section name: .xmo
            Source: WINSTA.dll.5.dr Static PE information: section name: .jki
            Source: DUI70.dll0.5.dr Static PE information: section name: .qkm
            Source: DUI70.dll0.5.dr Static PE information: section name: .cvjb
            Source: DUI70.dll0.5.dr Static PE information: section name: .tlmkv
            Source: DUI70.dll0.5.dr Static PE information: section name: .wucsxe
            Source: DUI70.dll0.5.dr Static PE information: section name: .wnx
            Source: DUI70.dll0.5.dr Static PE information: section name: .weqy
            Source: DUI70.dll0.5.dr Static PE information: section name: .yby
            Source: DUI70.dll0.5.dr Static PE information: section name: .ormx
            Source: DUI70.dll0.5.dr Static PE information: section name: .dhclu
            Source: DUI70.dll0.5.dr Static PE information: section name: .xmiul
            Source: DUI70.dll0.5.dr Static PE information: section name: .tlwcxe
            Source: DUI70.dll0.5.dr Static PE information: section name: .get
            Source: DUI70.dll0.5.dr Static PE information: section name: .hzrd
            Source: DUI70.dll0.5.dr Static PE information: section name: .qzu
            Source: DUI70.dll0.5.dr Static PE information: section name: .nhglos
            Source: DUI70.dll0.5.dr Static PE information: section name: .itzo
            Source: DUI70.dll0.5.dr Static PE information: section name: .nmsaom
            Source: DUI70.dll0.5.dr Static PE information: section name: .rvhi
            Source: DUI70.dll0.5.dr Static PE information: section name: .ucrzce
            Source: DUI70.dll0.5.dr Static PE information: section name: .ijc
            Source: DUI70.dll0.5.dr Static PE information: section name: .ohvs
            Source: DUI70.dll0.5.dr Static PE information: section name: .rlvrc
            Source: DUI70.dll0.5.dr Static PE information: section name: .yjv
            Source: DUI70.dll0.5.dr Static PE information: section name: .clbcyy
            Source: DUI70.dll0.5.dr Static PE information: section name: .xcyn
            Source: DUI70.dll0.5.dr Static PE information: section name: .boqx
            Source: DUI70.dll0.5.dr Static PE information: section name: .rnlia
            Source: DUI70.dll0.5.dr Static PE information: section name: .ctip
            Source: DUI70.dll0.5.dr Static PE information: section name: .fkv
            Source: DUI70.dll0.5.dr Static PE information: section name: .pczrv
            Source: DUI70.dll0.5.dr Static PE information: section name: .ibglr
            Source: DUI70.dll0.5.dr Static PE information: section name: .uirkq
            Source: DUI70.dll0.5.dr Static PE information: section name: .xmo
            Source: DUI70.dll0.5.dr Static PE information: section name: .oni
            Source: OLEACC.dll.5.dr Static PE information: section name: .qkm
            Source: OLEACC.dll.5.dr Static PE information: section name: .cvjb
            Source: OLEACC.dll.5.dr Static PE information: section name: .tlmkv
            Source: OLEACC.dll.5.dr Static PE information: section name: .wucsxe
            Source: OLEACC.dll.5.dr Static PE information: section name: .wnx
            Source: OLEACC.dll.5.dr Static PE information: section name: .weqy
            Source: OLEACC.dll.5.dr Static PE information: section name: .yby
            Source: OLEACC.dll.5.dr Static PE information: section name: .ormx
            Source: OLEACC.dll.5.dr Static PE information: section name: .dhclu
            Source: OLEACC.dll.5.dr Static PE information: section name: .xmiul
            Source: OLEACC.dll.5.dr Static PE information: section name: .tlwcxe
            Source: OLEACC.dll.5.dr Static PE information: section name: .get
            Source: OLEACC.dll.5.dr Static PE information: section name: .hzrd
            Source: OLEACC.dll.5.dr Static PE information: section name: .qzu
            Source: OLEACC.dll.5.dr Static PE information: section name: .nhglos
            Source: OLEACC.dll.5.dr Static PE information: section name: .itzo
            Source: OLEACC.dll.5.dr Static PE information: section name: .nmsaom
            Source: OLEACC.dll.5.dr Static PE information: section name: .rvhi
            Source: OLEACC.dll.5.dr Static PE information: section name: .ucrzce
            Source: OLEACC.dll.5.dr Static PE information: section name: .ijc
            Source: OLEACC.dll.5.dr Static PE information: section name: .ohvs
            Source: OLEACC.dll.5.dr Static PE information: section name: .rlvrc
            Source: OLEACC.dll.5.dr Static PE information: section name: .yjv
            Source: OLEACC.dll.5.dr Static PE information: section name: .clbcyy
            Source: OLEACC.dll.5.dr Static PE information: section name: .xcyn
            Source: OLEACC.dll.5.dr Static PE information: section name: .boqx
            Source: OLEACC.dll.5.dr Static PE information: section name: .rnlia
            Source: OLEACC.dll.5.dr Static PE information: section name: .ctip
            Source: OLEACC.dll.5.dr Static PE information: section name: .fkv
            Source: OLEACC.dll.5.dr Static PE information: section name: .pczrv
            Source: OLEACC.dll.5.dr Static PE information: section name: .ibglr
            Source: OLEACC.dll.5.dr Static PE information: section name: .uirkq
            Source: OLEACC.dll.5.dr Static PE information: section name: .xmo
            Source: OLEACC.dll.5.dr Static PE information: section name: .nncdb
            Source: MFC42u.dll.5.dr Static PE information: section name: .qkm
            Source: MFC42u.dll.5.dr Static PE information: section name: .cvjb
            Source: MFC42u.dll.5.dr Static PE information: section name: .tlmkv
            Source: MFC42u.dll.5.dr Static PE information: section name: .wucsxe
            Source: MFC42u.dll.5.dr Static PE information: section name: .wnx
            Source: MFC42u.dll.5.dr Static PE information: section name: .weqy
            Source: MFC42u.dll.5.dr Static PE information: section name: .yby
            Source: MFC42u.dll.5.dr Static PE information: section name: .ormx
            Source: MFC42u.dll.5.dr Static PE information: section name: .dhclu
            Source: MFC42u.dll.5.dr Static PE information: section name: .xmiul
            Source: MFC42u.dll.5.dr Static PE information: section name: .tlwcxe
            Source: MFC42u.dll.5.dr Static PE information: section name: .get
            Source: MFC42u.dll.5.dr Static PE information: section name: .hzrd
            Source: MFC42u.dll.5.dr Static PE information: section name: .qzu
            Source: MFC42u.dll.5.dr Static PE information: section name: .nhglos
            Source: MFC42u.dll.5.dr Static PE information: section name: .itzo
            Source: MFC42u.dll.5.dr Static PE information: section name: .nmsaom
            Source: MFC42u.dll.5.dr Static PE information: section name: .rvhi
            Source: MFC42u.dll.5.dr Static PE information: section name: .ucrzce
            Source: MFC42u.dll.5.drStatic PE information: section name: .ijc
            Source: MFC42u.dll.5.drStatic PE information: section name: .ohvs
            Source: MFC42u.dll.5.drStatic PE information: section name: .rlvrc
            Source: MFC42u.dll.5.drStatic PE information: section name: .yjv
            Source: MFC42u.dll.5.drStatic PE information: section name: .clbcyy
            Source: MFC42u.dll.5.drStatic PE information: section name: .xcyn
            Source: MFC42u.dll.5.drStatic PE information: section name: .boqx
            Source: MFC42u.dll.5.drStatic PE information: section name: .rnlia
            Source: MFC42u.dll.5.drStatic PE information: section name: .ctip
            Source: MFC42u.dll.5.drStatic PE information: section name: .fkv
            Source: MFC42u.dll.5.drStatic PE information: section name: .pczrv
            Source: MFC42u.dll.5.drStatic PE information: section name: .ibglr
            Source: MFC42u.dll.5.drStatic PE information: section name: .uirkq
            Source: MFC42u.dll.5.drStatic PE information: section name: .xmo
            Source: MFC42u.dll.5.drStatic PE information: section name: .nhpi
            Source: wer.dll.5.drStatic PE information: section name: .qkm
            Source: wer.dll.5.drStatic PE information: section name: .cvjb
            Source: wer.dll.5.drStatic PE information: section name: .tlmkv
            Source: wer.dll.5.drStatic PE information: section name: .wucsxe
            Source: wer.dll.5.drStatic PE information: section name: .wnx
            Source: wer.dll.5.drStatic PE information: section name: .weqy
            Source: wer.dll.5.drStatic PE information: section name: .yby
            Source: wer.dll.5.drStatic PE information: section name: .ormx
            Source: wer.dll.5.drStatic PE information: section name: .dhclu
            Source: wer.dll.5.drStatic PE information: section name: .xmiul
            Source: wer.dll.5.drStatic PE information: section name: .tlwcxe
            Source: wer.dll.5.drStatic PE information: section name: .get
            Source: wer.dll.5.drStatic PE information: section name: .hzrd
            Source: wer.dll.5.drStatic PE information: section name: .qzu
            Source: wer.dll.5.drStatic PE information: section name: .nhglos
            Source: wer.dll.5.drStatic PE information: section name: .itzo
            Source: wer.dll.5.drStatic PE information: section name: .nmsaom
            Source: wer.dll.5.drStatic PE information: section name: .rvhi
            Source: wer.dll.5.drStatic PE information: section name: .ucrzce
            Source: wer.dll.5.drStatic PE information: section name: .ijc
            Source: wer.dll.5.drStatic PE information: section name: .ohvs
            Source: wer.dll.5.drStatic PE information: section name: .rlvrc
            Source: wer.dll.5.drStatic PE information: section name: .yjv
            Source: wer.dll.5.drStatic PE information: section name: .clbcyy
            Source: wer.dll.5.drStatic PE information: section name: .xcyn
            Source: wer.dll.5.drStatic PE information: section name: .boqx
            Source: wer.dll.5.drStatic PE information: section name: .rnlia
            Source: wer.dll.5.drStatic PE information: section name: .ctip
            Source: wer.dll.5.drStatic PE information: section name: .fkv
            Source: wer.dll.5.drStatic PE information: section name: .pczrv
            Source: wer.dll.5.drStatic PE information: section name: .ibglr
            Source: wer.dll.5.drStatic PE information: section name: .uirkq
            Source: wer.dll.5.drStatic PE information: section name: .xmo
            Source: wer.dll.5.drStatic PE information: section name: .hrnn
            Source: credui.dll.5.drStatic PE information: section name: .qkm
            Source: credui.dll.5.drStatic PE information: section name: .cvjb
            Source: credui.dll.5.drStatic PE information: section name: .tlmkv
            Source: credui.dll.5.drStatic PE information: section name: .wucsxe
            Source: credui.dll.5.drStatic PE information: section name: .wnx
            Source: credui.dll.5.drStatic PE information: section name: .weqy
            Source: credui.dll.5.drStatic PE information: section name: .yby
            Source: credui.dll.5.drStatic PE information: section name: .ormx
            Source: credui.dll.5.drStatic PE information: section name: .dhclu
            Source: credui.dll.5.drStatic PE information: section name: .xmiul
            Source: credui.dll.5.drStatic PE information: section name: .tlwcxe
            Source: credui.dll.5.drStatic PE information: section name: .get
            Source: credui.dll.5.drStatic PE information: section name: .hzrd
            Source: credui.dll.5.drStatic PE information: section name: .qzu
            Source: credui.dll.5.drStatic PE information: section name: .nhglos
            Source: credui.dll.5.drStatic PE information: section name: .itzo
            Source: credui.dll.5.drStatic PE information: section name: .nmsaom
            Source: credui.dll.5.drStatic PE information: section name: .rvhi
            Source: credui.dll.5.drStatic PE information: section name: .ucrzce
            Source: credui.dll.5.drStatic PE information: section name: .ijc
            Source: credui.dll.5.drStatic PE information: section name: .ohvs
            Source: credui.dll.5.drStatic PE information: section name: .rlvrc
            Source: credui.dll.5.drStatic PE information: section name: .yjv
            Source: credui.dll.5.drStatic PE information: section name: .clbcyy
            Source: credui.dll.5.drStatic PE information: section name: .xcyn
            Source: credui.dll.5.drStatic PE information: section name: .boqx
            Source: credui.dll.5.drStatic PE information: section name: .rnlia
            Source: credui.dll.5.drStatic PE information: section name: .ctip
            Source: credui.dll.5.drStatic PE information: section name: .fkv
            Source: credui.dll.5.drStatic PE information: section name: .pczrv
            Source: credui.dll.5.drStatic PE information: section name: .ibglr
            Source: credui.dll.5.drStatic PE information: section name: .uirkq
            Source: credui.dll.5.drStatic PE information: section name: .xmo
            Source: credui.dll.5.drStatic PE information: section name: .efn
            Source: DUI70.dll1.5.drStatic PE information: section name: .qkm
            Source: DUI70.dll1.5.drStatic PE information: section name: .cvjb
            Source: DUI70.dll1.5.drStatic PE information: section name: .tlmkv
            Source: DUI70.dll1.5.drStatic PE information: section name: .wucsxe
            Source: DUI70.dll1.5.drStatic PE information: section name: .wnx
            Source: DUI70.dll1.5.drStatic PE information: section name: .weqy
            Source: DUI70.dll1.5.drStatic PE information: section name: .yby
            Source: DUI70.dll1.5.drStatic PE information: section name: .ormx
            Source: DUI70.dll1.5.drStatic PE information: section name: .dhclu
            Source: DUI70.dll1.5.drStatic PE information: section name: .xmiul
            Source: DUI70.dll1.5.drStatic PE information: section name: .tlwcxe
            Source: DUI70.dll1.5.drStatic PE information: section name: .get
            Source: DUI70.dll1.5.drStatic PE information: section name: .hzrd
            Source: DUI70.dll1.5.drStatic PE information: section name: .qzu
            Source: DUI70.dll1.5.drStatic PE information: section name: .nhglos
            Source: DUI70.dll1.5.drStatic PE information: section name: .itzo
            Source: DUI70.dll1.5.drStatic PE information: section name: .nmsaom
            Source: DUI70.dll1.5.drStatic PE information: section name: .rvhi
            Source: DUI70.dll1.5.drStatic PE information: section name: .ucrzce
            Source: DUI70.dll1.5.drStatic PE information: section name: .ijc
            Source: DUI70.dll1.5.drStatic PE information: section name: .ohvs
            Source: DUI70.dll1.5.drStatic PE information: section name: .rlvrc
            Source: DUI70.dll1.5.drStatic PE information: section name: .yjv
            Source: DUI70.dll1.5.drStatic PE information: section name: .clbcyy
            Source: DUI70.dll1.5.drStatic PE information: section name: .xcyn
            Source: DUI70.dll1.5.drStatic PE information: section name: .boqx
            Source: DUI70.dll1.5.drStatic PE information: section name: .rnlia
            Source: DUI70.dll1.5.drStatic PE information: section name: .ctip
            Source: DUI70.dll1.5.drStatic PE information: section name: .fkv
            Source: DUI70.dll1.5.drStatic PE information: section name: .pczrv
            Source: DUI70.dll1.5.drStatic PE information: section name: .ibglr
            Source: DUI70.dll1.5.drStatic PE information: section name: .uirkq
            Source: DUI70.dll1.5.drStatic PE information: section name: .xmo
            Source: DUI70.dll1.5.drStatic PE information: section name: .udkto
            Source: WTSAPI32.dll.5.drStatic PE information: section name: .qkm
            Source: WTSAPI32.dll.5.drStatic PE information: section name: .cvjb
            Source: WTSAPI32.dll.5.drStatic PE information: section name: .tlmkv
            Source: WTSAPI32.dll.5.drStatic PE information: section name: .wucsxe
            Source: WTSAPI32.dll.5.drStatic PE information: section name: .wnx
            Source: WTSAPI32.dll.5.drStatic PE information: section name: .weqy
            Source: WTSAPI32.dll.5.drStatic PE information: section name: .yby
            Source: WTSAPI32.dll.5.drStatic PE information: section name: .ormx
            Source: WTSAPI32.dll.5.drStatic PE information: section name: .dhclu
            Source: WTSAPI32.dll.5.drStatic PE information: section name: .xmiul
            Source: WTSAPI32.dll.5.drStatic PE information: section name: .tlwcxe
            Source: WTSAPI32.dll.5.drStatic PE information: section name: .get
            Source: WTSAPI32.dll.5.drStatic PE information: section name: .hzrd
            Source: WTSAPI32.dll.5.drStatic PE information: section name: .qzu
            Source: WTSAPI32.dll.5.drStatic PE information: section name: .nhglos
            Source: WTSAPI32.dll.5.drStatic PE information: section name: .itzo
            Source: WTSAPI32.dll.5.drStatic PE information: section name: .nmsaom
            Source: WTSAPI32.dll.5.drStatic PE information: section name: .rvhi
            Source: WTSAPI32.dll.5.drStatic PE information: section name: .ucrzce
            Source: WTSAPI32.dll.5.drStatic PE information: section name: .ijc
            Source: WTSAPI32.dll.5.drStatic PE information: section name: .ohvs
            Source: WTSAPI32.dll.5.drStatic PE information: section name: .rlvrc
            Source: WTSAPI32.dll.5.drStatic PE information: section name: .yjv
            Source: WTSAPI32.dll.5.drStatic PE information: section name: .clbcyy
            Source: WTSAPI32.dll.5.drStatic PE information: section name: .xcyn
            Source: WTSAPI32.dll.5.drStatic PE information: section name: .boqx
            Source: WTSAPI32.dll.5.drStatic PE information: section name: .rnlia
            Source: WTSAPI32.dll.5.drStatic PE information: section name: .ctip
            Source: WTSAPI32.dll.5.drStatic PE information: section name: .fkv
            Source: WTSAPI32.dll.5.drStatic PE information: section name: .pczrv
            Source: WTSAPI32.dll.5.drStatic PE information: section name: .ibglr
            Source: WTSAPI32.dll.5.drStatic PE information: section name: .uirkq
            Source: WTSAPI32.dll.5.drStatic PE information: section name: .xmo
            Source: WTSAPI32.dll.5.drStatic PE information: section name: .fmi
            Source: VERSION.dll.5.drStatic PE information: section name: .qkm
            Source: VERSION.dll.5.drStatic PE information: section name: .cvjb
            Source: VERSION.dll.5.drStatic PE information: section name: .tlmkv
            Source: VERSION.dll.5.drStatic PE information: section name: .wucsxe
            Source: VERSION.dll.5.drStatic PE information: section name: .wnx
            Source: VERSION.dll.5.drStatic PE information: section name: .weqy
            Source: VERSION.dll.5.drStatic PE information: section name: .yby
            Source: VERSION.dll.5.drStatic PE information: section name: .ormx
            Source: VERSION.dll.5.drStatic PE information: section name: .dhclu
            Source: VERSION.dll.5.drStatic PE information: section name: .xmiul
            Source: VERSION.dll.5.drStatic PE information: section name: .tlwcxe
            Source: VERSION.dll.5.drStatic PE information: section name: .get
            Source: VERSION.dll.5.drStatic PE information: section name: .hzrd
            Source: VERSION.dll.5.drStatic PE information: section name: .qzu
            Source: VERSION.dll.5.drStatic PE information: section name: .nhglos
            Source: VERSION.dll.5.drStatic PE information: section name: .itzo
            Source: VERSION.dll.5.drStatic PE information: section name: .nmsaom
            Source: VERSION.dll.5.drStatic PE information: section name: .rvhi
            Source: VERSION.dll.5.drStatic PE information: section name: .ucrzce
            Source: VERSION.dll.5.drStatic PE information: section name: .ijc
            Source: VERSION.dll.5.drStatic PE information: section name: .ohvs
            Source: VERSION.dll.5.drStatic PE information: section name: .rlvrc
            Source: VERSION.dll.5.drStatic PE information: section name: .yjv
            Source: VERSION.dll.5.drStatic PE information: section name: .clbcyy
            Source: VERSION.dll.5.drStatic PE information: section name: .xcyn
            Source: VERSION.dll.5.drStatic PE information: section name: .boqx
            Source: VERSION.dll.5.drStatic PE information: section name: .rnlia
            Source: VERSION.dll.5.drStatic PE information: section name: .ctip
            Source: VERSION.dll.5.drStatic PE information: section name: .fkv
            Source: VERSION.dll.5.drStatic PE information: section name: .pczrv
            Source: VERSION.dll.5.drStatic PE information: section name: .ibglr
            Source: VERSION.dll.5.drStatic PE information: section name: .uirkq
            Source: VERSION.dll.5.drStatic PE information: section name: .xmo
            Source: VERSION.dll.5.drStatic PE information: section name: .okbt
            Source: C:\Users\user\AppData\Local\pZCYq8TUy\mstsc.exe | Code function: 40_2_00007FF7A40EBEA0 LoadLibraryW,GetProcAddress,GetProcAddress,
            Source: DUI70.dll0.5.dr | Static PE information: real checksum: 0x7d786c40 should be: 0x18312b
            Source: DUI70.dll.5.dr | Static PE information: real checksum: 0x7d786c40 should be: 0x17960c
            Source: WTSAPI32.dll.5.dr | Static PE information: real checksum: 0x7d786c40 should be: 0x130bc3
            Source: DC2zX44MQr.dll | Static PE information: real checksum: 0x7d786c40 should be: 0x136b0f
            Source: WINSTA.dll.5.dr | Static PE information: real checksum: 0x7d786c40 should be: 0x1382ec
            Source: wer.dll.5.dr | Static PE information: real checksum: 0x7d786c40 should be: 0x135c0e
            Source: DUI70.dll1.5.dr | Static PE information: real checksum: 0x7d786c40 should be: 0x175fcb
            Source: VERSION.dll.5.dr | Static PE information: real checksum: 0x7d786c40 should be: 0x13d91d
            Source: credui.dll.5.dr | Static PE information: real checksum: 0x7d786c40 should be: 0x1357c2
            Source: MFC42u.dll.5.dr | Static PE information: real checksum: 0x7d786c40 should be: 0x1426da
            Source: OLEACC.dll.5.dr | Static PE information: real checksum: 0x7d786c40 should be: 0x13ea9a
            Source: DmNotificationBroker.exe.5.dr | Static PE information: 0xF8A808F8 [Tue Mar 14 06:45:12 2102 UTC]
            Source: initial sample | Static PE information: section name: .text entropy: 7.73364605679
            Source: C:\Windows\explorer.exe | File created: C:\Users\user\AppData\Local\zLYZkwYH\WINSTA.dll
            Source: C:\Windows\explorer.exe | File created: C:\Users\user\AppData\Local\rm4w0\OLEACC.dll
            Source: C:\Windows\explorer.exe | File created: C:\Users\user\AppData\Local\mJLa\MFC42u.dll
            Source: C:\Windows\explorer.exe | File created: C:\Users\user\AppData\Local\EwdQnyo\DUI70.dll
            Source: C:\Windows\explorer.exe | File created: C:\Users\user\AppData\Local\sBx0fm\VERSION.dll
            Source: C:\Windows\explorer.exe | File created: C:\Users\user\AppData\Local\pZCYq8TUy\credui.dll
            Source: C:\Windows\explorer.exe | File created: C:\Users\user\AppData\Local\mJLa\DevicePairingWizard.exe
            Source: C:\Windows\explorer.exe | File created: C:\Users\user\AppData\Local\bQkmObl\RDVGHelper.exe
            Source: C:\Windows\explorer.exe | File created: C:\Users\user\AppData\Local\sBx0fm\psr.exe
            Source: C:\Windows\explorer.exe | File created: C:\Users\user\AppData\Local\EwdQnyo\DmNotificationBroker.exe
            Source: C:\Windows\explorer.exe | File created: C:\Users\user\AppData\Local\KbLvcSLVf\DUI70.dll
            Source: C:\Windows\explorer.exe | File created: C:\Users\user\AppData\Local\WkAB\DUI70.dll
            Source: C:\Windows\explorer.exe | File created: C:\Users\user\AppData\Local\zLYZkwYH\RdpSa.exe
            Source: C:\Windows\explorer.exe | File created: C:\Users\user\AppData\Local\pZCYq8TUy\mstsc.exe
            Source: C:\Windows\explorer.exe | File created: C:\Users\user\AppData\Local\bQkmObl\WTSAPI32.dll
            Source: C:\Windows\explorer.exe | File created: C:\Users\user\AppData\Local\rm4w0\EaseOfAccessDialog.exe
            Source: C:\Windows\explorer.exe | File created: C:\Users\user\AppData\Local\WkAB\PasswordOnWakeSettingFlyout.exe
            Source: C:\Windows\explorer.exe | File created: C:\Users\user\AppData\Local\KbLvcSLVf\Utilman.exe
            Source: C:\Windows\explorer.exe | File created: C:\Users\user\AppData\Local\xlPP\wermgr.exe
            Source: C:\Windows\explorer.exe | File created: C:\Users\user\AppData\Local\xlPP\wer.dll
            Source: C:\Users\user\AppData\Local\pZCYq8TUy\mstsc.exe | Code function: 40_2_00007FF7A415C560 GetWindowRect,IsWindow,IsIconic,GetSystemMetrics,GetSystemMetrics,GetWindowRect,PtInRect,PtInRect,SystemParametersInfoW,CopyRect,SetWindowPos,
            Source: C:\Users\user\AppData\Local\pZCYq8TUy\mstsc.exe | Code function: 40_2_00007FF7A40DF5A4 DefWindowProcW,IsIconic,GetClientRect,GetLastError,VariantClear,DefWindowProcW,
            Source: C:\Users\user\AppData\Local\pZCYq8TUy\mstsc.exe | Code function: 40_2_00007FF7A40E39A0 SetFocus,LoadCursorW,SetCursor,DefWindowProcW,GetClientRect,IsIconic,memset,GetTitleBarInfo,GetCursorPos,SendMessageW,
            Source: C:\Users\user\AppData\Local\pZCYq8TUy\mstsc.exe | Code function: 40_2_00007FF7A40DCE48 IsIconic,GetWindowPlacement,GetLastError,
            Source: C:\Users\user\AppData\Local\pZCYq8TUy\mstsc.exe | Code function: 40_2_00007FF7A40D9A6C IsIconic,GetWindowPlacement,GetWindowRect,
            Source: C:\Users\user\AppData\Local\pZCYq8TUy\mstsc.exe | Code function: 40_2_00007FF7A40DCF28 IsIconic,GetWindowPlacement,GetLastError,IsZoomed,SetWindowPlacement,GetLastError,SetWindowPos,SetWindowPos,GetClientRect,MoveWindow,
            Source: C:\Users\user\AppData\Local\pZCYq8TUy\mstsc.exe | Code function: 40_2_00007FF7A40E1B44 lstrcmpW,LockWindowUpdate,IsIconic,GetWindowPlacement,GetWindowLongW,SetWindowLongW,SetWindowLongW,VariantInit,VariantClear,GetRgnBox,OffsetRgn,VariantClear,ShowWindow,SetWindowPos,SetWindowPos,SetWindowRgn,LockWindowUpdate,
            Source: C:\Users\user\AppData\Local\pZCYq8TUy\mstsc.exe | Code function: 40_2_00007FF7A40E2F5C IsWindowVisible,IsIconic,
            Source: C:\Users\user\AppData\Local\pZCYq8TUy\mstsc.exe | Code function: 40_2_00007FF7A40E2884 GetWindowRect,GetWindowLongW,GetWindowLongW,memset,CopyRect,IntersectRect,MoveWindow,IsIconic,memset,GetWindowPlacement,
            Source: C:\Users\user\AppData\Local\pZCYq8TUy\mstsc.exe | Code function: 40_2_00007FF7A40E04F8 IsZoomed,IsIconic,EnableMenuItem,EnableMenuItem,EnableMenuItem,EnableMenuItem,EnableMenuItem,EnableMenuItem,
            Source: C:\Windows\System32\rundll32.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\explorer.exe TID: 4492 | Thread sleep count: 33 > 30
            Source: C:\Users\user\AppData\Local\KbLvcSLVf\Utilman.exe | Last function: Thread delayed
            Source: C:\Users\user\AppData\Local\mJLa\DevicePairingWizard.exe | Last function: Thread delayed
            Source: C:\Windows\explorer.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\sBx0fm\VERSION.dll
            Source: C:\Windows\explorer.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\bQkmObl\RDVGHelper.exe
            Source: C:\Windows\explorer.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\sBx0fm\psr.exe
            Source: C:\Windows\explorer.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\bQkmObl\WTSAPI32.dll
            Source: C:\Windows\explorer.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\WkAB\PasswordOnWakeSettingFlyout.exe
            Source: C:\Users\user\AppData\Local\xlPP\wermgr.exe | Code function: 38_2_00007FF776FA7BC4 GetSystemTimeAsFileTime followed by cmp: cmp ebx, 01h and CTI: jne 00007FF776FA7CE0h
            Source: C:\Windows\System32\loaddll64.exe | Process information queried: ProcessInformation
            Source: C:\Windows\System32\loaddll64.exe | Code function: 0_2_000000014005C340 GetSystemInfo,
            Source: C:\Windows\System32\loaddll64.exe | Code function: 0_2_000000014005D290 FindFirstFileExW,
            Source: C:\Users\user\AppData\Local\xlPP\wermgr.exe | Code function: 38_2_00007FF776FABE54 GetFileAttributesW,GetLastError,FindFirstFileW,GetLastError,CompareStringW,FindNextFileW,FindClose,FindClose,
            Source: C:\Users\user\AppData\Local\xlPP\wermgr.exe | Code function: 38_2_00007FF776FB1BA0 FindFirstFileExW,_wcsicmp,_wcsicmp,FindNextFileW,GetLastError,GetLastError,FindClose,
            Source: explorer.exe, 00000005.00000000.272660584.0000000008A32000.00000004.00000001.sdmp | Binary or memory string: VMware SATA CD00dRom0
            Source: explorer.exe, 00000005.00000000.272660584.0000000008A32000.00000004.00000001.sdmp | Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000
            Source: explorer.exe, 00000005.00000000.261174760.000000000E9FF000.00000004.00000001.sdmp | Binary or memory string: AGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
            Source: explorer.exe, 00000005.00000000.259807605.0000000008B88000.00000004.00000001.sdmp | Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
            Source: explorer.exe, 00000005.00000000.259807605.0000000008B88000.00000004.00000001.sdmp | Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}e
            Source: explorer.exe, 00000005.00000000.268107178.00000000048E0000.00000004.00000001.sdmp | Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
            Source: explorer.exe, 00000005.00000000.259807605.0000000008B88000.00000004.00000001.sdmp | Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}C
            Source: explorer.exe, 00000005.00000000.272937253.0000000008ACF000.00000004.00000001.sdmp | Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000Datc
            Source: explorer.exe, 00000005.00000000.272937253.0000000008ACF000.00000004.00000001.sdmp | Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000
            Source: explorer.exe, 00000005.00000000.269963872.00000000069DA000.00000004.00000001.sdmp | Binary or memory string: VMware SATA CD002
            Source: C:\Users\user\AppData\Local\mJLa\DevicePairingWizard.exe | Code function: 35_2_00007FF6CB022110 GetCurrentThreadId,memset,IsDebuggerPresent,OutputDebugStringW,
            Source: C:\Users\user\AppData\Local\pZCYq8TUy\mstsc.exe | Code function: 40_2_00007FF7A40EBEA0 LoadLibraryW,GetProcAddress,GetProcAddress,
            Source: C:\Users\user\AppData\Local\zLYZkwYH\RdpSa.exe | Code function: 25_2_00007FF644D51124 SysFreeString,GetProcessHeap,HeapFree,
            Source: C:\Windows\System32\loaddll64.exe | Code function: 0_2_0000000140048AC0 LdrLoadDll,FindClose,
            Source: C:\Users\user\AppData\Local\EwdQnyo\DmNotificationBroker.exe | Code function: 19_2_00007FF686902780 SetUnhandledExceptionFilter,
            Source: C:\Users\user\AppData\Local\EwdQnyo\DmNotificationBroker.exe | Code function: 19_2_00007FF686902AB4 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
            Source: C:\Users\user\AppData\Local\zLYZkwYH\RdpSa.exe | Code function: 25_2_00007FF644D57330 SetUnhandledExceptionFilter,
            Source: C:\Users\user\AppData\Local\zLYZkwYH\RdpSa.exe | Code function: 25_2_00007FF644D575B4 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
            Source: C:\Users\user\AppData\Local\KbLvcSLVf\Utilman.exe | Code function: 28_2_00007FF71984CD10 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
            Source: C:\Users\user\AppData\Local\KbLvcSLVf\Utilman.exe | Code function: 28_2_00007FF71984CF30 SetUnhandledExceptionFilter,
            Source: C:\Users\user\AppData\Local\rm4w0\EaseOfAccessDialog.exe | Code function: 33_2_00007FF792C3C98C SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
            Source: C:\Users\user\AppData\Local\rm4w0\EaseOfAccessDialog.exe | Code function: 33_2_00007FF792C3C710 SetUnhandledExceptionFilter,
            Source: C:\Users\user\AppData\Local\mJLa\DevicePairingWizard.exe | Code function: 35_2_00007FF6CB026340 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
            Source: C:\Users\user\AppData\Local\mJLa\DevicePairingWizard.exe | Code function: 35_2_00007FF6CB026630 SetUnhandledExceptionFilter,
            Source: C:\Users\user\AppData\Local\xlPP\wermgr.exe | Code function: 38_2_00007FF776FB2B00 SetUnhandledExceptionFilter,
            Source: C:\Users\user\AppData\Local\xlPP\wermgr.exe | Code function: 38_2_00007FF776FB3140 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
            Source: C:\Users\user\AppData\Local\pZCYq8TUy\mstsc.exe | Code function: 40_2_00007FF7A41F2264 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,

            HIPS / PFW / Operating System Protection Evasion:

            Benign windows process drops PE filesShow sources
            Source: C:\Windows\explorer.exeFile created: DUI70.dll.5.drJump to dropped file
            Changes memory attributes in foreign processes to executable or writableShow sources
            Source: C:\Windows\System32\rundll32.exeMemory protected: C:\Windows\explorer.exe base: 7FFFAE1CEFE0 protect: page execute and read and write
            Source: C:\Windows\System32\rundll32.exeMemory protected: C:\Windows\explorer.exe base: 7FFFAE1CE000 protect: page execute read
            Source: C:\Windows\System32\rundll32.exeMemory protected: C:\Windows\explorer.exe base: 7FFFAC2B2A20 protect: page execute and read and write
            Queues an APC in another process (thread injection)Show sources
            Source: C:\Windows\System32\rundll32.exeThread APC queued: target process: C:\Windows\explorer.exe
            Uses Atom Bombing / ProGate to inject into other processesShow sources
            Source: C:\Windows\System32\rundll32.exeAtom created: 405553565741544156488D6C24D14881EC98 0x00000000 inc eax 0x00000001 push ebp 0x00000002 push ebx 0x00000003 push esi 0x00000004 push edi 0x00000005 inc ecx 0x00000006 push esp 0x00000007 inc ecx 0x00000008 push esi 0x00000009 dec eax 0x0000000a lea ebp, dword ptr [esp-2Fh] 0x0000000e dec eax 0x0000000f sub esp, 00000098h
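The three signatures above (a code-bearing atom, foreign memory set executable, an APC queued into explorer.exe) are the observable pieces of an AtomBombing-style injection, and none of them is conclusive on its own. The Python below is an added triage example, not code from the Joe Sandbox report, that correlates telemetry of that shape into a single alert per injecting/target process pair. The event records are constructed to mirror the report's lines; the record fields (ts, src, dst, op, detail) and the x64-prologue heuristic are assumptions, not a vendor schema or a disassembler.

```python
"""
Correlate cross-process injection telemetry into one AtomBombing-style alert.

Added triage example, not code from the Joe Sandbox report. EVENTS is
constructed to mirror the report's signature lines for rundll32.exe ->
explorer.exe (code-bearing atom, foreign memory set executable, APC queued);
the record fields (ts, src, dst, op, detail) are assumptions, not a vendor schema.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    ts: int
    src: str      # process performing the action
    dst: str      # process acted upon (== src for a process's own memory/atoms)
    op: str       # "atom_created" | "memory_protected" | "apc_queued"
    detail: str   # atom name, or the protection string as the sandbox prints it


EVENTS = [
    # Constructed from the report's lines; the atom bytes are the report's.
    Event(1, "rundll32.exe", "rundll32.exe", "atom_created",
          "405553565741544156488D6C24D14881EC98"),
    Event(2, "rundll32.exe", "explorer.exe", "memory_protected",
          "base: 7FFFAE1CEFE0 protect: page execute and read and write"),
    Event(3, "rundll32.exe", "explorer.exe", "memory_protected",
          "base: 7FFFAE1CE000 protect: page execute read"),
    Event(4, "rundll32.exe", "explorer.exe", "memory_protected",
          "base: 7FFFAC2B2A20 protect: page execute and read and write"),
    Event(5, "rundll32.exe", "explorer.exe", "apc_queued", ""),
    # Constructed benign noise: own-process protection change, ordinary atom.
    Event(6, "explorer.exe", "explorer.exe", "memory_protected",
          "base: 000001F0 protect: page execute read"),
    Event(7, "notepad.exe", "notepad.exe", "atom_created", "Shell_TrayWnd"),
]

REX = range(0x40, 0x50)    # x64 REX prefixes; a 32-bit decoder shows them as inc/dec
PUSH = range(0x50, 0x58)   # push r32/r64


def decode_atom(name: str):
    """Return the atom name as bytes when it is an even-length hex string of at
    least four bytes, else None. Normal atoms are window-class or clipboard
    names (e.g. Shell_TrayWnd), not hex blobs."""
    if len(name) < 8 or len(name) % 2:
        return None
    try:
        return bytes.fromhex(name)
    except ValueError:
        return None


def looks_like_x64_code(blob: bytes) -> bool:
    """Heuristic, not a disassembler: an x64 prologue usually opens with a
    REX-prefixed push and soon executes 'sub rsp, imm' (48 81 EC / 48 83 EC)."""
    if len(blob) < 4:
        return False
    rex_push = blob[0] in REX and blob[1] in PUSH
    sub_rsp = b"\x48\x81\xec" in blob or b"\x48\x83\xec" in blob
    return rex_push and sub_rsp


def correlate(events):
    """One alert per (src, dst) pair that changed the other process's memory
    to executable and queued an APC into it. Code-bearing atoms registered by
    src (atoms are global, so they are keyed by src only) upgrade the alert."""
    code_atoms = defaultdict(list)
    pairs = defaultdict(lambda: {"exec_protect": 0, "apc": 0})
    for e in events:
        if e.op == "atom_created":
            blob = decode_atom(e.detail)
            if blob is not None and looks_like_x64_code(blob):
                code_atoms[e.src].append(blob)
        elif e.src == e.dst:
            continue  # a process touching its own memory is routine
        elif e.op == "memory_protected" and "execute" in e.detail.lower():
            pairs[(e.src, e.dst)]["exec_protect"] += 1
        elif e.op == "apc_queued":
            pairs[(e.src, e.dst)]["apc"] += 1
    alerts = []
    for (src, dst), seen in pairs.items():
        if not (seen["exec_protect"] and seen["apc"]):
            continue
        alerts.append({
            "src": src,
            "dst": dst,
            "technique": ("AtomBombing-style injection" if code_atoms.get(src)
                          else "remote APC injection"),
            "exec_protect_changes": seen["exec_protect"],
            "apc_queued": seen["apc"],
            "code_atoms": len(code_atoms.get(src, [])),
        })
    return alerts


if __name__ == "__main__":
    for alert in correlate(EVENTS):
        print(alert)
```

Run as a script it prints one alert for rundll32.exe -> explorer.exe with three executable protection changes, one queued APC and one code-bearing atom. The pairing of a remote executable-protection change with a remote APC is the load-bearing condition; the atom check only labels the delivery mechanism, and a real deployment would replace the prologue heuristic with a proper x64 decode of the atom payload.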
            Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\DC2zX44MQr.dll',#1
            Source: C:\Users\user\AppData\Local\xlPP\wermgr.exe Code function: 38_2_00007FF776FAAE50 GetFileSecurityW,GetLastError,GetFileSecurityW,GetLastError,GetSecurityDescriptorDacl,GetLastError,GetCurrentThread,OpenThreadToken,GetLastError,GetCurrentProcess,OpenProcessToken,GetLastError,GetTokenInformation,GetLastError,GetTokenInformation,GetLastError,SetEntriesInAclW,InitializeSecurityDescriptor,GetLastError,SetSecurityDescriptorDacl,GetLastError,SetFileSecurityW,GetLastError,GetFileAttributesW,GetLastError,SetFileAttributesW,GetLastError,LocalFree,CloseHandle,
            Source: C:\Users\user\AppData\Local\KbLvcSLVf\Utilman.exe Code function: 28_2_00007FF7198450A4 AllocateAndInitializeSid,CheckTokenMembership,FreeSid,
            Source: explorer.exe, 00000005.00000000.253485246.0000000001400000.00000002.00020000.sdmp Binary or memory string: uProgram Manager
            Source: explorer.exe, 00000005.00000000.286145376.0000000005F40000.00000004.00000001.sdmp Binary or memory string: Shell_TrayWnd
            Source: explorer.exe, 00000005.00000000.253485246.0000000001400000.00000002.00020000.sdmp Binary or memory string: Progman
            Source: explorer.exe, 00000005.00000000.265800620.0000000000EB8000.00000004.00000020.sdmp Binary or memory string: ProgmanX
            Source: explorer.exe, 00000005.00000000.253485246.0000000001400000.00000002.00020000.sdmp Binary or memory string: Progmanlock
            Source: explorer.exe, 00000005.00000000.272937253.0000000008ACF000.00000004.00000001.sdmp Binary or memory string: Shell_TrayWndAj
            Source: C:\Windows\System32\loaddll64.exe Queries volume information: unknown VolumeInformation
            Source: C:\Windows\System32\loaddll64.exe Queries volume information: unknown VolumeInformation
            Source: C:\Windows\System32\rundll32.exe Queries volume information: unknown VolumeInformation
            Source: C:\Windows\System32\rundll32.exe Queries volume information: unknown VolumeInformation
            Source: C:\Windows\System32\rundll32.exe Queries volume information: unknown VolumeInformation
            Source: C:\Windows\System32\rundll32.exe Queries volume information: unknown VolumeInformation
            Source: C:\Windows\System32\rundll32.exe Queries volume information: unknown VolumeInformation
            Source: C:\Windows\System32\rundll32.exe Queries volume information: unknown VolumeInformation
            Source: C:\Windows\System32\rundll32.exe Queries volume information: unknown VolumeInformation
            Source: C:\Windows\System32\rundll32.exe Queries volume information: unknown VolumeInformation
            Source: C:\Users\user\AppData\Local\EwdQnyo\DmNotificationBroker.exe Queries volume information: unknown VolumeInformation
            Source: C:\Users\user\AppData\Local\EwdQnyo\DmNotificationBroker.exe Queries volume information: unknown VolumeInformation
            Source: C:\Users\user\AppData\Local\zLYZkwYH\RdpSa.exe Queries volume information: unknown VolumeInformation
            Source: C:\Users\user\AppData\Local\zLYZkwYH\RdpSa.exe Queries volume information: unknown VolumeInformation
            Source: C:\Users\user\AppData\Local\KbLvcSLVf\Utilman.exe Queries volume information: unknown VolumeInformation
            Source: C:\Users\user\AppData\Local\KbLvcSLVf\Utilman.exe Queries volume information: unknown VolumeInformation
            Source: C:\Users\user\AppData\Local\rm4w0\EaseOfAccessDialog.exe Queries volume information: unknown VolumeInformation
            Source: C:\Users\user\AppData\Local\rm4w0\EaseOfAccessDialog.exe Queries volume information: unknown VolumeInformation
            Source: C:\Users\user\AppData\Local\mJLa\DevicePairingWizard.exe Queries volume information: unknown VolumeInformation
            Source: C:\Users\user\AppData\Local\mJLa\DevicePairingWizard.exe Queries volume information: unknown VolumeInformation
            Source: C:\Users\user\AppData\Local\xlPP\wermgr.exe Queries volume information: unknown VolumeInformation
            Source: C:\Users\user\AppData\Local\xlPP\wermgr.exe Queries volume information: unknown VolumeInformation
            Source: C:\Users\user\AppData\Local\pZCYq8TUy\mstsc.exe Queries volume information: unknown VolumeInformation
            Source: C:\Users\user\AppData\Local\pZCYq8TUy\mstsc.exe Queries volume information: unknown VolumeInformation
            Source: C:\Users\user\AppData\Local\KbLvcSLVf\Utilman.exe Code function: GetThreadPreferredUILanguages,GetLastError,GetThreadPreferredUILanguages,GetLastError,GetLocaleInfoEx,GetLastError,
            Source: C:\Users\user\AppData\Local\rm4w0\EaseOfAccessDialog.exe Code function: GetThreadPreferredUILanguages,GetLastError,GetThreadPreferredUILanguages,GetLastError,GetLocaleInfoEx,GetLastError,
            Source: C:\Windows\System32\loaddll64.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion InstallDate
            Source: C:\Windows\System32\loaddll64.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
            Source: C:\Users\user\AppData\Local\EwdQnyo\DmNotificationBroker.exe Code function: 19_2_00007FF686902910 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,GetTickCount,QueryPerformanceCounter,
            Source: C:\Users\user\AppData\Local\pZCYq8TUy\mstsc.exe Code function: 40_2_00007FF7A41EF5EC memset,GetVersionExW,GetVersionExW,
            Source: C:\Users\user\AppData\Local\zLYZkwYH\RdpSa.exe Code function: 25_2_00007FF644D54A50 GetUserNameExW,GetLastError,GetUserNameExW,GetLastError,
            Source: C:\Users\user\AppData\Local\EwdQnyo\DmNotificationBroker.exe Code function: 19_2_00007FF6869021B8 RpcBindingCreateW,RpcBindingBind,NdrClientCall3,RpcBindingFree,
            Source: C:\Users\user\AppData\Local\EwdQnyo\DmNotificationBroker.exe Code function: 19_2_00007FF6869022F0 RpcBindingFree,
            Source: C:\Users\user\AppData\Local\zLYZkwYH\RdpSa.exe Code function: 25_2_00007FF644D56AB4 memset,CreateBindCtx,StringFromCLSID,MkParseDisplayName,CoTaskMemFree,
            Source: C:\Users\user\AppData\Local\KbLvcSLVf\Utilman.exe Code function: 28_2_00007FF71984B230 InitProcessPriv,InitThread,RegisterPVLBehaviorFactory,UnInitThread,UnInitProcessPriv,?Create@DUIXmlParser@DirectUI@@SAJPEAPEAV12@P6APEAVValue@2@PEBGPEAX@Z2P6AX11H2@Z2@Z,?SetXMLFromResource@DUIXmlParser@DirectUI@@QEAAJIPEAUHINSTANCE__@@0@Z,?CreateElement@DUIXmlParser@DirectUI@@QEAAJPEBGPEAVElement@2@1PEAKPEAPEAV32@@Z,?SetVisible@Element@DirectUI@@QEAAJ_N@Z,?SetAccessible@Element@DirectUI@@QEAAJ_N@Z,?GetRoot@Element@DirectUI@@QEAAPEAV12@XZ,?GetClassInfoPtr@HWNDElement@DirectUI@@SAPEAUIClassInfo@2@XZ,GetAncestor,SetWindowPos,AccessibleObjectFromWindow,new,?AddListener@Element@DirectUI@@QEAAJPEAUIElementListener@2@@Z,new,LoadCursorW,SetCursor,StrToID,?FindDescendent@Element@DirectUI@@QEAAPEAV12@G@Z,StartMessagePump,?RemoveListener@Element@DirectUI@@QEAAXPEAUIElementListener@2@@Z,?Destroy@Element@DirectUI@@QEAAJ_N@Z,?Destroy@DUIXmlParser@DirectUI@@QEAAXXZ,UnInitThread,UnInitProcessPriv,
            Source: C:\Users\user\AppData\Local\KbLvcSLVf\Utilman.exe Code function: 28_2_00007FF71984A8A0 StrToID,?FindDescendent@Element@DirectUI@@QEAAPEAV12@G@Z,StrToID,?FindDescendent@Element@DirectUI@@QEAAPEAV12@G@Z,StrToID,?FindDescendent@Element@DirectUI@@QEAAPEAV12@G@Z,StrToID,?FindDescendent@Element@DirectUI@@QEAAPEAV12@G@Z,StrToID,?FindDescendent@Element@DirectUI@@QEAAPEAV12@G@Z,StrToID,?FindDescendent@Element@DirectUI@@QEAAPEAV12@G@Z,?AddListener@Element@DirectUI@@QEAAJPEAUIElementListener@2@@Z,?Click@TouchButton@DirectUI@@SA?AVUID@@XZ,StrToID,StrToID,StrToID,?SliderUpdated@TouchSlider@DirectUI@@SA?AVUID@@XZ,StrToID,?FindDescendent@Element@DirectUI@@QEAAPEAV12@G@Z,?IsDescendent@Element@DirectUI@@QEAA_NPEAV12@@Z,StrToID,?FindDescendent@Element@DirectUI@@QEAAPEAV12@G@Z,?OnEvent@Element@DirectUI@@UEAAXPEAUEvent@2@@Z,
            Source: C:\Users\user\AppData\Local\KbLvcSLVf\Utilman.exe Code function: 28_2_00007FF71984C7B0 ?RemoveListener@Element@DirectUI@@QEAAXPEAUIElementListener@2@@Z,free,
            Source: C:\Users\user\AppData\Local\rm4w0\EaseOfAccessDialog.exe Code function: 33_2_00007FF792C35B60 ?RemoveListener@Element@DirectUI@@QEAAXPEAUIElementListener@2@@Z,free,
            Source: C:\Users\user\AppData\Local\rm4w0\EaseOfAccessDialog.exe Code function: 33_2_00007FF792C34830 InitProcessPriv,InitThread,RegisterPVLBehaviorFactory,UnInitThread,UnInitProcessPriv,?Create@DUIXmlParser@DirectUI@@SAJPEAPEAV12@P6APEAVValue@2@PEBGPEAX@Z2P6AX11H2@Z2@Z,?SetXMLFromResource@DUIXmlParser@DirectUI@@QEAAJIPEAUHINSTANCE__@@0@Z,?CreateElement@DUIXmlParser@DirectUI@@QEAAJPEBGPEAVElement@2@1PEAKPEAPEAV32@@Z,?SetVisible@Element@DirectUI@@QEAAJ_N@Z,?SetAccessible@Element@DirectUI@@QEAAJ_N@Z,?GetRoot@Element@DirectUI@@QEAAPEAV12@XZ,?GetClassInfoPtr@HWNDElement@DirectUI@@SAPEAUIClassInfo@2@XZ,GetAncestor,SetWindowPos,AccessibleObjectFromWindow,new,?AddListener@Element@DirectUI@@QEAAJPEAUIElementListener@2@@Z,new,LoadCursorW,SetCursor,StrToID,?FindDescendent@Element@DirectUI@@QEAAPEAV12@G@Z,StartMessagePump,?RemoveListener@Element@DirectUI@@QEAAXPEAUIElementListener@2@@Z,?Destroy@Element@DirectUI@@QEAAJ_N@Z,?Destroy@DUIXmlParser@DirectUI@@QEAAXXZ,UnInitThread,UnInitProcessPriv,
            Source: C:\Users\user\AppData\Local\rm4w0\EaseOfAccessDialog.exe Code function: 33_2_00007FF792C33EA4 StrToID,?FindDescendent@Element@DirectUI@@QEAAPEAV12@G@Z,StrToID,?FindDescendent@Element@DirectUI@@QEAAPEAV12@G@Z,StrToID,?FindDescendent@Element@DirectUI@@QEAAPEAV12@G@Z,StrToID,?FindDescendent@Element@DirectUI@@QEAAPEAV12@G@Z,StrToID,?FindDescendent@Element@DirectUI@@QEAAPEAV12@G@Z,StrToID,?FindDescendent@Element@DirectUI@@QEAAPEAV12@G@Z,?AddListener@Element@DirectUI@@QEAAJPEAUIElementListener@2@@Z,?Click@TouchButton@DirectUI@@SA?AVUID@@XZ,StrToID,StrToID,StrToID,?SliderUpdated@TouchSlider@DirectUI@@SA?AVUID@@XZ,StrToID,?FindDescendent@Element@DirectUI@@QEAAPEAV12@G@Z,?IsDescendent@Element@DirectUI@@QEAA_NPEAV12@@Z,StrToID,?FindDescendent@Element@DirectUI@@QEAAPEAV12@G@Z,?OnEvent@Element@DirectUI@@UEAAXPEAUEvent@2@@Z,

            Mitre Att&ck Matrix

            Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
            Valid Accounts | Native API 1 | Windows Service 1 | Windows Service 1 | Masquerading 1 | Input Capture 1 | System Time Discovery 1 1 | Remote Services | Input Capture 1 | Exfiltration Over Other Network Medium | Encrypted Channel 2 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
            Default Accounts | Exploitation for Client Execution 1 | Boot or Logon Initialization Scripts | Process Injection 3 1 2 | Virtualization/Sandbox Evasion 1 | LSASS Memory | Security Software Discovery 2 1 | Remote Desktop Protocol | Archive Collected Data 1 | Exfiltration Over Bluetooth | Junk Data | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
            Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Process Injection 3 1 2 | Security Account Manager | Virtualization/Sandbox Evasion 1 | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Steganography | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
            Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Obfuscated Files or Information 2 | NTDS | Process Discovery 3 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Protocol Impersonation | SIM Card Swap | | Carrier Billing Fraud
            Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Rundll32 1 | LSA Secrets | Application Window Discovery 1 | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | | Manipulate App Store Rankings or Ratings
            Replication Through Removable Media | Launchd | Rc.common | Rc.common | Software Packing 2 | Cached Domain Credentials | Account Discovery 1 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | | Abuse Accessibility Features
            External Remote Services | Scheduled Task | Startup Items | Startup Items | Timestomp 1 | DCSync | System Owner/User Discovery 1 | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | | Data Encrypted for Impact
            Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | Indicator Removal from Tools | Proc Filesystem | File and Directory Discovery 1 | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | | Generate Fraudulent Advertising Revenue
            Exploit Public-Facing Application | PowerShell | At (Linux) | At (Linux) | Masquerading | /etc/passwd and /etc/shadow | System Information Discovery 3 5 | Software Deployment Tools | Data Staged | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | Web Protocols | Rogue Cellular Base Station | | Data Destruction
            Digits after a technique name are the matrix's signature-count badges (one digit per badge); techniques without a badge are the matrix template and were not observed for this sample.

            Behavior Graph

            Behavior Graph ID: 492503, Sample: DC2zX44MQr, Start date: 28/09/2021, Architecture: WINDOWS, Score: 100

            Signatures on the sample: Antivirus detection for dropped file; Antivirus / Scanner detection for submitted sample; Multi AV Scanner detection for submitted file; 3 other signatures

            Process tree as drawn in the graph (node badges kept in brackets):
            loaddll64.exe [1] (started)
              rundll32.exe (started); signatures: Changes memory attributes in foreign processes to executable or writable; Uses Atom Bombing / ProGate to inject into other processes; Queues an APC in another process (thread injection)
                explorer.exe [2 61] (injected); signature: Benign windows process drops PE files; dropped: C:\Users\user\AppData\Local\...\WINSTA.dll, PE32+; C:\Users\user\AppData\Local\xlPP\wer.dll, PE32+; C:\Users\user\AppData\Local\...\VERSION.dll, PE32+; 17 other files (5 malicious)
                  EaseOfAccessDialog.exe (started)
                  Utilman.exe (started)
                  RdpSa.exe (started)
                  11 other processes
              cmd.exe [1] (started)
                rundll32.exe (started)
              rundll32.exe (started)
              rundll32.exe (started)


            Antivirus, Machine Learning and Genetic Malware Detection

            Initial Sample

            Source | Detection | Scanner | Label
            DC2zX44MQr.dll | 68% | Virustotal |
            DC2zX44MQr.dll | 80% | ReversingLabs | Win64.Infostealer.Dridex
            DC2zX44MQr.dll | 100% | Avira | HEUR/AGEN.1114452
            DC2zX44MQr.dll | 100% | Joe Sandbox ML |

            Dropped Files

            Source | Detection | Scanner | Label
            C:\Users\user\AppData\Local\sBx0fm\VERSION.dll | 100% | Avira | TR/Crypt.ZPACK.Gen
            C:\Users\user\AppData\Local\xlPP\wer.dll | 100% | Avira | HEUR/AGEN.1114452
            C:\Users\user\AppData\Local\pZCYq8TUy\credui.dll | 100% | Avira | HEUR/AGEN.1114452
            C:\Users\user\AppData\Local\zLYZkwYH\WINSTA.dll | 100% | Avira | TR/Crypt.ZPACK.Gen
            C:\Users\user\AppData\Local\EwdQnyo\DUI70.dll | 100% | Avira | HEUR/AGEN.1114452
            C:\Users\user\AppData\Local\EwdQnyo\DUI70.dll | 100% | Avira | HEUR/AGEN.1114452
            C:\Users\user\AppData\Local\bQkmObl\WTSAPI32.dll | 100% | Avira | TR/Crypt.ZPACK.Gen
            C:\Users\user\AppData\Local\EwdQnyo\DUI70.dll | 100% | Avira | HEUR/AGEN.1114452
            C:\Users\user\AppData\Local\mJLa\MFC42u.dll | 100% | Avira | TR/Crypt.ZPACK.Gen
            C:\Users\user\AppData\Local\rm4w0\OLEACC.dll | 100% | Avira | TR/Crypt.ZPACK.Gen
            C:\Users\user\AppData\Local\sBx0fm\VERSION.dll | 100% | Joe Sandbox ML |
            C:\Users\user\AppData\Local\xlPP\wer.dll | 100% | Joe Sandbox ML |
            C:\Users\user\AppData\Local\pZCYq8TUy\credui.dll | 100% | Joe Sandbox ML |
            C:\Users\user\AppData\Local\zLYZkwYH\WINSTA.dll | 100% | Joe Sandbox ML |
            C:\Users\user\AppData\Local\EwdQnyo\DUI70.dll | 100% | Joe Sandbox ML |
            C:\Users\user\AppData\Local\EwdQnyo\DUI70.dll | 100% | Joe Sandbox ML |
            C:\Users\user\AppData\Local\bQkmObl\WTSAPI32.dll | 100% | Joe Sandbox ML |
            C:\Users\user\AppData\Local\EwdQnyo\DUI70.dll | 100% | Joe Sandbox ML |
            C:\Users\user\AppData\Local\mJLa\MFC42u.dll | 100% | Joe Sandbox ML |
            C:\Users\user\AppData\Local\rm4w0\OLEACC.dll | 100% | Joe Sandbox ML |
            C:\Users\user\AppData\Local\EwdQnyo\DmNotificationBroker.exe | 0% | Virustotal |
            C:\Users\user\AppData\Local\EwdQnyo\DmNotificationBroker.exe | 0% | Metadefender |
            C:\Users\user\AppData\Local\EwdQnyo\DmNotificationBroker.exe | 0% | ReversingLabs |
            C:\Users\user\AppData\Local\KbLvcSLVf\Utilman.exe | 0% | Metadefender |
            C:\Users\user\AppData\Local\KbLvcSLVf\Utilman.exe | 0% | ReversingLabs |
            C:\Users\user\AppData\Local\WkAB\PasswordOnWakeSettingFlyout.exe | 0% | Metadefender |
            C:\Users\user\AppData\Local\WkAB\PasswordOnWakeSettingFlyout.exe | 0% | ReversingLabs |
            C:\Users\user\AppData\Local\bQkmObl\RDVGHelper.exe | 0% | Metadefender |
            C:\Users\user\AppData\Local\bQkmObl\RDVGHelper.exe | 0% | ReversingLabs |
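The pattern in the dropped-files table is DLL side-loading: each randomly named %LOCALAPPDATA% directory holds a Windows executable that no scanner flags (0%) next to a 100%-detected DLL carrying the name of a System32 DLL that the executable imports, so the copied binary loads the malicious DLL from its own directory ahead of System32. The three DUI70.dll copies listed under Created / dropped Files also share one size (1523712 bytes) while having three different MD5s. The Python below is an added triage example, not code from the Joe Sandbox report, that flags both patterns in a dropped-file inventory. The inventory is constructed from the report's own paths, sizes and hashes plus two invented control entries; the System32 name sets are an assumption standing in for a listing generated on the host itself.

```python
"""
Triage a dropped-file inventory for DLL side-loading and per-drop polymorphism.

Added example, not code from the Joe Sandbox report. INVENTORY is constructed
from the report's dropped-file entries (paths, sizes, MD5s); the entries marked
'constructed control' are invented. SYSTEM32_EXES / SYSTEM32_DLLS are an
assumption standing in for a name list generated from the host's System32.
"""
from collections import defaultdict
from dataclasses import dataclass
from pathlib import PureWindowsPath


@dataclass(frozen=True)
class DroppedFile:
    path: str
    size: int
    md5: str


INVENTORY = [
    # From the report: user-writable %LOCALAPPDATA% directories with random names.
    DroppedFile(r"C:\Users\user\AppData\Local\EwdQnyo\DUI70.dll", 1523712,
                "C63D9096C976C275357356F7A08F8CDE"),
    DroppedFile(r"C:\Users\user\AppData\Local\EwdQnyo\DmNotificationBroker.exe", 32256,
                "1643D5735213BC89C0012F0E48253765"),
    DroppedFile(r"C:\Users\user\AppData\Local\KbLvcSLVf\DUI70.dll", 1523712,
                "1B515CB5B54D379E258F3BE018F2DCC5"),
    DroppedFile(r"C:\Users\user\AppData\Local\KbLvcSLVf\Utilman.exe", 98304,
                "C91CCEF3884CFDE746B4BAEF5F1BC75C"),
    DroppedFile(r"C:\Users\user\AppData\Local\WkAB\DUI70.dll", 1523712,
                "0E2C09A45BC0ED953B1A20E3DDD9D186"),
    # Constructed controls: an ordinary app bundle, and a lone DLL with no host EXE.
    DroppedFile(r"C:\Users\user\AppData\Local\SomeApp\SomeApp.exe", 4096,
                "00000000000000000000000000000001"),
    DroppedFile(r"C:\Users\user\AppData\Local\SomeApp\helper.dll", 2048,
                "00000000000000000000000000000002"),
    DroppedFile(r"C:\Users\user\AppData\Local\Temp\VERSION.dll", 1024,
                "00000000000000000000000000000003"),
]

# Assumed stand-in for a host-generated System32 listing (lower-case names only).
SYSTEM32_EXES = {"utilman.exe", "easeofaccessdialog.exe", "devicepairingwizard.exe",
                 "wermgr.exe", "mstsc.exe", "rdpsa.exe", "dmnotificationbroker.exe",
                 "passwordonwakesettingflyout.exe", "rdvghelper.exe"}
SYSTEM32_DLLS = {"dui70.dll", "version.dll", "winsta.dll", "credui.dll", "oleacc.dll",
                 "mfc42u.dll", "wtsapi32.dll", "wer.dll"}


def find_sideload_candidates(files, exes=SYSTEM32_EXES, dlls=SYSTEM32_DLLS):
    """Directories where a System32-named EXE sits beside a System32-named DLL.
    The pairing is the signal: a copied Windows binary resolves the DLL by name
    from its own directory before System32, so the DLL runs under the EXE's
    identity. A lone DLL or a lone EXE is not reported."""
    by_dir = defaultdict(lambda: {"exe": [], "dll": []})
    for f in files:
        p = PureWindowsPath(f.path)
        name = p.name.lower()
        if name in exes:
            by_dir[str(p.parent)]["exe"].append(p.name)
        elif name in dlls:
            by_dir[str(p.parent)]["dll"].append(p.name)
    return [{"dir": d, "exe": v["exe"], "dll": v["dll"]}
            for d, v in sorted(by_dir.items()) if v["exe"] and v["dll"]]


def find_polymorphic_copies(files):
    """Same file name and size dropped in several directories with different
    hashes: consistent with a loader that re-hashes every copy it writes, which
    is why hash-only blocklists miss the later drops. Returns {name: hash count}."""
    hashes = defaultdict(set)
    for f in files:
        key = (PureWindowsPath(f.path).name.lower(), f.size)
        hashes[key].add(f.md5.lower())
    return {name: len(h) for (name, _size), h in hashes.items() if len(h) > 1}


if __name__ == "__main__":
    for cand in find_sideload_candidates(INVENTORY):
        print("side-load candidate:", cand)
    print("polymorphic copies:", find_polymorphic_copies(INVENTORY))
```

On the constructed inventory this reports the EwdQnyo and KbLvcSLVf directories (the WkAB copy of DUI70.dll has no EXE in the inventory, and the SomeApp and Temp controls do not pair System32 names) and three distinct hashes for dui70.dll at 1523712 bytes. Name-matching on its own produces false positives for legitimate applications that ship redistributable DLLs whose names also exist in System32, so in practice the candidate list is a starting point for comparing each DLL against the System32 copy (hash, version resource, signature) rather than a verdict.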

            Unpacked PE Files

            Source | Detection | Scanner | Label
            33.2.EaseOfAccessDialog.exe.140000000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
            3.2.rundll32.exe.140000000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
            19.2.DmNotificationBroker.exe.140000000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
            6.2.rundll32.exe.140000000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
            38.2.wermgr.exe.140000000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
            0.2.loaddll64.exe.140000000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
            25.2.RdpSa.exe.140000000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
            40.2.mstsc.exe.140000000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
            35.2.DevicePairingWizard.exe.140000000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
            2.2.rundll32.exe.140000000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
            8.2.rundll32.exe.140000000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
            28.2.Utilman.exe.140000000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen

            Domains

            No Antivirus matches

            URLs

            No Antivirus matches

            Domains and IPs

            Contacted Domains

            No contacted domains info

            URLs from Memory and Binaries

              Name | Source | Malicious | Antivirus Detection | Reputation
              http://www.autoitscript.com/autoit3/J | explorer.exe, 00000005.00000000.301625315.0000000006840000.00000004.00000001.sdmp | false | | high

              Contacted IPs

              No contacted IP infos

              General Information

              Joe Sandbox Version:33.0.0 White Diamond
              Analysis ID:492503
              Start date:28.09.2021
              Start time:19:13:08
              Joe Sandbox Product:CloudBasic
              Overall analysis duration:0h 14m 18s
              Hypervisor based Inspection enabled:false
              Report type:light
              Sample file name:DC2zX44MQr (renamed file extension from none to dll)
              Cookbook file name:default.jbs
              Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
              Number of new started processes analysed:41
              Number of new started drivers analysed:0
              Number of existing processes analysed:0
              Number of existing drivers analysed:0
              Number of injected processes analysed:0
              Technologies:
              • HCA enabled
              • EGA enabled
              • HDC enabled
              • AMSI enabled
              Analysis Mode:default
              Analysis stop reason:Timeout
              Detection:MAL
              Classification:mal100.troj.evad.winDLL@45/21@0/0
              EGA Information:Failed
              HDC Information:
              • Successful, ratio: 39.2% (good quality ratio 25.9%)
              • Quality average: 52.1%
              • Quality standard deviation: 43.6%
              HCA Information:Failed
              Cookbook Comments:
              • Adjust boot time
              • Enable AMSI
              • Override analysis time to 240s for rundll32
              Warnings:
              Show All
              • Exclude process from analysis (whitelisted): MpCmdRun.exe, BackgroundTransferHost.exe, WMIADAP.exe, SgrmBroker.exe, backgroundTaskHost.exe, conhost.exe, svchost.exe, wuapihost.exe
              • Excluded IPs from analysis (whitelisted): 23.211.4.86, 20.82.209.183, 209.197.3.8, 20.199.120.85, 20.54.110.249, 40.112.88.60, 80.67.82.235, 80.67.82.211, 20.50.102.62, 20.199.120.182
              • Excluded domains from analysis (whitelisted): iris-de-prod-azsc-neu.northeurope.cloudapp.azure.com, client.wns.windows.com, fs.microsoft.com, displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, wu-shim.trafficmanager.net, neu-displaycatalogrp.useroor.bigcatalog.commerce.microsoft.com, ris-prod.trafficmanager.net, asf-ris-prod-neu.northeurope.cloudapp.azure.com, e1723.g.akamaiedge.net, ctldl.windowsupdate.com, cds.d2s7q6s2.hwcdn.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, a1449.dscg2.akamai.net, iris-de-prod-azsc-uks.uksouth.cloudapp.azure.com, arc.msn.com, ris.api.iris.microsoft.com, wns.notify.trafficmanager.net, consumer-displaycatalogrp-aks2aks-europe.md.mp.microsoft.com.akadns.net, arc.trafficmanager.net, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net, displaycatalog-rp.md.mp.microsoft.com.akadns.net
              • Not all processes were analyzed, report is missing behavior information
              • Report size exceeded maximum capacity and may have missing behavior information.
              • Report size exceeded maximum capacity and may have missing disassembly code.
              • Report size getting too big, too many NtAllocateVirtualMemory calls found.
              • Report size getting too big, too many NtEnumerateKey calls found.

              Simulations

              Behavior and APIs

              No simulations

              Joe Sandbox View / Context

              IPs

              No context

              Domains

              No context

              ASN

              No context

              JA3 Fingerprints

              No context

              Dropped Files

              No context

              Created / dropped Files

              C:\Users\user\AppData\Local\EwdQnyo\DUI70.dll
              Process:C:\Windows\explorer.exe
              File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
              Category:dropped
              Size (bytes):1523712
              Entropy (8bit):5.861496486431302
              Encrypted:false
              SSDEEP:12288:ZVI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1sr:YfP7fWsK5z9A+WGAW+V5SB6Ct4bnb
              MD5:C63D9096C976C275357356F7A08F8CDE
              SHA1:1C35F2161C931B04E8A41D42C9CD1CA76D8FE41E
              SHA-256:AF746CDAE49B2A4E18F9BCC2517DA92AD8FEED1FE1F4D96EE15B1D6E003C8852
              SHA-512:84944B6F7E59E957437EC02B3E555AC0833163DC1F19EBC0DE518AF89245310E49EF4C87396641C0B41A73E1DF352D4BA8831EDE20AD424365F4AAFC4D8C1346
              Malicious:true
              Antivirus:
              • Antivirus: Avira, Detection: 100%
              • Antivirus: Avira, Detection: 100%
              • Antivirus: Avira, Detection: 100%
              • Antivirus: Joe Sandbox ML, Detection: 100%
              • Antivirus: Joe Sandbox ML, Detection: 100%
              • Antivirus: Joe Sandbox ML, Detection: 100%
              Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............|...|...|....K.#}...'...}......{}....X.#}....f..|....g..}..*...a|.......}....N..}..*...E}..[.I.E|...'..U}....N.+}..[.K.P|..[.K./}...I.h}..u.Y.k|.......|..W"...|..b.L.t|...|...}......N|..2%...|..Rich.|..............................................................................................................PE..d.(..DN^.........." ......... ......p..........@.............................@......@lx}..b.............................................dQ...c..........h.......................$#................................................... ...............................text............................... ..`.rdata...O... ...P... ..............@..@.data....x...p.......p..............@....pdata..,...........................A..@.rsrc...............................@..@.reloc..$#.......0..................@..B.qkm....J....@.......@..............@..@.cvjb...f...
              C:\Users\user\AppData\Local\EwdQnyo\DmNotificationBroker.exe
              Process:C:\Windows\explorer.exe
              File Type:PE32+ executable (GUI) x86-64, for MS Windows
              Category:dropped
              Size (bytes):32256
              Entropy (8bit):5.250876383836324
              Encrypted:false
              SSDEEP:768:ghunFhykO4aAvnsvpzte5+Ql0/iqmjjn:58kO4asshu+Q+/Ojjn
              MD5:1643D5735213BC89C0012F0E48253765
              SHA1:D076D701929F1F269D34C8FD7BD1BAB4DAF42A9D
              SHA-256:4176FA24D56BB870316D07BD7211BC8A797394F77DCC12B35FFEBAA0326525D2
              SHA-512:F0BD45FE66EDC6F615C0125C1AE81E657CA26544544769651AB0623DD3C724F96D9D78835EF6B1D15083D1BB9D501F6DC48487DDA5C361CAFA96022D5F33A43F
              Malicious:false
              Antivirus:
              • Antivirus: Virustotal, Detection: 0%, Browse
              • Antivirus: Metadefender, Detection: 0%, Browse
              • Antivirus: ReversingLabs, Detection: 0%
              Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........j.?H..lH..lH..lAs.lT..l'o.mJ..l'o.m[..lH..l...l'o.mC..l'o.mA..l'o.mA..l'ohlI..l'o.mI..lRichH..l........................PE..d................."......*...V.......&.........@....................................n3............... .......................................x.......... ...........................Po..T............................]...............^..p............................text....(.......*.................. ..`.imrsiv......@...........................rdata..P8...P...:..................@..@.data...(............h..............@....pdata...............j..............@..@.rsrc... ............n..............@..@.reloc...............z..............@..B................................................................................................................................................................................................................
              C:\Users\user\AppData\Local\KbLvcSLVf\DUI70.dll
              Process:C:\Windows\explorer.exe
              File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
              Category:dropped
              Size (bytes):1523712
              Entropy (8bit):5.861475842348347
              Encrypted:false
              SSDEEP:12288:5VI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ12Bh:4fP7fWsK5z9A+WGAW+V5SB6Ct4bnb2
              MD5:1B515CB5B54D379E258F3BE018F2DCC5
              SHA1:448821262C4B6775152F3D1FC3F70A125A7A4A78
              SHA-256:65E9D5DC7D6ECAB9FEB419B641726C56772C951270750ECC51317C305AB62CAC
              SHA-512:5A0A16531FFEE2A563933EE571C913D1EF2557D3C57EC177D27F8798438062C828EC7D4BFACD32E315F5D150239A3029B67C1B99D6B391461F3C1E6E88E6A7EB
              Malicious:false
              Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............|...|...|....K.#}...'...}......{}....X.#}....f..|....g..}..*...a|.......}....N..}..*...E}..[.I.E|...'..U}....N.+}..[.K.P|..[.K./}...I.h}..u.Y.k|.......|..W"...|..b.L.t|...|...}......N|..2%...|..Rich.|..............................................................................................................PE..d.(..DN^.........." ......... ......p..........@.............................@......@lx}..b.............................................dQ...c..........h.......................$#................................................... ...............................text............................... ..`.rdata...O... ...P... ..............@..@.data....x...p.......p..............@....pdata..,...........................A..@.rsrc...............................@..@.reloc..$#.......0..................@..B.qkm....J....@.......@..............@..@.cvjb...f...
              C:\Users\user\AppData\Local\KbLvcSLVf\Utilman.exe
              Process:C:\Windows\explorer.exe
              File Type:PE32+ executable (GUI) x86-64, for MS Windows
              Category:dropped
              Size (bytes):98304
              Entropy (8bit):5.996546491031358
              Encrypted:false
              SSDEEP:1536:3bo99g4+4G8mMM+nCA+o6UJMUHznV80KCt1p7Gx:LXH4GvNKAUHR80KCt/G
              MD5:C91CCEF3884CFDE746B4BAEF5F1BC75C
              SHA1:9A7E17BA64FE1842E904D4019D9BB9B005E61E55
              SHA-256:E6C9C88491EF6FB4B4DAFAC3276C8E2A3B2BC3C4D7825F4EAA3AC99E1801195B
              SHA-512:431754EC35871B2ED1F5E9FC621F24B6187720C0562D0ABDC9232A063DA1E8419A07CDC1740A3B433A80BA15FF25F0EAE0E5B331985A7B8ABC9CE8E73CBC210E
              Malicious:false
              Antivirus:
              • Antivirus: Metadefender, Detection: 0%, Browse
              • Antivirus: ReversingLabs, Detection: 0%
              Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......D.....@..@..@..8@..@o..A..@o..A..@o..A..@o..A..@..@4.@o..A..@o.T@..@o..A..@Rich..@................PE..d....0..........."............................@....................................R................ .......................................L..,.......x.......................d...p...T............................................................................text............................... ..`.imrsiv..................................rdata...x.......z..................@..@.data................P..............@....pdata...............Z..............@..@.rsrc...x............d..............@..@.reloc..d............~..............@..B........................................................................................................................................................................................................................
              C:\Users\user\AppData\Local\WkAB\DUI70.dll
              Process:C:\Windows\explorer.exe
              File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
              Category:dropped
              Size (bytes):1523712
              Entropy (8bit):5.861361447985384
              Encrypted:false
              SSDEEP:12288:cVI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1m5:pfP7fWsK5z9A+WGAW+V5SB6Ct4bnb
              MD5:0E2C09A45BC0ED953B1A20E3DDD9D186
              SHA1:80317AB8392B224A9091359C0A16DA40D35053F5
              SHA-256:2E2F9B6F590F13C1834BA38AFFE06DAA48AA7A0994EEE493D5011B336B0CC6A9
              SHA-512:9F9EA4D4E62D0863212B227B2DF45BFD751D43BC5E674BADD730DDB1FD0E67AC9F99D0B4F8B209B0B4AA73467DDCEB29075E6BEFA7C9620A3CA056E00DD0C8F5
              Malicious:false
              C:\Users\user\AppData\Local\WkAB\PasswordOnWakeSettingFlyout.exe
              Process:C:\Windows\explorer.exe
              File Type:PE32+ executable (GUI) x86-64, for MS Windows
              Category:dropped
              Size (bytes):43472
              Entropy (8bit):6.224421457593777
              Encrypted:false
              SSDEEP:768:+pH9d9NT4uJO0qK/lEbrDGe2gfBTDxxsg652PIBmRncHiDgcZd3cxe1PIc:EzNT4GpHaTDvst2gmRnVdZVcgPIc
              MD5:F0C8675F98E397383A112CC8ED5B97DA
              SHA1:644A87D9CEE0BC576402573224F6695AA45196D3
              SHA-256:0E9C85E4833BB1BF45CB66AA3B021A2CDA6074333C2217F8FFB5360B63719374
              SHA-512:ABF6B2BB5BB48C1C2E54C01656D3C448E8CD4159686F285D67CFF805A757FFAF6B0D7D9DD579786B739AD90ECB1FB6D43A181CBEBBC27FEA3504D48B61C10A5C
              Malicious:false
              Antivirus:
              • Antivirus: Metadefender, Detection: 0%
              • Antivirus: ReversingLabs, Detection: 0%
              C:\Users\user\AppData\Local\bQkmObl\RDVGHelper.exe
              Process:C:\Windows\explorer.exe
              File Type:PE32+ executable (GUI) x86-64, for MS Windows
              Category:dropped
              Size (bytes):107008
              Entropy (8bit):6.213211715541241
              Encrypted:false
              SSDEEP:1536:jZPv9YEIT8g15BZNWNBWNK5/FzUJmufD6o6ffv+Difx1P4dirH+Z3sUS+CvilU/s:lPBLBBbWDwff22J1Puq+y+HUk
              MD5:0BF1E2262C95164A0B244174167FBD85
              SHA1:81BD08AD31BF2665F298406F843924588BB7606B
              SHA-256:6B35C354C480D232A96EF73EABA268EF7D94F30A3D3A1161B69081B048A27E29
              SHA-512:FD01664A377359E72A67F52E8DFFDD237E24F8ACC158B3A478F71CAAC1CE2EDDB19B15E1FC66CB73E77DDED564D6A98FD3064BDA20419D8C949505457721BF5C
              Malicious:false
              Antivirus:
              • Antivirus: Metadefender, Detection: 0%
              • Antivirus: ReversingLabs, Detection: 0%
              C:\Users\user\AppData\Local\bQkmObl\WTSAPI32.dll
              Process:C:\Windows\explorer.exe
              File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
              Category:dropped
              Size (bytes):1241088
              Entropy (8bit):5.503813896207835
              Encrypted:false
              SSDEEP:12288:hVI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1:QfP7fWsK5z9A+WGAW+V5SB6Ct4bnb
              MD5:F2A29CC94479DC03351404004C40E18A
              SHA1:778E570E30ABD2DCAEFEDCC2D24F35F81D56AC5E
              SHA-256:BB734D97EF436A89FC93C426141CDE1A5A73C73B7E10CBEB667105C44823CA5E
              SHA-512:7758DDA6DC6D6E1AE63A6F7D84C1EBA50470DAD48052A4AA7609BDF4AB33BF5253FB7368F0A78747F78D19F4D77E0ACD7DE9DE53B42C3863159513ABB031988A
              Malicious:true
              Antivirus:
              • Antivirus: Avira, Detection: 100%
              • Antivirus: Joe Sandbox ML, Detection: 100%
              C:\Users\user\AppData\Local\mJLa\DevicePairingWizard.exe
              Process:C:\Windows\explorer.exe
              File Type:PE32+ executable (GUI) x86-64, for MS Windows
              Category:dropped
              Size (bytes):92160
              Entropy (8bit):5.664138088677901
              Encrypted:false
              SSDEEP:1536:D/BmrFjio5/vzDSPwiEKi3xGyibqZ3qOT3:9mp5SwiEKWZiTo3
              MD5:E23643C785D498FF73B5C9D7EA173C3D
              SHA1:56296F1D29FC2DCBFAA1D991C87B10968C6D3882
              SHA-256:40F423488FC0C13DED29109F8CC1C0D2CCE52ECB1BD01939EF774FE31014E0F4
              SHA-512:22E29A06F19E2DA941A707B8DA7115E0F5962617295CC36395A8E9B2A98F0239B6519B4BF4AB1DC671DEF8CD558E8F59F4E50C63130D392D1E085BBF6B710914
              Malicious:false
              C:\Users\user\AppData\Local\mJLa\MFC42u.dll
              Process:C:\Windows\explorer.exe
              File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
              Category:dropped
              Size (bytes):1265664
              Entropy (8bit):5.5179792497477465
              Encrypted:false
              SSDEEP:12288:0VI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1hBB:xfP7fWsK5z9A+WGAW+V5SB6Ct4bnb7
              MD5:ACAA18F0CA1472EBA6752C43A76F63D4
              SHA1:1BD14A5CB0788853667F25EE5DC84DBABFB1E69A
              SHA-256:7BBCEA1DD21373D8A86FD2A6048971967CA3E410A7D5799222474DF7A97D66AB
              SHA-512:FA56F548843551898F932B285D83ED3238138F246E0FA642EC6719C5886DDF4B71A1D65A04707EA0301B767543CB8C8EA3DAA478C98D4039B5FAB35183B0E57B
              Malicious:true
              Antivirus:
              • Antivirus: Avira, Detection: 100%
              • Antivirus: Joe Sandbox ML, Detection: 100%
              C:\Users\user\AppData\Local\pZCYq8TUy\credui.dll
              Process:C:\Windows\explorer.exe
              File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
              Category:dropped
              Size (bytes):1241088
              Entropy (8bit):5.497178010630534
              Encrypted:false
              SSDEEP:12288:kVI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1:BfP7fWsK5z9A+WGAW+V5SB6Ct4bnb
              MD5:092BC1900DB5A3970E41A4A850EC783E
              SHA1:D89437CB8A48260E34A0D0C44768F7662CAEB2F4
              SHA-256:F151BAEF206217841A78357977495815717409F349365DB9FFD4DB6166E83CDD
              SHA-512:414B9DFE04E94B275A48EFE03DA688A0AAF80B0DFF9B461A29C92E4D8E5799371A937F5B13F520B16ABD465E29F1D38713DB1C825F4BB282CC9BAF1868C6F51B
              Malicious:true
              Antivirus:
              • Antivirus: Avira, Detection: 100%
              • Antivirus: Joe Sandbox ML, Detection: 100%
              C:\Users\user\AppData\Local\pZCYq8TUy\mstsc.exe
              Process:C:\Windows\explorer.exe
              File Type:PE32+ executable (GUI) x86-64, for MS Windows
              Category:dropped
              Size (bytes):3640832
              Entropy (8bit):5.884402821447862
              Encrypted:false
              SSDEEP:98304:q8yNOTNEpZxGb+ZPgN6tYDNBMe+8noqvEYw0n2WFfZT+xgsLOsMg:q8yNOTNEpZxk+ZIN6tYDNBMe+8noqvEB
              MD5:3FBB5CD8829E9533D0FF5819DB0444C0
              SHA1:A4A6E4E50421E57EA4745BA44568B107A9369447
              SHA-256:043870DBAB955C1851E1710D941495357383A08F3F30DD3E3A1945583A85E0CA
              SHA-512:349459CCF4DDFB0B05B066869C99088BA3012930D5BBC3ED1C9E4CF6400687B1EFE698C5B1734BF6FF299F6C65DD7A71A2709D3773E9E96F6FDE659F5D883F48
              Malicious:false
              C:\Users\user\AppData\Local\rm4w0\EaseOfAccessDialog.exe
              Process:C:\Windows\explorer.exe
              File Type:PE32+ executable (GUI) x86-64, for MS Windows
              Category:dropped
              Size (bytes):304640
              Entropy (8bit):6.843015704242449
              Encrypted:false
              SSDEEP:6144:E/Odkrq1AlGra6uFz2LJGRg4kLNnei36cw:As5+FCdUc
              MD5:F87F2E5EBF3FFBA39DF1621B5F8689B5
              SHA1:B4E358BF1BE0DF6D341CA1BC949867D94F13EC07
              SHA-256:06780477637707BEA6317AE81D059A4D75B101542ADFA6DC855287EAEDFC822A
              SHA-512:6E8D60C17396260791898A2914422AFFF2921A4C3D924F56C83ED117B683D3F3AEFB15E234600F3B5375A47C0C6A13F6160B0638CA91663D29DC56067EB5E5B7
              Malicious:false
              C:\Users\user\AppData\Local\rm4w0\OLEACC.dll
              Process:C:\Windows\explorer.exe
              File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
              Category:dropped
              Size (bytes):1241088
              Entropy (8bit):5.496643926580779
              Encrypted:false
              SSDEEP:12288:QVI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1:VfP7fWsK5z9A+WGAW+V5SB6Ct4bnb
              MD5:D3FE50240DC0CB29FD1626AD60D27A33
              SHA1:4CDC09987F4ED88D1A133E384A150AA6B079A9A0
              SHA-256:7AEAAA41996A44EA2A028D695DF30580802B65D8D4B9A3FB26CAE91EFA00E3CF
              SHA-512:70903C4596F5AE1CE905E3CACCCAB75F82A5148766CD002ED4414C63179CDECB34898DF791FF439BB56F20571453057CCB443F93B19A9101D6E3C7FCF7C7905F
              Malicious:true
              Antivirus:
              • Antivirus: Avira, Detection: 100%
              • Antivirus: Joe Sandbox ML, Detection: 100%
              C:\Users\user\AppData\Local\sBx0fm\VERSION.dll
              Process:C:\Windows\explorer.exe
              File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
              Category:dropped
              Size (bytes):1241088
              Entropy (8bit):5.4946364596901
              Encrypted:false
              SSDEEP:12288:RVI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1:gfP7fWsK5z9A+WGAW+V5SB6Ct4bnb
              MD5:5361D083DFF1152C4481BAA13FFA6689
              SHA1:68DACC124F275798E5511A815304311F4CC17014
              SHA-256:67DB65C41FEFBE51F18ED9F1A8C6BC09BDEEE7D5507F82446CFA5B7EB8E83F8F
              SHA-512:D500FB3985B472D0AC44A1E78D855FD52CBD5607063D5D451F3DEBA1B6D26FA486B90289E71847D0E3E6F1ECBFD374740656FF3DFB94765FCD092EE0CB64FC85
              Malicious:true
              Antivirus:
              • Antivirus: Avira, Detection: 100%
              • Antivirus: Joe Sandbox ML, Detection: 100%
              C:\Users\user\AppData\Local\sBx0fm\psr.exe
              Process:C:\Windows\explorer.exe
              File Type:PE32+ executable (GUI) x86-64, for MS Windows
              Category:dropped
              Size (bytes):600576
              Entropy (8bit):6.4861677167766665
              Encrypted:false
              SSDEEP:12288:B2mS50ICmAX+ASa8wd9Nkmw6cD8pellpco//EH1:B2mlmeFSa8wd9NStApeCoXEH
              MD5:3B8262EB45E790BF7FA648CEE2CCCB7B
              SHA1:EDDD81D1B3FD2EE99E42A43B25BD74D39BB850BC
              SHA-256:D1225E9FD2834BD2EF84EADAA4126020D20F4A0F50321440190C3896E69BD5D8
              SHA-512:A3709D39372CDB6D9C9E58932144CE8BA437C2134EFC9BCD2531708C1515CBAEA5929C220DF25D76785F7594BC5F8541E6ED5330EA3CA12E87C4DA5A2171C435
              Malicious:false
              C:\Users\user\AppData\Local\xlPP\wer.dll
              Process:C:\Windows\explorer.exe
              File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
              Category:dropped
              Size (bytes):1245184
              Entropy (8bit):5.502578344059862
              Encrypted:false
              SSDEEP:12288:8VI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1:JfP7fWsK5z9A+WGAW+V5SB6Ct4bnb
              MD5:9E94BC8A0688A10E6CEA3FD9A924C09E
              SHA1:11342B809DF3914361510FE0FE1734804CA268DB
              SHA-256:7984FB0BE2E6A704A2C2299A0519AA14A3CB475B95DEC8C836D054FB8783984A
              SHA-512:0A8BED06C8D8C732AF3639D5261BDDF96895521BA7C2A523B4F7377FA53CE94DF06F2AAD9B47E1B0619A320462BD487DFC32194869E72E0F81FBE822690129DA
              Malicious:true
              Antivirus:
              • Antivirus: Avira, Detection: 100%
              • Antivirus: Joe Sandbox ML, Detection: 100%
              C:\Users\user\AppData\Local\xlPP\wermgr.exe
              Process:C:\Windows\explorer.exe
              File Type:PE32+ executable (GUI) x86-64, for MS Windows
              Category:dropped
              Size (bytes):209312
              Entropy (8bit):6.796289498157116
              Encrypted:false
              SSDEEP:6144:swTMBboFMSuc/9NPXWPJROo/wVJyB60OHyLC7vs:swTMB02SD/mXO64c2Hyw
              MD5:FF214585BF10206E21EA8EBA202FACFD
              SHA1:1ED4AE92D235497F62610078D51105C4634AFADE
              SHA-256:C48C430EB07ACC2FF8BDDD6057F5C9F72C2E83F67478F1E4A1792AF866711538
              SHA-512:24073F60B886C58F227769B2DD7D1439DF841784E43E753265DA761801FDA58FBEEDAC4A642E0A6ABDA40A6263153FAA1A9540DF6D35E38BF0EE5327EA55B4FE
              Malicious:false
              C:\Users\user\AppData\Local\zLYZkwYH\RdpSa.exe
              Process:C:\Windows\explorer.exe
              File Type:PE32+ executable (GUI) x86-64, for MS Windows
              Category:dropped
              Size (bytes):43008
              Entropy (8bit):5.898730459072675
              Encrypted:false
              SSDEEP:768:2nweYBCOBU+khtTMstnGUEqbfynaDWVVVFZ5i7t4AYRyF:TiaU+1qDya6VV7Z5SudyF
              MD5:0795B6F790F8E52D55F39E593E9C5BBA
              SHA1:6A9991A1762AAC176E3F47AB210CC121E038E4F9
              SHA-256:DF5B698983C3F08265F2FB0B74046CD7E68568190F329C8331CCA4761256D33B
              SHA-512:72D332EBDD1B9B40E18F565DACC200E5B710A91D803D536A0CF127C74622EED12A5EC855B9040F4A1FA8A44584E4E97E7E6C490B88DB3BDAFE61EA3FBF26AB59
              Malicious:false
              C:\Users\user\AppData\Local\zLYZkwYH\WINSTA.dll
              Process:C:\Windows\explorer.exe
              File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
              Category:dropped
              Size (bytes):1245184
              Entropy (8bit):5.512898849354316
              Encrypted:false
              SSDEEP:12288:4VI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1:tfP7fWsK5z9A+WGAW+V5SB6Ct4bnb
              MD5:4CD034EF892E4ACE84DE2EDF40C5C4F8
              SHA1:6DC79223A1CBE044E2E4071A301980B19FA3C9BC
              SHA-256:3C508E30EA6B7182E35ADCBC610F7B434B658859871082F4E63F56E7F1A44E2F
              SHA-512:5D7955CBFC760BA57987ABD973CFCED4C8EFE48BD753A25357285041AEF3D4CA2159407BFAB63CE291BFBC791A098CE903E440DE39AC44822C2A5FD41D3AD70A
              Malicious:true
              Antivirus:
              • Antivirus: Avira, Detection: 100%
              • Antivirus: Joe Sandbox ML, Detection: 100%
              C:\Users\user\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-3853321935-2125563209-4053062332-1002\eb42b1a5c308fc11edf1ddbdd25c8486_d06ed635-68f6-4e9a-955c-4899f5f57b9a
              Process:C:\Windows\explorer.exe
              File Type:data
              Category:dropped
              Size (bytes):4462
              Entropy (8bit):5.486322521408924
              Encrypted:false
              SSDEEP:48:eBYynUf3KN7ms4dD24d7eDM36jhJQM4BYynU2QMR6CTj5iJWo49pYCUzMmKpH1:eusI3KN2D24ZeDkiwus3/R6WwIo6vo8V
              MD5:E6110DEC2D5794F12E28864B52AA17DF
              SHA1:35BB21C92A1977140B7EC8A0F80AC6FD1947B230
              SHA-256:48CEBC917B864CB68722E1960DDB91D86D4BBAB294CC735FD1FB834B5759E03E
              SHA-512:4E24FF2F1DAEF75435B1BF9F9D3EC1E3B2BFD1FAA4C2C2811FF518E5FA531235F07E47281A33A6D75FB363AF4A0221E512FE9CD565402FEFF1DFC1ED529D1625
              Malicious:false

              Static File Info

              General

              File type:PE32+ executable (DLL) (console) x86-64, for MS Windows
              Entropy (8bit):5.507980268942348
              TrID:
              • Win64 Dynamic Link Library (generic) (102004/3) 86.43%
              • Win64 Executable (generic) (12005/4) 10.17%
              • Generic Win/DOS Executable (2004/3) 1.70%
              • DOS Executable Generic (2002/1) 1.70%
              • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.01%
              File name:DC2zX44MQr.dll
              File size:1236992
              MD5:94f8317b419e9476120b14a29d9b05d2
              SHA1:f2b03dd4441f3808468bdbb8b26273cfb41b5298
              SHA256:2f10b593a5e04506d8050ebe39e28619199958a4f4bae0b9f3a1ee2af3d74862
              SHA512:73edd03df050bf72249dafdc8e0c71884d236e713b871c5e8ce9c825937ba1c8447ae791e39400a1d7b5af77aa5ec5d01b6db356003e9616ed7d24e7f78b24a3
              SSDEEP:12288:+VI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1:jfP7fWsK5z9A+WGAW+V5SB6Ct4bnb
              File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............|...|...|....K.#}...'...}......{}....X.#}....f..|....g..}..*...a|.......}....N..}..*...E}..[.I.E|...'..U}....N.+}..[.K.P|.

              File Icon

              Icon Hash:74f0e4ecccdce0e4

              Static PE Info

              General

              Entrypoint:0x140041070
              Entrypoint Section:.text
              Digitally signed:false
              Imagebase:0x140000000
              Subsystem:windows cui
              Image File Characteristics:EXECUTABLE_IMAGE, DLL, LARGE_ADDRESS_AWARE
              DLL Characteristics:TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA
              Time Stamp:0x5E4E44CC [Thu Feb 20 08:35:24 2020 UTC]
              TLS Callbacks:
              CLR (.Net) Version:
              OS Version Major:5
              OS Version Minor:0
              File Version Major:5
              File Version Minor:0
              Subsystem Version Major:5
              Subsystem Version Minor:0
              Import Hash:6668be91e2c948b183827f040944057f

              Entrypoint Preview

              Instruction
              dec eax
              xor eax, eax
              dec eax
              add eax, 5Ah
              dec eax
              mov dword ptr [00073D82h], ecx
              dec eax
              lea ecx, dword ptr [FFFFECABh]
              dec eax
              mov dword ptr [00073D7Ch], edx
              dec eax
              add eax, ecx
              dec esp
              mov dword ptr [00073D92h], ecx
              dec esp
              mov dword ptr [00073DA3h], ebp
              dec esp
              mov dword ptr [00073D7Ch], eax
              dec esp
              mov dword ptr [00073D85h], edi
              dec esp
              mov dword ptr [00073D86h], esi
              dec esp
              mov dword ptr [00073D8Fh], esp
              dec eax
              mov ecx, eax
              dec eax
              sub ecx, 5Ah
              dec eax
              mov dword ptr [00073D89h], esi
              dec eax
              test eax, eax
              je 00007F3530BCA48Fh
              dec eax
              mov dword ptr [00073D45h], esp
              dec eax
              mov dword ptr [00073D36h], ebp
              dec eax
              mov dword ptr [00073D7Fh], ebx
              dec eax
              mov dword ptr [00073D70h], edi
              dec eax
              test eax, eax
              je 00007F3530BCA46Eh
              jmp ecx
              dec eax
              add edi, ecx
              dec eax
              mov dword ptr [FFFFEC37h], ecx
              dec eax
              xor ecx, eax
              jmp ecx
              retn 0008h
              ud2
              int3
              int3
              int3
              int3
              int3
              int3
              int3
              int3
              int3
              int3
              int3
              int3
              int3
              push ebx
              dec eax
              sub esp, 00000080h
              mov eax, F957B016h
              mov byte ptr [esp+7Fh], 00000037h
              mov edx, dword ptr [esp+78h]
              inc ecx
              mov eax, edx
              inc ecx
              or eax, 5D262B0Ch
              inc esp
              mov dword ptr [esp+78h], eax
              dec eax
              mov dword ptr [eax+eax+00h], 00000000h

              Rich Headers

              Programming Language:
              • [LNK] VS2012 UPD4 build 61030
              • [ASM] VS2013 UPD2 build 30501
              • [ C ] VS2012 UPD2 build 60315
              • [C++] VS2013 UPD4 build 31101
              • [RES] VS2012 UPD3 build 60610
              • [LNK] VS2017 v15.5.4 build 25834
              • [ C ] VS2017 v15.5.4 build 25834
              • [ASM] VS2010 build 30319
              • [EXP] VS2015 UPD1 build 23506
              • [IMP] VS2008 SP1 build 30729
              • [RES] VS2012 UPD4 build 61030
              • [LNK] VS2012 UPD2 build 60315
              • [C++] VS2015 UPD1 build 23506
              • [ C ] VS2013 UPD4 build 31101

              Data Directories

              Name | Virtual Address | Virtual Size | Is in Section
              IMAGE_DIRECTORY_ENTRY_EXPORT | 0x12d010 | 0x19f | .xmo
              IMAGE_DIRECTORY_ENTRY_IMPORT | 0xa6390 | 0xa0 | .rdata
              IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xc0000 | 0x468 | .rsrc
              IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
              IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
              IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xc1000 | 0x2324 | .reloc
              IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
              IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
              IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
              IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
              IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
              IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
              IMAGE_DIRECTORY_ENTRY_IAT | 0x42000 | 0xc0 | .rdata
              IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
              IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
              IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

              Sections

              Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
              .text | 0x1000 | 0x40796 | 0x41000 | False | 0.776085486779 | data | 7.73364605679 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
              .rdata | 0x42000 | 0x64fcb | 0x65000 | False | 0.702262047494 | data | 7.86510283498 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
              .data | 0xa7000 | 0x178b8 | 0x18000 | False | 0.0694580078125 | data | 3.31515306295 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
              .pdata | 0xbf000 | 0x12c | 0x1000 | False | 0.06005859375 | PEX Binary Archive | 0.581723022719 | IMAGE_SCN_TYPE_DSECT, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
              .rsrc | 0xc0000 | 0x880 | 0x1000 | False | 0.139892578125 | data | 1.23838501563 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
              .reloc | 0xc1000 | 0x2324 | 0x3000 | False | 0.0498046875 | data | 4.65321444248 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
              .qkm | 0xc4000 | 0x74a | 0x1000 | False | 0.00634765625 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
              .cvjb | 0xc5000 | 0x1e66 | 0x2000 | False | 0.0037841796875 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
              .tlmkv | 0xc7000 | 0xbde | 0x1000 | False | 0.00634765625 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
              .wucsxe | 0xc8000 | 0x45174 | 0x46000 | False | 0.0010498046875 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
              .wnx | 0x10e000 | 0x8fe | 0x1000 | False | 0.00634765625 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
              .weqy | 0x10f000 | 0x8fe | 0x1000 | False | 0.00634765625 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
              .yby | 0x110000 | 0x1278 | 0x2000 | False | 0.0037841796875 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
              .ormx | 0x112000 | 0xbde | 0x1000 | False | 0.00634765625 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
              .dhclu | 0x113000 | 0x23b | 0x1000 | False | 0.00634765625 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
              .xmiul | 0x114000 | 0x23b | 0x1000 | False | 0.00634765625 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
              .tlwcxe | 0x115000 | 0x13e | 0x1000 | False | 0.00634765625 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
              .get | 0x116000 | 0xbde | 0x1000 | False | 0.00634765625 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
              .hzrd | 0x117000 | 0x1124 | 0x2000 | False | 0.0037841796875 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
              .qzu | 0x119000 | 0x736 | 0x1000 | False | 0.00634765625 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
              .nhglos | 0x11a000 | 0x1af | 0x1000 | False | 0.00634765625 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
              .itzo | 0x11b000 | 0x23b | 0x1000 | False | 0.00634765625 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
              .nmsaom | 0x11c000 | 0x23b | 0x1000 | False | 0.00634765625 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
              .rvhi | 0x11d000 | 0x1af | 0x1000 | False | 0.00634765625 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
              .ucrzce | 0x11e000 | 0x389 | 0x1000 | False | 0.00634765625 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
              .ijc | 0x11f000 | 0xbf6 | 0x1000 | False | 0.00634765625 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
              .ohvs | 0x120000 | 0x13e | 0x1000 | False | 0.00634765625 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
              .rlvrc | 0x121000 | 0x1ee | 0x1000 | False | 0.00634765625 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
              .yjv | 0x122000 | 0xbde | 0x1000 | False | 0.00634765625 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
              .clbcyy | 0x123000 | 0x13e | 0x1000 | False | 0.00634765625 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
              .xcyn | 0x124000 | 0x8fe | 0x1000 | False | 0.00634765625 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
              .boqx | 0x125000 | 0x389 | 0x1000 | False | 0.00634765625 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
              .rnlia | 0x126000 | 0x389 | 0x1000 | False | 0.00634765625 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
              .ctip | 0x127000 | 0x5a7 | 0x1000 | False | 0.00634765625 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
              .fkv | 0x128000 | 0x1124 | 0x2000 | False | 0.0037841796875 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
              .pczrv | 0x12a000 | 0x23b | 0x1000 | False | 0.00634765625 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
              .ibglr | 0x12b000 | 0x3fe | 0x1000 | False | 0.00634765625 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
              .uirkq | 0x12c000 | 0x3ba | 0x1000 | False | 0.00634765625 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
              .xmo | 0x12d000 | 0x1af | 0x1000 | False | 0.070068359375 | data | 0.884469413236 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

              Resources

              Name | RVA | Size | Type | Language | Country
              RT_VERSION | 0xc00a0 | 0x370 | data | English | United States
              RT_MANIFEST | 0xc0410 | 0x56 | ASCII text, with CRLF line terminators | English | United States

              Imports

              DLL | Import
              USER32.dll | LookupIconIdFromDirectoryEx, WaitForInputIdle, GetParent, GetFocus
              SETUPAPI.dll | CM_Get_Resource_Conflict_DetailsW
              KERNEL32.dll | DeleteCriticalSection, DeleteTimerQueue, TerminateJobObject, GetFileInformationByHandle, GetThreadLocale, GetNamedPipeServerProcessId, GetConsoleFontSize
              GDI32.dll | CreateBitmapIndirect, GetPolyFillMode
              CRYPT32.dll | CertGetCTLContextProperty
              ADVAPI32.dll | AddAccessDeniedObjectAce
              SHLWAPI.dll | ChrCmpIW

              Exports

              Name | Ordinal | Address
              DisplaySYSDMCPL | 1 | 0x1400186ec
              EditEnvironmentVariables | 2 | 0x140014580
              EditUserProfiles | 3 | 0x140001768
              EnableExecuteProtectionSupportW | 4 | 0x140037da0
              ModifyExecuteProtectionSupportW | 5 | 0x140030704
              NoExecuteAddFileOptOutList | 6 | 0x14002a1c0
              NoExecuteAddFileOptOutListW | 7 | 0x140035ddc
              NoExecuteProcessExceptionW | 8 | 0x1400164c4
              NoExecuteRemoveFileOptOutList | 9 | 0x140015998
              NoExecuteRemoveFileOptOutListW | 10 | 0x14001a104

              Version Infos

              Description | Data
              LegalCopyright | Microsoft Corporation. All rights reserv
              InternalName | bitsp
              FileVersion | 7.5.7600.16385 (win7_rtm.090713-
              CompanyName | Microsoft Corporati
              ProductName | Microsoft Windows Operating S
              ProductVersion | 6.1.7600
              FileDescription | Background Intellig
              OriginalFilename | kbdy
              Translation | 0x0409 0x04b0

              Possible Origin

              Language of compilation system | Country where language is spoken
              English | United States

              Network Behavior

              Network Port Distribution

              UDP Packets

              Timestamp | Source Port | Dest Port | Source IP | Dest IP
              Sep 28, 2021 19:14:14.984349012 CEST | 60338 | 53 | 192.168.2.7 | 8.8.8.8
              Sep 28, 2021 19:14:15.018414021 CEST | 53 | 60338 | 8.8.8.8 | 192.168.2.7
              Sep 28, 2021 19:14:31.646061897 CEST | 58717 | 53 | 192.168.2.7 | 8.8.8.8
              Sep 28, 2021 19:14:31.671478033 CEST | 53 | 58717 | 8.8.8.8 | 192.168.2.7
              Sep 28, 2021 19:14:52.503011942 CEST | 59762 | 53 | 192.168.2.7 | 8.8.8.8
              Sep 28, 2021 19:14:52.521750927 CEST | 53 | 59762 | 8.8.8.8 | 192.168.2.7
              Sep 28, 2021 19:14:55.160108089 CEST | 54329 | 53 | 192.168.2.7 | 8.8.8.8
              Sep 28, 2021 19:14:55.179826021 CEST | 53 | 54329 | 8.8.8.8 | 192.168.2.7
              Sep 28, 2021 19:14:55.268310070 CEST | 58052 | 53 | 192.168.2.7 | 8.8.8.8
              Sep 28, 2021 19:14:55.312179089 CEST | 53 | 58052 | 8.8.8.8 | 192.168.2.7
              Sep 28, 2021 19:14:56.556112051 CEST | 54008 | 53 | 192.168.2.7 | 8.8.8.8
              Sep 28, 2021 19:14:56.575474977 CEST | 53 | 54008 | 8.8.8.8 | 192.168.2.7
              Sep 28, 2021 19:14:57.998117924 CEST | 59451 | 53 | 192.168.2.7 | 8.8.8.8
              Sep 28, 2021 19:14:58.017493010 CEST | 53 | 59451 | 8.8.8.8 | 192.168.2.7
              Sep 28, 2021 19:14:58.487844944 CEST | 52914 | 53 | 192.168.2.7 | 8.8.8.8
              Sep 28, 2021 19:14:58.505630016 CEST | 53 | 52914 | 8.8.8.8 | 192.168.2.7
              Sep 28, 2021 19:14:58.975784063 CEST | 64569 | 53 | 192.168.2.7 | 8.8.8.8
              Sep 28, 2021 19:14:58.995593071 CEST | 53 | 64569 | 8.8.8.8 | 192.168.2.7
              Sep 28, 2021 19:14:59.912367105 CEST | 52816 | 53 | 192.168.2.7 | 8.8.8.8
              Sep 28, 2021 19:14:59.934814930 CEST | 53 | 52816 | 8.8.8.8 | 192.168.2.7
              Sep 28, 2021 19:15:00.325953007 CEST | 50781 | 53 | 192.168.2.7 | 8.8.8.8
              Sep 28, 2021 19:15:00.361572981 CEST | 53 | 50781 | 8.8.8.8 | 192.168.2.7
              Sep 28, 2021 19:15:00.684242010 CEST | 54230 | 53 | 192.168.2.7 | 8.8.8.8
              Sep 28, 2021 19:15:00.701716900 CEST | 53 | 54230 | 8.8.8.8 | 192.168.2.7
              Sep 28, 2021 19:15:01.393390894 CEST | 54911 | 53 | 192.168.2.7 | 8.8.8.8
              Sep 28, 2021 19:15:01.412703991 CEST | 53 | 54911 | 8.8.8.8 | 192.168.2.7
              Sep 28, 2021 19:15:02.618539095 CEST | 49958 | 53 | 192.168.2.7 | 8.8.8.8
              Sep 28, 2021 19:15:02.637355089 CEST | 53 | 49958 | 8.8.8.8 | 192.168.2.7
              Sep 28, 2021 19:15:03.714611053 CEST | 50860 | 53 | 192.168.2.7 | 8.8.8.8
              Sep 28, 2021 19:15:03.774904013 CEST | 53 | 50860 | 8.8.8.8 | 192.168.2.7
              Sep 28, 2021 19:15:04.471513987 CEST | 50452 | 53 | 192.168.2.7 | 8.8.8.8
              Sep 28, 2021 19:15:04.506480932 CEST | 53 | 50452 | 8.8.8.8 | 192.168.2.7
              Sep 28, 2021 19:15:05.449511051 CEST | 59730 | 53 | 192.168.2.7 | 8.8.8.8
              Sep 28, 2021 19:15:05.470241070 CEST | 53 | 59730 | 8.8.8.8 | 192.168.2.7
              Sep 28, 2021 19:15:10.173793077 CEST | 59310 | 53 | 192.168.2.7 | 8.8.8.8
              Sep 28, 2021 19:15:10.193933010 CEST | 53 | 59310 | 8.8.8.8 | 192.168.2.7
              Sep 28, 2021 19:15:30.005969048 CEST | 51919 | 53 | 192.168.2.7 | 8.8.8.8
              Sep 28, 2021 19:15:30.023964882 CEST | 53 | 51919 | 8.8.8.8 | 192.168.2.7
              Sep 28, 2021 19:15:37.120172977 CEST | 64296 | 53 | 192.168.2.7 | 8.8.8.8
              Sep 28, 2021 19:15:37.139909983 CEST | 56680 | 53 | 192.168.2.7 | 8.8.8.8
              Sep 28, 2021 19:15:37.150744915 CEST | 53 | 64296 | 8.8.8.8 | 192.168.2.7
              Sep 28, 2021 19:15:37.166969061 CEST | 53 | 56680 | 8.8.8.8 | 192.168.2.7
              Sep 28, 2021 19:15:56.290057898 CEST | 58820 | 53 | 192.168.2.7 | 8.8.8.8
              Sep 28, 2021 19:15:56.325064898 CEST | 53 | 58820 | 8.8.8.8 | 192.168.2.7
              Sep 28, 2021 19:15:58.319705963 CEST | 60983 | 53 | 192.168.2.7 | 8.8.8.8
              Sep 28, 2021 19:15:58.339636087 CEST | 53 | 60983 | 8.8.8.8 | 192.168.2.7
              Sep 28, 2021 19:16:33.391506910 CEST | 49247 | 53 | 192.168.2.7 | 8.8.8.8
              Sep 28, 2021 19:16:33.411485910 CEST | 53 | 49247 | 8.8.8.8 | 192.168.2.7
              Sep 28, 2021 19:17:30.636225939 CEST | 52286 | 53 | 192.168.2.7 | 8.8.8.8
              Sep 28, 2021 19:17:30.670250893 CEST | 53 | 52286 | 8.8.8.8 | 192.168.2.7

              Code Manipulations

              Statistics

              Behavior

              System Behavior

              General

              Start time:19:14:06
              Start date:28/09/2021
              Path:C:\Windows\System32\loaddll64.exe
              Wow64 process (32bit):false
              Commandline:loaddll64.exe 'C:\Users\user\Desktop\DC2zX44MQr.dll'
              Imagebase:0x7ff7eaf80000
              File size:1136128 bytes
              MD5 hash:E0CC9D126C39A9D2FA1CAD5027EBBD18
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:C, C++ or other language
              Yara matches:
              • Rule: JoeSecurity_Dridex_2, Description: Yara detected Dridex unpacked file, Source: 00000000.00000002.272674434.0000000140001000.00000020.00020000.sdmp, Author: Joe Security
              Reputation:moderate

              General

              Start time:19:14:06
              Start date:28/09/2021
              Path:C:\Windows\System32\cmd.exe
              Wow64 process (32bit):false
              Commandline:cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\DC2zX44MQr.dll',#1
              Imagebase:0x7ff7bf140000
              File size:273920 bytes
              MD5 hash:4E2ACF4F8A396486AB4268C94A6A245F
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:C, C++ or other language
              Reputation:high

              General

              Start time:19:14:07
              Start date:28/09/2021
              Path:C:\Windows\System32\rundll32.exe
              Wow64 process (32bit):false
              Commandline:rundll32.exe C:\Users\user\Desktop\DC2zX44MQr.dll,DisplaySYSDMCPL
              Imagebase:0x7ff775bc0000
              File size:69632 bytes
              MD5 hash:73C519F050C20580F8A62C849D49215A
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:C, C++ or other language
              Yara matches:
              • Rule: JoeSecurity_Dridex_2, Description: Yara detected Dridex unpacked file, Source: 00000002.00000002.330302590.0000000140001000.00000020.00020000.sdmp, Author: Joe Security
              Reputation:high

              General

              Start time:19:14:07
              Start date:28/09/2021
              Path:C:\Windows\System32\rundll32.exe
              Wow64 process (32bit):false
              Commandline:rundll32.exe 'C:\Users\user\Desktop\DC2zX44MQr.dll',#1
              Imagebase:0x7ff775bc0000
              File size:69632 bytes
              MD5 hash:73C519F050C20580F8A62C849D49215A
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:C, C++ or other language
              Yara matches:
              • Rule: JoeSecurity_Dridex_2, Description: Yara detected Dridex unpacked file, Source: 00000003.00000002.252587929.0000000140001000.00000020.00020000.sdmp, Author: Joe Security
              Reputation:high

              General

              Start time:19:14:08
              Start date:28/09/2021
              Path:C:\Windows\explorer.exe
              Wow64 process (32bit):false
              Commandline:C:\Windows\Explorer.EXE
              Imagebase:0x7ff662bf0000
              File size:3933184 bytes
              MD5 hash:AD5296B280E8F522A8A897C96BAB0E1D
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:C, C++ or other language
              Reputation:high

              General

              Start time:19:14:10
              Start date:28/09/2021
              Path:C:\Windows\System32\rundll32.exe
              Wow64 process (32bit):false
              Commandline:rundll32.exe C:\Users\user\Desktop\DC2zX44MQr.dll,EditEnvironmentVariables
              Imagebase:0x7ff775bc0000
              File size:69632 bytes
              MD5 hash:73C519F050C20580F8A62C849D49215A
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:C, C++ or other language
              Yara matches:
              • Rule: JoeSecurity_Dridex_2, Description: Yara detected Dridex unpacked file, Source: 00000006.00000002.258809816.0000000140001000.00000020.00020000.sdmp, Author: Joe Security
              Reputation:high

              General

              Start time:19:14:14
              Start date:28/09/2021
              Path:C:\Windows\System32\rundll32.exe
              Wow64 process (32bit):false
              Commandline:rundll32.exe C:\Users\user\Desktop\DC2zX44MQr.dll,EditUserProfiles
              Imagebase:0x7ff775bc0000
              File size:69632 bytes
              MD5 hash:73C519F050C20580F8A62C849D49215A
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:C, C++ or other language
              Yara matches:
              • Rule: JoeSecurity_Dridex_2, Description: Yara detected Dridex unpacked file, Source: 00000008.00000002.266253941.0000000140001000.00000020.00020000.sdmp, Author: Joe Security
              Reputation:high

              General

              Start time:19:14:46
              Start date:28/09/2021
              Path:C:\Windows\System32\DmNotificationBroker.exe
              Wow64 process (32bit):false
              Commandline:C:\Windows\system32\DmNotificationBroker.exe
              Imagebase:0x7ff67baa0000
              File size:32256 bytes
              MD5 hash:1643D5735213BC89C0012F0E48253765
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:C, C++ or other language
              Reputation:moderate

              General

              Start time:19:14:51
              Start date:28/09/2021
              Path:C:\Users\user\AppData\Local\EwdQnyo\DmNotificationBroker.exe
              Wow64 process (32bit):false
              Commandline:C:\Users\user\AppData\Local\EwdQnyo\DmNotificationBroker.exe
              Imagebase:0x7ff686900000
              File size:32256 bytes
              MD5 hash:1643D5735213BC89C0012F0E48253765
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:C, C++ or other language
              Yara matches:
              • Rule: JoeSecurity_Dridex_2, Description: Yara detected Dridex unpacked file, Source: 00000013.00000002.366691390.0000000140001000.00000020.00020000.sdmp, Author: Joe Security
              Antivirus matches:
              • Detection: 0%, Virustotal
              • Detection: 0%, Metadefender
              • Detection: 0%, ReversingLabs
              Reputation:moderate

              General

              Start time:19:15:03
              Start date:28/09/2021
              Path:C:\Windows\System32\RdpSa.exe
              Wow64 process (32bit):false
              Commandline:C:\Windows\system32\RdpSa.exe
              Imagebase:0x7ff794d50000
              File size:43008 bytes
              MD5 hash:0795B6F790F8E52D55F39E593E9C5BBA
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:C, C++ or other language

              General

              Start time:19:15:03
              Start date:28/09/2021
              Path:C:\Users\user\AppData\Local\zLYZkwYH\RdpSa.exe
              Wow64 process (32bit):false
              Commandline:C:\Users\user\AppData\Local\zLYZkwYH\RdpSa.exe
              Imagebase:0x7ff644d50000
              File size:43008 bytes
              MD5 hash:0795B6F790F8E52D55F39E593E9C5BBA
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:C, C++ or other language
              Yara matches:
              • Rule: JoeSecurity_Dridex_2, Description: Yara detected Dridex unpacked file, Source: 00000019.00000002.393120079.0000000140001000.00000020.00020000.sdmp, Author: Joe Security

              General

              Start time:19:15:16
              Start date:28/09/2021
              Path:C:\Windows\System32\Utilman.exe
              Wow64 process (32bit):false
              Commandline:C:\Windows\system32\Utilman.exe
              Imagebase:0x7ff728540000
              File size:98304 bytes
              MD5 hash:C91CCEF3884CFDE746B4BAEF5F1BC75C
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:C, C++ or other language

              General

              Start time:19:15:20
              Start date:28/09/2021
              Path:C:\Users\user\AppData\Local\KbLvcSLVf\Utilman.exe
              Wow64 process (32bit):false
              Commandline:C:\Users\user\AppData\Local\KbLvcSLVf\Utilman.exe
              Imagebase:0x7ff719840000
              File size:98304 bytes
              MD5 hash:C91CCEF3884CFDE746B4BAEF5F1BC75C
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:C, C++ or other language
              Yara matches:
              • Rule: JoeSecurity_Dridex_2, Description: Yara detected Dridex unpacked file, Source: 0000001C.00000002.429090698.0000000140001000.00000020.00020000.sdmp, Author: Joe Security
              Antivirus matches:
              • Detection: 0%, Metadefender
              • Detection: 0%, ReversingLabs

              General

              Start time:19:15:34
              Start date:28/09/2021
              Path:C:\Windows\System32\EaseOfAccessDialog.exe
              Wow64 process (32bit):false
              Commandline:C:\Windows\system32\EaseOfAccessDialog.exe
              Imagebase:0x7ff6cc0e0000
              File size:304640 bytes
              MD5 hash:F87F2E5EBF3FFBA39DF1621B5F8689B5
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:C, C++ or other language

              General

              Start time:19:15:34
              Start date:28/09/2021
              Path:C:\Users\user\AppData\Local\rm4w0\EaseOfAccessDialog.exe
              Wow64 process (32bit):false
              Commandline:C:\Users\user\AppData\Local\rm4w0\EaseOfAccessDialog.exe
              Imagebase:0x7ff792c30000
              File size:304640 bytes
              MD5 hash:F87F2E5EBF3FFBA39DF1621B5F8689B5
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:C, C++ or other language
              Yara matches:
              • Rule: JoeSecurity_Dridex_2, Description: Yara detected Dridex unpacked file, Source: 00000021.00000002.459149344.0000000140001000.00000020.00020000.sdmp, Author: Joe Security

              General

              Start time:19:15:46
              Start date:28/09/2021
              Path:C:\Windows\System32\DevicePairingWizard.exe
              Wow64 process (32bit):false
              Commandline:C:\Windows\system32\DevicePairingWizard.exe
              Imagebase:0x7ff74a2d0000
              File size:92160 bytes
              MD5 hash:E23643C785D498FF73B5C9D7EA173C3D
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:C, C++ or other language

              General

              Start time:19:15:52
              Start date:28/09/2021
              Path:C:\Users\user\AppData\Local\mJLa\DevicePairingWizard.exe
              Wow64 process (32bit):false
              Commandline:C:\Users\user\AppData\Local\mJLa\DevicePairingWizard.exe
              Imagebase:0x7ff6cb020000
              File size:92160 bytes
              MD5 hash:E23643C785D498FF73B5C9D7EA173C3D
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:C, C++ or other language
              Yara matches:
              • Rule: JoeSecurity_Dridex_2, Description: Yara detected Dridex unpacked file, Source: 00000023.00000002.498301124.0000000140001000.00000020.00020000.sdmp, Author: Joe Security

              General

              Start time:19:16:04
              Start date:28/09/2021
              Path:C:\Windows\System32\wermgr.exe
              Wow64 process (32bit):false
              Commandline:C:\Windows\system32\wermgr.exe
              Imagebase:0x7ff62a2c0000
              File size:209312 bytes
              MD5 hash:FF214585BF10206E21EA8EBA202FACFD
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:C, C++ or other language

              General

              Start time:19:16:05
              Start date:28/09/2021
              Path:C:\Users\user\AppData\Local\xlPP\wermgr.exe
              Wow64 process (32bit):false
              Commandline:C:\Users\user\AppData\Local\xlPP\wermgr.exe
              Imagebase:0x7ff776fa0000
              File size:209312 bytes
              MD5 hash:FF214585BF10206E21EA8EBA202FACFD
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:C, C++ or other language
              Yara matches:
              • Rule: JoeSecurity_Dridex_2, Description: Yara detected Dridex unpacked file, Source: 00000026.00000002.525725102.0000000140001000.00000020.00020000.sdmp, Author: Joe Security

              General

              Start time:19:16:17
              Start date:28/09/2021
              Path:C:\Windows\System32\mstsc.exe
              Wow64 process (32bit):false
              Commandline:C:\Windows\system32\mstsc.exe
              Imagebase:0x7ff7f3970000
              File size:3640832 bytes
              MD5 hash:3FBB5CD8829E9533D0FF5819DB0444C0
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:C, C++ or other language

              General

              Start time:19:16:18
              Start date:28/09/2021
              Path:C:\Users\user\AppData\Local\pZCYq8TUy\mstsc.exe
              Wow64 process (32bit):false
              Commandline:C:\Users\user\AppData\Local\pZCYq8TUy\mstsc.exe
              Imagebase:0x7ff7a40d0000
              File size:3640832 bytes
              MD5 hash:3FBB5CD8829E9533D0FF5819DB0444C0
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:C, C++ or other language
              Yara matches:
              • Rule: JoeSecurity_Dridex_2, Description: Yara detected Dridex unpacked file, Source: 00000028.00000002.555665664.0000000140001000.00000020.00020000.sdmp, Author: Joe Security

              Disassembly

              Code Analysis
