
Windows Analysis Report Y7KrNvSxWx

Overview

General Information

Sample Name: Y7KrNvSxWx (renamed file extension from none to dll)
Analysis ID: 492554
MD5: ecdfff8b0ece2175cd699e690de1fcaf
SHA1: 9359770d71e743832ca22597db917dfa817038b2
SHA256: dc684f824a7deaf6028f6266b48cc3f982a4931ce2db003f692a448da8e255e3
Tags: Dridex, exe

Most interesting Screenshot:

Detection

Dridex
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Yara detected Dridex unpacked file
Multi AV Scanner detection for submitted file
Benign windows process drops PE files
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Changes memory attributes in foreign processes to executable or writable
Machine Learning detection for sample
Queues an APC in another process (thread injection)
Machine Learning detection for dropped file
Contains functionality to automate explorer (e.g. start an application)
Uses Atom Bombing / ProGate to inject into other processes
Queries the volume information (name, serial number etc) of a device
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query locales information (e.g. system language)
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
PE file contains sections with non-standard names
Queries the installation date of Windows
Detected potential crypto function
Found potential string decryption / allocating functions
Contains functionality to call native functions
Found dropped PE file which has not been started or loaded
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains functionality for execution timing, often used to detect debuggers
Drops files with a non-matching file extension (content does not match file extension)
Installs a raw input device (often for capturing keystrokes)
Sample file is different than original file name gathered from version info
PE file contains an invalid checksum
Extensive use of GetProcAddress (often used to hide API calls)
PE file contains strange resources
Drops PE files
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Binary contains a suspicious time stamp
PE file contains more sections than normal
Creates a process in suspended mode (likely to inject code)
Contains functionality to simulate mouse events
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to block mouse and keyboard input (often used to hinder debugging)

Classification

Process Tree

  • System is w10x64
  • loaddll64.exe (PID: 2288 cmdline: loaddll64.exe 'C:\Users\user\Desktop\Y7KrNvSxWx.dll' MD5: E0CC9D126C39A9D2FA1CAD5027EBBD18)
    • cmd.exe (PID: 2468 cmdline: cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\Y7KrNvSxWx.dll',#1 MD5: 4E2ACF4F8A396486AB4268C94A6A245F)
      • rundll32.exe (PID: 6964 cmdline: rundll32.exe 'C:\Users\user\Desktop\Y7KrNvSxWx.dll',#1 MD5: 73C519F050C20580F8A62C849D49215A)
    • rundll32.exe (PID: 6724 cmdline: rundll32.exe C:\Users\user\Desktop\Y7KrNvSxWx.dll,CloseDriver MD5: 73C519F050C20580F8A62C849D49215A)
      • explorer.exe (PID: 3440 cmdline: C:\Windows\Explorer.EXE MD5: AD5296B280E8F522A8A897C96BAB0E1D)
        • SndVol.exe (PID: 2176 cmdline: C:\Windows\system32\SndVol.exe MD5: CDD7C7DF2D0859AC3F4088423D11BD08)
        • SndVol.exe (PID: 2444 cmdline: C:\Users\user\AppData\Local\KXZtu\SndVol.exe MD5: CDD7C7DF2D0859AC3F4088423D11BD08)
        • bdeunlock.exe (PID: 6612 cmdline: C:\Windows\system32\bdeunlock.exe MD5: FAB70105E2075EEC9C249A4D499CAE7C)
        • bdeunlock.exe (PID: 6604 cmdline: C:\Users\user\AppData\Local\mlAKVTuFf\bdeunlock.exe MD5: FAB70105E2075EEC9C249A4D499CAE7C)
        • SystemPropertiesPerformance.exe (PID: 5532 cmdline: C:\Users\user\AppData\Local\UjbH0ZEv\SystemPropertiesPerformance.exe MD5: F325976CDC0F7E9C680B51B35D24D23A)
        • GamePanel.exe (PID: 5824 cmdline: C:\Windows\system32\GamePanel.exe MD5: 4EF330EFAE954723B1F2800C15FDA7EB)
        • GamePanel.exe (PID: 6444 cmdline: C:\Users\user\AppData\Local\cZk0IMu\GamePanel.exe MD5: 4EF330EFAE954723B1F2800C15FDA7EB)
        • tcmsetup.exe (PID: 3324 cmdline: C:\Windows\system32\tcmsetup.exe MD5: 0DDA495155D552D024593C4B3246C8FA)
        • tcmsetup.exe (PID: 1916 cmdline: C:\Users\user\AppData\Local\2oEy\tcmsetup.exe MD5: 0DDA495155D552D024593C4B3246C8FA)
        • wscript.exe (PID: 2584 cmdline: C:\Windows\system32\wscript.exe MD5: 9A68ADD12EB50DDE7586782C3EB9FF9C)
        • wscript.exe (PID: 4312 cmdline: C:\Users\user\AppData\Local\NakOm\wscript.exe MD5: 9A68ADD12EB50DDE7586782C3EB9FF9C)
        • BitLockerWizardElev.exe (PID: 4640 cmdline: C:\Windows\system32\BitLockerWizardElev.exe MD5: 3104EA9ECCA9ED71A382CCAAD618CEAE)
        • BitLockerWizardElev.exe (PID: 1636 cmdline: C:\Users\user\AppData\Local\Uh9eo\BitLockerWizardElev.exe MD5: 3104EA9ECCA9ED71A382CCAAD618CEAE)
        • upfc.exe (PID: 5152 cmdline: C:\Windows\system32\upfc.exe MD5: 4CEED46DDAB911AE1298422BFB12460C)
        • upfc.exe (PID: 5816 cmdline: C:\Users\user\AppData\Local\mFxP\upfc.exe MD5: 4CEED46DDAB911AE1298422BFB12460C)
    • rundll32.exe (PID: 6676 cmdline: rundll32.exe C:\Users\user\Desktop\Y7KrNvSxWx.dll,DefDriverProc MD5: 73C519F050C20580F8A62C849D49215A)
    • rundll32.exe (PID: 2904 cmdline: rundll32.exe C:\Users\user\Desktop\Y7KrNvSxWx.dll,DriverCallback MD5: 73C519F050C20580F8A62C849D49215A)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000002.00000002.456385826.0000000140001000.00000020.00020000.sdmp | JoeSecurity_Dridex_2 | Yara detected Dridex unpacked file | Joe Security |
00000003.00000002.355433336.0000000140001000.00000020.00020000.sdmp | JoeSecurity_Dridex_2 | Yara detected Dridex unpacked file | Joe Security |
00000024.00000002.625281639.0000000140001000.00000020.00020000.sdmp | JoeSecurity_Dridex_2 | Yara detected Dridex unpacked file | Joe Security |
00000028.00000002.681547027.0000000140001000.00000020.00020000.sdmp | JoeSecurity_Dridex_2 | Yara detected Dridex unpacked file | Joe Security |
00000014.00000002.514246640.0000000140001000.00000020.00020000.sdmp | JoeSecurity_Dridex_2 | Yara detected Dridex unpacked file | Joe Security |

Sigma Overview

No Sigma rule has matched

Jbx Signature Overview

AV Detection:

Multi AV Scanner detection for submitted file
Source: Y7KrNvSxWx.dll | Virustotal: Detection: 64%
Source: Y7KrNvSxWx.dll | ReversingLabs: Detection: 77%
Antivirus / Scanner detection for submitted sample
Source: Y7KrNvSxWx.dll | Avira: detected
Antivirus detection for dropped file
Source: C:\Users\user\AppData\Local\KXZtu\dwmapi.dll | Avira: detection malicious, Label: HEUR/AGEN.1114452
Source: C:\Users\user\AppData\Local\KAG\SYSDM.CPL | Avira: detection malicious, Label: HEUR/AGEN.1114452
Source: C:\Users\user\AppData\Local\FvTQVxZ\UxTheme.dll | Avira: detection malicious, Label: TR/Crypt.ZPACK.Gen
Source: C:\Users\user\AppData\Local\mFxP\XmlLite.dll | Avira: detection malicious, Label: HEUR/AGEN.1114452
Source: C:\Users\user\AppData\Local\5JXP\VERSION.dll | Avira: detection malicious, Label: TR/Crypt.ZPACK.Gen
Source: C:\Users\user\AppData\Local\mlAKVTuFf\DUser.dll | Avira: detection malicious, Label: HEUR/AGEN.1114452
Source: C:\Users\user\AppData\Local\5JXP\VERSION.dll | Avira: detection malicious, Label: TR/Crypt.ZPACK.Gen
Source: C:\Users\user\AppData\Local\2oEy\TAPI32.dll | Avira: detection malicious, Label: TR/Crypt.ZPACK.Gen
Source: C:\Users\user\AppData\Local\KAG\SYSDM.CPL | Avira: detection malicious, Label: HEUR/AGEN.1114452
Source: C:\Users\user\AppData\Local\KXZtu\dwmapi.dll | Avira: detection malicious, Label: HEUR/AGEN.1114452
Source: C:\Users\user\AppData\Local\IcLt\WTSAPI32.dll | Avira: detection malicious, Label: TR/Crypt.ZPACK.Gen
Source: C:\Users\user\AppData\Local\Uh9eo\FVEWIZ.dll | Avira: detection malicious, Label: HEUR/AGEN.1114452
Machine Learning detection for sample
Source: Y7KrNvSxWx.dll | Joe Sandbox ML: detected
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Local\KXZtu\dwmapi.dll | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\KAG\SYSDM.CPL | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\FvTQVxZ\UxTheme.dll | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\mFxP\XmlLite.dll | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\5JXP\VERSION.dll | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\mlAKVTuFf\DUser.dll | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\5JXP\VERSION.dll | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\2oEy\TAPI32.dll | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\KAG\SYSDM.CPL | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\KXZtu\dwmapi.dll | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\IcLt\WTSAPI32.dll | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Uh9eo\FVEWIZ.dll | Joe Sandbox ML: detected
Source: Y7KrNvSxWx.dll | Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA
Source: Binary string: BitLockerWizardElev.pdb source: BitLockerWizardElev.exe, 00000026.00000002.657739886.00007FF6173E2000.00000002.00020000.sdmp, BitLockerWizardElev.exe.4.dr
Source: Binary string: bdeunlock.pdbGCTL source: bdeunlock.exe, 00000014.00000002.516325068.00007FF68D897000.00000002.00020000.sdmp, bdeunlock.exe.4.dr
Source: Binary string: BdeUISrv.pdbGCTL source: BdeUISrv.exe.4.dr
Source: Binary string: FileHistory.pdbGCTL source: FileHistory.exe.4.dr
Source: Binary string: wscript.pdb source: wscript.exe, 00000024.00000002.630624352.00007FF68AF25000.00000002.00020000.sdmp, wscript.exe.4.dr
Source: Binary string: GamePanel.pdb source: GamePanel.exe, 0000001E.00000002.574138111.00007FF71BB77000.00000002.00020000.sdmp, GamePanel.exe.4.dr
Source: Binary string: bdeunlock.pdb source: bdeunlock.exe, 00000014.00000002.516325068.00007FF68D897000.00000002.00020000.sdmp, bdeunlock.exe.4.dr
Source: Binary string: tcmsetup.pdb source: tcmsetup.exe, 00000021.00000000.576808687.00007FF6E3313000.00000002.00020000.sdmp, tcmsetup.exe.4.dr
Source: Binary string: iexpress.pdb source: iexpress.exe.4.dr
Source: Binary string: iexpress.pdbGCTL source: iexpress.exe.4.dr
Source: Binary string: SndVol.pdbGCTL source: SndVol.exe, 00000011.00000002.489479361.00007FF6249D2000.00000002.00020000.sdmp, SndVol.exe.4.dr
Source: Binary string: SystemPropertiesDataExecutionPrevention.pdb source: SystemPropertiesDataExecutionPrevention.exe.4.dr
Source: Binary string: tcmsetup.pdbGCTL source: tcmsetup.exe, 00000021.00000000.576808687.00007FF6E3313000.00000002.00020000.sdmp, tcmsetup.exe.4.dr
Source: Binary string: upfc.pdb source: upfc.exe, 00000028.00000000.659462106.00007FF7299C2000.00000002.00020000.sdmp, upfc.exe.4.dr
Source: Binary string: SystemPropertiesPerformance.pdb source: SystemPropertiesPerformance.exe, 00000019.00000000.519427492.00007FF6A7B92000.00000002.00020000.sdmp, SystemPropertiesPerformance.exe.4.dr
Source: Binary string: BitLockerWizardElev.pdbGCTL source: BitLockerWizardElev.exe, 00000026.00000002.657739886.00007FF6173E2000.00000002.00020000.sdmp, BitLockerWizardElev.exe.4.dr
Source: Binary string: wscript.pdbGCTL source: wscript.exe, 00000024.00000002.630624352.00007FF68AF25000.00000002.00020000.sdmp, wscript.exe.4.dr
Source: Binary string: SystemPropertiesPerformance.pdbGCTL source: SystemPropertiesPerformance.exe, 00000019.00000000.519427492.00007FF6A7B92000.00000002.00020000.sdmp, SystemPropertiesPerformance.exe.4.dr
Source: Binary string: BdeUISrv.pdb source: BdeUISrv.exe.4.dr
Source: Binary string: GamePanel.pdbGCTL source: GamePanel.exe, 0000001E.00000002.574138111.00007FF71BB77000.00000002.00020000.sdmp, GamePanel.exe.4.dr
Source: Binary string: SystemPropertiesDataExecutionPrevention.pdbGCTL source: SystemPropertiesDataExecutionPrevention.exe.4.dr
Source: Binary string: SndVol.pdb source: SndVol.exe, 00000011.00000002.489479361.00007FF6249D2000.00000002.00020000.sdmp, SndVol.exe.4.dr
Source: Binary string: upfc.pdbGCTL source: upfc.exe, 00000028.00000000.659462106.00007FF7299C2000.00000002.00020000.sdmp, upfc.exe.4.dr
Source: Binary string: FileHistory.pdb source: FileHistory.exe.4.dr
Source: C:\Windows\System32\loaddll64.exe | Code function: 0_2_000000014005D290 FindFirstFileExW,
Source: C:\Users\user\AppData\Local\NakOm\wscript.exe | Code function: 36_2_00007FF68AF1D4A0 GetFileAttributesW,GetLastError,FindFirstFileW,WideCharToMultiByte,GetLastError,WideCharToMultiByte,GetFileAttributesA,GetLastError,FindFirstFileA,FindClose,
Source: C:\Users\user\AppData\Local\mFxP\upfc.exe | Code function: 40_2_00007FF7299BDF60 PathCchCombine,FindFirstFileW,GetLastError,PathCchCombine,FindNextFileW,FindClose,
Source: C:\Users\user\AppData\Local\mlAKVTuFf\bdeunlock.exe | Code function: 20_2_00007FF68D887818 GetLogicalDriveStringsW,GetLastError,GetProcessHeap,HeapAlloc,GetLogicalDriveStringsW,GetLastError,?UnlockWithKey@BuiVolume@@QEAAJPEBGPEAH@Z,
Source: SndVol.exe, 00000010.00000002.463303895.000002151D5A0000.00000002.00020000.sdmp | String found in binary or memory: http://schemas.micro
Source: explorer.exe, 00000004.00000000.398986460.000000000095C000.00000004.00000020.sdmp | String found in binary or memory: http://www.autoitscript.com/autoit3/J
Source: GamePanel.exe | String found in binary or memory: https://MediaData.XboxLive.com/broadcasts/Augment
Source: GamePanel.exe, 0000001E.00000002.574138111.00007FF71BB77000.00000002.00020000.sdmp, GamePanel.exe.4.dr | String found in binary or memory: https://MediaData.XboxLive.com/broadcasts/Augmenthttps://MediaData.XboxLive.com/screenshots/Augmenth
Source: GamePanel.exe | String found in binary or memory: https://MediaData.XboxLive.com/gameclips/Augment
Source: GamePanel.exe | String found in binary or memory: https://MediaData.XboxLive.com/screenshots/Augment
Source: GamePanel.exe | String found in binary or memory: https://aka.ms/ifg0es
Source: GamePanel.exe | String found in binary or memory: https://aka.ms/imfx4k
Source: GamePanel.exe | String found in binary or memory: https://aka.ms/imrx2o
Source: GamePanel.exe | String found in binary or memory: https://aka.ms/v5do45
Source: GamePanel.exe | String found in binary or memory: https://aka.ms/w5ryqn
Source: GamePanel.exe, 0000001E.00000002.574138111.00007FF71BB77000.00000002.00020000.sdmp, GamePanel.exe.4.dr | String found in binary or memory: https://aka.ms/w5ryqnhttps://aka.ms/imfx4kQUITTING
Source: GamePanel.exe, GamePanel.exe, 0000001E.00000002.574138111.00007FF71BB77000.00000002.00020000.sdmp, GamePanel.exe.4.dr | String found in binary or memory: https://aka.ms/wk9ocd
Source: GamePanel.exe | String found in binary or memory: https://mixer.com/%ws
Source: GamePanel.exe, 0000001E.00000002.574138111.00007FF71BB77000.00000002.00020000.sdmp, GamePanel.exe.4.dr | String found in binary or memory: https://mixer.com/%wsWindows.System.Launcher
Source: GamePanel.exe | String found in binary or memory: https://mixer.com/_latest/assets/emoticons/%ls.png
Source: GamePanel.exe, 0000001E.00000002.574138111.00007FF71BB77000.00000002.00020000.sdmp, GamePanel.exe.4.dr | String found in binary or memory: https://mixer.com/_latest/assets/emoticons/%ls.pngtitleIdaumIdkglIdprocessNamenametypeIdmultimedia
Source: GamePanel.exe, GamePanel.exe, 0000001E.00000002.574138111.00007FF71BB77000.00000002.00020000.sdmp, GamePanel.exe.4.dr | String found in binary or memory: https://mixer.com/api/v1/broadcasts/current
Source: GamePanel.exe | String found in binary or memory: https://mixer.com/api/v1/channels/%d
Source: GamePanel.exe | String found in binary or memory: https://mixer.com/api/v1/channels/%ws
Source: GamePanel.exe | String found in binary or memory: https://mixer.com/api/v1/chats/%.0f
Source: GamePanel.exe, 0000001E.00000002.574138111.00007FF71BB77000.00000002.00020000.sdmp, GamePanel.exe.4.dr | String found in binary or memory: https://mixer.com/api/v1/chats/%.0fhttps://mixer.com/api/v1/users/currentBEAM_IMAGEGamesGuide::BeamC
Source: GamePanel.exe | String found in binary or memory: https://mixer.com/api/v1/oauth/xbl/login
Source: GamePanel.exe | String found in binary or memory: https://mixer.com/api/v1/types/lookup%ws
Source: GamePanel.exe, 0000001E.00000002.574138111.00007FF71BB77000.00000002.00020000.sdmp, GamePanel.exe.4.dr | String found in binary or memory: https://mixer.com/api/v1/types/lookup%wshttps://mixer.com/api/v1/channels/%wshttps://mixer.com/api/v
Source: GamePanel.exe | String found in binary or memory: https://mixer.com/api/v1/users/current
Source: GamePanel.exe | String found in binary or memory: https://profile.xboxlive.com/users/me/profile/settings?settings=GameDisplayPicRaw
Source: GamePanel.exe | String found in binary or memory: https://www.xboxlive.com
Source: GamePanel.exe, 0000001E.00000002.574138111.00007FF71BB77000.00000002.00020000.sdmp, GamePanel.exe.4.dr | String found in binary or memory: https://www.xboxlive.comMBI_SSLhttps://profile.xboxlive.com/users/me/profile/settings?settings=GameD
Source: C:\Users\user\AppData\Local\cZk0IMu\GamePanel.exe | Code function: 30_2_00007FF71BAEFC50 RegisterRawInputDevices,

E-Banking Fraud:

Yara detected Dridex unpacked file
Source: Yara match | File source: 00000002.00000002.456385826.0000000140001000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.355433336.0000000140001000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000024.00000002.625281639.0000000140001000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000028.00000002.681547027.0000000140001000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000014.00000002.514246640.0000000140001000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000019.00000002.545893721.0000000140001000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000011.00000002.488077444.0000000140001000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.377190564.0000000140001000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.370198156.0000000140001000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000021.00000002.598954103.0000000140001000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 0000001E.00000002.571934505.0000000140001000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.363238472.0000000140001000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000026.00000002.654598508.0000000140001000.00000020.00020000.sdmp, type: MEMORY
Source: C:\Windows\System32\loaddll64.exe | Code function: 0_2_0000000140034870
Source: C:\Windows\System32\loaddll64.exe | Code function: 0_2_0000000140035270
Source: C:\Windows\System32\loaddll64.exe | Code function: 0_2_0000000140048AC0
Source: C:\Windows\System32\loaddll64.exe | Code function: 0_2_000000014005C340
Source: C:\Windows\System32\loaddll64.exe | Code function: 0_2_0000000140065B80
Source: C:\Windows\System32\loaddll64.exe | Code function: 0_2_000000014006A4B0
Source: C:\Windows\System32\loaddll64.exe | Code function: 0_2_00000001400524B0
Source: C:\Windows\System32\loaddll64.exe | Code function: 0_2_0000000140026CC0
Source: C:\Windows\System32\loaddll64.exe | Code function: 0_2_000000014004BD40
Source: C:\Windows\System32\loaddll64.exe | Code function: 0_2_00000001400495B0
Source: C:\Windows\System32\loaddll64.exe | Code function: 0_2_0000000140036F30
Source: C:\Windows\System32\loaddll64.exe | Code function: 0_2_0000000140069010
Source: C:\Windows\System32\loaddll64.exe | Code function: 0_2_0000000140001010
Source: C:\Windows\System32\loaddll64.exe | Code function: 0_2_0000000140066020
Source: C:\Windows\System32\loaddll64.exe | Code function: 0_2_000000014002F840
Source: C:\Windows\System32\loaddll64.exe | Code function: 0_2_000000014005D850
Source: C:\Windows\System32\loaddll64.exe | Code function: 0_2_0000000140064080
Source: C:\Windows\System32\loaddll64.exe | Code function: 0_2_0000000140010880
Source: C:\Windows\System32\loaddll64.exe | Code function: 0_2_00000001400688A0
Source: C:\Windows\System32\loaddll64.exe | Code function: 0_2_000000014002D0D0
Source: C:\Windows\System32\loaddll64.exe | Code function: 0_2_00000001400018D0
Source: C:\Windows\System32\loaddll64.exe | Code function: 0_2_0000000140016100
Source: C:\Windows\System32\loaddll64.exe | Code function: 0_2_000000014001D100
Source: C:\Windows\System32\loaddll64.exe | Code function: 0_2_000000014002A110
Source: C:\Windows\System32\loaddll64.exe | Code function: 0_2_000000014001D910
Source: C:\Windows\System32\loaddll64.exe | Code function: 0_2_0000000140015120
Source: C:\Windows\System32\loaddll64.exe | Code function: 0_2_000000014000B120
Source: C:\Windows\System32\loaddll64.exe | Code function: 0_2_000000014004F940
Source: C:\Windows\System32\loaddll64.exe | Code function: 0_2_0000000140039140
Source: C:\Windows\System32\loaddll64.exe | Code function: 0_2_0000000140023140
Source: C:\Windows\System32\loaddll64.exe | Code function: 0_2_0000000140057950
Source: C:\Windows\System32\loaddll64.exe | Code function: 0_2_000000014001E170
Source: C:\Windows\System32\loaddll64.exe | Code function: 0_2_0000000140002980
Source: C:\Windows\System32\loaddll64.exe | Code function: 0_2_00000001400611A0
Source: C:\Windows\System32\loaddll64.exe | Code function: 0_2_00000001400389A0
Source: C:\Windows\System32\loaddll64.exe | Code function: 0_2_00000001400381A0
Source: C:\Windows\System32\loaddll64.exe | Code function: 0_2_000000014002E1B0
Source: C:\Windows\System32\loaddll64.exe | Code function: 0_2_00000001400139D0
Source: C:\Windows\System32\loaddll64.exe | Code function: 0_2_00000001400319F0
Source: C:\Windows\System32\loaddll64.exe | Code function: 0_2_000000014002EA00
Source: C:\Windows\System32\loaddll64.exe | Code function: 0_2_0000000140022A00
Source: C:\Windows\System32\loaddll64.exe | Code function: 0_2_000000014003B220
Source: C:\Windows\System32\loaddll64.exe | Code function: 0_2_0000000140067A40
Source: C:\Windows\System32\loaddll64.exe | Code function: 0_2_0000000140069A50
Source: C:\Windows\System32\loaddll64.exe | Code function: 0_2_0000000140007A60
Source: C:\Windows\System32\loaddll64.exe | Code function: 0_2_000000014003AAC0
Source: C:\Windows\System32\loaddll64.exe | Code function: 0_2_000000014003A2E0
Source: C:\Windows\System32\loaddll64.exe | Code function: 0_2_0000000140062B00
Source: C:\Windows\System32\loaddll64.exe | Code function: 0_2_0000000140018300
Source: C:\Windows\System32\loaddll64.exe | Code function: 0_2_000000014002FB20
Source: C:\Windows\System32\loaddll64.exe | Code function: 0_2_0000000140031340
Source: C:\Windows\System32\loaddll64.exe | Code function: 0_2_0000000140022340
Source: C:\Windows\System32\loaddll64.exe | Code function: 0_2_0000000140017B40
Source: C:\Windows\System32\loaddll64.exe | Code function: 0_2_000000014000BB40
Source: C:\Windows\System32\loaddll64.exe | Code function: 0_2_000000014004EB60
Source: C:\Windows\System32\loaddll64.exe | Code function: 0_2_0000000140005370
Source: C:\Windows\System32\loaddll64.exe | Code function: 0_2_000000014002CB80
Source: C:\Windows\System32\loaddll64.exe | Code function: 0_2_000000014006B390
Source: C:\Windows\System32\loaddll64.exe | Code function: 0_2_0000000140054BA0
Source: C:\Windows\System32\loaddll64.exe | Code function: 0_2_0000000140033BB0
Source: C:\Windows\System32\loaddll64.exe | Code function: 0_2_00000001400263C0
Source: C:\Windows\System32\loaddll64.exe | Code function: 0_2_00000001400123C0
Source: C:\Windows\System32\loaddll64.exe | Code function: 0_2_0000000140063BD0
Source: C:\Windows\System32\loaddll64.exe | Code function: 0_2_00000001400663F0
Source: C:\Windows\System32\loaddll64.exe | Code function: 0_2_0000000140023BF0
Source: C:\Windows\System32\loaddll64.exe | Code function: 0_2_000000014006B41B
Source: C:\Windows\System32\loaddll64.exe | Code function: 0_2_000000014006B424
Source: C:\Windows\System32\loaddll64.exe | Code function: 0_2_000000014006B42D
Source: C:\Windows\System32\loaddll64.exe | Code function: 0_2_000000014006B436
Source: C:\Windows\System32\loaddll64.exe | Code function: 0_2_000000014006B43D
Source: C:\Windows\System32\loaddll64.exe | Code function: 0_2_0000000140024440
Source: C:\Windows\System32\loaddll64.exe | Code function: 0_2_0000000140005C40
Source: C:\Windows\System32\loaddll64.exe | Code function: 0_2_000000014006B446
Source: C:\Windows\System32\loaddll64.exe | Code function: 0_2_000000014005F490
Source: C:\Windows\System32\loaddll64.exe | Code function: 0_2_0000000140022D00
Source: C:\Windows\System32\loaddll64.exe | Code function: 0_2_0000000140035520
Source: C:\Windows\System32\loaddll64.exe | Code function: 0_2_0000000140019D20
Source: C:\Windows\System32\loaddll64.exe | Code function: 0_2_0000000140030530
Source: C:\Windows\System32\loaddll64.exe | Code function: 0_2_0000000140023530
Source: C:\Windows\System32\loaddll64.exe | Code function: 0_2_0000000140031540
Source: C:\Windows\System32\loaddll64.exe | Code function: 0_2_0000000140033540
Source: C:\Windows\System32\loaddll64.exe | Code function: 0_2_000000014007BD50
Source: C:\Windows\System32\loaddll64.exe | Code function: 0_2_0000000140078570
Source: C:\Windows\System32\loaddll64.exe | Code function: 0_2_0000000140019580
Source: C:\Windows\System32\loaddll64.exe | Code function: 0_2_00000001400205A0
Source: C:\Windows\System32\loaddll64.exe | Code function: 0_2_0000000140025DB0
Source: C:\Windows\System32\loaddll64.exe | Code function: 0_2_0000000140071DC0
Source: C:\Windows\System32\loaddll64.exe | Code function: 0_2_000000014000C5C0
Source: C:\Windows\System32\loaddll64.exe | Code function: 0_2_000000014002DDE0
Source: C:\Windows\System32\loaddll64.exe | Code function: 0_2_0000000140031DF0
Source: C:\Windows\System32\loaddll64.exe | Code function: 0_2_000000014000DDF0
Source: C:\Windows\System32\loaddll64.exe | Code function: 0_2_0000000140001620
Source: C:\Windows\System32\loaddll64.exe | Code function: 0_2_0000000140018630
Source: C:\Windows\System32\loaddll64.exe | Code function: 0_2_0000000140032650
Source: C:\Windows\System32\loaddll64.exe | Code function: 0_2_0000000140064E80
Source: C:\Windows\System32\loaddll64.exe | Code function: 0_2_0000000140016E80
Source: C:\Windows\System32\loaddll64.exe | Code function: 0_2_0000000140007EA0
Source: C:\Windows\System32\loaddll64.exe | Code function: 0_2_00000001400286B0
Source: C:\Windows\System32\loaddll64.exe | Code function: 0_2_0000000140006EB0
Source: C:\Windows\System32\loaddll64.exe | Code function: 0_2_00000001400276C0
Source: C:\Windows\System32\loaddll64.exe | Code function: 0_2_000000014002FEC0
Source: C:\Windows\System32\loaddll64.exe | Code function: 0_2_000000014002EED0
Source: C:\Windows\System32\loaddll64.exe | Code function: 0_2_000000014002B6E0
Source: C:\Windows\System32\loaddll64.exe | Code function: 0_2_0000000140053F20
Source: C:\Windows\System32\loaddll64.exe | Code function: 0_2_0000000140022730
Source: C:\Windows\System32\loaddll64.exe | Code function: 0_2_0000000140029780
Source: C:\Windows\System32\loaddll64.exe | Code function: 0_2_0000000140018F80
Source: C:\Windows\System32\loaddll64.exe | Code function: 0_2_000000014003EFB0
Source: C:\Windows\System32\loaddll64.exe | Code function: 0_2_00000001400067B0
Source: C:\Windows\System32\loaddll64.exe | Code function: 0_2_00000001400667D0
Source: C:\Windows\System32\loaddll64.exe | Code function: 0_2_0000000140060FE0
Source: C:\Users\user\AppData\Local\KXZtu\SndVol.exe | Code function: 17_2_00007FF6249BA5C8
Source: C:\Users\user\AppData\Local\KXZtu\SndVol.exe | Code function: 17_2_00007FF6249B6218
Source: C:\Users\user\AppData\Local\KXZtu\SndVol.exe | Code function: 17_2_00007FF6249BA1A0
Source: C:\Users\user\AppData\Local\KXZtu\SndVol.exe | Code function: 17_2_00007FF6249C3718
Source: C:\Users\user\AppData\Local\KXZtu\SndVol.exe | Code function: 17_2_00007FF6249B8310
Source: C:\Users\user\AppData\Local\KXZtu\SndVol.exe | Code function: 17_2_00007FF6249C4F10
Source: C:\Users\user\AppData\Local\KXZtu\SndVol.exe | Code function: 17_2_00007FF6249C2BD8
Source: C:\Users\user\AppData\Local\KXZtu\SndVol.exe | Code function: 17_2_00007FF6249C03A0
Source: C:\Users\user\AppData\Local\KXZtu\SndVol.exe | Code function: 17_2_00007FF6249B44E8
Source: C:\Users\user\AppData\Local\KXZtu\SndVol.exe | Code function: 17_2_00007FF6249CC4D0
Source: C:\Users\user\AppData\Local\KXZtu\SndVol.exe | Code function: 17_2_00007FF6249B3514
Source: C:\Users\user\AppData\Local\KXZtu\SndVol.exe | Code function: 17_2_00007FF6249C0CA8
Source: C:\Users\user\AppData\Local\KXZtu\SndVol.exe | Code function: 17_2_00007FF6249B3080
Source: C:\Users\user\AppData\Local\KXZtu\SndVol.exe | Code function: 17_2_00007FF6249CB088
Source: C:\Users\user\AppData\Local\mlAKVTuFf\bdeunlock.exe | Code function: 20_2_00007FF68D872EF4
Source: C:\Users\user\AppData\Local\mlAKVTuFf\bdeunlock.exe | Code function: 20_2_00007FF68D888850
Source: C:\Users\user\AppData\Local\mlAKVTuFf\bdeunlock.exe | Code function: 20_2_00007FF68D888E2C
Source: C:\Users\user\AppData\Local\mlAKVTuFf\bdeunlock.exe | Code function: 20_2_00007FF68D87139C
Source: C:\Users\user\AppData\Local\cZk0IMu\GamePanel.exe | Code function: 30_2_00007FF71BB4BD14
Source: C:\Users\user\AppData\Local\cZk0IMu\GamePanel.exe | Code function: 30_2_00007FF71BB6FC59
Source: C:\Users\user\AppData\Local\cZk0IMu\GamePanel.exe | Code function: 30_2_00007FF71BAFDC44
Source: C:\Users\user\AppData\Local\cZk0IMu\GamePanel.exe | Code function: 30_2_00007FF71BB6DB6C
Source: C:\Users\user\AppData\Local\cZk0IMu\GamePanel.exe | Code function: 30_2_00007FF71BB31AD4
Source: C:\Users\user\AppData\Local\cZk0IMu\GamePanel.exe | Code function: 30_2_00007FF71BB57A20
Source: C:\Users\user\AppData\Local\cZk0IMu\GamePanel.exe | Code function: 30_2_00007FF71BB37A00
Source: C:\Users\user\AppData\Local\cZk0IMu\GamePanel.exe | Code function: 30_2_00007FF71BACB928
Source: C:\Users\user\AppData\Local\cZk0IMu\GamePanel.exe | Code function: 30_2_00007FF71BB4F920
Source: C:\Users\user\AppData\Local\cZk0IMu\GamePanel.exe | Code function: 30_2_00007FF71BACA058
Source: C:\Users\user\AppData\Local\cZk0IMu\GamePanel.exe | Code function: 30_2_00007FF71BB6BFEC
Source: C:\Users\user\AppData\Local\cZk0IMu\GamePanel.exe | Code function: 30_2_00007FF71BB5BF88
Source: C:\Users\user\AppData\Local\cZk0IMu\GamePanel.exe | Code function: 30_2_00007FF71BB35F08
Source: C:\Users\user\AppData\Local\cZk0IMu\GamePanel.exe | Code function: 30_2_00007FF71BB2BE58
Source: C:\Users\user\AppData\Local\cZk0IMu\GamePanel.exe | Code function: 30_2_00007FF71BAC3D38
Source: C:\Users\user\AppData\Local\cZk0IMu\GamePanel.exe | Code function: 30_2_00007FF71BB67460
Source: C:\Users\user\AppData\Local\cZk0IMu\GamePanel.exe | Code function: 30_2_00007FF71BB19484
Source: C:\Users\user\AppData\Local\cZk0IMu\GamePanel.exe | Code function: 30_2_00007FF71BB2B454
Source: C:\Users\user\AppData\Local\cZk0IMu\GamePanel.exe | Code function: 30_2_00007FF71BB5137C
Source: C:\Users\user\AppData\Local\cZk0IMu\GamePanel.exe | Code function: 30_2_00007FF71BAF72C8
            Source: C:\Users\user\AppData\Local\cZk0IMu\GamePanel.exeCode function: 30_2_00007FF71BB3B26C
            Source: C:\Users\user\AppData\Local\cZk0IMu\GamePanel.exeCode function: 30_2_00007FF71BAF3260
            Source: C:\Users\user\AppData\Local\cZk0IMu\GamePanel.exeCode function: 30_2_00007FF71BB55190
            Source: C:\Users\user\AppData\Local\cZk0IMu\GamePanel.exeCode function: 30_2_00007FF71BB4B124
            Source: C:\Users\user\AppData\Local\cZk0IMu\GamePanel.exeCode function: 30_2_00007FF71BB5B14C
            Source: C:\Users\user\AppData\Local\cZk0IMu\GamePanel.exeCode function: 30_2_00007FF71BB6D7A2
            Source: C:\Users\user\AppData\Local\cZk0IMu\GamePanel.exeCode function: 30_2_00007FF71BB5D788
            Source: C:\Users\user\AppData\Local\cZk0IMu\GamePanel.exeCode function: 30_2_00007FF71BB2D6B0
            Source: C:\Users\user\AppData\Local\cZk0IMu\GamePanel.exeCode function: 30_2_00007FF71BB2CCFC
            Source: C:\Users\user\AppData\Local\cZk0IMu\GamePanel.exeCode function: 30_2_00007FF71BAFED00
            Source: C:\Users\user\AppData\Local\cZk0IMu\GamePanel.exeCode function: 30_2_00007FF71BAE4CDC
            Source: C:\Users\user\AppData\Local\cZk0IMu\GamePanel.exeCode function: 30_2_00007FF71BB50C44
            Source: C:\Users\user\AppData\Local\cZk0IMu\GamePanel.exeCode function: 30_2_00007FF71BB289F4
            Source: C:\Users\user\AppData\Local\cZk0IMu\GamePanel.exeCode function: 30_2_00007FF71BB5A998
            Source: C:\Users\user\AppData\Local\cZk0IMu\GamePanel.exeCode function: 30_2_00007FF71BB16948
            Source: C:\Users\user\AppData\Local\2oEy\tcmsetup.exeCode function: 33_2_00007FF6E3311A38
            Source: C:\Users\user\AppData\Local\NakOm\wscript.exeCode function: 36_2_00007FF68AF21C9C
            Source: C:\Users\user\AppData\Local\NakOm\wscript.exeCode function: 36_2_00007FF68AF214A0
            Source: C:\Users\user\AppData\Local\NakOm\wscript.exeCode function: 36_2_00007FF68AF134D8
            Source: C:\Users\user\AppData\Local\NakOm\wscript.exeCode function: 36_2_00007FF68AF18348
            Source: C:\Users\user\AppData\Local\NakOm\wscript.exeCode function: 36_2_00007FF68AF21F68
            Source: C:\Users\user\AppData\Local\NakOm\wscript.exeCode function: 36_2_00007FF68AF2340C
            Source: C:\Users\user\AppData\Local\NakOm\wscript.exeCode function: 36_2_00007FF68AF1AE8C
            Source: C:\Users\user\AppData\Local\NakOm\wscript.exeCode function: 36_2_00007FF68AF20A94
            Source: C:\Users\user\AppData\Local\NakOm\wscript.exeCode function: 36_2_00007FF68AF17B1C
            Source: C:\Users\user\AppData\Local\NakOm\wscript.exeCode function: 36_2_00007FF68AF16954
            Source: C:\Users\user\AppData\Local\NakOm\wscript.exeCode function: 36_2_00007FF68AF191AC
            Source: C:\Users\user\AppData\Local\NakOm\wscript.exeCode function: 36_2_00007FF68AF221C4
            Source: C:\Users\user\AppData\Local\NakOm\wscript.exeCode function: 36_2_00007FF68AF15A34
            Source: C:\Users\user\AppData\Local\NakOm\wscript.exeCode function: 36_2_00007FF68AF21A34
            Source: C:\Users\user\AppData\Local\Uh9eo\BitLockerWizardElev.exeCode function: 38_2_00007FF6173E1098
            Source: C:\Users\user\AppData\Local\mFxP\upfc.exeCode function: 40_2_00007FF7299C0C98
            Source: C:\Users\user\AppData\Local\mFxP\upfc.exeCode function: 40_2_00007FF7299B3320
            Source: C:\Users\user\AppData\Local\cZk0IMu\GamePanel.exeCode function: String function: 00007FF71BB66AD8 appears 152 times
            Source: C:\Users\user\AppData\Local\cZk0IMu\GamePanel.exeCode function: String function: 00007FF71BAC32F8 appears 268 times
            Source: C:\Users\user\AppData\Local\cZk0IMu\GamePanel.exeCode function: String function: 00007FF71BAC4D68 appears 144 times
            Source: C:\Users\user\AppData\Local\cZk0IMu\GamePanel.exeCode function: String function: 00007FF71BAC6894 appears 40 times
            Source: C:\Windows\System32\loaddll64.exeCode function: 0_2_0000000140046C90 NtClose,
            Source: C:\Windows\System32\loaddll64.exeCode function: 0_2_000000014006A4B0 NtQuerySystemInformation,
            Source: C:\Users\user\AppData\Local\cZk0IMu\GamePanel.exeCode function: 30_2_00007FF71BB36C44 RtlInitUnicodeString,NtQueryLicenseValue,
            Source: C:\Users\user\AppData\Local\cZk0IMu\GamePanel.exeCode function: 30_2_00007FF71BB6A9CC NtQueryInformationToken,RtlNtStatusToDosErrorNoTeb,HeapAlloc,memset,NtQueryInformationToken,RtlNtStatusToDosErrorNoTeb,RtlInitUnicodeString,RtlCompareUnicodeString,
            Source: C:\Users\user\AppData\Local\NakOm\wscript.exeCode function: 36_2_00007FF68AF1AC78 KillTimer,GetLastError,KillTimer,GetLastError,SetTimer,GetLastError,NtdllDefWindowProc_A,KillTimer,EnumThreadWindows,PostQuitMessage,
            Source: C:\Users\user\AppData\Local\NakOm\wscript.exeCode function: 36_2_00007FF68AF1AE00 GetWindowLongPtrA,SetWindowLongPtrA,NtdllDefWindowProc_A,
            Source: Y7KrNvSxWx.dllBinary or memory string: OriginalFilenamekbdyj% vs Y7KrNvSxWx.dll
            Source: SndVol.exe.4.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
            Source: SndVol.exe.4.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
            Source: SndVol.exe.4.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
            Source: SndVol.exe.4.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
            Source: SndVol.exe.4.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
            Source: SndVol.exe.4.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
            Source: SndVol.exe.4.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
            Source: SndVol.exe.4.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
            Source: SndVol.exe.4.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
            Source: bdeunlock.exe.4.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
            Source: bdeunlock.exe.4.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
            Source: bdeunlock.exe.4.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
            Source: SystemPropertiesPerformance.exe.4.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
            Source: SystemPropertiesPerformance.exe.4.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
            Source: SystemPropertiesPerformance.exe.4.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
            Source: GamePanel.exe.4.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
            Source: GamePanel.exe.4.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
            Source: GamePanel.exe.4.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
            Source: wscript.exe.4.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
            Source: wscript.exe.4.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
            Source: wscript.exe.4.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
            Source: wscript.exe.4.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
            Source: BitLockerWizardElev.exe.4.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
            Source: BitLockerWizardElev.exe.4.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
            Source: BitLockerWizardElev.exe.4.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
            Source: SystemPropertiesDataExecutionPrevention.exe.4.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
            Source: SystemPropertiesDataExecutionPrevention.exe.4.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
            Source: SystemPropertiesDataExecutionPrevention.exe.4.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
            Source: iexpress.exe.4.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
            Source: iexpress.exe.4.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
            Source: iexpress.exe.4.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
            Source: FileHistory.exe.4.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
            Source: FileHistory.exe.4.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
            Source: FileHistory.exe.4.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
            Source: FileHistory.exe.4.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
            Source: FileHistory.exe.4.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
            Source: FileHistory.exe.4.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
            Source: SYSDM.CPL0.4.drStatic PE information: Number of sections : 38 > 10
            Source: dwmapi.dll.4.drStatic PE information: Number of sections : 38 > 10
            Source: DUser.dll.4.drStatic PE information: Number of sections : 38 > 10
            Source: TAPI32.dll.4.drStatic PE information: Number of sections : 38 > 10
            Source: WTSAPI32.dll.4.drStatic PE information: Number of sections : 38 > 10
            Source: Y7KrNvSxWx.dllStatic PE information: Number of sections : 37 > 10
            Source: XmlLite.dll.4.drStatic PE information: Number of sections : 38 > 10
            Source: VERSION.dll.4.drStatic PE information: Number of sections : 38 > 10
            Source: FVEWIZ.dll.4.drStatic PE information: Number of sections : 38 > 10
            Source: SYSDM.CPL.4.drStatic PE information: Number of sections : 38 > 10
            Source: VERSION.dll0.4.drStatic PE information: Number of sections : 38 > 10
            Source: dwmapi.dll0.4.drStatic PE information: Number of sections : 38 > 10
            Source: UxTheme.dll.4.drStatic PE information: Number of sections : 38 > 10
            Source: Y7KrNvSxWx.dllStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
            Source: dwmapi.dll.4.drStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
            Source: DUser.dll.4.drStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
            Source: SYSDM.CPL.4.drStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
            Source: dwmapi.dll0.4.drStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
            Source: TAPI32.dll.4.drStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
            Source: VERSION.dll.4.drStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
            Source: FVEWIZ.dll.4.drStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
            Source: XmlLite.dll.4.drStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
            Source: SYSDM.CPL0.4.drStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
            Source: VERSION.dll0.4.drStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
            Source: UxTheme.dll.4.drStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
            Source: WTSAPI32.dll.4.drStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
            Source: Y7KrNvSxWx.dllVirustotal: Detection: 64%
            Source: Y7KrNvSxWx.dllReversingLabs: Detection: 77%
            Source: Y7KrNvSxWx.dllStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
            Source: C:\Windows\System32\loaddll64.exeKey opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
            Source: unknownProcess created: C:\Windows\System32\loaddll64.exe loaddll64.exe 'C:\Users\user\Desktop\Y7KrNvSxWx.dll'
            Source: C:\Windows\System32\loaddll64.exeProcess created: C:\Windows\System32\cmd.exe cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\Y7KrNvSxWx.dll',#1
            Source: C:\Windows\System32\loaddll64.exeProcess created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\Y7KrNvSxWx.dll,CloseDriver
            Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\Y7KrNvSxWx.dll',#1
            Source: C:\Windows\System32\loaddll64.exeProcess created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\Y7KrNvSxWx.dll,DefDriverProc
            Source: C:\Windows\System32\loaddll64.exeProcess created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\Y7KrNvSxWx.dll,DriverCallback
            Source: C:\Windows\explorer.exeProcess created: C:\Windows\System32\SndVol.exe C:\Windows\system32\SndVol.exe
            Source: C:\Windows\explorer.exeProcess created: C:\Users\user\AppData\Local\KXZtu\SndVol.exe C:\Users\user\AppData\Local\KXZtu\SndVol.exe
            Source: C:\Windows\explorer.exeProcess created: C:\Windows\System32\bdeunlock.exe C:\Windows\system32\bdeunlock.exe
            Source: C:\Windows\explorer.exeProcess created: C:\Users\user\AppData\Local\mlAKVTuFf\bdeunlock.exe C:\Users\user\AppData\Local\mlAKVTuFf\bdeunlock.exe
            Source: C:\Windows\explorer.exeProcess created: C:\Windows\System32\SystemPropertiesPerformance.exe C:\Windows\system32\SystemPropertiesPerformance.exe
            Source: C:\Windows\explorer.exeProcess created: C:\Users\user\AppData\Local\UjbH0ZEv\SystemPropertiesPerformance.exe C:\Users\user\AppData\Local\UjbH0ZEv\SystemPropertiesPerformance.exe
            Source: C:\Windows\explorer.exeProcess created: C:\Windows\System32\GamePanel.exe C:\Windows\system32\GamePanel.exe
            Source: C:\Windows\explorer.exeProcess created: C:\Users\user\AppData\Local\cZk0IMu\GamePanel.exe C:\Users\user\AppData\Local\cZk0IMu\GamePanel.exe
            Source: C:\Windows\explorer.exeProcess created: C:\Windows\System32\tcmsetup.exe C:\Windows\system32\tcmsetup.exe
            Source: C:\Windows\explorer.exeProcess created: C:\Users\user\AppData\Local\2oEy\tcmsetup.exe C:\Users\user\AppData\Local\2oEy\tcmsetup.exe
            Source: C:\Windows\explorer.exeProcess created: C:\Windows\System32\wscript.exe C:\Windows\system32\wscript.exe
            Source: C:\Windows\explorer.exeProcess created: C:\Users\user\AppData\Local\NakOm\wscript.exe C:\Users\user\AppData\Local\NakOm\wscript.exe
            Source: C:\Windows\explorer.exeProcess created: C:\Windows\System32\BitLockerWizardElev.exe C:\Windows\system32\BitLockerWizardElev.exe
            Source: C:\Windows\explorer.exeProcess created: C:\Users\user\AppData\Local\Uh9eo\BitLockerWizardElev.exe C:\Users\user\AppData\Local\Uh9eo\BitLockerWizardElev.exe
            Source: C:\Windows\explorer.exeProcess created: C:\Windows\System32\upfc.exe C:\Windows\system32\upfc.exe
            Source: C:\Windows\explorer.exeProcess created: C:\Users\user\AppData\Local\mFxP\upfc.exe C:\Users\user\AppData\Local\mFxP\upfc.exe
            Source: C:\Windows\explorer.exeProcess created: C:\Windows\System32\SystemPropertiesDataExecutionPrevention.exe C:\Windows\system32\SystemPropertiesDataExecutionPrevention.exe
            Source: C:\Windows\explorer.exe | Process created: unknown unknown
            Source: C:\Windows\explorer.exe | Process created: unknown unknown
            Source: C:\Windows\explorer.exe | Process created: unknown unknown
            Source: C:\Windows\explorer.exe | Process created: unknown unknown
            Source: C:\Windows\explorer.exe | Process created: unknown unknown
            Source: C:\Windows\explorer.exe | Process created: unknown unknown
            Source: C:\Windows\explorer.exe | Process created: unknown unknown
            Source: C:\Windows\explorer.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32
            Source: C:\Windows\explorer.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Crypto
            Source: classification engine | Classification label: mal100.troj.evad.winDLL@52/25@0/0
            Source: C:\Users\user\AppData\Local\KXZtu\SndVol.exe | Code function: 17_2_00007FF6249B9E34 CoCreateInstance,CoAllowSetForegroundWindow,
            Source: C:\Users\user\AppData\Local\mlAKVTuFf\bdeunlock.exe | Code function: 20_2_00007FF68D8724D8 FormatMessageW,GetLastError,
            Source: C:\Users\user\AppData\Local\mFxP\upfc.exe | Code function: 40_2_00007FF7299BE0E4 ChangeServiceConfigW,ChangeServiceConfig2W,ChangeServiceConfig2W,ChangeServiceConfig2W,GetLastError,CloseServiceHandle,GetLastError,
            Source: C:\Windows\System32\loaddll64.exe | Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\Y7KrNvSxWx.dll,CloseDriver
            Source: C:\Users\user\AppData\Local\mFxP\upfc.exe | Mutant created: \Sessions\1\BaseNamedObjects\{81978d18-9b5e-fd4f-7de1-2627a407a6e2}
            Source: C:\Users\user\AppData\Local\mFxP\upfc.exe | Mutant created: \Sessions\1\BaseNamedObjects\{f1f9b2b4-e115-ac5c-46a5-9b5b6fc59767}
            Source: C:\Users\user\AppData\Local\KXZtu\SndVol.exe | Code function: 17_2_00007FF6249B8E7C LoadResource,LockResource,SizeofResource,
            Source: GamePanel.exe | String found in binary or memory: Start/StopRecordAsync SUCCEEDED
            Source: GamePanel.exe | String found in binary or memory: Start/StopRecordAsync FINALIZING
            Source: GamePanel.exe | String found in binary or memory: Start/StopRecordAsync FAILED with hr = %x
            Source: upfc.exe | String found in binary or memory: /launchtype
            Source: Y7KrNvSxWx.dll | Static PE information: More than 179 > 100 exports found
            Source: Y7KrNvSxWx.dll | Static PE information: Image base 0x140000000 > 0x60000000
            Source: Y7KrNvSxWx.dll | Static file information: File size 1249280 > 1048576
            Source: Y7KrNvSxWx.dll | Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA
            Source: Binary string: BitLockerWizardElev.pdb source: BitLockerWizardElev.exe, 00000026.00000002.657739886.00007FF6173E2000.00000002.00020000.sdmp, BitLockerWizardElev.exe.4.dr
            Source: Binary string: bdeunlock.pdbGCTL source: bdeunlock.exe, 00000014.00000002.516325068.00007FF68D897000.00000002.00020000.sdmp, bdeunlock.exe.4.dr
            Source: Binary string: BdeUISrv.pdbGCTL source: BdeUISrv.exe.4.dr
            Source: Binary string: FileHistory.pdbGCTL source: FileHistory.exe.4.dr
            Source: Binary string: wscript.pdb source: wscript.exe, 00000024.00000002.630624352.00007FF68AF25000.00000002.00020000.sdmp, wscript.exe.4.dr
            Source: Binary string: GamePanel.pdb source: GamePanel.exe, 0000001E.00000002.574138111.00007FF71BB77000.00000002.00020000.sdmp, GamePanel.exe.4.dr
            Source: Binary string: bdeunlock.pdb source: bdeunlock.exe, 00000014.00000002.516325068.00007FF68D897000.00000002.00020000.sdmp, bdeunlock.exe.4.dr
            Source: Binary string: tcmsetup.pdb source: tcmsetup.exe, 00000021.00000000.576808687.00007FF6E3313000.00000002.00020000.sdmp, tcmsetup.exe.4.dr
            Source: Binary string: iexpress.pdb source: iexpress.exe.4.dr
            Source: Binary string: iexpress.pdbGCTL source: iexpress.exe.4.dr
            Source: Binary string: SndVol.pdbGCTL source: SndVol.exe, 00000011.00000002.489479361.00007FF6249D2000.00000002.00020000.sdmp, SndVol.exe.4.dr
            Source: Binary string: SystemPropertiesDataExecutionPrevention.pdb source: SystemPropertiesDataExecutionPrevention.exe.4.dr
            Source: Binary string: tcmsetup.pdbGCTL source: tcmsetup.exe, 00000021.00000000.576808687.00007FF6E3313000.00000002.00020000.sdmp, tcmsetup.exe.4.dr
            Source: Binary string: upfc.pdb source: upfc.exe, 00000028.00000000.659462106.00007FF7299C2000.00000002.00020000.sdmp, upfc.exe.4.dr
            Source: Binary string: SystemPropertiesPerformance.pdb source: SystemPropertiesPerformance.exe, 00000019.00000000.519427492.00007FF6A7B92000.00000002.00020000.sdmp, SystemPropertiesPerformance.exe.4.dr
            Source: Binary string: BitLockerWizardElev.pdbGCTL source: BitLockerWizardElev.exe, 00000026.00000002.657739886.00007FF6173E2000.00000002.00020000.sdmp, BitLockerWizardElev.exe.4.dr
            Source: Binary string: wscript.pdbGCTL source: wscript.exe, 00000024.00000002.630624352.00007FF68AF25000.00000002.00020000.sdmp, wscript.exe.4.dr
            Source: Binary string: SystemPropertiesPerformance.pdbGCTL source: SystemPropertiesPerformance.exe, 00000019.00000000.519427492.00007FF6A7B92000.00000002.00020000.sdmp, SystemPropertiesPerformance.exe.4.dr
            Source: Binary string: BdeUISrv.pdb source: BdeUISrv.exe.4.dr
            Source: Binary string: GamePanel.pdbGCTL source: GamePanel.exe, 0000001E.00000002.574138111.00007FF71BB77000.00000002.00020000.sdmp, GamePanel.exe.4.dr
            Source: Binary string: SystemPropertiesDataExecutionPrevention.pdbGCTL source: SystemPropertiesDataExecutionPrevention.exe.4.dr
            Source: Binary string: SndVol.pdb source: SndVol.exe, 00000011.00000002.489479361.00007FF6249D2000.00000002.00020000.sdmp, SndVol.exe.4.dr
            Source: Binary string: upfc.pdbGCTL source: upfc.exe, 00000028.00000000.659462106.00007FF7299C2000.00000002.00020000.sdmp, upfc.exe.4.dr
            Source: Binary string: FileHistory.pdb source: FileHistory.exe.4.dr
            Source: C:\Windows\System32\loaddll64.exe | Code function: 0_2_0000000140056A4D push rdi; ret
            Source: Y7KrNvSxWx.dll | Static PE information: section name: .qkm
            Source: Y7KrNvSxWx.dll | Static PE information: section name: .cvjb
            Source: Y7KrNvSxWx.dll | Static PE information: section name: .tlmkv
            Source: Y7KrNvSxWx.dll | Static PE information: section name: .wucsxe
            Source: Y7KrNvSxWx.dll | Static PE information: section name: .wnx
            Source: Y7KrNvSxWx.dll | Static PE information: section name: .weqy
            Source: Y7KrNvSxWx.dll | Static PE information: section name: .yby
            Source: Y7KrNvSxWx.dll | Static PE information: section name: .ormx
            Source: Y7KrNvSxWx.dll | Static PE information: section name: .dhclu
            Source: Y7KrNvSxWx.dll | Static PE information: section name: .xmiul
            Source: Y7KrNvSxWx.dll | Static PE information: section name: .tlwcxe
            Source: Y7KrNvSxWx.dll | Static PE information: section name: .get
            Source: Y7KrNvSxWx.dll | Static PE information: section name: .hzrd
            Source: Y7KrNvSxWx.dll | Static PE information: section name: .gulz
            Source: Y7KrNvSxWx.dll | Static PE information: section name: .ybavfq
            Source: Y7KrNvSxWx.dll | Static PE information: section name: .hzccq
            Source: Y7KrNvSxWx.dll | Static PE information: section name: .kmnqh
            Source: Y7KrNvSxWx.dll | Static PE information: section name: .sqadf
            Source: Y7KrNvSxWx.dll | Static PE information: section name: .uans
            Source: Y7KrNvSxWx.dll | Static PE information: section name: .gelkgq
            Source: Y7KrNvSxWx.dll | Static PE information: section name: .jbviw
            Source: Y7KrNvSxWx.dll | Static PE information: section name: .ypg
            Source: Y7KrNvSxWx.dll | Static PE information: section name: .qqs
            Source: Y7KrNvSxWx.dll | Static PE information: section name: .dsy
            Source: Y7KrNvSxWx.dll | Static PE information: section name: .fgy
            Source: Y7KrNvSxWx.dll | Static PE information: section name: .onfp
            Source: Y7KrNvSxWx.dll | Static PE information: section name: .clcj
            Source: Y7KrNvSxWx.dll | Static PE information: section name: .fhc
            Source: Y7KrNvSxWx.dll | Static PE information: section name: .ghxb
            Source: Y7KrNvSxWx.dll | Static PE information: section name: .icyh
            Source: Y7KrNvSxWx.dll | Static PE information: section name: .wguyua
            Source: SndVol.exe.4.dr | Static PE information: section name: .imrsiv
            Source: SndVol.exe.4.dr | Static PE information: section name: .didat
            Source: bdeunlock.exe.4.dr | Static PE information: section name: .imrsiv
            Source: GamePanel.exe.4.dr | Static PE information: section name: .imrsiv
            Source: GamePanel.exe.4.dr | Static PE information: section name: .didat
            Source: FileHistory.exe.4.dr | Static PE information: section name: .nep
            Source: dwmapi.dll.4.dr | Static PE information: section name: .qkm
            Source: dwmapi.dll.4.dr | Static PE information: section name: .cvjb
            Source: dwmapi.dll.4.dr | Static PE information: section name: .tlmkv
            Source: dwmapi.dll.4.dr | Static PE information: section name: .wucsxe
            Source: dwmapi.dll.4.dr | Static PE information: section name: .wnx
            Source: dwmapi.dll.4.dr | Static PE information: section name: .weqy
            Source: dwmapi.dll.4.dr | Static PE information: section name: .yby
            Source: dwmapi.dll.4.dr | Static PE information: section name: .ormx
            Source: dwmapi.dll.4.dr | Static PE information: section name: .dhclu
            Source: dwmapi.dll.4.dr | Static PE information: section name: .xmiul
            Source: dwmapi.dll.4.dr | Static PE information: section name: .tlwcxe
            Source: dwmapi.dll.4.dr | Static PE information: section name: .get
            Source: dwmapi.dll.4.dr | Static PE information: section name: .hzrd
            Source: dwmapi.dll.4.dr | Static PE information: section name: .gulz
            Source: dwmapi.dll.4.dr | Static PE information: section name: .ybavfq
            Source: dwmapi.dll.4.dr | Static PE information: section name: .hzccq
            Source: dwmapi.dll.4.dr | Static PE information: section name: .kmnqh
            Source: dwmapi.dll.4.dr | Static PE information: section name: .sqadf
            Source: dwmapi.dll.4.dr | Static PE information: section name: .uans
            Source: dwmapi.dll.4.dr | Static PE information: section name: .gelkgq
            Source: dwmapi.dll.4.dr | Static PE information: section name: .jbviw
            Source: dwmapi.dll.4.dr | Static PE information: section name: .ypg
            Source: dwmapi.dll.4.dr | Static PE information: section name: .qqs
            Source: dwmapi.dll.4.dr | Static PE information: section name: .dsy
            Source: dwmapi.dll.4.dr | Static PE information: section name: .fgy
            Source: dwmapi.dll.4.dr | Static PE information: section name: .onfp
            Source: dwmapi.dll.4.dr | Static PE information: section name: .clcj
            Source: dwmapi.dll.4.dr | Static PE information: section name: .fhc
            Source: dwmapi.dll.4.dr | Static PE information: section name: .ghxb
            Source: dwmapi.dll.4.dr | Static PE information: section name: .icyh
            Source: dwmapi.dll.4.dr | Static PE information: section name: .wguyua
            Source: dwmapi.dll.4.dr | Static PE information: section name: .mkadq
            Source: DUser.dll.4.dr | Static PE information: section name: .qkm
            Source: DUser.dll.4.dr | Static PE information: section name: .cvjb
            Source: DUser.dll.4.dr | Static PE information: section name: .tlmkv
            Source: DUser.dll.4.dr | Static PE information: section name: .wucsxe
            Source: DUser.dll.4.dr | Static PE information: section name: .wnx
            Source: DUser.dll.4.dr | Static PE information: section name: .weqy
            Source: DUser.dll.4.dr | Static PE information: section name: .yby
            Source: DUser.dll.4.drStatic PE information: section name: .ormx
            Source: DUser.dll.4.drStatic PE information: section name: .dhclu
            Source: DUser.dll.4.drStatic PE information: section name: .xmiul
            Source: DUser.dll.4.drStatic PE information: section name: .tlwcxe
            Source: DUser.dll.4.drStatic PE information: section name: .get
            Source: DUser.dll.4.drStatic PE information: section name: .hzrd
            Source: DUser.dll.4.drStatic PE information: section name: .gulz
            Source: DUser.dll.4.drStatic PE information: section name: .ybavfq
            Source: DUser.dll.4.drStatic PE information: section name: .hzccq
            Source: DUser.dll.4.drStatic PE information: section name: .kmnqh
            Source: DUser.dll.4.drStatic PE information: section name: .sqadf
            Source: DUser.dll.4.drStatic PE information: section name: .uans
            Source: DUser.dll.4.drStatic PE information: section name: .gelkgq
            Source: DUser.dll.4.drStatic PE information: section name: .jbviw
            Source: DUser.dll.4.drStatic PE information: section name: .ypg
            Source: DUser.dll.4.drStatic PE information: section name: .qqs
            Source: DUser.dll.4.drStatic PE information: section name: .dsy
            Source: DUser.dll.4.drStatic PE information: section name: .fgy
            Source: DUser.dll.4.drStatic PE information: section name: .onfp
            Source: DUser.dll.4.drStatic PE information: section name: .clcj
            Source: DUser.dll.4.drStatic PE information: section name: .fhc
            Source: DUser.dll.4.drStatic PE information: section name: .ghxb
            Source: DUser.dll.4.drStatic PE information: section name: .icyh
            Source: DUser.dll.4.drStatic PE information: section name: .wguyua
            Source: DUser.dll.4.drStatic PE information: section name: .utdog
            Source: SYSDM.CPL.4.drStatic PE information: section name: .qkm
            Source: SYSDM.CPL.4.drStatic PE information: section name: .cvjb
            Source: SYSDM.CPL.4.drStatic PE information: section name: .tlmkv
            Source: SYSDM.CPL.4.drStatic PE information: section name: .wucsxe
            Source: SYSDM.CPL.4.drStatic PE information: section name: .wnx
            Source: SYSDM.CPL.4.drStatic PE information: section name: .weqy
            Source: SYSDM.CPL.4.drStatic PE information: section name: .yby
            Source: SYSDM.CPL.4.drStatic PE information: section name: .ormx
            Source: SYSDM.CPL.4.drStatic PE information: section name: .dhclu
            Source: SYSDM.CPL.4.drStatic PE information: section name: .xmiul
            Source: SYSDM.CPL.4.drStatic PE information: section name: .tlwcxe
            Source: SYSDM.CPL.4.drStatic PE information: section name: .get
            Source: SYSDM.CPL.4.drStatic PE information: section name: .hzrd
            Source: SYSDM.CPL.4.drStatic PE information: section name: .gulz
            Source: SYSDM.CPL.4.drStatic PE information: section name: .ybavfq
            Source: SYSDM.CPL.4.drStatic PE information: section name: .hzccq
            Source: SYSDM.CPL.4.drStatic PE information: section name: .kmnqh
            Source: SYSDM.CPL.4.drStatic PE information: section name: .sqadf
            Source: SYSDM.CPL.4.drStatic PE information: section name: .uans
            Source: SYSDM.CPL.4.drStatic PE information: section name: .gelkgq
            Source: SYSDM.CPL.4.drStatic PE information: section name: .jbviw
            Source: SYSDM.CPL.4.drStatic PE information: section name: .ypg
            Source: SYSDM.CPL.4.drStatic PE information: section name: .qqs
            Source: SYSDM.CPL.4.drStatic PE information: section name: .dsy
            Source: SYSDM.CPL.4.drStatic PE information: section name: .fgy
            Source: SYSDM.CPL.4.drStatic PE information: section name: .onfp
            Source: SYSDM.CPL.4.drStatic PE information: section name: .clcj
            Source: SYSDM.CPL.4.drStatic PE information: section name: .fhc
            Source: SYSDM.CPL.4.drStatic PE information: section name: .ghxb
            Source: SYSDM.CPL.4.drStatic PE information: section name: .icyh
            Source: SYSDM.CPL.4.drStatic PE information: section name: .wguyua
            Source: SYSDM.CPL.4.drStatic PE information: section name: .xjg
            Source: dwmapi.dll0.4.drStatic PE information: section name: .qkm
            Source: dwmapi.dll0.4.drStatic PE information: section name: .cvjb
            Source: dwmapi.dll0.4.drStatic PE information: section name: .tlmkv
            Source: dwmapi.dll0.4.drStatic PE information: section name: .wucsxe
            Source: dwmapi.dll0.4.drStatic PE information: section name: .wnx
            Source: dwmapi.dll0.4.drStatic PE information: section name: .weqy
            Source: dwmapi.dll0.4.drStatic PE information: section name: .yby
            Source: dwmapi.dll0.4.drStatic PE information: section name: .ormx
            Source: dwmapi.dll0.4.drStatic PE information: section name: .dhclu
            Source: dwmapi.dll0.4.drStatic PE information: section name: .xmiul
            Source: dwmapi.dll0.4.drStatic PE information: section name: .tlwcxe
            Source: dwmapi.dll0.4.drStatic PE information: section name: .get
            Source: dwmapi.dll0.4.drStatic PE information: section name: .hzrd
            Source: dwmapi.dll0.4.drStatic PE information: section name: .gulz
            Source: dwmapi.dll0.4.drStatic PE information: section name: .ybavfq
            Source: dwmapi.dll0.4.drStatic PE information: section name: .hzccq
            Source: dwmapi.dll0.4.drStatic PE information: section name: .kmnqh
            Source: dwmapi.dll0.4.drStatic PE information: section name: .sqadf
            Source: dwmapi.dll0.4.drStatic PE information: section name: .uans
            Source: dwmapi.dll0.4.drStatic PE information: section name: .gelkgq
            Source: dwmapi.dll0.4.drStatic PE information: section name: .jbviw
            Source: dwmapi.dll0.4.drStatic PE information: section name: .ypg
            Source: dwmapi.dll0.4.drStatic PE information: section name: .qqs
            Source: dwmapi.dll0.4.drStatic PE information: section name: .dsy
            Source: dwmapi.dll0.4.drStatic PE information: section name: .fgy
            Source: dwmapi.dll0.4.drStatic PE information: section name: .onfp
            Source: dwmapi.dll0.4.drStatic PE information: section name: .clcj
            Source: dwmapi.dll0.4.drStatic PE information: section name: .fhc
            Source: dwmapi.dll0.4.drStatic PE information: section name: .ghxb
            Source: dwmapi.dll0.4.drStatic PE information: section name: .icyh
            Source: dwmapi.dll0.4.drStatic PE information: section name: .wguyua
            Source: dwmapi.dll0.4.drStatic PE information: section name: .scnrap
            Source: TAPI32.dll.4.drStatic PE information: section name: .qkm
            Source: TAPI32.dll.4.drStatic PE information: section name: .cvjb
            Source: TAPI32.dll.4.drStatic PE information: section name: .tlmkv
            Source: TAPI32.dll.4.drStatic PE information: section name: .wucsxe
            Source: TAPI32.dll.4.drStatic PE information: section name: .wnx
            Source: TAPI32.dll.4.drStatic PE information: section name: .weqy
            Source: TAPI32.dll.4.drStatic PE information: section name: .yby
            Source: TAPI32.dll.4.drStatic PE information: section name: .ormx
            Source: TAPI32.dll.4.drStatic PE information: section name: .dhclu
            Source: TAPI32.dll.4.drStatic PE information: section name: .xmiul
            Source: TAPI32.dll.4.drStatic PE information: section name: .tlwcxe
            Source: TAPI32.dll.4.drStatic PE information: section name: .get
            Source: TAPI32.dll.4.drStatic PE information: section name: .hzrd
            Source: TAPI32.dll.4.drStatic PE information: section name: .gulz
            Source: TAPI32.dll.4.drStatic PE information: section name: .ybavfq
            Source: TAPI32.dll.4.drStatic PE information: section name: .hzccq
            Source: TAPI32.dll.4.drStatic PE information: section name: .kmnqh
            Source: TAPI32.dll.4.drStatic PE information: section name: .sqadf
            Source: TAPI32.dll.4.drStatic PE information: section name: .uans
            Source: TAPI32.dll.4.drStatic PE information: section name: .gelkgq
            Source: TAPI32.dll.4.drStatic PE information: section name: .jbviw
            Source: TAPI32.dll.4.drStatic PE information: section name: .ypg
            Source: TAPI32.dll.4.drStatic PE information: section name: .qqs
            Source: TAPI32.dll.4.drStatic PE information: section name: .dsy
            Source: TAPI32.dll.4.drStatic PE information: section name: .fgy
            Source: TAPI32.dll.4.drStatic PE information: section name: .onfp
            Source: TAPI32.dll.4.drStatic PE information: section name: .clcj
            Source: TAPI32.dll.4.drStatic PE information: section name: .fhc
            Source: TAPI32.dll.4.drStatic PE information: section name: .ghxb
            Source: TAPI32.dll.4.drStatic PE information: section name: .icyh
            Source: TAPI32.dll.4.drStatic PE information: section name: .wguyua
            Source: TAPI32.dll.4.drStatic PE information: section name: .lisssh
            Source: VERSION.dll.4.drStatic PE information: section name: .qkm
            Source: VERSION.dll.4.drStatic PE information: section name: .cvjb
            Source: VERSION.dll.4.drStatic PE information: section name: .tlmkv
            Source: VERSION.dll.4.drStatic PE information: section name: .wucsxe
            Source: VERSION.dll.4.drStatic PE information: section name: .wnx
            Source: VERSION.dll.4.drStatic PE information: section name: .weqy
            Source: VERSION.dll.4.drStatic PE information: section name: .yby
            Source: VERSION.dll.4.drStatic PE information: section name: .ormx
            Source: VERSION.dll.4.drStatic PE information: section name: .dhclu
            Source: VERSION.dll.4.drStatic PE information: section name: .xmiul
            Source: VERSION.dll.4.drStatic PE information: section name: .tlwcxe
            Source: VERSION.dll.4.drStatic PE information: section name: .get
            Source: VERSION.dll.4.drStatic PE information: section name: .hzrd
            Source: VERSION.dll.4.drStatic PE information: section name: .gulz
            Source: VERSION.dll.4.drStatic PE information: section name: .ybavfq
            Source: VERSION.dll.4.drStatic PE information: section name: .hzccq
            Source: VERSION.dll.4.drStatic PE information: section name: .kmnqh
            Source: VERSION.dll.4.drStatic PE information: section name: .sqadf
            Source: VERSION.dll.4.drStatic PE information: section name: .uans
            Source: VERSION.dll.4.drStatic PE information: section name: .gelkgq
            Source: VERSION.dll.4.drStatic PE information: section name: .jbviw
            Source: VERSION.dll.4.drStatic PE information: section name: .ypg
            Source: VERSION.dll.4.drStatic PE information: section name: .qqs
            Source: VERSION.dll.4.drStatic PE information: section name: .dsy
            Source: VERSION.dll.4.drStatic PE information: section name: .fgy
            Source: VERSION.dll.4.drStatic PE information: section name: .onfp
            Source: VERSION.dll.4.drStatic PE information: section name: .clcj
            Source: VERSION.dll.4.drStatic PE information: section name: .fhc
            Source: VERSION.dll.4.drStatic PE information: section name: .ghxb
            Source: VERSION.dll.4.drStatic PE information: section name: .icyh
            Source: VERSION.dll.4.drStatic PE information: section name: .wguyua
            Source: VERSION.dll.4.drStatic PE information: section name: .pkopjx
            Source: FVEWIZ.dll.4.drStatic PE information: section name: .qkm
            Source: FVEWIZ.dll.4.drStatic PE information: section name: .cvjb
            Source: FVEWIZ.dll.4.drStatic PE information: section name: .tlmkv
            Source: FVEWIZ.dll.4.drStatic PE information: section name: .wucsxe
            Source: FVEWIZ.dll.4.drStatic PE information: section name: .wnx
            Source: FVEWIZ.dll.4.drStatic PE information: section name: .weqy
            Source: FVEWIZ.dll.4.drStatic PE information: section name: .yby
            Source: FVEWIZ.dll.4.drStatic PE information: section name: .ormx
            Source: FVEWIZ.dll.4.drStatic PE information: section name: .dhclu
            Source: FVEWIZ.dll.4.drStatic PE information: section name: .xmiul
            Source: FVEWIZ.dll.4.drStatic PE information: section name: .tlwcxe
            Source: FVEWIZ.dll.4.drStatic PE information: section name: .get
            Source: FVEWIZ.dll.4.drStatic PE information: section name: .hzrd
            Source: FVEWIZ.dll.4.drStatic PE information: section name: .gulz
            Source: FVEWIZ.dll.4.drStatic PE information: section name: .ybavfq
            Source: FVEWIZ.dll.4.drStatic PE information: section name: .hzccq
            Source: FVEWIZ.dll.4.drStatic PE information: section name: .kmnqh
            Source: FVEWIZ.dll.4.drStatic PE information: section name: .sqadf
            Source: FVEWIZ.dll.4.drStatic PE information: section name: .uans
            Source: FVEWIZ.dll.4.drStatic PE information: section name: .gelkgq
            Source: FVEWIZ.dll.4.drStatic PE information: section name: .jbviw
            Source: FVEWIZ.dll.4.drStatic PE information: section name: .ypg
            Source: FVEWIZ.dll.4.drStatic PE information: section name: .qqs
            Source: FVEWIZ.dll.4.drStatic PE information: section name: .dsy
            Source: FVEWIZ.dll.4.drStatic PE information: section name: .fgy
            Source: FVEWIZ.dll.4.drStatic PE information: section name: .onfp
            Source: FVEWIZ.dll.4.drStatic PE information: section name: .clcj
            Source: FVEWIZ.dll.4.drStatic PE information: section name: .fhc
            Source: FVEWIZ.dll.4.drStatic PE information: section name: .ghxb
            Source: FVEWIZ.dll.4.drStatic PE information: section name: .icyh
            Source: FVEWIZ.dll.4.drStatic PE information: section name: .wguyua
            Source: FVEWIZ.dll.4.drStatic PE information: section name: .yza
            Source: XmlLite.dll.4.drStatic PE information: section name: .qkm
            Source: XmlLite.dll.4.drStatic PE information: section name: .cvjb
            Source: XmlLite.dll.4.drStatic PE information: section name: .tlmkv
            Source: XmlLite.dll.4.drStatic PE information: section name: .wucsxe
            Source: XmlLite.dll.4.drStatic PE information: section name: .wnx
            Source: XmlLite.dll.4.drStatic PE information: section name: .weqy
            Source: XmlLite.dll.4.drStatic PE information: section name: .yby
            Source: XmlLite.dll.4.drStatic PE information: section name: .ormx
            Source: XmlLite.dll.4.drStatic PE information: section name: .dhclu
            Source: XmlLite.dll.4.drStatic PE information: section name: .xmiul
            Source: XmlLite.dll.4.drStatic PE information: section name: .tlwcxe
            Source: XmlLite.dll.4.drStatic PE information: section name: .get
            Source: XmlLite.dll.4.drStatic PE information: section name: .hzrd
            Source: XmlLite.dll.4.drStatic PE information: section name: .gulz
            Source: XmlLite.dll.4.drStatic PE information: section name: .ybavfq
            Source: XmlLite.dll.4.drStatic PE information: section name: .hzccq
            Source: XmlLite.dll.4.drStatic PE information: section name: .kmnqh
            Source: XmlLite.dll.4.drStatic PE information: section name: .sqadf
            Source: XmlLite.dll.4.drStatic PE information: section name: .uans
            Source: XmlLite.dll.4.drStatic PE information: section name: .gelkgq
            Source: XmlLite.dll.4.drStatic PE information: section name: .jbviw
            Source: XmlLite.dll.4.drStatic PE information: section name: .ypg
            Source: XmlLite.dll.4.drStatic PE information: section name: .qqs
            Source: XmlLite.dll.4.drStatic PE information: section name: .dsy
            Source: XmlLite.dll.4.drStatic PE information: section name: .fgy
            Source: XmlLite.dll.4.drStatic PE information: section name: .onfp
            Source: XmlLite.dll.4.drStatic PE information: section name: .clcj
            Source: XmlLite.dll.4.drStatic PE information: section name: .fhc
            Source: XmlLite.dll.4.drStatic PE information: section name: .ghxb
            Source: XmlLite.dll.4.drStatic PE information: section name: .icyh
            Source: XmlLite.dll.4.drStatic PE information: section name: .wguyua
            Source: XmlLite.dll.4.drStatic PE information: section name: .oxh
            Source: SYSDM.CPL0.4.drStatic PE information: section name: .qkm
            Source: SYSDM.CPL0.4.drStatic PE information: section name: .cvjb
            Source: SYSDM.CPL0.4.drStatic PE information: section name: .tlmkv
            Source: SYSDM.CPL0.4.drStatic PE information: section name: .wucsxe
            Source: SYSDM.CPL0.4.drStatic PE information: section name: .wnx
            Source: SYSDM.CPL0.4.drStatic PE information: section name: .weqy
            Source: SYSDM.CPL0.4.drStatic PE information: section name: .yby
            Source: SYSDM.CPL0.4.drStatic PE information: section name: .ormx
            Source: SYSDM.CPL0.4.drStatic PE information: section name: .dhclu
            Source: SYSDM.CPL0.4.drStatic PE information: section name: .xmiul
            Source: SYSDM.CPL0.4.drStatic PE information: section name: .tlwcxe
            Source: SYSDM.CPL0.4.drStatic PE information: section name: .get
            Source: SYSDM.CPL0.4.drStatic PE information: section name: .hzrd
            Source: SYSDM.CPL0.4.drStatic PE information: section name: .gulz
            Source: SYSDM.CPL0.4.drStatic PE information: section name: .ybavfq
            Source: SYSDM.CPL0.4.drStatic PE information: section name: .hzccq
            Source: SYSDM.CPL0.4.drStatic PE information: section name: .kmnqh
            Source: SYSDM.CPL0.4.drStatic PE information: section name: .sqadf
            Source: SYSDM.CPL0.4.drStatic PE information: section name: .uans
            Source: SYSDM.CPL0.4.drStatic PE information: section name: .gelkgq
            Source: SYSDM.CPL0.4.drStatic PE information: section name: .jbviw
            Source: SYSDM.CPL0.4.drStatic PE information: section name: .ypg
            Source: SYSDM.CPL0.4.drStatic PE information: section name: .qqs
            Source: SYSDM.CPL0.4.drStatic PE information: section name: .dsy
            Source: SYSDM.CPL0.4.drStatic PE information: section name: .fgy
            Source: SYSDM.CPL0.4.drStatic PE information: section name: .onfp
            Source: SYSDM.CPL0.4.drStatic PE information: section name: .clcj
            Source: SYSDM.CPL0.4.drStatic PE information: section name: .fhc
            Source: SYSDM.CPL0.4.drStatic PE information: section name: .ghxb
            Source: SYSDM.CPL0.4.drStatic PE information: section name: .icyh
            Source: SYSDM.CPL0.4.drStatic PE information: section name: .wguyua
            Source: SYSDM.CPL0.4.drStatic PE information: section name: .dcq
            Source: VERSION.dll0.4.drStatic PE information: section name: .qkm
            Source: VERSION.dll0.4.drStatic PE information: section name: .cvjb
            Source: VERSION.dll0.4.drStatic PE information: section name: .tlmkv
            Source: VERSION.dll0.4.drStatic PE information: section name: .wucsxe
            Source: VERSION.dll0.4.drStatic PE information: section name: .wnx
            Source: VERSION.dll0.4.drStatic PE information: section name: .weqy
            Source: VERSION.dll0.4.drStatic PE information: section name: .yby
            Source: VERSION.dll0.4.drStatic PE information: section name: .ormx
            Source: VERSION.dll0.4.drStatic PE information: section name: .dhclu
            Source: VERSION.dll0.4.drStatic PE information: section name: .xmiul
            Source: VERSION.dll0.4.drStatic PE information: section name: .tlwcxe
            Source: VERSION.dll0.4.drStatic PE information: section name: .get
            Source: VERSION.dll0.4.drStatic PE information: section name: .hzrd
            Source: VERSION.dll0.4.drStatic PE information: section name: .gulz
            Source: VERSION.dll0.4.drStatic PE information: section name: .ybavfq
            Source: VERSION.dll0.4.drStatic PE information: section name: .hzccq
            Source: VERSION.dll0.4.drStatic PE information: section name: .kmnqh
            Source: VERSION.dll0.4.drStatic PE information: section name: .sqadf
            Source: VERSION.dll0.4.drStatic PE information: section name: .uans
            Source: VERSION.dll0.4.drStatic PE information: section name: .gelkgq
            Source: VERSION.dll0.4.drStatic PE information: section name: .jbviw
            Source: VERSION.dll0.4.drStatic PE information: section name: .ypg
            Source: VERSION.dll0.4.drStatic PE information: section name: .qqs
            Source: VERSION.dll0.4.drStatic PE information: section name: .dsy
            Source: VERSION.dll0.4.drStatic PE information: section name: .fgy
            Source: VERSION.dll0.4.drStatic PE information: section name: .onfp
            Source: VERSION.dll0.4.drStatic PE information: section name: .clcj
            Source: VERSION.dll0.4.drStatic PE information: section name: .fhc
            Source: VERSION.dll0.4.drStatic PE information: section name: .ghxb
            Source: VERSION.dll0.4.drStatic PE information: section name: .icyh
            Source: VERSION.dll0.4.drStatic PE information: section name: .wguyua
            Source: VERSION.dll0.4.drStatic PE information: section name: .sgswxz
            Source: UxTheme.dll.4.drStatic PE information: section name: .qkm
            Source: UxTheme.dll.4.drStatic PE information: section name: .cvjb
            Source: UxTheme.dll.4.drStatic PE information: section name: .tlmkv
            Source: UxTheme.dll.4.drStatic PE information: section name: .wucsxe
            Source: UxTheme.dll.4.drStatic PE information: section name: .wnx
            Source: UxTheme.dll.4.drStatic PE information: section name: .weqy
            Source: UxTheme.dll.4.drStatic PE information: section name: .yby
            Source: UxTheme.dll.4.drStatic PE information: section name: .ormx
            Source: UxTheme.dll.4.drStatic PE information: section name: .dhclu
            Source: UxTheme.dll.4.drStatic PE information: section name: .xmiul
            Source: UxTheme.dll.4.drStatic PE information: section name: .tlwcxe
            Source: UxTheme.dll.4.drStatic PE information: section name: .get
            Source: UxTheme.dll.4.drStatic PE information: section name: .hzrd
            Source: UxTheme.dll.4.drStatic PE information: section name: .gulz
            Source: UxTheme.dll.4.drStatic PE information: section name: .ybavfq
            Source: UxTheme.dll.4.drStatic PE information: section name: .hzccq
            Source: UxTheme.dll.4.drStatic PE information: section name: .kmnqh
            Source: UxTheme.dll.4.drStatic PE information: section name: .sqadf
            Source: UxTheme.dll.4.drStatic PE information: section name: .uans
            Source: UxTheme.dll.4.drStatic PE information: section name: .gelkgq
            Source: UxTheme.dll.4.drStatic PE information: section name: .jbviw
            Source: UxTheme.dll.4.drStatic PE information: section name: .ypg
            Source: UxTheme.dll.4.drStatic PE information: section name: .qqs
            Source: UxTheme.dll.4.drStatic PE information: section name: .dsy
            Source: UxTheme.dll.4.drStatic PE information: section name: .fgy
            Source: UxTheme.dll.4.drStatic PE information: section name: .onfp
            Source: UxTheme.dll.4.drStatic PE information: section name: .clcj
            Source: UxTheme.dll.4.drStatic PE information: section name: .fhc
            Source: UxTheme.dll.4.drStatic PE information: section name: .ghxb
            Source: UxTheme.dll.4.drStatic PE information: section name: .icyh
            Source: UxTheme.dll.4.drStatic PE information: section name: .wguyua
            Source: UxTheme.dll.4.drStatic PE information: section name: .fygqp
            Source: WTSAPI32.dll.4.drStatic PE information: section name: .qkm
            Source: WTSAPI32.dll.4.drStatic PE information: section name: .cvjb
            Source: WTSAPI32.dll.4.drStatic PE information: section name: .tlmkv
            Source: WTSAPI32.dll.4.drStatic PE information: section name: .wucsxe
            Source: WTSAPI32.dll.4.drStatic PE information: section name: .wnx
            Source: WTSAPI32.dll.4.drStatic PE information: section name: .weqy
            Source: WTSAPI32.dll.4.drStatic PE information: section name: .yby
            Source: WTSAPI32.dll.4.drStatic PE information: section name: .ormx
            Source: WTSAPI32.dll.4.drStatic PE information: section name: .dhclu
            Source: WTSAPI32.dll.4.drStatic PE information: section name: .xmiul
            Source: WTSAPI32.dll.4.drStatic PE information: section name: .tlwcxe
            Source: WTSAPI32.dll.4.drStatic PE information: section name: .get
            Source: WTSAPI32.dll.4.drStatic PE information: section name: .hzrd
            Source: WTSAPI32.dll.4.drStatic PE information: section name: .gulz
            Source: WTSAPI32.dll.4.drStatic PE information: section name: .ybavfq
            Source: WTSAPI32.dll.4.drStatic PE information: section name: .hzccq
            Source: WTSAPI32.dll.4.drStatic PE information: section name: .kmnqh
            Source: WTSAPI32.dll.4.drStatic PE information: section name: .sqadf
            Source: WTSAPI32.dll.4.drStatic PE information: section name: .uans
            Source: WTSAPI32.dll.4.drStatic PE information: section name: .gelkgq
            Source: WTSAPI32.dll.4.drStatic PE information: section name: .jbviw
            Source: WTSAPI32.dll.4.drStatic PE information: section name: .ypg
            Source: WTSAPI32.dll.4.drStatic PE information: section name: .qqs
            Source: WTSAPI32.dll.4.drStatic PE information: section name: .dsy
            Source: WTSAPI32.dll.4.drStatic PE information: section name: .fgy
            Source: WTSAPI32.dll.4.drStatic PE information: section name: .onfp
            Source: WTSAPI32.dll.4.drStatic PE information: section name: .clcj
            Source: WTSAPI32.dll.4.drStatic PE information: section name: .fhc
            Source: WTSAPI32.dll.4.drStatic PE information: section name: .ghxb
            Source: WTSAPI32.dll.4.drStatic PE information: section name: .icyh
            Source: WTSAPI32.dll.4.drStatic PE information: section name: .wguyua
            Source: WTSAPI32.dll.4.drStatic PE information: section name: .nouixc
            Source: SYSDM.CPL0.4.drStatic PE information: real checksum: 0x7d786c40 should be: 0x141d35
            Source: dwmapi.dll.4.drStatic PE information: real checksum: 0x7d786c40 should be: 0x13a77a
            Source: DUser.dll.4.drStatic PE information: real checksum: 0x7d786c40 should be: 0x136f03
            Source: TAPI32.dll.4.drStatic PE information: real checksum: 0x7d786c40 should be: 0x133731
            Source: WTSAPI32.dll.4.drStatic PE information: real checksum: 0x7d786c40 should be: 0x132066
            Source: Y7KrNvSxWx.dllStatic PE information: real checksum: 0x7d786c40 should be: 0x13f997
            Source: XmlLite.dll.4.drStatic PE information: real checksum: 0x7d786c40 should be: 0x13bfd3
            Source: VERSION.dll.4.drStatic PE information: real checksum: 0x7d786c40 should be: 0x13b3b1
            Source: FVEWIZ.dll.4.drStatic PE information: real checksum: 0x7d786c40 should be: 0x132d2f
            Source: SYSDM.CPL.4.drStatic PE information: real checksum: 0x7d786c40 should be: 0x13fe78
            Source: VERSION.dll0.4.drStatic PE information: real checksum: 0x7d786c40 should be: 0x135d2b
            Source: dwmapi.dll0.4.drStatic PE information: real checksum: 0x7d786c40 should be: 0x13ac7d
            Source: UxTheme.dll.4.drStatic PE information: real checksum: 0x7d786c40 should be: 0x13a732
            Source: SndVol.exe.4.drStatic PE information: 0x6E534A77 [Sun Aug 27 01:25:11 2028 UTC]
            Source: initial sampleStatic PE information: section name: .text entropy: 7.73364605679
            Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\UjbH0ZEv\SYSDM.CPL
            Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\KAG\SYSDM.CPL
            Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\cZk0IMu\dwmapi.dll
            Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\5JXP\iexpress.exe
            Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\KAG\SystemPropertiesDataExecutionPrevention.exe
            Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\Uh9eo\BitLockerWizardElev.exe
            Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\2oEy\tcmsetup.exe
            Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\mFxP\upfc.exe
            Source: C:\Windows\explorer.exeFile created: C:\Users\user\AppData\Local\KAG\SYSDM.CPLJump to dropped file
            Source: C:\Windows\explorer.exeFile created: C:\Users\user\AppData\Local\UjbH0ZEv\SYSDM.CPLJump to dropped file
            Source: C:\Windows\explorer.exeFile created: C:\Users\user\AppData\Local\UjbH0ZEv\SystemPropertiesPerformance.exeJump to dropped file
            Source: C:\Windows\explorer.exeFile created: C:\Users\user\AppData\Local\mlAKVTuFf\bdeunlock.exeJump to dropped file
            Source: C:\Windows\explorer.exeFile created: C:\Users\user\AppData\Local\KXZtu\SndVol.exeJump to dropped file
            Source: C:\Windows\explorer.exeFile created: C:\Users\user\AppData\Local\NakOm\wscript.exeJump to dropped file
            Source: C:\Windows\explorer.exeFile created: C:\Users\user\AppData\Local\cZk0IMu\GamePanel.exeJump to dropped file
            Source: C:\Windows\explorer.exeFile created: C:\Users\user\AppData\Local\KXZtu\dwmapi.dllJump to dropped file
            Source: C:\Windows\explorer.exeFile created: C:\Users\user\AppData\Local\NakOm\VERSION.dllJump to dropped file
            Source: C:\Windows\explorer.exeFile created: C:\Users\user\AppData\Local\mFxP\XmlLite.dllJump to dropped file
            Source: C:\Windows\explorer.exeFile created: C:\Users\user\AppData\Local\mlAKVTuFf\DUser.dllJump to dropped file
            Source: C:\Windows\explorer.exeFile created: C:\Users\user\AppData\Local\5JXP\VERSION.dllJump to dropped file
            Source: C:\Windows\explorer.exeFile created: C:\Users\user\AppData\Local\IcLt\BdeUISrv.exeJump to dropped file
            Source: C:\Windows\explorer.exeFile created: C:\Users\user\AppData\Local\Uh9eo\FVEWIZ.dllJump to dropped file
            Source: C:\Windows\explorer.exeFile created: C:\Users\user\AppData\Local\FvTQVxZ\UxTheme.dllJump to dropped file
            Source: C:\Windows\explorer.exeFile created: C:\Users\user\AppData\Local\FvTQVxZ\FileHistory.exeJump to dropped file
            Source: C:\Windows\explorer.exeFile created: C:\Users\user\AppData\Local\IcLt\WTSAPI32.dllJump to dropped file
            Source: C:\Windows\explorer.exeFile created: C:\Users\user\AppData\Local\2oEy\TAPI32.dllJump to dropped file
            Source: C:\Users\user\AppData\Local\mlAKVTuFf\bdeunlock.exeCode function: 20_2_00007FF68D872EF4 GetProcessHeap,HeapAlloc,GetProcessHeap,HeapFree,memset,GetModuleHandleExW,GetProcAddress,GetProcessHeap,HeapFree,FreeLibrary,memset,memcpy,GetLastError,GetLastError,GetProcessHeap,HeapAlloc,GetCurrentThreadId,GetLastError,GetProcessHeap,HeapAlloc,wcscmp,wcscmp,GetCurrentProcess,GetProcessMitigationPolicy,LocalAlloc,~SyncLockT,FreeLibrary,memset,memcpy,~SyncLockT,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapAlloc,memcpy,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetModuleFileNameW,GetLastError,GetLastError,GetProcessHeap,HeapAlloc,memcpy,memcpy,memcpy,GetProcessHeap,HeapAlloc,memcpy,GetProcessHeap,HeapFree,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapAlloc,memcpy,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapAlloc,memcpy,memcpy,memcpy,GetProcessHeap,HeapFree,GetProcessHeap,HeapAlloc,GetModuleHandleExW,GetLastError,GetProcAddress,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapAlloc,memcpy,memset,memset,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapFree,memset,GetModuleHandleExW,GetProcAddress,GetProcessHeap,HeapFree,FreeLibrary,memset,memcpy,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapFree,memset,GetModuleHandleExW,GetProcAddress,GetProcessHeap,HeapFree,FreeLibrary,memset,memcpy,memset,GetLastError,GetLastError,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapFree,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapAlloc,GetLastError,GetProcessHeap,HeapFree,GetLastError,memset,memset,GetLastError,GetLastError,memset,GetLastError,memset,GetLastError,memset,memset,FreeLibrary,memset,memcpy,memset,memset,memset,memset,GetLastError,memset,GetLastError,memset,memset,memset,memset,GetLastError,GetLastError,memset,GetLastError,memset,memset,memset,GetLastError,memset,GetLastError,memset,memset,memset,memset,GetLastError,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,FreeLibrary,memset,memcpy,memset,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapFree,memset,GetModuleHandleExW,GetProcAddress,GetProcessHeap,HeapFree,FreeLibrary,memset,memcpy,FreeLibrary,memset,memcpy,~SyncLockT,GetProcessHeap,HeapAlloc,memcpy,GetProcessHeap,HeapAlloc,memcpy,GetProcessHeap,HeapAlloc,memcpy,memcpy,GetProcessHeap,HeapAlloc,memcpy,GetProcessHeap,HeapFree,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapAlloc,GetProcessHeap
            Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\explorer.exe TID: 4328Thread sleep count: 41 > 30
            Source: C:\Windows\explorer.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\5JXP\iexpress.exe
            Source: C:\Windows\explorer.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\IcLt\BdeUISrv.exe
            Source: C:\Windows\explorer.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\FvTQVxZ\FileHistory.exe
            Source: C:\Windows\explorer.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\IcLt\WTSAPI32.dll
            Source: C:\Users\user\AppData\Local\mlAKVTuFf\bdeunlock.exeCode function: 20_2_00007FF68D872EF4 rdtsc
            Source: C:\Windows\System32\loaddll64.exeProcess information queried: ProcessInformation
            Source: C:\Windows\System32\loaddll64.exeCode function: 0_2_000000014005C340 GetSystemInfo,
            Source: C:\Windows\System32\loaddll64.exeCode function: 0_2_000000014005D290 FindFirstFileExW,
            Source: C:\Users\user\AppData\Local\NakOm\wscript.exeCode function: 36_2_00007FF68AF1D4A0 GetFileAttributesW,GetLastError,FindFirstFileW,WideCharToMultiByte,GetLastError,WideCharToMultiByte,GetFileAttributesA,GetLastError,FindFirstFileA,FindClose,
            Source: C:\Users\user\AppData\Local\mFxP\upfc.exeCode function: 40_2_00007FF7299BDF60 PathCchCombine,FindFirstFileW,GetLastError,PathCchCombine,FindNextFileW,FindClose,
            Source: C:\Users\user\AppData\Local\mlAKVTuFf\bdeunlock.exeCode function: 20_2_00007FF68D887818 GetLogicalDriveStringsW,GetLastError,GetProcessHeap,HeapAlloc,GetLogicalDriveStringsW,GetLastError,?UnlockWithKey@BuiVolume@@QEAAJPEBGPEAH@Z,
            Source: explorer.exe, 00000004.00000000.393207647.00000000083EB000.00000004.00000001.sdmpBinary or memory string: VMware SATA CD00dRom0
            Source: explorer.exe, 00000004.00000000.367584067.0000000008430000.00000004.00000001.sdmpBinary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000
            Source: explorer.exe, 00000004.00000000.360548148.00000000062E0000.00000004.00000001.sdmpBinary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
            Source: explorer.exe, 00000004.00000000.393207647.00000000083EB000.00000004.00000001.sdmpBinary or memory string: VMware SATA CD00
            Source: explorer.exe, 00000004.00000000.360548148.00000000062E0000.00000004.00000001.sdmpBinary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
            Source: explorer.exe, 00000004.00000000.366974154.00000000082E2000.00000004.00000001.sdmpBinary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}>
            Source: explorer.exe, 00000004.00000000.366974154.00000000082E2000.00000004.00000001.sdmpBinary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000
            Source: explorer.exe, 00000004.00000000.367584067.0000000008430000.00000004.00000001.sdmpBinary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000-;
            Source: explorer.exe, 00000004.00000000.398986460.000000000095C000.00000004.00000020.sdmpBinary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}G
            Source: C:\Users\user\AppData\Local\KXZtu\SndVol.exeCode function: 17_2_00007FF6249B21D0 GetCurrentThreadId,memset,IsDebuggerPresent,OutputDebugStringW,
            Source: C:\Users\user\AppData\Local\KXZtu\SndVol.exeCode function: 17_2_00007FF6249B29E8 GetProcessHeap,HeapAlloc,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapFree,
            Source: C:\Users\user\AppData\Local\mlAKVTuFf\bdeunlock.exeCode function: 20_2_00007FF68D872EF4 rdtsc
            Source: C:\Windows\System32\loaddll64.exeCode function: 0_2_0000000140048AC0 LdrLoadDll,FindClose,
            Source: C:\Users\user\AppData\Local\cZk0IMu\GamePanel.exeCode function: 30_2_00007FF71BAFED00 memset,memset,QueryPerformanceFrequency,QueryPerformanceCounter,BlockInput,
            Source: C:\Users\user\AppData\Local\KXZtu\SndVol.exeCode function: 17_2_00007FF6249CF2E0 SetUnhandledExceptionFilter,
            Source: C:\Users\user\AppData\Local\KXZtu\SndVol.exeCode function: 17_2_00007FF6249CEE40 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
            Source: C:\Users\user\AppData\Local\mlAKVTuFf\bdeunlock.exeCode function: 20_2_00007FF68D894AD8 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
            Source: C:\Users\user\AppData\Local\mlAKVTuFf\bdeunlock.exeCode function: 20_2_00007FF68D894E40 SetUnhandledExceptionFilter,
            Source: C:\Users\user\AppData\Local\UjbH0ZEv\SystemPropertiesPerformance.exeCode function: 25_2_00007FF6A7B91460 SetUnhandledExceptionFilter,
            Source: C:\Users\user\AppData\Local\UjbH0ZEv\SystemPropertiesPerformance.exeCode function: 25_2_00007FF6A7B916E4 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
            Source: C:\Users\user\AppData\Local\cZk0IMu\GamePanel.exeCode function: 30_2_00007FF71BB6BF20 SetUnhandledExceptionFilter,
            Source: C:\Users\user\AppData\Local\cZk0IMu\GamePanel.exeCode function: 30_2_00007FF71BB6BD44 IsProcessorFeaturePresent,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
            Source: C:\Users\user\AppData\Local\cZk0IMu\GamePanel.exeCode function: 30_2_00007FF71BB6B284 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
            Source: C:\Users\user\AppData\Local\2oEy\tcmsetup.exeCode function: 33_2_00007FF6E3312330 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
            Source: C:\Users\user\AppData\Local\2oEy\tcmsetup.exeCode function: 33_2_00007FF6E3312530 SetUnhandledExceptionFilter,
            Source: C:\Users\user\AppData\Local\NakOm\wscript.exeCode function: 36_2_00007FF68AF23CC8 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
            Source: C:\Users\user\AppData\Local\Uh9eo\BitLockerWizardElev.exeCode function: 38_2_00007FF6173E1880 SetUnhandledExceptionFilter,
            Source: C:\Users\user\AppData\Local\Uh9eo\BitLockerWizardElev.exeCode function: 38_2_00007FF6173E1B04 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
            Source: C:\Users\user\AppData\Local\mFxP\upfc.exeCode function: 40_2_00007FF7299C0AE4 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
            Source: C:\Users\user\AppData\Local\mFxP\upfc.exeCode function: 40_2_00007FF7299C0868 IsProcessorFeaturePresent,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
            Source: C:\Users\user\AppData\Local\mFxP\upfc.exeCode function: 40_2_00007FF7299C0A08 SetUnhandledExceptionFilter,

            HIPS / PFW / Operating System Protection Evasion:

            Benign windows process drops PE files
            Source: C:\Windows\explorer.exeFile created: dwmapi.dll.4.dr
            Changes memory attributes in foreign processes to executable or writable
            Source: C:\Windows\System32\rundll32.exeMemory protected: C:\Windows\explorer.exe base: 7FFD88ECEFE0 protect: page execute and read and write
            Source: C:\Windows\System32\rundll32.exeMemory protected: C:\Windows\explorer.exe base: 7FFD88ECE000 protect: page execute read
            Source: C:\Windows\System32\rundll32.exeMemory protected: C:\Windows\explorer.exe base: 7FFD88912A20 protect: page execute and read and write
            Queues an APC in another process (thread injection)
            Source: C:\Windows\System32\rundll32.exeThread APC queued: target process: C:\Windows\explorer.exe
            Contains functionality to automate explorer (e.g. start an application)
            Source: C:\Users\user\AppData\Local\KXZtu\SndVol.exeCode function: 17_2_00007FF6249BA5C8 GetDC,GetDeviceCaps,ReleaseDC,LoadIconW,SendMessageW,GetWindowBand,FindWindowW,GetWindowBand,FindWindowW,SendMessageTimeoutW,GetWindowLongW,SetWindowLongW,SetForegroundWindow,IsThemeActive,DwmIsCompositionEnabled,GetWindowRect,GetClientRect,EnterCriticalSection,GetWindowRect,LeaveCriticalSection,SetWindowPos,LeaveCriticalSection,memset,Shell_NotifyIconGetRect,GetWindowRect,DwmIsCompositionEnabled,Shell_NotifyIconGetRect,InflateRect,CalculatePopupWindowPosition,SetWindowPos,InvalidateRect,GetClientRect,EnterCriticalSection,SetWindowPos,GetDlgItem,SetFocus,ShowWindow,LeaveCriticalSection,SetTimer,NotifyWinEvent,
            Uses Atom Bombing / ProGate to inject into other processes
            Source: C:\Windows\System32\rundll32.exeAtom created: 405553565741544156488D6C24D14881EC98 0x00000000 inc eax 0x00000001 push ebp 0x00000002 push ebx 0x00000003 push esi 0x00000004 push edi 0x00000005 inc ecx 0x00000006 push esp 0x00000007 inc ecx 0x00000008 push esi 0x00000009 dec eax 0x0000000a lea ebp, dword ptr [esp-2Fh] 0x0000000e dec eax 0x0000000f sub esp, 00000098h
            Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\Y7KrNvSxWx.dll',#1
            Source: C:\Users\user\AppData\Local\cZk0IMu\GamePanel.exeCode function: 30_2_00007FF71BB68CAC mouse_event,SetForegroundWindow,
            Source: C:\Users\user\AppData\Local\2oEy\tcmsetup.exeCode function: 33_2_00007FF6E3311618 HeapSetInformation,GetModuleHandleW,LoadStringW,AllocateAndInitializeSid,CheckTokenMembership,FreeSid,GetCommandLineW,
            Source: explorer.exe, 00000004.00000000.359377011.0000000004F80000.00000004.00000001.sdmp, SndVol.exeBinary or memory string: Shell_TrayWnd
            Source: explorer.exe, 00000004.00000000.356684211.00000000008B8000.00000004.00000020.sdmpBinary or memory string: Progman
            Source: SndVol.exe, 00000011.00000002.489479361.00007FF6249D2000.00000002.00020000.sdmp, SndVol.exe.4.drBinary or memory string: Software\Microsoft\Multimedia\Audio\SndVolSndVolPreferencesMaskSndVolSelectedDevicesShell_TrayWnd
            Source: explorer.exe, 00000004.00000000.415865293.0000000000EE0000.00000002.00020000.sdmpBinary or memory string: &Program Manager
            Source: explorer.exe, 00000004.00000000.415865293.0000000000EE0000.00000002.00020000.sdmpBinary or memory string: Progmanlock
            Source: C:\Windows\System32\loaddll64.exeQueries volume information: unknown VolumeInformation
            Source: C:\Windows\System32\rundll32.exeQueries volume information: unknown VolumeInformation
            Source: C:\Users\user\AppData\Local\KXZtu\SndVol.exeQueries volume information: unknown VolumeInformation
            Source: C:\Users\user\AppData\Local\mlAKVTuFf\bdeunlock.exeQueries volume information: unknown VolumeInformation
            Source: C:\Users\user\AppData\Local\UjbH0ZEv\SystemPropertiesPerformance.exeQueries volume information: unknown VolumeInformation
            Source: C:\Users\user\AppData\Local\cZk0IMu\GamePanel.exeQueries volume information: unknown VolumeInformation
            Source: C:\Users\user\AppData\Local\2oEy\tcmsetup.exeQueries volume information: unknown VolumeInformation
            Source: C:\Users\user\AppData\Local\NakOm\wscript.exeQueries volume information: unknown VolumeInformation
            Source: C:\Users\user\AppData\Local\Uh9eo\BitLockerWizardElev.exeQueries volume information: unknown VolumeInformation
            Source: C:\Users\user\AppData\Local\mFxP\upfc.exeQueries volume information: unknown VolumeInformation
            Source: C:\Users\user\AppData\Local\KXZtu\SndVol.exeCode function: GetUserPreferredUILanguages,malloc,GetUserPreferredUILanguages,GetLocaleInfoEx,free,
            Source: C:\Users\user\AppData\Local\mlAKVTuFf\bdeunlock.exeCode function: GetUserPreferredUILanguages,GetLastError,GetUserPreferredUILanguages,GetLastError,GetLocaleInfoEx,??3@YAXPEAX@Z,
            Source: C:\Users\user\AppData\Local\cZk0IMu\GamePanel.exeCode function: WindowsGetStringRawBuffer,WideCharToMultiByte,WindowsDeleteString,WindowsDuplicateString,WindowsDeleteString,WindowsDuplicateString,GetUserDefaultUILanguage,LCIDToLocaleName,GetLocaleInfoEx,
            Source: C:\Users\user\AppData\Local\cZk0IMu\GamePanel.exeCode function: RoInitialize,CoInitializeSecurity,RegisterWindowMessageW,CommandLineToArgvW,wcschr,_o__wcsnicmp,wcsnlen,_o_wcstol,_o__wcsnicmp,_o_wcstol,FindWindowW,GetUserDefaultUILanguage,GetLocaleInfoW,SetProcessDefaultLayout,IsWindow,SetProcessDpiAwareness,PostMessageW,memset,PostQuitMessage,TranslateAcceleratorW,TranslateMessage,DispatchMessageW,GetMessageW,EventUnregister,CloseHandle,EventUnregister,UnhookWinEvent,LocalFree,CloseHandle,RoUninitialize,
            Source: C:\Users\user\AppData\Local\cZk0IMu\GamePanel.exeCode function: _o__Getdays,_o_free,_o_calloc,_o__Getmonths,_o_free,_o_calloc,_o_calloc,_o____lc_locale_name_func,GetLocaleInfoEx,Concurrency::cancel_current_task,Concurrency::cancel_current_task,Concurrency::cancel_current_task,
            Source: C:\Users\user\AppData\Local\NakOm\wscript.exeCode function: LoadLibraryExW,SearchPathW,FindResourceExW,GetUserDefaultUILanguage,GetLocaleInfoW,_wcsncoll,GetSystemDefaultUILanguage,FreeLibrary,FreeLibrary,LoadLibraryExW,FreeLibrary,
            Source: C:\Users\user\AppData\Local\NakOm\wscript.exeCode function: GetUserDefaultLCID,GetLocaleInfoW,GetModuleFileNameW,FreeLibrary,GetLocaleInfoA,LoadStringA,GetModuleFileNameA,CharNextA,memcpy,strcpy_s,LoadLibraryExA,LoadLibraryExA,sprintf_s,CharNextA,memcpy,strcpy_s,LoadLibraryExA,LoadLibraryExA,GetUserDefaultLCID,GetLocaleInfoA,sprintf_s,CharNextA,memcpy,strcpy_s,LoadLibraryExA,LoadLibraryExA,
            Source: C:\Windows\System32\loaddll64.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion InstallDate
            Source: C:\Windows\System32\loaddll64.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
            Source: C:\Users\user\AppData\Local\KXZtu\SndVol.exeCode function: 17_2_00007FF6249CF470 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,GetTickCount,QueryPerformanceCounter,
            Source: C:\Users\user\AppData\Local\NakOm\wscript.exeCode function: 36_2_00007FF68AF14428 SysAllocString,GetVersionExA,IsTextUnicode,MultiByteToWideChar,GetLastError,SysAllocStringLen,MultiByteToWideChar,GetLastError,_swab,memcpy,SysFreeString,
            Source: C:\Users\user\AppData\Local\NakOm\wscript.exeCode function: 36_2_00007FF68AF16CEC RegisterEventSourceW,GetUserNameW,LookupAccountNameW,LookupAccountNameW,ReportEventW,DeregisterEventSource,SysFreeString,RegCloseKey,RegCloseKey,
            Source: C:\Users\user\AppData\Local\mlAKVTuFf\bdeunlock.exeCode function: 20_2_00007FF68D87193C GetCurrentProcessId,AllowSetForegroundWindow,CoCreateInstance,CoCreateInstance,GetSystemMetrics,RegGetValueW,GetSystemMetrics,?Create@DUIXmlParser@DirectUI@@SAJPEAPEAV12@P6APEAVValue@2@PEBGPEAX@Z2P6AX11H2@Z2@Z,?SetXMLFromResource@DUIXmlParser@DirectUI@@QEAAJIPEAUHINSTANCE__@@0@Z,?CreateElement@DUIXmlParser@DirectUI@@QEAAJPEBGPEAVElement@2@1PEAKPEAPEAV32@@Z,?CreateInstance@CSafeElementProxy@@SAJPEAVElement@DirectUI@@PEAPEAV1@@Z,?AddListener@Element@DirectUI@@QEAAJPEAUIElementListener@2@@Z,?AddListener@Element@DirectUI@@QEAAJPEAUIElementListener@2@@Z,SetForegroundWindow,LocalFree,?Destroy@DUIXmlParser@DirectUI@@QEAAXXZ,
            Source: C:\Users\user\AppData\Local\NakOm\wscript.exeCode function: 36_2_00007FF68AF1C370 CreateBindCtx,MkParseDisplayName,
            Source: C:\Users\user\AppData\Local\NakOm\wscript.exeCode function: 36_2_00007FF68AF14FE0 CreateBindCtx,SysAllocStringByteLen,SysFreeString,
            Source: C:\Users\user\AppData\Local\NakOm\wscript.exeCode function: 36_2_00007FF68AF191AC GetUserDefaultLCID,CreateBindCtx,

            Mitre Att&ck Matrix

            Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
            Valid Accounts | Command and Scripting Interpreter2 | Windows Service1 | Windows Service1 | Masquerading11 | Input Capture11 | System Time Discovery1 | Remote Services | Input Capture11 | Exfiltration Over Other Network Medium | Encrypted Channel1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
            Default Accounts | Service Execution1 | Application Shimming1 | Process Injection312 | Virtualization/Sandbox Evasion1 | LSASS Memory | Security Software Discovery31 | Remote Desktop Protocol | Archive Collected Data1 | Exfiltration Over Bluetooth | Junk Data | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
            Domain Accounts | Exploitation for Client Execution1 | Logon Script (Windows) | Application Shimming1 | Disable or Modify Tools1 | Security Account Manager | Virtualization/Sandbox Evasion1 | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Steganography | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
            Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Process Injection312 | NTDS | Process Discovery2 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Protocol Impersonation | SIM Card Swap | | Carrier Billing Fraud
            Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Deobfuscate/Decode Files or Information1 | LSA Secrets | Account Discovery1 | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | | Manipulate App Store Rankings or Ratings
            Replication Through Removable Media | Launchd | Rc.common | Rc.common | Obfuscated Files or Information3 | Cached Domain Credentials | System Owner/User Discovery1 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | | Abuse Accessibility Features
            External Remote Services | Scheduled Task | Startup Items | Startup Items | Rundll321 | DCSync | File and Directory Discovery2 | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | | Data Encrypted for Impact
            Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | Software Packing2 | Proc Filesystem | System Information Discovery35 | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | | Generate Fraudulent Advertising Revenue
            Exploit Public-Facing Application | PowerShell | At (Linux) | At (Linux) | Timestomp1 | /etc/passwd and /etc/shadow | System Network Connections Discovery | Software Deployment Tools | Data Staged | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | Web Protocols | Rogue Cellular Base Station | | Data Destruction

            Behavior Graph

            [Behavior graph image not reproduced; the information recoverable from it follows.]
            Behavior Graph ID: 492554, Sample: Y7KrNvSxWx, Startdate: 28/09/2021, Architecture: WINDOWS, Score: 100
            Signatures on the sample: Antivirus detection for dropped file; Antivirus / Scanner detection for submitted sample; Multi AV Scanner detection for submitted file; 3 other signatures
            Process chain: loaddll64.exe started three rundll32.exe instances and cmd.exe; cmd.exe started rundll32.exe; rundll32.exe injected into explorer.exe (signatures: Changes memory attributes in foreign processes to executable or writable; Uses Atom Bombing / ProGate to inject into other processes; Queues an APC in another process (thread injection))
            explorer.exe dropped C:\Users\user\AppData\Local\...\DUser.dll (PE32+), C:\Users\user\AppData\Local\...\XmlLite.dll (PE32+), C:\Users\user\AppData\Local\...\FVEWIZ.dll (PE32+) and 21 other files (7 malicious) (signature: Benign windows process drops PE files), and started SndVol.exe, SystemPropertiesPerformance.exe, GamePanel.exe and 14 other processes
            SndVol.exe: Contains functionality to automate explorer (e.g. start an application)

            Antivirus, Machine Learning and Genetic Malware Detection

            Initial Sample

            Source | Detection | Scanner | Label
            Y7KrNvSxWx.dll | 65% | Virustotal |
            Y7KrNvSxWx.dll | 78% | ReversingLabs | Win64.Infostealer.Dridex
            Y7KrNvSxWx.dll | 100% | Avira | TR/Crypt.ZPACK.Gen
            Y7KrNvSxWx.dll | 100% | Joe Sandbox ML |

            Dropped Files

Source | Detection | Scanner | Label
C:\Users\user\AppData\Local\KXZtu\dwmapi.dll | 100% | Avira | HEUR/AGEN.1114452
C:\Users\user\AppData\Local\KAG\SYSDM.CPL | 100% | Avira | HEUR/AGEN.1114452
C:\Users\user\AppData\Local\FvTQVxZ\UxTheme.dll | 100% | Avira | TR/Crypt.ZPACK.Gen
C:\Users\user\AppData\Local\mFxP\XmlLite.dll | 100% | Avira | HEUR/AGEN.1114452
C:\Users\user\AppData\Local\5JXP\VERSION.dll | 100% | Avira | TR/Crypt.ZPACK.Gen
C:\Users\user\AppData\Local\mlAKVTuFf\DUser.dll | 100% | Avira | HEUR/AGEN.1114452
C:\Users\user\AppData\Local\2oEy\TAPI32.dll | 100% | Avira | TR/Crypt.ZPACK.Gen
C:\Users\user\AppData\Local\IcLt\WTSAPI32.dll | 100% | Avira | TR/Crypt.ZPACK.Gen
C:\Users\user\AppData\Local\Uh9eo\FVEWIZ.dll | 100% | Avira | HEUR/AGEN.1114452
C:\Users\user\AppData\Local\KXZtu\dwmapi.dll | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Local\KAG\SYSDM.CPL | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Local\FvTQVxZ\UxTheme.dll | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Local\mFxP\XmlLite.dll | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Local\5JXP\VERSION.dll | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Local\mlAKVTuFf\DUser.dll | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Local\2oEy\TAPI32.dll | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Local\IcLt\WTSAPI32.dll | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Local\Uh9eo\FVEWIZ.dll | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Local\2oEy\tcmsetup.exe | 0% | Virustotal |
C:\Users\user\AppData\Local\2oEy\tcmsetup.exe | 0% | Metadefender |
C:\Users\user\AppData\Local\2oEy\tcmsetup.exe | 0% | ReversingLabs |
C:\Users\user\AppData\Local\5JXP\iexpress.exe | 0% | Metadefender |
C:\Users\user\AppData\Local\5JXP\iexpress.exe | 0% | ReversingLabs |
C:\Users\user\AppData\Local\FvTQVxZ\FileHistory.exe | 0% | Metadefender |
C:\Users\user\AppData\Local\FvTQVxZ\FileHistory.exe | 0% | ReversingLabs |
C:\Users\user\AppData\Local\IcLt\BdeUISrv.exe | 0% | Metadefender |
C:\Users\user\AppData\Local\IcLt\BdeUISrv.exe | 0% | ReversingLabs |
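The table above shows the layout an analyst should recognise from this report: in each randomly named folder under %LOCALAPPDATA% a clean-scanning copy of a Windows executable (tcmsetup.exe, iexpress.exe, FileHistory.exe, BdeUISrv.exe) sits next to a 100%-detected DLL that carries the name of a System32 module (TAPI32.dll, VERSION.dll, UxTheme.dll, WTSAPI32.dll). The script below is an added example, not part of the Joe Sandbox report or of the sample; it transcribes the dropped-file records shown on this page (paths, detection rates and, where the report prints them, the ssdeep values) and applies two checks a practitioner would run on such a list: pairing a clean EXE with a flagged system-named module in the same user-writable directory, and clustering the modules by an approximate ssdeep comparison to show that the differently named drops are re-packs of one file. The record layout, the SYSTEM_MODULE_NAMES set, the similarity threshold and the difflib-based comparison (which is not the official ssdeep score) are this example's own assumptions.

```python
"""Side-loading pair finder over the Dropped Files records of this report.

Added example, not part of the Joe Sandbox report or of the sample. DROPPED is
transcribed from the report's Dropped Files tables; the field layout, the
SYSTEM_MODULE_NAMES set and the similarity threshold are assumptions.
"""
from collections import defaultdict
from difflib import SequenceMatcher
from pathlib import PureWindowsPath

# Modules that normally live in System32 (assumption of the example): one of
# these names outside a Windows directory is a search-order hijack candidate.
SYSTEM_MODULE_NAMES = {
    "tapi32.dll", "version.dll", "uxtheme.dll", "dwmapi.dll", "xmllite.dll",
    "duser.dll", "wtsapi32.dll", "fvewiz.dll", "sysdm.cpl",
}

# (path, kind, highest detection rate in the report, ssdeep or None),
# transcribed from the report; ssdeep only where the report prints one.
DROPPED = [
    (r"C:\Users\user\AppData\Local\2oEy\TAPI32.dll", "module", 100,
     "12288:rVI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1:qfP7fWsK5z9A+WGAW+V5SB6Ct4bnb"),
    (r"C:\Users\user\AppData\Local\2oEy\tcmsetup.exe", "exe", 0, None),
    (r"C:\Users\user\AppData\Local\5JXP\VERSION.dll", "module", 100,
     "12288:zVI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1:ifP7fWsK5z9A+WGAW+V5SB6Ct4bnb"),
    (r"C:\Users\user\AppData\Local\5JXP\iexpress.exe", "exe", 0, None),
    (r"C:\Users\user\AppData\Local\FvTQVxZ\UxTheme.dll", "module", 100,
     "12288:sVI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1:ZfP7fWsK5z9A+WGAW+V5SB6Ct4bnb"),
    (r"C:\Users\user\AppData\Local\FvTQVxZ\FileHistory.exe", "exe", 0, None),
    (r"C:\Users\user\AppData\Local\IcLt\WTSAPI32.dll", "module", 100, None),
    (r"C:\Users\user\AppData\Local\IcLt\BdeUISrv.exe", "exe", 0, None),
    (r"C:\Users\user\AppData\Local\KXZtu\dwmapi.dll", "module", 100, None),
    (r"C:\Users\user\AppData\Local\mFxP\XmlLite.dll", "module", 100, None),
]


def in_user_writable_tree(directory: str) -> bool:
    """True under a user profile's AppData, where the DLL search order finds a
    module dropped next to the EXE that imports it before System32."""
    return "\\appdata\\" in directory.lower()


def sideload_pairs(records):
    """Group records by directory and flag the side-loading layout: a clean
    EXE next to a flagged module with a System32 filename.
    Returns (pairs, orphans): pairs maps directory -> (exe, sorted modules);
    orphans lists flagged system-named modules with no EXE in the records."""
    by_dir = defaultdict(list)
    for path, kind, detection, _ in records:
        p = PureWindowsPath(path)
        by_dir[str(p.parent)].append((p.name, kind, detection))

    pairs, orphans = {}, []
    for directory, files in by_dir.items():
        if not in_user_writable_tree(directory):
            continue
        exes = [n for n, k, d in files if k == "exe" and d == 0]
        hijack = sorted(n for n, k, d in files
                        if k == "module" and d >= 50
                        and n.lower() in SYSTEM_MODULE_NAMES)
        if hijack and exes:
            pairs[directory] = (exes[0], hijack)
        elif hijack:
            orphans.extend(f"{directory}\\{n}" for n in hijack)
    return pairs, orphans


def ssdeep_similarity(sig_a: str, sig_b: str) -> float:
    """Approximate ssdeep comparison, not the official score. Signatures are
    'blocksize:h1:h2'; only equal block sizes compare here, and ssdeep's rule
    that the hashes must share a 7-character substring is kept. Returns the
    difflib ratio (0.0..1.0) of the block-size-1 hashes."""
    bs_a, h1_a, _ = sig_a.split(":")
    bs_b, h1_b, _ = sig_b.split(":")
    if bs_a != bs_b:
        return 0.0
    sm = SequenceMatcher(None, h1_a, h1_b)
    if sm.find_longest_match(0, len(h1_a), 0, len(h1_b)).size < 7:
        return 0.0
    return sm.ratio()


def cluster_by_ssdeep(records, threshold=0.9):
    """Single-linkage clusters of the records that carry an ssdeep value,
    joined when the approximate similarity reaches the threshold."""
    named = [(PureWindowsPath(p).name, s) for p, _, _, s in records if s]
    clusters = []
    for name, sig in named:
        for cluster in clusters:
            if any(ssdeep_similarity(sig, s) >= threshold for _, s in cluster):
                cluster.append((name, sig))
                break
        else:
            clusters.append([(name, sig)])
    return [sorted(n for n, _ in c) for c in clusters]


if __name__ == "__main__":
    pairs, orphans = sideload_pairs(DROPPED)
    for d, (exe, mods) in sorted(pairs.items()):
        print(f"{d}: {exe} next to {', '.join(mods)}")
    print("unpaired system-named modules:", orphans)
    print("ssdeep clusters:", cluster_by_ssdeep(DROPPED))
```

On the records from this page the pairing check reports the four folders 2oEy, 5JXP, FvTQVxZ and IcLt, lists dwmapi.dll and XmlLite.dll as flagged system-named modules whose loader is not in the transcribed set (the report says 21 further files were dropped, which the table does not enumerate), and the three DLLs with ssdeep values fall into one cluster: their block-size-1 hashes differ in a single character. In a hunt the same logic runs over file-create telemetry instead of a transcribed table; the clean EXE is the signal a hash-only blocklist misses, because it is a genuine Windows binary.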

            Unpacked PE Files

Source | Detection | Scanner | Label
3.2.rundll32.exe.140000000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
7.2.rundll32.exe.140000000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
40.2.upfc.exe.140000000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
20.2.bdeunlock.exe.140000000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
33.2.tcmsetup.exe.140000000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
6.2.rundll32.exe.140000000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
17.2.SndVol.exe.140000000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
25.2.SystemPropertiesPerformance.exe.140000000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
0.2.loaddll64.exe.140000000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
38.2.BitLockerWizardElev.exe.140000000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
36.2.wscript.exe.140000000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
2.2.rundll32.exe.140000000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
30.2.GamePanel.exe.140000000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen

            Domains

            No Antivirus matches

            URLs

Source | Detection | Scanner | Label
http://schemas.micro | 0% | Avira URL Cloud | safe
https://www.xboxlive.comMBI_SSLhttps://profile.xboxlive.com/users/me/profile/settings?settings=GameD | 0% | Avira URL Cloud | safe

            Domains and IPs

            Contacted Domains

            No contacted domains info

            URLs from Memory and Binaries

Name | Source | Malicious | Antivirus Detection | Reputation
https://mixer.com/api/v1/oauth/xbl/login | GamePanel.exe | false | | high
http://www.autoitscript.com/autoit3/J | explorer.exe, 00000004.00000000.398986460.000000000095C000.00000004.00000020.sdmp | false | | high
https://profile.xboxlive.com/users/me/profile/settings?settings=GameDisplayPicRaw | GamePanel.exe | false | | high
https://aka.ms/imrx2o | GamePanel.exe | false | | high
https://mixer.com/_latest/assets/emoticons/%ls.png | GamePanel.exe | false | | high
https://mixer.com/api/v1/users/current | GamePanel.exe | false | | high
https://mixer.com/_latest/assets/emoticons/%ls.pngtitleIdaumIdkglIdprocessNamenametypeIdmultimedia | GamePanel.exe, 0000001E.00000002.574138111.00007FF71BB77000.00000002.00020000.sdmp, GamePanel.exe.4.dr | false | | high
https://mixer.com/api/v1/broadcasts/current | GamePanel.exe, GamePanel.exe, 0000001E.00000002.574138111.00007FF71BB77000.00000002.00020000.sdmp, GamePanel.exe.4.dr | false | | high
https://mixer.com/%wsWindows.System.Launcher | GamePanel.exe, 0000001E.00000002.574138111.00007FF71BB77000.00000002.00020000.sdmp, GamePanel.exe.4.dr | false | | high
https://aka.ms/v5do45 | GamePanel.exe | false | | high
https://mixer.com/api/v1/types/lookup%ws | GamePanel.exe | false | | high
https://MediaData.XboxLive.com/broadcasts/Augmenthttps://MediaData.XboxLive.com/screenshots/Augmenth | GamePanel.exe, 0000001E.00000002.574138111.00007FF71BB77000.00000002.00020000.sdmp, GamePanel.exe.4.dr | false | | high
https://aka.ms/wk9ocd | GamePanel.exe, GamePanel.exe, 0000001E.00000002.574138111.00007FF71BB77000.00000002.00020000.sdmp, GamePanel.exe.4.dr | false | | high
https://MediaData.XboxLive.com/broadcasts/Augment | GamePanel.exe | false | | high
https://aka.ms/imfx4k | GamePanel.exe | false | | high
http://schemas.micro | SndVol.exe, 00000010.00000002.463303895.000002151D5A0000.00000002.00020000.sdmp | false | Avira URL Cloud: safe | unknown
https://www.xboxlive.comMBI_SSLhttps://profile.xboxlive.com/users/me/profile/settings?settings=GameD | GamePanel.exe, 0000001E.00000002.574138111.00007FF71BB77000.00000002.00020000.sdmp, GamePanel.exe.4.dr | false | Avira URL Cloud: safe | low
https://MediaData.XboxLive.com/gameclips/Augment | GamePanel.exe | false | | high
https://www.xboxlive.com | GamePanel.exe | false | | high
https://mixer.com/api/v1/channels/%d | GamePanel.exe | false | | high
https://mixer.com/api/v1/types/lookup%wshttps://mixer.com/api/v1/channels/%wshttps://mixer.com/api/v | GamePanel.exe, 0000001E.00000002.574138111.00007FF71BB77000.00000002.00020000.sdmp, GamePanel.exe.4.dr | false | | high
https://mixer.com/api/v1/channels/%ws | GamePanel.exe | false | | high
https://mixer.com/api/v1/chats/%.0fhttps://mixer.com/api/v1/users/currentBEAM_IMAGEGamesGuide::BeamC | GamePanel.exe, 0000001E.00000002.574138111.00007FF71BB77000.00000002.00020000.sdmp, GamePanel.exe.4.dr | false | | high
https://MediaData.XboxLive.com/screenshots/Augment | GamePanel.exe | false | | high
https://mixer.com/api/v1/chats/%.0f | GamePanel.exe | false | | high
https://aka.ms/ifg0es | GamePanel.exe | false | | high
https://mixer.com/%ws | GamePanel.exe | false | | high
https://aka.ms/w5ryqnhttps://aka.ms/imfx4kQUITTING | GamePanel.exe, 0000001E.00000002.574138111.00007FF71BB77000.00000002.00020000.sdmp, GamePanel.exe.4.dr | false | | high
https://aka.ms/w5ryqn | GamePanel.exe | false | | high

                                                                  Contacted IPs

                                                                  No contacted IP infos

                                                                  General Information

                                                                  Joe Sandbox Version:33.0.0 White Diamond
                                                                  Analysis ID:492554
                                                                  Start date:28.09.2021
                                                                  Start time:20:04:54
                                                                  Joe Sandbox Product:CloudBasic
                                                                  Overall analysis duration:0h 15m 54s
                                                                  Hypervisor based Inspection enabled:false
                                                                  Report type:light
                                                                  Sample file name:Y7KrNvSxWx (renamed file extension from none to dll)
                                                                  Cookbook file name:default.jbs
                                                                  Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed:41
                                                                  Number of new started drivers analysed:0
                                                                  Number of existing processes analysed:0
                                                                  Number of existing drivers analysed:0
                                                                  Number of injected processes analysed:0
                                                                  Technologies:
                                                                  • HCA enabled
                                                                  • EGA enabled
                                                                  • HDC enabled
                                                                  • AMSI enabled
                                                                  Analysis Mode:default
                                                                  Analysis stop reason:Timeout
                                                                  Detection:MAL
                                                                  Classification:mal100.troj.evad.winDLL@52/25@0/0
                                                                  EGA Information:Failed
                                                                  HDC Information:
                                                                  • Successful, ratio: 21.1% (good quality ratio 11.8%)
                                                                  • Quality average: 44.8%
                                                                  • Quality standard deviation: 44.6%
                                                                  HCA Information:Failed
                                                                  Cookbook Comments:
                                                                  • Adjust boot time
                                                                  • Enable AMSI
                                                                  • Override analysis time to 240s for rundll32
                                                                  Warnings:
                                                                  • Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, WMIADAP.exe, backgroundTaskHost.exe, conhost.exe, svchost.exe, wuapihost.exe
                                                                  • Excluded IPs from analysis (whitelisted): 20.82.210.154, 209.197.3.8, 20.199.120.151, 20.54.110.249, 20.199.120.85, 40.112.88.60, 80.67.82.211, 80.67.82.235, 23.35.236.56, 20.199.120.182, 204.79.197.200, 13.107.21.200
                                                                  • Excluded domains from analysis (whitelisted): iris-de-prod-azsc-neu-b.northeurope.cloudapp.azure.com, a1449.dscg2.akamai.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, arc.msn.com, wns.notify.trafficmanager.net, consumer-displaycatalogrp-aks2aks-europe.md.mp.microsoft.com.akadns.net, www-bing-com.dual-a-0001.a-msedge.net, arc.trafficmanager.net, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net, www.bing.com, client.wns.windows.com, fs.microsoft.com, displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, dual-a-0001.a-msedge.net, wu-shim.trafficmanager.net, neu-displaycatalogrp.frontdoor.bigcatalog.commerce.microsoft.com, ris-prod.trafficmanager.net, asf-ris-prod-neu.northeurope.cloudapp.azure.com, ctldl.windowsupdate.com, e1723.g.akamaiedge.net, cds.d2s7q6s2.hwcdn.net, ris.api.iris.microsoft.com, a-0001.a-afdentry.net.trafficmanager.net, displaycatalog-rp.md.mp.microsoft.com.akadns.net
• Not all processes were analyzed, report is missing behavior information
                                                                  • Report size exceeded maximum capacity and may have missing behavior information.
                                                                  • Report size exceeded maximum capacity and may have missing disassembly code.
                                                                  • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                                                                  • Report size getting too big, too many NtEnumerateKey calls found.

                                                                  Simulations

                                                                  Behavior and APIs

                                                                  No simulations

                                                                  Joe Sandbox View / Context

                                                                  IPs

                                                                  No context

                                                                  Domains

                                                                  No context

                                                                  ASN

                                                                  No context

                                                                  JA3 Fingerprints

                                                                  No context

                                                                  Dropped Files

                                                                  No context

                                                                  Created / dropped Files

                                                                  C:\Users\user\AppData\Local\2oEy\TAPI32.dll
                                                                  Process:C:\Windows\explorer.exe
                                                                  File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):1257472
                                                                  Entropy (8bit):5.475685685411727
                                                                  Encrypted:false
                                                                  SSDEEP:12288:rVI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1:qfP7fWsK5z9A+WGAW+V5SB6Ct4bnb
                                                                  MD5:1F0F43376BD11D400DCCDDCD81B21F94
                                                                  SHA1:5EAA2AF81A4FE3BDE246B3FD7DF1CFC7D05A9A72
                                                                  SHA-256:6ED5FE6184CA21B30D493C05C4C87A56B921CC94958AE01E89E56D5E100049D9
                                                                  SHA-512:4224BE24874CD605E4662B124EF38A59E0278E6FAF8D21CB6DB4641C2C9942A40CA8E88CB58901E0087DDFDCF07CFDEE1BC2288CD20039789FB3AC931A91A110
                                                                  Malicious:true
                                                                  Antivirus:
                                                                  • Antivirus: Avira, Detection: 100%
                                                                  • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                  Reputation:unknown
                                                                  Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............|...|...|....K.#}...'...}......{}....X.#}....f..|....g..}..*...a|.......}....N..}..*...E}..[.I.E|...'..U}....N.+}..[.K.P|..[.K./}...I.h}..u.Y.k|.......|..W"...|..b.L.t|...|...}......N|..2%...|..Rich.|..............................................................................................................PE..d.&..DN^.........." ................p..........@.............................0......@lx}..b.............................................V....c..........h.......................$#................................................... ...............................text............................... ..`.rdata...O... ...P... ..............@..@.data....x...p.......p..............@....pdata..,...........................A..@.rsrc...............................@..@.reloc..$#.......0..................@..B.qkm....J....@.......@..............@..@.cvjb...f...
                                                                  C:\Users\user\AppData\Local\2oEy\tcmsetup.exe
                                                                  Process:C:\Windows\explorer.exe
                                                                  File Type:PE32+ executable (GUI) x86-64, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):16384
                                                                  Entropy (8bit):4.999998588063228
                                                                  Encrypted:false
                                                                  SSDEEP:192:DIzBdu2Mhf/+G1jQ0pwPYqLmdO0O7RgZiLtzADWO4hxDcUh6UdBndOvfSWG0oW:GMVJjQ0dg0O7yk5ciJcUhLiSWG0oW
                                                                  MD5:0DDA495155D552D024593C4B3246C8FA
                                                                  SHA1:7501A7AD5DAA41462BEFF9127154BAF261A24A5B
                                                                  SHA-256:D3074CBD29678CA612C1F8AA93DE1F5B75108BE8187F0F2A2331BC302AD48CD9
                                                                  SHA-512:9159D8AF457591256BA87443E89ECE942DE40B8FF39586116C2026330B8AE9C20F96905547E87D98508951D2B4687069EFD018CC9E4A6C94A6C26D4B587F41B3
                                                                  Malicious:false
                                                                  Antivirus:
• Antivirus: Virustotal, Detection: 0%
• Antivirus: Metadefender, Detection: 0%
• Antivirus: ReversingLabs, Detection: 0%
                                                                  Reputation:unknown
                                                                  Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.............Z...Z...Z..[...Z..[...Z..[...Z..[...Z...Z...Z..[...Z.:Z...Z..[...ZRich...Z................PE..d....E.H.........."..........,....... .........@..........................................`.......... .......................................9..x....p..P....`..D............... ....5..T............................0...............1...............................text............................... ..`.rdata..&....0......................@..@.data... ....P.......0..............@....pdata..D....`.......2..............@..@.rsrc...P....p.......4..............@..@.reloc.. ............>..............@..B........................................................................................................................................................................................................................................................................
                                                                  C:\Users\user\AppData\Local\5JXP\VERSION.dll
                                                                  Process:C:\Windows\explorer.exe
                                                                  File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):1253376
                                                                  Entropy (8bit):5.4525540502592165
                                                                  Encrypted:false
                                                                  SSDEEP:12288:zVI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1:ifP7fWsK5z9A+WGAW+V5SB6Ct4bnb
                                                                  MD5:10C9880AF256B85D5A97543A9032990E
                                                                  SHA1:4D733236EDA9C1C78475ACF1B1288F62187F8FCA
                                                                  SHA-256:C28A08796B1EAEB99ED06084E855B205318C2339B44D15CB957CFF2050199218
                                                                  SHA-512:6A6A9F06F5401A2E740F3F4CD36255CF8CA8057BC3BFF43AA80023CFE00559DE709C440E1B4D32A31776427F39E2F41AE6D87687B7DF6BB775699649A682BC70
                                                                  Malicious:true
                                                                  Antivirus:
• Antivirus: Avira, Detection: 100%
• Antivirus: Joe Sandbox ML, Detection: 100%
                                                                  Reputation:unknown
                                                                  Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............|...|...|....K.#}...'...}......{}....X.#}....f..|....g..}..*...a|.......}....N..}..*...E}..[.I.E|...'..U}....N.+}..[.K.P|..[.K./}...I.h}..u.Y.k|.......|..W"...|..b.L.t|...|...}......N|..2%...|..Rich.|..............................................................................................................PE..d.&..DN^.........." ................p..........@............................. ......@lx}..b.............................................+....c..........h.......................$#................................................... ...............................text............................... ..`.rdata...O... ...P... ..............@..@.data....x...p.......p..............@....pdata..,...........................A..@.rsrc...............................@..@.reloc..$#.......0..................@..B.qkm....J....@.......@..............@..@.cvjb...f...
                                                                  C:\Users\user\AppData\Local\5JXP\iexpress.exe
                                                                  Process:C:\Windows\explorer.exe
                                                                  File Type:PE32+ executable (GUI) x86-64, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):165888
                                                                  Entropy (8bit):6.756750968049146
                                                                  Encrypted:false
                                                                  SSDEEP:3072:oV6Rb3NlzO8Lwmq1cXNDnGOb+ahXNqJohePnq45L840:Y6TdOQXNDGOb+asEwv5L
                                                                  MD5:5EF563C2A4E7B7F4100ECD13B304FC48
                                                                  SHA1:4609D795D758A16B8703CA2E01F250D33816CB81
                                                                  SHA-256:2DFA704A6C0DAAEF91BEF043BA6E3F5B5D2516C97AFFBD39EC2C7278497B1688
                                                                  SHA-512:C372777121C0924519FC2EFDFF461B97B048D845AF14142680A4E95B9679D65583332788322CC87B98D3B1D8E28D0B1AFF74881B63BDA17434E4A8187B6D7CA9
                                                                  Malicious:false
                                                                  Antivirus:
• Antivirus: Metadefender, Detection: 0%
                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                  Reputation:unknown
                                                                  Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........a.............d......d......d......d.............d......dd.....d.....Rich............................PE..d....1............"............................@.........................................`.......... ...................................................W...p..........................T...........................@...............@...(............................text............................... ..`.rdata...........0..................@..@.data...42...0......................@....pdata.......p.......&..............@..@.rsrc....W.......X..................@..@.reloc..............................@..B................................................................................................................................................................................................................................................................
                                                                  C:\Users\user\AppData\Local\FvTQVxZ\FileHistory.exe
                                                                  Process:C:\Windows\explorer.exe
                                                                  File Type:PE32+ executable (GUI) x86-64 Mono/.Net assembly, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):246784
                                                                  Entropy (8bit):6.054877934071265
                                                                  Encrypted:false
                                                                  SSDEEP:3072:5WQz0maAVV604aFUxzYuVD8o+otIxAGQW7A70TshCbdmyTVulAyXRON:5WZmxPZUxzYuVD8ortIxAGJKSuCbd
                                                                  MD5:989B5BDB2BEAC9F894BBC236F1B67967
                                                                  SHA1:7B964642FEE2D6508E66C615AA6CF7FD95D6196E
                                                                  SHA-256:FF1DE8A606FDB6A932E7A3E5EE5317A6483F08712DE93603C92C058E05A89C0C
                                                                  SHA-512:0360C9FE88743056FD25AC17F12087DAD026B033E590A93F394B00EB486A2F5E2331EDCCA9605AA7573D892FBA41557C9E0EE4FAC69FCA687D6B6F144E5E5249
                                                                  Malicious:false
                                                                  Antivirus:
• Antivirus: Metadefender, Detection: 0%
                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                  Reputation:unknown
                                                                  Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........m.s..k ..k ..k .hh!..k .^. ..k .ho!..k .hb!..k .hj!..k ..j #.k .hn!..k .h. ..k .hi!..k Rich..k ........PE..d................."......t...X.......{.........@............................. ......\.....`.......... ...............................................0....... ..8...............$... ...T...............................................................H............text...{m.......n.................. ..`.nep.................r.............. ..`.rdata...i.......j...x..............@..@.data... ...........................@....pdata..8.... ......................@..@.rsrc........0......................@..@.reloc..$...........................@..B................................................................................................................................................................................................................................
                                                                  C:\Users\user\AppData\Local\FvTQVxZ\UxTheme.dll
                                                                  Process:C:\Windows\explorer.exe
                                                                  File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):1253376
                                                                  Entropy (8bit):5.465059455756909
                                                                  Encrypted:false
                                                                  SSDEEP:12288:sVI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1:ZfP7fWsK5z9A+WGAW+V5SB6Ct4bnb
                                                                  MD5:5DF5594539B2BE546567D24A31615566
                                                                  SHA1:96289E84A7565C8E5BB8342BD09023BA40D38F22
                                                                  SHA-256:C22641414C517DC57F59192D4B26514FD7173C16DB37FEE61C35C744AB9CDD01
                                                                  SHA-512:FAEEA042AE4CA60AAA52C1B6E92555309F1381EADA4E80D352CA8B1B95C861265B44AB888933F35554B6F47C8C2225353ED5820F829C884756A9386240EDA6A0
                                                                  Malicious:true
                                                                  Antivirus:
                                                                  • Antivirus: Avira, Detection: 100%
                                                                  • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                  Reputation:unknown
                                                                  Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............|...|...|....K.#}...'...}......{}....X.#}....f..|....g..}..*...a|.......}....N..}..*...E}..[.I.E|...'..U}....N.+}..[.K.P|..[.K./}...I.h}..u.Y.k|.......|..W"...|..b.L.t|...|...}......N|..2%...|..Rich.|..............................................................................................................PE..d.&..DN^.........." ................p..........@............................. ......@lx}..b..................................................c..........h.......................$#................................................... ...............................text............................... ..`.rdata...O... ...P... ..............@..@.data....x...p.......p..............@....pdata..,...........................A..@.rsrc...............................@..@.reloc..$#.......0..................@..B.qkm....J....@.......@..............@..@.cvjb...f...
                                                                  C:\Users\user\AppData\Local\IcLt\BdeUISrv.exe
                                                                  Process:C:\Windows\explorer.exe
                                                                  File Type:PE32+ executable (GUI) x86-64, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):52736
                                                                  Entropy (8bit):5.7946530792580475
                                                                  Encrypted:false
                                                                  SSDEEP:768:NS51B2sZMD1mYu/Lr7p0dHkf9abpWnGjTopPjZdWC2bNrHuOKAh/4J99j4ktPUww:J/Yn/Lr7qwYb7/oRjeJh2991t8Yte
                                                                  MD5:25D86BC656025F38D6E626B606F1D39D
                                                                  SHA1:673F32CCA79DC890ADA1E5A2CF6ECA3EF863629D
                                                                  SHA-256:202BEC0F63167ED57FCB55DB48C9830A5323D72C662D9A58B691D16CE4DB8C1E
                                                                  SHA-512:D4B4BC411B122499E611E1F9A45FD40EC2ABA23354F261D4668BF0578D30AEC5419568489261FC773ABBB350CC77C1E00F8E7C0B135A1FD4A9B6500825FA6E06
                                                                  Malicious:false
                                                                  Antivirus:
                                                                  • Antivirus: Metadefender, Detection: 0%
                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                  Reputation:unknown
                                                                  Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......3..hw.;w.;w.;~.";u.;...:t.;...:`.;...:q.;...:d.;w.;..;...:..;..N;v.;...:v.;Richw.;................PE..d...X............."......v...\......0y.........@............................. ......Db....`.......... ......................................p...................................x......T............................................................................text...At.......v.................. ..`.rdata...3.......4...z..............@..@.data...............................@....pdata..............................@..@.rsrc...............................@..@.reloc..x...........................@..B................................................................................................................................................................................................................................................................
                                                                  C:\Users\user\AppData\Local\IcLt\WTSAPI32.dll
                                                                  Process:C:\Windows\explorer.exe
                                                                  File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):1253376
                                                                  Entropy (8bit):5.461750054653759
                                                                  Encrypted:false
                                                                  SSDEEP:12288:ZVI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1:YfP7fWsK5z9A+WGAW+V5SB6Ct4bnb
                                                                  MD5:7E325FBCE0C44335A3D0A1A8F2145EAB
                                                                  SHA1:916B0D89C40D3D3E4C6611F05BDB88826AD4D92B
                                                                  SHA-256:6713740BA566CB93B7DD769B45F87B808AA1DA40FC273F3FA0B34D81329C88BE
                                                                  SHA-512:6F3D574D1DC2435CD142043887D87B30A5B45E0D18BD370629A2FC3F371E75072C82B531909689D23B46B52E444F00C3ED16954C1F204DD9A7A4EEF74F8213BE
                                                                  Malicious:true
                                                                  Antivirus:
                                                                  • Antivirus: Avira, Detection: 100%
                                                                  • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                  Reputation:unknown
                                                                  Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............|...|...|....K.#}...'...}......{}....X.#}....f..|....g..}..*...a|.......}....N..}..*...E}..[.I.E|...'..U}....N.+}..[.K.P|..[.K./}...I.h}..u.Y.k|.......|..W"...|..b.L.t|...|...}......N|..2%...|..Rich.|..............................................................................................................PE..d.&..DN^.........." ................p..........@............................. ......@lx}..b..................................................c..........h.......................$#................................................... ...............................text............................... ..`.rdata...O... ...P... ..............@..@.data....x...p.......p..............@....pdata..,...........................A..@.rsrc...............................@..@.reloc..$#.......0..................@..B.qkm....J....@.......@..............@..@.cvjb...f...
                                                                  C:\Users\user\AppData\Local\KAG\SYSDM.CPL
                                                                  Process:C:\Windows\explorer.exe
                                                                  File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):1253376
                                                                  Entropy (8bit):5.451863471275378
                                                                  Encrypted:false
                                                                  SSDEEP:12288:VVI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1:MfP7fWsK5z9A+WGAW+V5SB6Ct4bnb
                                                                  MD5:785FAB922A3D502B0BEA7ED0FA1A0A3D
                                                                  SHA1:622860AC01B70DA59EE4D8989B7DD2B2CA1AE591
                                                                  SHA-256:48070254D0EB21C9312FD4996A4DD9E4519478A4585634C7B513538DC2C9E5D5
                                                                  SHA-512:B71C9940A2957DC7E4B05F10479BCD80E5F0B6901AD83F697D6A0BABB200EEE7A36BD3F71FF3CDB030118475898B8EEE8DA3D173C19236968110EE0F42DA805D
                                                                  Malicious:true
                                                                  Antivirus:
                                                                  • Antivirus: Avira, Detection: 100%
                                                                  • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                  Reputation:unknown
                                                                  Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............|...|...|....K.#}...'...}......{}....X.#}....f..|....g..}..*...a|.......}....N..}..*...E}..[.I.E|...'..U}....N.+}..[.K.P|..[.K./}...I.h}..u.Y.k|.......|..W"...|..b.L.t|...|...}......N|..2%...|..Rich.|..............................................................................................................PE..d.&..DN^.........." ................p..........@............................. ......@lx}..b..................................................c..........h.......................$#................................................... ...............................text............................... ..`.rdata...O... ...P... ..............@..@.data....x...p.......p..............@....pdata..,...........................A..@.rsrc...............................@..@.reloc..$#.......0..................@..B.qkm....J....@.......@..............@..@.cvjb...f...
                                                                  C:\Users\user\AppData\Local\KAG\SystemPropertiesDataExecutionPrevention.exe
                                                                  Process:C:\Windows\explorer.exe
                                                                  File Type:PE32+ executable (GUI) x86-64, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):83968
                                                                  Entropy (8bit):7.070618238949574
                                                                  Encrypted:false
                                                                  SSDEEP:1536:9ulZctREC/rMcgEPJV+G57ThjEC0kzJP+V5Jk:KczECTMpuDhjRVJGe
                                                                  MD5:1A34577AEDE83993615D7F2E37024D4D
                                                                  SHA1:73B845775507B0754F55507DE8250025E17A353F
                                                                  SHA-256:B3E7E41DBFC4D7E91BA6C5AEB6FD2D4C7D1B05F93F24FD591FDA9B0342761FA2
                                                                  SHA-512:703085DED509130ECE0430A27840A6648807639FF2AE1B4519C07FD13A9990D3FFEDD9B5F69FB5265B7067EC5BCF6C8B256C0F6EDF58E54EC678CC5E0ECE9205
                                                                  Malicious:false
                                                                  Reputation:unknown
                                                                  Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......%...a..[a..[a..[h..[o..[..Z`..[..Zc..[..Zp..[a..[C..[..Zd..[..Z`..[..q[`..[..Z`..[Richa..[........................PE..d...76..........."..........>.................@.....................................a....`.......... .......................................&.......P...'...@.................. ...."..T............................ ...............!..8............................text............................... ..`.rdata..F.... ......................@..@.data........0......................@....pdata.......@......................@..@.rsrc....'...P...(..................@..@.reloc.. ............F..............@..B........................................................................................................................................................................................................................................................
                                                                  C:\Users\user\AppData\Local\KXZtu\SndVol.exe
                                                                  Process:C:\Windows\explorer.exe
                                                                  File Type:PE32+ executable (GUI) x86-64, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):259904
                                                                  Entropy (8bit):5.955701055747905
                                                                  Encrypted:false
                                                                  SSDEEP:3072:UfYIZJbRydnidilSnGvLqeD358rwW39nuyHjVozZcxSHfcBL1ljbEyB7HbIa+:Uf9JonidFnqLV358rNnJqcRcy10/
                                                                  MD5:CDD7C7DF2D0859AC3F4088423D11BD08
                                                                  SHA1:128789A2EA904F684B5DF2384BA6EEF4EB60FB8E
                                                                  SHA-256:D98DB8339EB1B93A7345EECAC2B7290FA7156E3E12B7632D876BD0FD1F31EC66
                                                                  SHA-512:A093BF3C40C880A80164F2CAA87DF76DCD854375C5216D761E60F3770DFA04F4B02EC0CA6313C32413AC99A3EBDC081CF915A7B468EE3CED80F9B1ECF4B49804
                                                                  Malicious:true
                                                                  Reputation:unknown
                                                                  Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........<.BL]..L]..L]..E%...]..#9..O]..#9..U]..#9..F]..#9..W]..L]...\..#9..o]..#9k.M]..#9..M]..RichL]..........................PE..d...wJSn.........."............................@.............................@....................... .........................................p.... ..@...............@+...0.......U..T...................p&..(...p%...............&......P........................text............................... ..`.imrsiv..................................rdata....... ......................@..@.data...............................@....pdata..............................@..@.didat..............................@....rsrc...@.... ......................@..@.reloc.......0......................@..B........................................................................................................................................................................
                                                                  C:\Users\user\AppData\Local\KXZtu\dwmapi.dll
                                                                  Process:C:\Windows\explorer.exe
                                                                  File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):1253376
                                                                  Entropy (8bit):5.459202568986086
                                                                  Encrypted:false
                                                                  SSDEEP:12288:NVI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1:UfP7fWsK5z9A+WGAW+V5SB6Ct4bnb
                                                                  MD5:8567748CEEF8C27F7F9D2CC01C7FF8D8
                                                                  SHA1:54E17D05356982196640F79E7CA4E52EA39810BA
                                                                  SHA-256:5B901C10F6E9BE30CCFE17A8B4E2E2441B8760FC2FFAB75E023B8F8B20F7541F
                                                                  SHA-512:2DE32997A489520D7653206526853EDAC727DA0FE178E21103B589BD1E7742868C48B20EE204B683F806D5E7D1CF852DECBC32D75C2B326D29106321E028D70A
                                                                  Malicious:true
                                                                  Antivirus:
                                                                  • Antivirus: Avira, Detection: 100%
                                                                  • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                  Reputation:unknown
                                                                  Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............|...|...|....K.#}...'...}......{}....X.#}....f..|....g..}..*...a|.......}....N..}..*...E}..[.I.E|...'..U}....N.+}..[.K.P|..[.K./}...I.h}..u.Y.k|.......|..W"...|..b.L.t|...|...}......N|..2%...|..Rich.|..............................................................................................................PE..d.&..DN^.........." ................p..........@............................. ......@lx}..b.............................................&....c..........h.......................$#................................................... ...............................text............................... ..`.rdata...O... ...P... ..............@..@.data....x...p.......p..............@....pdata..,...........................A..@.rsrc...............................@..@.reloc..$#.......0..................@..B.qkm....J....@.......@..............@..@.cvjb...f...
                                                                  C:\Users\user\AppData\Local\NakOm\VERSION.dll
                                                                  Process:C:\Windows\explorer.exe
                                                                  File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):1253376
                                                                  Entropy (8bit):5.452577152333679
                                                                  Encrypted:false
                                                                  SSDEEP:12288:5VI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1:4fP7fWsK5z9A+WGAW+V5SB6Ct4bnb
                                                                  MD5:D111BFD3EEFF105A44B0B0F29184BA99
                                                                  SHA1:6DE0946646FB368B151628F4C89D8D2F2710D5C1
                                                                  SHA-256:0D9841379883D8FC6AECC01FA209FC1DDDC5534F04BE2C8EAB84671C8193F62B
                                                                  SHA-512:8A1FAEF5D1801C15220D29D6386ECB3177203BC72A9395FCDCD666E72ACDD2B6F3429B4BF2ABD6153909E380D9F62AC831DCA79B61264998835C0097D3B0B50D
                                                                  Malicious:false
                                                                  Reputation:unknown
                                                                  Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............|...|...|....K.#}...'...}......{}....X.#}....f..|....g..}..*...a|.......}....N..}..*...E}..[.I.E|...'..U}....N.+}..[.K.P|..[.K./}...I.h}..u.Y.k|.......|..W"...|..b.L.t|...|...}......N|..2%...|..Rich.|..............................................................................................................PE..d.&..DN^.........." ................p..........@............................. ......@lx}..b.............................................+....c..........h.......................$#................................................... ...............................text............................... ..`.rdata...O... ...P... ..............@..@.data....x...p.......p..............@....pdata..,...........................A..@.rsrc...............................@..@.reloc..$#.......0..................@..B.qkm....J....@.......@..............@..@.cvjb...f...
                                                                  C:\Users\user\AppData\Local\NakOm\wscript.exe
                                                                  Process:C:\Windows\explorer.exe
                                                                  File Type:PE32+ executable (GUI) x86-64, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):163840
                                                                  Entropy (8bit):5.729539450068024
                                                                  Encrypted:false
                                                                  SSDEEP:1536:8HSpBlnak9UH8bCAHZ1LQ434syPz7M5hh/kzhwS827HuYHwHugXEYJ6S7775MWUn:aC4HWCp/fM5hvNebgXEYJN73uWUZxtt
                                                                  MD5:9A68ADD12EB50DDE7586782C3EB9FF9C
                                                                  SHA1:2661E5F3562DD03C0ED21C33E2888E2FD1137D8C
                                                                  SHA-256:62A95C926C8513C9F3ACF65A5B33CBB88174555E2759C1B52DD6629F743A59ED
                                                                  SHA-512:156CAED6E1BF27B275E4BA0707FB550F1BF347A26361D6D3CAD12C612C327686950B47B6C5487110CF8B35A490FAADC812ADE3777FFF7ED76A528D970914A6E0
                                                                  Malicious:false
                                                                  Reputation:unknown
                                                                  Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$................................................................n.........Rich...................PE..d....U.E.........."......2...R......@*.........@....................................8w....`.............................................8...8...................................T.......T..........................................................................text..."1.......2.................. ..`.rdata..F....P.......6..............@..@.data...............................@....pdata..............................@..@.rsrc...............................@..@.reloc..T............t..............@..B........................................................................................................................................................................................................................................................
                                                                  C:\Users\user\AppData\Local\Uh9eo\BitLockerWizardElev.exe
                                                                  Process:C:\Windows\explorer.exe
                                                                  File Type:PE32+ executable (GUI) x86-64, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):101888
                                                                  Entropy (8bit):6.95002760620154
                                                                  Encrypted:false
                                                                  SSDEEP:3072:k8kEZwnVS570M9kdatGCO+xmBc+hMPhPsx:1khVs7nyatGt+SYF
                                                                  MD5:3104EA9ECCA9ED71A382CCAAD618CEAE
                                                                  SHA1:9277108B7254F0C5BD241C2643902378925A8F9C
                                                                  SHA-256:D8CB004D4E8894AB4CA769C3CEC9A37B7FAB336DCDA1E6E9A15975DC64CEF370
                                                                  SHA-512:27C84C35461E37557BA27A7D9E9F86A47686DE73DDC74E001777F11EA8D5BE9B17604403875CF20124595010477F6F2ADDD797B9ACED79C514AEF2D2F1A019B7
                                                                  Malicious:false
                                                                  Reputation:unknown
                                                                  Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........O.`M.h3M.h3M.h3"Jm2O.h3"Jk2O.h3"Jl2_.h3"Ji2F.h3M.i3}.h3"Ja2L.h3"J.3L.h3"Jj2L.h3RichM.h3........................PE..d....C............"............................@....................................0.....`.......... ......................................D,..x....`...c...P.................. ....(..T............................ ...............!...............................text............................... ..`.rdata....... ......................@..@.data........@.......$..............@....pdata.......P.......&..............@..@.rsrc....c...`...d...(..............@..@.reloc.. ...........................@..B................................................................................................................................................................................................................................................................
                                                                  C:\Users\user\AppData\Local\Uh9eo\FVEWIZ.dll
                                                                  Process:C:\Windows\explorer.exe
                                                                  File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):1253376
                                                                  Entropy (8bit):5.461597709510602
                                                                  Encrypted:false
                                                                  SSDEEP:12288:vVI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1:GfP7fWsK5z9A+WGAW+V5SB6Ct4bnb
                                                                  MD5:3C1D465503B713020F78BCAA49872555
                                                                  SHA1:4C71E3773BA876868E0B0E1A780B088CC30B1F85
                                                                  SHA-256:D92C2EE583FCF742E9AC95FBEC82A44E9A577F5DAAEDCB21BC8559BEF43ABF27
                                                                  SHA-512:9C29500CCF6E64EB0CFE084ED073979A74803D9B50CB62D1CC172DE436E2E73905607C77CFC9455623A71E10671D049BAF37DE22B2D1B2D73148BBA71599B82D
                                                                  Malicious:true
                                                                  Antivirus:
                                                                  • Antivirus: Avira, Detection: 100%
                                                                  • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                  Reputation:unknown
                                                                  Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............|...|...|....K.#}...'...}......{}....X.#}....f..|....g..}..*...a|.......}....N..}..*...E}..[.I.E|...'..U}....N.+}..[.K.P|..[.K./}...I.h}..u.Y.k|.......|..W"...|..b.L.t|...|...}......N|..2%...|..Rich.|..............................................................................................................PE..d.&..DN^.........." ................p..........@............................. ......@lx}..b..................................................c..........h.......................$#................................................... ...............................text............................... ..`.rdata...O... ...P... ..............@..@.data....x...p.......p..............@....pdata..,...........................A..@.rsrc...............................@..@.reloc..$#.......0..................@..B.qkm....J....@.......@..............@..@.cvjb...f...
                                                                  C:\Users\user\AppData\Local\UjbH0ZEv\SYSDM.CPL
                                                                  Process:C:\Windows\explorer.exe
                                                                  File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):1253376
                                                                  Entropy (8bit):5.451844365185671
                                                                  Encrypted:false
                                                                  SSDEEP:12288:wVI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1:1fP7fWsK5z9A+WGAW+V5SB6Ct4bnb
                                                                  MD5:BEF736598FD9DBF745B5463549E3BF27
                                                                  SHA1:7833E3221FDC65ED0DBA03C0934CE444DEBF0B4B
                                                                  SHA-256:AC621540B0F1E3F7EA98A020E97608E5E2B97C39C963F52CF6FF13EAF05CC4A3
                                                                  SHA-512:A520E95DB93716516AD3FEBF77E171B53623092408BC570D5C6DEC41DEEAE1D7CFDA92BFEC1F29E1037B985ECBB952E09167F1694B36B5D4A665801531E053EA
                                                                  Malicious:false
                                                                  Reputation:unknown
                                                                  Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............|...|...|....K.#}...'...}......{}....X.#}....f..|....g..}..*...a|.......}....N..}..*...E}..[.I.E|...'..U}....N.+}..[.K.P|..[.K./}...I.h}..u.Y.k|.......|..W"...|..b.L.t|...|...}......N|..2%...|..Rich.|..............................................................................................................PE..d.&..DN^.........." ................p..........@............................. ......@lx}..b..................................................c..........h.......................$#................................................... ...............................text............................... ..`.rdata...O... ...P... ..............@..@.data....x...p.......p..............@....pdata..,...........................A..@.rsrc...............................@..@.reloc..$#.......0..................@..B.qkm....J....@.......@..............@..@.cvjb...f...
                                                                  C:\Users\user\AppData\Local\UjbH0ZEv\SystemPropertiesPerformance.exe
                                                                  Process:C:\Windows\explorer.exe
                                                                  File Type:PE32+ executable (GUI) x86-64, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):83968
                                                                  Entropy (8bit):7.071848641739436
                                                                  Encrypted:false
                                                                  SSDEEP:1536:5MVEZnXtREC/rMcgEPJV+G57ThjEC0kzJP+V5J9:3XzECTMpuDhjRVJGf
                                                                  MD5:F325976CDC0F7E9C680B51B35D24D23A
                                                                  SHA1:8BA00280B451378802DD2A06BB139B8BEA78C90C
                                                                  SHA-256:E24A61B15FD191DDC8A2CA82E22A759609E6099A832ADE0B5C0C6E0F1ABB05FE
                                                                  SHA-512:9D65A154758B5C38C09AACA1BB51E53FE6E8DEA374EAD88AEA33AB41525B3BB180211D6F6C93CA112197F7455842228960699DF471F47EE83DBC6CA59A5166EC
                                                                  Malicious:false
                                                                  Reputation:unknown
                                                                  Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......E.v..c...c...c.......c..n....c..n....c..n....c..n....c...c.."c..n....c..n...c..n....c..Rich.c..................PE..d...0............."..........>.................@.....................................s....`.......... ......................................<&.......P..P'...@.................. ....#..T............................ ...............!..H............................text............................... ..`.rdata....... ......................@..@.data........0......................@....pdata.......@......................@..@.rsrc...P'...P...(..................@..@.reloc.. ............F..............@..B................................................................................................................................................................................................................................................................
                                                                  C:\Users\user\AppData\Local\cZk0IMu\GamePanel.exe
                                                                  Process:C:\Windows\explorer.exe
                                                                  File Type:PE32+ executable (GUI) x86-64, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):1292288
                                                                  Entropy (8bit):6.159394598062476
                                                                  Encrypted:false
                                                                  SSDEEP:24576:tg6uRV8QrFa8Zdntp/LEz2INhgITVXTvlHQroF:tgJVbFaqtpDEznyQVjvZQroF
                                                                  MD5:4EF330EFAE954723B1F2800C15FDA7EB
                                                                  SHA1:3E152C0B10E107926D6A213C882C161D80B836C9
                                                                  SHA-256:0494166D4AE6BB7925E4F57BB6DFAC629C95AE9E03DFC925F8232893236BD982
                                                                  SHA-512:C122CD7A245EF6A6A7B7DECAB6500BDC11E4C57B8E35F8462CC0615E44E54071E6BF79B69BB8519470ACBAF0D2E62ABC45C38CBF0606261792EDB4A84790EC61
                                                                  Malicious:false
                                                                  Reputation:unknown
                                                                  Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......T.ur.`.!.`.!.`.!...!P`.!... .`.!... .`.!... 4`.!... 9`.!.`.!de.!... .`.!...!.`.!...!.`.!... .`.!Rich.`.!........PE..d................"......H..........0..........@.............................@....................... ...................................................u......`................:..p...T....................@..(...pp..............8@..H... ...@....................text....F.......H.................. ..`.imrsiv......`...........................rdata......p.......L..............@..@.data...............................@....pdata..`............~..............@..@.didat.......p......................@....rsrc....u.......v..................@..@.reloc...:.......<...|..............@..B................................................................................................................................................................................
                                                                  C:\Users\user\AppData\Local\cZk0IMu\dwmapi.dll
                                                                  Process:C:\Windows\explorer.exe
                                                                  File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):1253376
                                                                  Entropy (8bit):5.459256653240629
                                                                  Encrypted:false
                                                                  SSDEEP:12288:GVI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1:bfP7fWsK5z9A+WGAW+V5SB6Ct4bnb
                                                                  MD5:1B6EF09343061B200F166C0058B23AE5
                                                                  SHA1:1116742823038C9EDC5E29E5E12496C174A79F7A
                                                                  SHA-256:28F70C785ACFDF24D35ECA3849A3060A170A3B2B3ECE5D12F31C4B331EA7F145
                                                                  SHA-512:9A8B33D74DA4937344BD1DC693E779A559A5D2E6D5F93D37CFEDD0B61C59DCFFF708CF7616D873FA6F73A6DF76A6F7558DCD342497A256770780CBB42B1A4F7E
                                                                  Malicious:false
                                                                  Reputation:unknown
                                                                  Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............|...|...|....K.#}...'...}......{}....X.#}....f..|....g..}..*...a|.......}....N..}..*...E}..[.I.E|...'..U}....N.+}..[.K.P|..[.K./}...I.h}..u.Y.k|.......|..W"...|..b.L.t|...|...}......N|..2%...|..Rich.|..............................................................................................................PE..d.&..DN^.........." ................p..........@............................. ......@lx}..b.............................................&....c..........h.......................$#................................................... ...............................text............................... ..`.rdata...O... ...P... ..............@..@.data....x...p.......p..............@....pdata..,...........................A..@.rsrc...............................@..@.reloc..$#.......0..................@..B.qkm....J....@.......@..............@..@.cvjb...f...
                                                                  C:\Users\user\AppData\Local\mFxP\XmlLite.dll
                                                                  Process:C:\Windows\explorer.exe
                                                                  File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):1253376
                                                                  Entropy (8bit):5.451309586899805
                                                                  Encrypted:false
                                                                  SSDEEP:12288:GVI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1:bfP7fWsK5z9A+WGAW+V5SB6Ct4bnb
                                                                  MD5:3094332DF5A7FD0DC27350FA12555706
                                                                  SHA1:2130132D8DF6A2542B177CE2606160C393BD589F
                                                                  SHA-256:9108849AF9ADEDABFF5D60B3612711290F0F06CB2088A3D4F1D03D2408C2C168
                                                                  SHA-512:7CED590EF762A332FBB1536833DEADCF50ADD35E309D1DE5692FA1AED1E5F320CA32615BFD00E95E433550B45DB1DBBF113ED844CBEEE098014BCB6C96983540
                                                                  Malicious:true
                                                                  Antivirus:
                                                                  • Antivirus: Avira, Detection: 100%
                                                                  • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                  Reputation:unknown
                                                                  Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............|...|...|....K.#}...'...}......{}....X.#}....f..|....g..}..*...a|.......}....N..}..*...E}..[.I.E|...'..U}....N.+}..[.K.P|..[.K./}...I.h}..u.Y.k|.......|..W"...|..b.L.t|...|...}......N|..2%...|..Rich.|..............................................................................................................PE..d.&..DN^.........." ................p..........@............................. ......@lx}..b..................................................c..........h.......................$#................................................... ...............................text............................... ..`.rdata...O... ...P... ..............@..@.data....x...p.......p..............@....pdata..,...........................A..@.rsrc...............................@..@.reloc..$#.......0..................@..B.qkm....J....@.......@..............@..@.cvjb...f...
                                                                  C:\Users\user\AppData\Local\mFxP\upfc.exe
                                                                  Process:C:\Windows\explorer.exe
                                                                  File Type:PE32+ executable (GUI) x86-64, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):110632
                                                                  Entropy (8bit):6.598198265862064
                                                                  Encrypted:false
                                                                  SSDEEP:1536:IJY1Xjv7mjVN0OpMSzkqkWHL9yBpDdv7M8T84Rrrjbk9RP+S+sjT6NfPN:IJYtmj6C7HRM9S0trvkPHDjT6NfV
                                                                  MD5:4CEED46DDAB911AE1298422BFB12460C
                                                                  SHA1:2A3BFED90C680FC78E229091B6786AAF9655AA6B
                                                                  SHA-256:1A20F7A7BBAF5B7D4435471A2CF3EC96787B068F1A63CAA5DEDC52B8FAAA60C8
                                                                  SHA-512:AD49E1E2D5B0A21AD6F4B1A421659E5B743DF44F1272F5757C3772A9A5F7257C5938C864518F6A72BAE80E5CBE489544F9F4C4067A597CE8EFE67E2357C3B6B4
                                                                  Malicious:false
                                                                  Reputation:unknown
                                                                  Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........s....Z...Z...Z..Z..Z...Z...Z...[...Z...[...Z...[...Z...[...Z...Z...Z...Z...Z...[...ZRich...Z........PE..d...X%@\..........".................P..........@.........................................`.......... ......................................Hw..................H.......(&......T....b..T............................#...............$...............................text............................... ..`.rdata...k... ...l..................@..@.data...h............t..............@....pdata..H............x..............@..@.rsrc...............................@..@.reloc..T...........................@..B........................................................................................................................................................................................................................................................................
                                                                  C:\Users\user\AppData\Local\mlAKVTuFf\DUser.dll
                                                                  Process:C:\Windows\explorer.exe
                                                                  File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):1257472
                                                                  Entropy (8bit):5.458454067792567
                                                                  Encrypted:false
                                                                  SSDEEP:12288:iVI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1+:/fP7fWsK5z9A+WGAW+V5SB6Ct4bnb+
                                                                  MD5:B02754D536507A54F3A3F136B7BE88FF
                                                                  SHA1:6E6497990A24673082451ADF644B862782593C57
                                                                  SHA-256:7F655543CD3FC9BD30CBF0FE12299A34DF1E676657B57787DEE156BC1DF576AA
                                                                  SHA-512:B7739F0FDD505C97F523A870744194947E33344F2D5EB8E381EE9D93DB0E97FE98C75245C239A85B3F815870A83BA1B9C3E26D970E1E73B5F5CD9D9FB897FA06
                                                                  Malicious:true
                                                                  Antivirus:
                                                                  • Antivirus: Avira, Detection: 100%
                                                                  • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                  Reputation:unknown
                                                                  Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............|...|...|....K.#}...'...}......{}....X.#}....f..|....g..}..*...a|.......}....N..}..*...E}..[.I.E|...'..U}....N.+}..[.K.P|..[.K./}...I.h}..u.Y.k|.......|..W"...|..b.L.t|...|...}......N|..2%...|..Rich.|..............................................................................................................PE..d.&..DN^.........." ................p..........@.............................0......@lx}..b..................................................c..........h.......................$#................................................... ...............................text............................... ..`.rdata...O... ...P... ..............@..@.data....x...p.......p..............@....pdata..,...........................A..@.rsrc...............................@..@.reloc..$#.......0..................@..B.qkm....J....@.......@..............@..@.cvjb...f...
                                                                  C:\Users\user\AppData\Local\mlAKVTuFf\bdeunlock.exe
                                                                  Process:C:\Windows\explorer.exe
                                                                  File Type:PE32+ executable (GUI) x86-64, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):286232
                                                                  Entropy (8bit):6.926729215014979
                                                                  Encrypted:false
                                                                  SSDEEP:6144:jjJkzmZ4CSal+EH+pDQh01TXRYJWEmTKBKt1Vs7nyatGt+SYFmW2kb/:jtgmSdal+EH+5QhWEmTKB2H+S+7b/
                                                                  MD5:FAB70105E2075EEC9C249A4D499CAE7C
                                                                  SHA1:B5B4216725F55A4E6AF9FB0BB7E0167CEED6081F
                                                                  SHA-256:7EA89BE1BBA6A7C2B08D70FA8E4CF036CB086ED162BCD22255E2BC0F926B22B2
                                                                  SHA-512:96327DEC3BCEE7A9934AAF27F1942030D46CEE693AF2562EE4972D5306DD3AD14F404762B99E581C0F0F563610EA097372044890EB19CE1C7A8F535A78D9E19A
                                                                  Malicious:false
                                                                  Reputation:unknown
                                                                  Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......:..A~.~.~.~.~.~.w...v.~...}.}.~...z.l.~...{.x.~.....g.~.~.....~...w.i.~...~...~.......~...|...~.Rich~.~.........................PE..d....X............"......D..........pJ.........@....................................i................ ..................................P......T........x...........2...,......t.......T............................t...............u...............................text...PB.......D.................. ..`.imrsiv......`...........................rdata...c...p...d...H..............@..@.data...............................@....pdata..............................@..@.rsrc....x.......z..................@..@.reloc..t............0..............@..B........................................................................................................................................................................................................
                                                                  C:\Users\user\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-3853321935-2125563209-4053062332-1002\21c8026919fd094ab07ec3c180a9f210_d06ed635-68f6-4e9a-955c-4899f5f57b9a
                                                                  Process:C:\Windows\explorer.exe
                                                                  File Type:data
                                                                  Category:dropped
                                                                  Size (bytes):4457
                                                                  Entropy (8bit):5.473312982000721
                                                                  Encrypted:false
                                                                  SSDEEP:96:xCOIz7wXyo8LqnOwzUbBCOIzO/Xj/w6OTmcLPxXS:0OIBgzwEOIEkRLRS
                                                                  MD5:2353DF7BE15A7D7836D6888AA678A989
                                                                  SHA1:A71A7834F1BA6097698B00A2657008E5ACE3C83B
                                                                  SHA-256:2BBF137AC5EB8418152EDE398C09325FA06065E92B4E1DB92B11D3A596159338
                                                                  SHA-512:EAC02C23E43916857946888DBA8EDEEC70D14447272272A0CDC831CD01D97015D502BE2D711A12751DB460B1F91E896900A28F8AE0A0B14844EBC9A4F9B2DB97
                                                                  Malicious:false
                                                                  Reputation:unknown
                                                                  Preview: ........................................user.........................................user.....................RSA1.................l..'.ZN.....9q8.w.Bo.....k.[..#.4..JZ...pJ.+..{{.v..T..^..?"...!.#.....M.`.VZ.?|...qn.I....B....8_3)S...L....A.{..k.1.xW.....................z..O.......C..J.QD.1..........,...C.r.y.p.t.o.A.P.I. .P.r.i.v.a.t.e. .K.e.y....f...... ...>M.K.(...\...p.hh].xC.....zrjg............ ......a.,d.s.|_Y.).c..{......C..c............P.....r..T\~.1# h.<Fg.v..t....].Vw...P.L`h..M..w......w9.l..i.QU/...p.o....>.[..e...F.K=._-........*..o9]..v'S%j6.&'..6..t..........y....xi..j.7g.E%.....f.Zem..{``(.".'...~.U..V)...R..U l.*n..hV.......f..5...L.f.......F.B. ..X........R..B...Q.h`...d.+..../.>|.Qw.....Hd>......r..A.d.....R..7...G..v.....(......K.p.h........."0;e.0K.L.&~C..E.0a.............._.d|.l.K.L..*...6..".,Bv*kk.5.c&j]U.s.U.n_.q.|G.-.W.Y_.....).....|.1...'....x..."...YtO*C=6......I2r.@.B.^.3..1.G.Vd.._".Zv.Q...b"~..&QSc.z dA..

                                                                  Static File Info

                                                                  General

                                                                  File type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                  Entropy (8bit):5.487493969044098
                                                                  TrID:
                                                                  • Win64 Dynamic Link Library (generic) (102004/3) 86.43%
                                                                  • Win64 Executable (generic) (12005/4) 10.17%
                                                                  • Generic Win/DOS Executable (2004/3) 1.70%
                                                                  • DOS Executable Generic (2002/1) 1.70%
                                                                  • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.01%
                                                                  File name:Y7KrNvSxWx.dll
                                                                  File size:1249280
                                                                  MD5:ecdfff8b0ece2175cd699e690de1fcaf
                                                                  SHA1:9359770d71e743832ca22597db917dfa817038b2
                                                                  SHA256:dc684f824a7deaf6028f6266b48cc3f982a4931ce2db003f692a448da8e255e3
                                                                  SHA512:106ecdecdc64b395ae74fd231dc858f0c18a75baba52729ec928451884462d7f5e828f20dd0de3fc750c817d96461708030679873d7a675327b35f51bb8fcc3d
                                                                  SSDEEP:12288:YVI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1:NfP7fWsK5z9A+WGAW+V5SB6Ct4bnb
                                                                  File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............|...|...|....K.#}...'...}......{}....X.#}....f..|....g..}..*...a|.......}....N..}..*...E}..[.I.E|...'..U}....N.+}..[.K.P|.

                                                                  File Icon

                                                                  Icon Hash:74f0e4ecccdce0e4

                                                                  Static PE Info

                                                                  General

                                                                  Entrypoint:0x140041070
                                                                  Entrypoint Section:.text
                                                                  Digitally signed:false
                                                                  Imagebase:0x140000000
                                                                  Subsystem:windows cui
                                                                  Image File Characteristics:EXECUTABLE_IMAGE, DLL, LARGE_ADDRESS_AWARE
                                                                  DLL Characteristics:TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA
                                                                  Time Stamp:0x5E4E44CC [Thu Feb 20 08:35:24 2020 UTC]
                                                                  TLS Callbacks:
                                                                  CLR (.Net) Version:
                                                                  OS Version Major:5
                                                                  OS Version Minor:0
                                                                  File Version Major:5
                                                                  File Version Minor:0
                                                                  Subsystem Version Major:5
                                                                  Subsystem Version Minor:0
                                                                  Import Hash:6668be91e2c948b183827f040944057f

                                                                  Entrypoint Preview

                                                                  Instruction
                                                                  dec eax
                                                                  xor eax, eax
                                                                  dec eax
                                                                  add eax, 5Ah
                                                                  dec eax
                                                                  mov dword ptr [00073D82h], ecx
                                                                  dec eax
                                                                  lea ecx, dword ptr [FFFFECABh]
                                                                  dec eax
                                                                  mov dword ptr [00073D7Ch], edx
                                                                  dec eax
                                                                  add eax, ecx
                                                                  dec esp
                                                                  mov dword ptr [00073D92h], ecx
                                                                  dec esp
                                                                  mov dword ptr [00073DA3h], ebp
                                                                  dec esp
                                                                  mov dword ptr [00073D7Ch], eax
                                                                  dec esp
                                                                  mov dword ptr [00073D85h], edi
                                                                  dec esp
                                                                  mov dword ptr [00073D86h], esi
                                                                  dec esp
                                                                  mov dword ptr [00073D8Fh], esp
                                                                  dec eax
                                                                  mov ecx, eax
                                                                  dec eax
                                                                  sub ecx, 5Ah
                                                                  dec eax
                                                                  mov dword ptr [00073D89h], esi
                                                                  dec eax
                                                                  test eax, eax
                                                                  je 00007F47CCA5E86Fh
                                                                  dec eax
                                                                  mov dword ptr [00073D45h], esp
                                                                  dec eax
                                                                  mov dword ptr [00073D36h], ebp
                                                                  dec eax
                                                                  mov dword ptr [00073D7Fh], ebx
                                                                  dec eax
                                                                  mov dword ptr [00073D70h], edi
                                                                  dec eax
                                                                  test eax, eax
                                                                  je 00007F47CCA5E84Eh
                                                                  jmp ecx
                                                                  dec eax
                                                                  add edi, ecx
                                                                  dec eax
                                                                  mov dword ptr [FFFFEC37h], ecx
                                                                  dec eax
                                                                  xor ecx, eax
                                                                  jmp ecx
                                                                  retn 0008h
                                                                  ud2
                                                                  int3
                                                                  int3
                                                                  int3
                                                                  int3
                                                                  int3
                                                                  int3
                                                                  int3
                                                                  int3
                                                                  int3
                                                                  int3
                                                                  int3
                                                                  int3
                                                                  int3
                                                                  push ebx
                                                                  dec eax
                                                                  sub esp, 00000080h
                                                                  mov eax, F957B016h
                                                                  mov byte ptr [esp+7Fh], 00000037h
                                                                  mov edx, dword ptr [esp+78h]
                                                                  inc ecx
                                                                  mov eax, edx
                                                                  inc ecx
                                                                  or eax, 5D262B0Ch
                                                                  inc esp
                                                                  mov dword ptr [esp+78h], eax
                                                                  dec eax
                                                                  mov dword ptr [eax+eax+00h], 00000000h

Rich Headers

Programming Language:
• [LNK] VS2012 UPD4 build 61030
• [ASM] VS2013 UPD2 build 30501
• [ C ] VS2012 UPD2 build 60315
• [C++] VS2013 UPD4 build 31101
• [RES] VS2012 UPD3 build 60610
• [LNK] VS2017 v15.5.4 build 25834
• [ C ] VS2017 v15.5.4 build 25834
• [ASM] VS2010 build 30319
• [EXP] VS2015 UPD1 build 23506
• [IMP] VS2008 SP1 build 30729
• [RES] VS2012 UPD4 build 61030
• [LNK] VS2012 UPD2 build 60315
• [C++] VS2015 UPD1 build 23506
• [ C ] VS2013 UPD4 build 31101

Data Directories

Name                                  Virtual Address  Virtual Size  Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT          0x12f010         0x1268        .wguyua
IMAGE_DIRECTORY_ENTRY_IMPORT          0xa6390          0xa0          .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE        0xc0000          0x468         .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x0              0x0
IMAGE_DIRECTORY_ENTRY_SECURITY        0x0              0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC       0xc1000          0x2324        .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG           0x0              0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0              0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0              0x0
IMAGE_DIRECTORY_ENTRY_TLS             0x0              0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0x0              0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_IAT             0x42000          0xc0          .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x0              0x0
IMAGE_DIRECTORY_ENTRY_RESERVED        0x0              0x0

Sections

Name      Virtual Address  Virtual Size  Raw Size  Xored PE  ZLIB Complexity  File Type           Entropy        Characteristics
.text     0x1000           0x40796       0x41000   False     0.776085486779   data                7.73364605679  IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rdata    0x42000          0x64fcb       0x65000   False     0.702262047494   data                7.86510283498  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data     0xa7000          0x178b8       0x18000   False     0.0694580078125  data                3.31515306295  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.pdata    0xbf000          0x12c         0x1000    False     0.06005859375    PEX Binary Archive  0.581723022719 IMAGE_SCN_TYPE_DSECT, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc     0xc0000          0x880         0x1000    False     0.139892578125   data                1.23838501563  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc    0xc1000          0x2324        0x3000    False     0.0498046875     data                4.65321444248  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
.qkm      0xc4000          0x74a         0x1000    False     0.00634765625    data                0.0            IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.cvjb     0xc5000          0x1e66        0x2000    False     0.0037841796875  data                0.0            IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.tlmkv    0xc7000          0xbde         0x1000    False     0.00634765625    data                0.0            IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.wucsxe   0xc8000          0x45174       0x46000   False     0.0010498046875  data                0.0            IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.wnx      0x10e000         0x8fe         0x1000    False     0.00634765625    data                0.0            IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.weqy     0x10f000         0x8fe         0x1000    False     0.00634765625    data                0.0            IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.yby      0x110000         0x1278        0x2000    False     0.0037841796875  data                0.0            IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.ormx     0x112000         0xbde         0x1000    False     0.00634765625    data                0.0            IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.dhclu    0x113000         0x23b         0x1000    False     0.00634765625    data                0.0            IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.xmiul    0x114000         0x23b         0x1000    False     0.00634765625    data                0.0            IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.tlwcxe   0x115000         0x13e         0x1000    False     0.00634765625    data                0.0            IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.get      0x116000         0xbde         0x1000    False     0.00634765625    data                0.0            IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.hzrd     0x117000         0x1124        0x2000    False     0.0037841796875  data                0.0            IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.gulz     0x119000         0x1124        0x2000    False     0.0037841796875  data                0.0            IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.ybavfq   0x11b000         0x1af         0x1000    False     0.00634765625    data                0.0            IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.hzccq    0x11c000         0x1e66        0x2000    False     0.0037841796875  data                0.0            IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.kmnqh    0x11e000         0x736         0x1000    False     0.00634765625    data                0.0            IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.sqadf    0x11f000         0x23b         0x1000    False     0.00634765625    data                0.0            IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.uans     0x120000         0x1f2a        0x2000    False     0.0037841796875  data                0.0            IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.gelkgq   0x122000         0x8fe         0x1000    False     0.00634765625    data                0.0            IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.jbviw    0x123000         0x21b         0x1000    False     0.00634765625    data                0.0            IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.ypg      0x124000         0x2da         0x1000    False     0.00634765625    data                0.0            IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.qqs      0x125000         0x13e         0x1000    False     0.00634765625    data                0.0            IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.dsy      0x126000         0x2a2         0x1000    False     0.00634765625    data                0.0            IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.fgy      0x127000         0x13e         0x1000    False     0.00634765625    data                0.0            IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.onfp     0x128000         0xbde         0x1000    False     0.00634765625    data                0.0            IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.clcj     0x129000         0x128f        0x2000    False     0.0037841796875  data                0.0            IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.fhc      0x12b000         0x3fe         0x1000    False     0.00634765625    data                0.0            IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.ghxb     0x12c000         0x8fe         0x1000    False     0.00634765625    data                0.0            IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.icyh     0x12d000         0x1f2a        0x2000    False     0.0037841796875  data                0.0            IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.wguyua   0x12f000         0x1278        0x2000    False     0.28125          data                3.91163132638  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name         RVA      Size   Type                                    Language  Country
RT_VERSION   0xc00a0  0x370  data                                    English   United States
RT_MANIFEST  0xc0410  0x56   ASCII text, with CRLF line terminators  English   United States

Imports

DLL           Import
USER32.dll    LookupIconIdFromDirectoryEx, WaitForInputIdle, GetParent, GetFocus
SETUPAPI.dll  CM_Get_Resource_Conflict_DetailsW
KERNEL32.dll  DeleteCriticalSection, DeleteTimerQueue, TerminateJobObject, GetFileInformationByHandle, GetThreadLocale, GetNamedPipeServerProcessId, GetConsoleFontSize
GDI32.dll     CreateBitmapIndirect, GetPolyFillMode
CRYPT32.dll   CertGetCTLContextProperty
ADVAPI32.dll  AddAccessDeniedObjectAce
SHLWAPI.dll   ChrCmpIW

Exports

Name                          Ordinal Address
CloseDriver                   4       0x140002d48
DefDriverProc                 5       0x140035980
DriverCallback                6       0x14003bf0c
DrvGetModuleHandle            7       0x14003ddc0
GetDriverModuleHandle         8       0x140027a24
OpenDriver                    9       0x14001106c
PlaySound                     10      0x14000cbd8
PlaySoundA                    11      0x14002c928
PlaySoundW                    12      0x14000521c
SendDriverMessage             13      0x14003bb44
WOWAppExit                    14      0x14003fae8
auxGetDevCapsA                15      0x14001dea8
auxGetDevCapsW                16      0x14001b8f0
auxGetNumDevs                 17      0x14001ac60
auxGetVolume                  18      0x14001fdd8
auxOutMessage                 19      0x14003df54
auxSetVolume                  20      0x14003fba0
joyConfigChanged              21      0x140013908
joyGetDevCapsA                22      0x14002e290
joyGetDevCapsW                23      0x1400070ac
joyGetNumDevs                 24      0x140032f50
joyGetPos                     25      0x14002846c
joyGetPosEx                   26      0x140030910
joyGetThreshold               27      0x140014c88
joyReleaseCapture             28      0x14003d77c
joySetCapture                 29      0x140038e80
joySetThreshold               30      0x1400293a4
mciDriverNotify               31      0x14001d6a4
mciDriverYield                32      0x14003aa34
mciExecute                    3       0x140039240
mciFreeCommandResource        33      0x14003f130
mciGetCreatorTask             34      0x140020c3c
mciGetDeviceIDA               35      0x140031974
mciGetDeviceIDFromElementIDA  36      0x14002ee64
mciGetDeviceIDFromElementIDW  37      0x14002dd2c
mciGetDeviceIDW               38      0x140030e40
mciGetDriverData              39      0x14003bc28
mciGetErrorStringA            40      0x14002e2a0
mciGetErrorStringW            41      0x14002ecc4
mciGetYieldProc               42      0x140029898
mciLoadCommandResource        43      0x1400229b0
mciSendCommandA               44      0x14000853c
mciSendCommandW               45      0x14000cc00
mciSendStringA                46      0x140028d90
mciSendStringW                47      0x140016548
mciSetDriverData              48      0x14003c910
mciSetYieldProc               49      0x140030648
midiConnect                   50      0x14003363c
midiDisconnect                51      0x140025cf8
midiInAddBuffer               52      0x14003a99c
midiInClose                   53      0x140031314
midiInGetDevCapsA             54      0x140032024
midiInGetDevCapsW             55      0x14001c7a0
midiInGetErrorTextA           56      0x14000e864
midiInGetErrorTextW           57      0x14003a20c
midiInGetID                   58      0x1400050b8
midiInGetNumDevs              59      0x1400034ac
midiInMessage                 60      0x14002cf28
midiInOpen                    61      0x140021550
midiInPrepareHeader           62      0x1400246f0
midiInReset                   63      0x140018964
midiInStart                   64      0x14002abd8
midiInStop                    65      0x14003f8d0
midiInUnprepareHeader         66      0x140038b6c
midiOutCacheDrumPatches       67      0x140037cb0
midiOutCachePatches           68      0x140020d20
midiOutClose                  69      0x14003b05c
midiOutGetDevCapsA            70      0x140003800
midiOutGetDevCapsW            71      0x14000235c
midiOutGetErrorTextA          72      0x140026120
midiOutGetErrorTextW          73      0x14000f05c
midiOutGetID                  74      0x14002c3f4
midiOutGetNumDevs             75      0x14002bb1c
midiOutGetVolume              76      0x140014b84
midiOutLongMsg                77      0x14000bd0c
midiOutMessage                78      0x1400208f8
midiOutOpen                   79      0x14003b790
midiOutPrepareHeader          80      0x14001516c
midiOutReset                  81      0x1400158cc
midiOutSetVolume              82      0x14003f478
midiOutShortMsg               83      0x1400071fc
midiOutUnprepareHeader        84      0x14002c238
midiStreamClose               85      0x14003b220
midiStreamOpen                86      0x1400220cc
midiStreamOut                 87      0x1400152d0
midiStreamPause               88      0x14003706c
midiStreamPosition            89      0x14003cb48
midiStreamProperty            90      0x140021914
midiStreamRestart             91      0x14002a110
midiStreamStop                92      0x14003e930
mixerClose                    93      0x14001d760
mixerGetControlDetailsA       94      0x14003b398
mixerGetControlDetailsW       95      0x14001b6e4
mixerGetDevCapsA              96      0x140028510
mixerGetDevCapsW              97      0x140039a8c
mixerGetID                    98      0x140027c78
mixerGetLineControlsA         99      0x14001b870
mixerGetLineControlsW         100     0x140014c50
mixerGetLineInfoA             101     0x14004024c
mixerGetLineInfoW             102     0x14003893c
mixerGetNumDevs               103     0x14002cb94
mixerMessage                  104     0x14003d9b0
mixerOpen                     105     0x14001a8a4
mixerSetControlDetails        106     0x140001604
mmDrvInstall                  107     0x140004fa0
mmGetCurrentTask              108     0x140035e80
mmTaskBlock                   109     0x1400030a0
mmTaskCreate                  110     0x14003f038
mmTaskSignal                  111     0x14001ef60
mmTaskYield                   112     0x14000c638
mmioAdvance                   113     0x14002ee80
mmioAscend                    114     0x140005190
mmioClose                     115     0x14001e998
mmioCreateChunk               116     0x1400260dc
mmioDescend                   117     0x140039708
mmioFlush                     118     0x140040a64
mmioGetInfo                   119     0x14001fe60
mmioInstallIOProcA            120     0x14003cff0
mmioInstallIOProcW            121     0x14003bac0
mmioOpenA                     122     0x1400115d4
mmioOpenW                     123     0x14000baa4
mmioRead                      124     0x140011994
mmioRenameA                   125     0x140008c18
mmioRenameW                   126     0x140039edc
mmioSeek                      127     0x140034de8
mmioSendMessage               128     0x140014268
mmioSetBuffer                 129     0x140033d6c
mmioSetInfo                   130     0x14000d6a4
mmioStringToFOURCCA           131     0x14002eae0
mmioStringToFOURCCW           132     0x140025fa0
mmioWrite                     133     0x14001c654
mmsystemGetVersion            134     0x140035814
sndPlaySoundA                 135     0x140029f1c
sndPlaySoundW                 136     0x14001b428
timeBeginPeriod               137     0x14001043c
timeEndPeriod                 138     0x14000fc90
timeGetDevCaps                139     0x140017698
timeGetSystemTime             140     0x140021c88
timeGetTime                   141     0x140007108
timeKillEvent                 142     0x14001d81c
timeSetEvent                  143     0x140021db0
waveInAddBuffer               144     0x1400349ac
waveInClose                   145     0x14000cef8
waveInGetDevCapsA             146     0x140002e58
waveInGetDevCapsW             147     0x1400209d8
waveInGetErrorTextA           148     0x140035a98
waveInGetErrorTextW           149     0x14000ee9c
waveInGetID                   150     0x14002bec8
waveInGetNumDevs              151     0x14003d4b0
waveInGetPosition             152     0x1400268a8
waveInMessage                 153     0x14000b7f4
waveInOpen                    154     0x14001e880
waveInPrepareHeader           155     0x140015be4
waveInReset                   156     0x14003f794
waveInStart                   157     0x14002a7c0
waveInStop                    158     0x14000b974
waveInUnprepareHeader         159     0x1400220e0
waveOutBreakLoop              160     0x14003d068
waveOutClose                  161     0x1400074dc
waveOutGetDevCapsA            162     0x140004c64
waveOutGetDevCapsW            163     0x140032ba4
waveOutGetErrorTextA          164     0x140020ca0
waveOutGetErrorTextW          165     0x14001b1dc
waveOutGetID                  166     0x1400376e0
waveOutGetNumDevs             167     0x1400133b8
waveOutGetPitch               168     0x140012324
waveOutGetPlaybackRate        169     0x14000a7c8
waveOutGetPosition            170     0x14002624c
waveOutGetVolume              171     0x14000f0b8
waveOutMessage                172     0x14001e4a4
waveOutOpen                   173     0x14000da84
waveOutPause                  174     0x14002c6f0
waveOutPrepareHeader          175     0x14000ecc8
waveOutReset                  176     0x140004b34
waveOutRestart                177     0x1400084bc
waveOutSetPitch               178     0x1400361d4
waveOutSetPlaybackRate        179     0x14000f85c
waveOutSetVolume              180     0x14002a768
waveOutUnprepareHeader        181     0x140034064
waveOutWrite                  182     0x14001d4e4

Version Infos

Description       Data
LegalCopyright    Microsoft Corporation. All rights reserv
InternalName      bitsp
FileVersion       7.5.7600.16385 (win7_rtm.090713-
CompanyName       Microsoft Corporati
ProductName       Microsoft Windows Operating S
ProductVersion    6.1.7600
FileDescription   Background Intellig
OriginalFilename  kbdy
Translation       0x0409 0x04b0

Possible Origin

Language of compilation system  Country where language is spoken
English                         United States

Network Behavior

Network Port Distribution

UDP Packets


Code Manipulations

Statistics

Behavior

System Behavior

General

Start time: 20:05:54
Start date: 28/09/2021
Path: C:\Windows\System32\loaddll64.exe
Wow64 process (32bit): false
Commandline: loaddll64.exe 'C:\Users\user\Desktop\Y7KrNvSxWx.dll'
Imagebase: 0x7ff764910000
File size: 1136128 bytes
MD5 hash: E0CC9D126C39A9D2FA1CAD5027EBBD18
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_Dridex_2, Description: Yara detected Dridex unpacked file, Source: 00000000.00000002.377190564.0000000140001000.00000020.00020000.sdmp, Author: Joe Security
Reputation: moderate

General

Start time: 20:05:55
Start date: 28/09/2021
Path: C:\Windows\System32\cmd.exe
Wow64 process (32bit): false
Commandline: cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\Y7KrNvSxWx.dll',#1
Imagebase: 0x7ff7180e0000
File size: 273920 bytes
MD5 hash: 4E2ACF4F8A396486AB4268C94A6A245F
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

General

Start time: 20:05:55
Start date: 28/09/2021
Path: C:\Windows\System32\rundll32.exe
Wow64 process (32bit): false
Commandline: rundll32.exe C:\Users\user\Desktop\Y7KrNvSxWx.dll,CloseDriver
Imagebase: 0x7ff79a230000
File size: 69632 bytes
MD5 hash: 73C519F050C20580F8A62C849D49215A
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_Dridex_2, Description: Yara detected Dridex unpacked file, Source: 00000002.00000002.456385826.0000000140001000.00000020.00020000.sdmp, Author: Joe Security
Reputation: high

General

Start time: 20:05:55
Start date: 28/09/2021
Path: C:\Windows\System32\rundll32.exe
Wow64 process (32bit): false
Commandline: rundll32.exe 'C:\Users\user\Desktop\Y7KrNvSxWx.dll',#1
Imagebase: 0x7ff79a230000
File size: 69632 bytes
MD5 hash: 73C519F050C20580F8A62C849D49215A
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_Dridex_2, Description: Yara detected Dridex unpacked file, Source: 00000003.00000002.355433336.0000000140001000.00000020.00020000.sdmp, Author: Joe Security
Reputation: high

General

Start time: 20:05:57
Start date: 28/09/2021
Path: C:\Windows\explorer.exe
Wow64 process (32bit): false
Commandline: C:\Windows\Explorer.EXE
Imagebase: 0x7ff6f22f0000
File size: 3933184 bytes
MD5 hash: AD5296B280E8F522A8A897C96BAB0E1D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

General

Start time: 20:05:59
Start date: 28/09/2021
Path: C:\Windows\System32\rundll32.exe
Wow64 process (32bit): false
Commandline: rundll32.exe C:\Users\user\Desktop\Y7KrNvSxWx.dll,DefDriverProc
Imagebase: 0x7ff79a230000
File size: 69632 bytes
MD5 hash: 73C519F050C20580F8A62C849D49215A
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_Dridex_2, Description: Yara detected Dridex unpacked file, Source: 00000006.00000002.363238472.0000000140001000.00000020.00020000.sdmp, Author: Joe Security
Reputation: high

General

Start time: 20:06:02
Start date: 28/09/2021
Path: C:\Windows\System32\rundll32.exe
Wow64 process (32bit): false
Commandline: rundll32.exe C:\Users\user\Desktop\Y7KrNvSxWx.dll,DriverCallback
Imagebase: 0x7ff79a230000
File size: 69632 bytes
MD5 hash: 73C519F050C20580F8A62C849D49215A
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_Dridex_2, Description: Yara detected Dridex unpacked file, Source: 00000007.00000002.370198156.0000000140001000.00000020.00020000.sdmp, Author: Joe Security
Reputation: high

General

Start time: 20:06:46
Start date: 28/09/2021
Path: C:\Windows\System32\SndVol.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\SndVol.exe
Imagebase: 0x7ff7da4c0000
File size: 259904 bytes
MD5 hash: CDD7C7DF2D0859AC3F4088423D11BD08
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: moderate

General

Start time: 20:06:48
Start date: 28/09/2021
Path: C:\Users\user\AppData\Local\KXZtu\SndVol.exe
Wow64 process (32bit): false
Commandline: C:\Users\user\AppData\Local\KXZtu\SndVol.exe
Imagebase: 0x7ff6249b0000
File size: 259904 bytes
MD5 hash: CDD7C7DF2D0859AC3F4088423D11BD08
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_Dridex_2, Description: Yara detected Dridex unpacked file, Source: 00000011.00000002.488077444.0000000140001000.00000020.00020000.sdmp, Author: Joe Security

General

Start time: 20:06:59
Start date: 28/09/2021
Path: C:\Windows\System32\bdeunlock.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\bdeunlock.exe
Imagebase: 0x7ff7fd2d0000
File size: 286232 bytes
MD5 hash: FAB70105E2075EEC9C249A4D499CAE7C
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language

General

Start time: 20:07:00
Start date: 28/09/2021
Path: C:\Users\user\AppData\Local\mlAKVTuFf\bdeunlock.exe
Wow64 process (32bit): false
Commandline: C:\Users\user\AppData\Local\mlAKVTuFf\bdeunlock.exe
Imagebase: 0x7ff68d870000
File size: 286232 bytes
MD5 hash: FAB70105E2075EEC9C249A4D499CAE7C
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_Dridex_2, Description: Yara detected Dridex unpacked file, Source: 00000014.00000002.514246640.0000000140001000.00000020.00020000.sdmp, Author: Joe Security

General

Start time: 20:07:12
Start date: 28/09/2021
Path: C:\Windows\System32\SystemPropertiesPerformance.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\SystemPropertiesPerformance.exe
Imagebase: 0x7ff6c5320000
File size: 83968 bytes
MD5 hash: F325976CDC0F7E9C680B51B35D24D23A
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language

General

Start time: 20:07:13
Start date: 28/09/2021
Path: C:\Users\user\AppData\Local\UjbH0ZEv\SystemPropertiesPerformance.exe
Wow64 process (32bit): false
Commandline: C:\Users\user\AppData\Local\UjbH0ZEv\SystemPropertiesPerformance.exe
Imagebase: 0x7ff6a7b90000
File size: 83968 bytes
MD5 hash: F325976CDC0F7E9C680B51B35D24D23A
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_Dridex_2, Description: Yara detected Dridex unpacked file, Source: 00000019.00000002.545893721.0000000140001000.00000020.00020000.sdmp, Author: Joe Security

General

Start time: 20:07:26
Start date: 28/09/2021
Path: C:\Windows\System32\GamePanel.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\GamePanel.exe
Imagebase: 0x7ff7c2e80000
File size: 1292288 bytes
MD5 hash: 4EF330EFAE954723B1F2800C15FDA7EB
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language

General

Start time: 20:07:26
Start date: 28/09/2021
Path: C:\Users\user\AppData\Local\cZk0IMu\GamePanel.exe
Wow64 process (32bit): false
Commandline: C:\Users\user\AppData\Local\cZk0IMu\GamePanel.exe
Imagebase: 0x7ff71bac0000
File size: 1292288 bytes
MD5 hash: 4EF330EFAE954723B1F2800C15FDA7EB
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_Dridex_2, Description: Yara detected Dridex unpacked file, Source: 0000001E.00000002.571934505.0000000140001000.00000020.00020000.sdmp, Author: Joe Security

General

Start time: 20:07:39
Start date: 28/09/2021
Path: C:\Windows\System32\tcmsetup.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\tcmsetup.exe
Imagebase: 0x7ff7d6bb0000
File size: 16384 bytes
MD5 hash: 0DDA495155D552D024593C4B3246C8FA
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language

General

Start time: 20:07:39
Start date: 28/09/2021
Path: C:\Users\user\AppData\Local\2oEy\tcmsetup.exe
Wow64 process (32bit): false
Commandline: C:\Users\user\AppData\Local\2oEy\tcmsetup.exe
Imagebase: 0x7ff6e3310000
File size: 16384 bytes
MD5 hash: 0DDA495155D552D024593C4B3246C8FA
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_Dridex_2, Description: Yara detected Dridex unpacked file, Source: 00000021.00000002.598954103.0000000140001000.00000020.00020000.sdmp, Author: Joe Security
Antivirus matches:
• Detection: 0%, Virustotal
• Detection: 0%, Metadefender
• Detection: 0%, ReversingLabs

                                                                  General

                                                                  Start time:20:07:51
                                                                  Start date:28/09/2021
                                                                  Path:C:\Windows\System32\wscript.exe
                                                                  Wow64 process (32bit):false
                                                                  Commandline:C:\Windows\system32\wscript.exe
                                                                  Imagebase:0x7ff7639c0000
                                                                  File size:163840 bytes
                                                                  MD5 hash:9A68ADD12EB50DDE7586782C3EB9FF9C
                                                                  Has elevated privileges:true
                                                                  Has administrator privileges:true
                                                                  Programmed in:C, C++ or other language

                                                                  General

                                                                  Start time:20:07:52
                                                                  Start date:28/09/2021
                                                                  Path:C:\Users\user\AppData\Local\NakOm\wscript.exe
                                                                  Wow64 process (32bit):false
                                                                  Commandline:C:\Users\user\AppData\Local\NakOm\wscript.exe
                                                                  Imagebase:0x7ff68af10000
                                                                  File size:163840 bytes
                                                                  MD5 hash:9A68ADD12EB50DDE7586782C3EB9FF9C
                                                                  Has elevated privileges:true
                                                                  Has administrator privileges:true
                                                                  Programmed in:C, C++ or other language
                                                                  Yara matches:
                                                                  • Rule: JoeSecurity_Dridex_2, Description: Yara detected Dridex unpacked file, Source: 00000024.00000002.625281639.0000000140001000.00000020.00020000.sdmp, Author: Joe Security

                                                                  General

                                                                  Start time:20:08:05
                                                                  Start date:28/09/2021
                                                                  Path:C:\Windows\System32\BitLockerWizardElev.exe
                                                                  Wow64 process (32bit):false
                                                                  Commandline:C:\Windows\system32\BitLockerWizardElev.exe
                                                                  Imagebase:0x7ff6283d0000
                                                                  File size:101888 bytes
                                                                  MD5 hash:3104EA9ECCA9ED71A382CCAAD618CEAE
                                                                  Has elevated privileges:true
                                                                  Has administrator privileges:true
                                                                  Programmed in:C, C++ or other language

                                                                  General

                                                                  Start time:20:08:05
                                                                  Start date:28/09/2021
                                                                  Path:C:\Users\user\AppData\Local\Uh9eo\BitLockerWizardElev.exe
                                                                  Wow64 process (32bit):false
                                                                  Commandline:C:\Users\user\AppData\Local\Uh9eo\BitLockerWizardElev.exe
                                                                  Imagebase:0x7ff6173e0000
                                                                  File size:101888 bytes
                                                                  MD5 hash:3104EA9ECCA9ED71A382CCAAD618CEAE
                                                                  Has elevated privileges:true
                                                                  Has administrator privileges:true
                                                                  Programmed in:C, C++ or other language
                                                                  Yara matches:
                                                                  • Rule: JoeSecurity_Dridex_2, Description: Yara detected Dridex unpacked file, Source: 00000026.00000002.654598508.0000000140001000.00000020.00020000.sdmp, Author: Joe Security

                                                                  General

                                                                  Start time:20:08:17
                                                                  Start date:28/09/2021
                                                                  Path:C:\Windows\System32\upfc.exe
                                                                  Wow64 process (32bit):false
                                                                  Commandline:C:\Windows\system32\upfc.exe
                                                                  Imagebase:0x7ff629050000
                                                                  File size:110632 bytes
                                                                  MD5 hash:4CEED46DDAB911AE1298422BFB12460C
                                                                  Has elevated privileges:true
                                                                  Has administrator privileges:true
                                                                  Programmed in:C, C++ or other language

                                                                  General

                                                                  Start time:20:08:18
                                                                  Start date:28/09/2021
                                                                  Path:C:\Users\user\AppData\Local\mFxP\upfc.exe
                                                                  Wow64 process (32bit):false
                                                                  Commandline:C:\Users\user\AppData\Local\mFxP\upfc.exe
                                                                  Imagebase:0x7ff7299b0000
                                                                  File size:110632 bytes
                                                                  MD5 hash:4CEED46DDAB911AE1298422BFB12460C
                                                                  Has elevated privileges:true
                                                                  Has administrator privileges:true
                                                                  Programmed in:C, C++ or other language
                                                                  Yara matches:
                                                                  • Rule: JoeSecurity_Dridex_2, Description: Yara detected Dridex unpacked file, Source: 00000028.00000002.681547027.0000000140001000.00000020.00020000.sdmp, Author: Joe Security

                                                                  General

                                                                  Start time:20:08:30
                                                                  Start date:28/09/2021
                                                                  Path:C:\Windows\System32\SystemPropertiesDataExecutionPrevention.exe
                                                                  Wow64 process (32bit):false
                                                                  Commandline:C:\Windows\system32\SystemPropertiesDataExecutionPrevention.exe
                                                                  Imagebase:0x7ff7aec30000
                                                                  File size:83968 bytes
                                                                  MD5 hash:1A34577AEDE83993615D7F2E37024D4D
                                                                  Has elevated privileges:true
                                                                  Has administrator privileges:true
                                                                  Programmed in:C, C++ or other language

                                                                  Disassembly

                                                                  Code Analysis
