
Windows Analysis Report yWteP7e12z

Overview

General Information

Sample Name: yWteP7e12z (renamed file extension from none to dll)
Analysis ID: 492789
MD5: a75be08d11b5028b6e0fa8be59676599
SHA1: c47a48e04dc10641df07dba7dbbb73602e6615aa
SHA256: 7500211dd9ce4e45664ae07e4eb58ca361c4551f1c2b52d00bb0da547e9cdc2a
Tags: Dridex, exe

Detection

Dridex
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Yara detected Dridex unpacked file
Multi AV Scanner detection for submitted file
Benign windows process drops PE files
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Changes memory attributes in foreign processes to executable or writable
Machine Learning detection for sample
Queues an APC in another process (thread injection)
Machine Learning detection for dropped file
Contains functionality to prevent local Windows debugging
Uses Atom Bombing / ProGate to inject into other processes
PE file contains section with special chars
Queries the volume information (name, serial number etc) of a device
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query locales information (e.g. system language)
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
PE file contains sections with non-standard names
Queries the installation date of Windows
Detected potential crypto function
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to call native functions
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to dynamically determine API calls
Found dropped PE file which has not been started or loaded
Contains functionality to record screenshots
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains functionality for execution timing, often used to detect debuggers
PE file contains an invalid checksum
PE file contains strange resources
Drops PE files
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Binary contains a suspicious time stamp
PE file contains more sections than normal
Uses Microsoft's Enhanced Cryptographic Provider
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality for read data from the clipboard

Classification

Process Tree

  • System is w10x64
  • loaddll64.exe (PID: 6928 cmdline: loaddll64.exe 'C:\Users\user\Desktop\yWteP7e12z.dll' MD5: E0CC9D126C39A9D2FA1CAD5027EBBD18)
    • cmd.exe (PID: 4668 cmdline: cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\yWteP7e12z.dll',#1 MD5: 4E2ACF4F8A396486AB4268C94A6A245F)
      • rundll32.exe (PID: 4528 cmdline: rundll32.exe 'C:\Users\user\Desktop\yWteP7e12z.dll',#1 MD5: 73C519F050C20580F8A62C849D49215A)
    • rundll32.exe (PID: 4536 cmdline: rundll32.exe C:\Users\user\Desktop\yWteP7e12z.dll,BeginBufferedAnimation MD5: 73C519F050C20580F8A62C849D49215A)
      • explorer.exe (PID: 3352 cmdline: C:\Windows\Explorer.EXE MD5: AD5296B280E8F522A8A897C96BAB0E1D)
        • recdisc.exe (PID: 6628 cmdline: C:\Windows\system32\recdisc.exe MD5: D2AEFB37C329E455DC2C17D3AA049666)
        • SnippingTool.exe (PID: 7044 cmdline: C:\Windows\system32\SnippingTool.exe MD5: 9012F9C6AC7F3F99ECDD37E24C9AC3BB)
        • SnippingTool.exe (PID: 6200 cmdline: C:\Users\user\AppData\Local\S8mrk1\SnippingTool.exe MD5: 9012F9C6AC7F3F99ECDD37E24C9AC3BB)
        • raserver.exe (PID: 3604 cmdline: C:\Windows\system32\raserver.exe MD5: DE2022F0B86E33875D8A40B65550CFEB)
        • raserver.exe (PID: 2992 cmdline: C:\Users\user\AppData\Local\eQL\raserver.exe MD5: DE2022F0B86E33875D8A40B65550CFEB)
        • ddodiag.exe (PID: 5808 cmdline: C:\Windows\system32\ddodiag.exe MD5: 3CE911D7C12A2EFA9108514013BD17FE)
        • ddodiag.exe (PID: 5828 cmdline: C:\Users\user\AppData\Local\Iz08tEz\ddodiag.exe MD5: 3CE911D7C12A2EFA9108514013BD17FE)
        • dccw.exe (PID: 2364 cmdline: C:\Windows\system32\dccw.exe MD5: 341515B9556F37E623777D1C377BCFAC)
        • SppExtComObj.Exe (PID: 6280 cmdline: C:\Windows\system32\SppExtComObj.Exe MD5: 809E11DECADAEBE2454EFEDD620C4769)
        • SppExtComObj.Exe (PID: 5620 cmdline: C:\Users\user\AppData\Local\jYs4ma0u\SppExtComObj.Exe MD5: 809E11DECADAEBE2454EFEDD620C4769)
        • WMPDMC.exe (PID: 6628 cmdline: C:\Windows\system32\WMPDMC.exe MD5: 4085FDA375E50214142BD740559F5835)
        • WMPDMC.exe (PID: 6480 cmdline: C:\Users\user\AppData\Local\92ea6x\WMPDMC.exe MD5: 4085FDA375E50214142BD740559F5835)
        • wscript.exe (PID: 5532 cmdline: C:\Windows\system32\wscript.exe MD5: 9A68ADD12EB50DDE7586782C3EB9FF9C)
        • wscript.exe (PID: 5012 cmdline: C:\Users\user\AppData\Local\JFuMqIg\wscript.exe MD5: 9A68ADD12EB50DDE7586782C3EB9FF9C)
        • BdeUISrv.exe (PID: 5368 cmdline: C:\Windows\system32\BdeUISrv.exe MD5: 25D86BC656025F38D6E626B606F1D39D)
        • BdeUISrv.exe (PID: 6080 cmdline: C:\Users\user\AppData\Local\2lBRPi\BdeUISrv.exe MD5: 25D86BC656025F38D6E626B606F1D39D)
    • rundll32.exe (PID: 6568 cmdline: rundll32.exe C:\Users\user\Desktop\yWteP7e12z.dll,BeginBufferedPaint MD5: 73C519F050C20580F8A62C849D49215A)
    • rundll32.exe (PID: 3912 cmdline: rundll32.exe C:\Users\user\Desktop\yWteP7e12z.dll,BeginPanningFeedback MD5: 73C519F050C20580F8A62C849D49215A)
  • cleanup
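The process tree above shows the pattern worth hunting for on other hosts: explorer.exe (itself injected from rundll32.exe) launches a genuine System32 binary, a byte-identical copy of that binary is then launched from a random-named directory under %LOCALAPPDATA%, and a DLL bearing the name of a System32 library (VERSION.dll, WTSAPI32.dll, ACTIVEDS.dll, ...) is dropped beside it so the copy loads the malicious DLL first. The script below is an added example, not Joe Sandbox output or Dridex code. Its input records are constructed from this report (image paths and MD5s as printed in the Process Tree, DLL paths as printed under "Antivirus detection for dropped file"); the function names are illustrative and no live system is queried.

```python
"""Hunt for relocated System32 binaries paired with a dropped DLL (side-loading).
Added example built from the report's Process Tree and dropped-file list; the
records are constructed, the logic is generic."""
import ntpath
from collections import defaultdict

SYSTEM32 = r"c:\windows\system32"

# Constructed from the Process Tree: (parent image, image path, MD5 of image).
PROCESS_EVENTS = [
    ("explorer.exe", r"C:\Windows\system32\recdisc.exe", "D2AEFB37C329E455DC2C17D3AA049666"),
    ("explorer.exe", r"C:\Windows\system32\SnippingTool.exe", "9012F9C6AC7F3F99ECDD37E24C9AC3BB"),
    ("explorer.exe", r"C:\Users\user\AppData\Local\S8mrk1\SnippingTool.exe", "9012F9C6AC7F3F99ECDD37E24C9AC3BB"),
    ("explorer.exe", r"C:\Windows\system32\raserver.exe", "DE2022F0B86E33875D8A40B65550CFEB"),
    ("explorer.exe", r"C:\Users\user\AppData\Local\eQL\raserver.exe", "DE2022F0B86E33875D8A40B65550CFEB"),
    ("explorer.exe", r"C:\Windows\system32\ddodiag.exe", "3CE911D7C12A2EFA9108514013BD17FE"),
    ("explorer.exe", r"C:\Users\user\AppData\Local\Iz08tEz\ddodiag.exe", "3CE911D7C12A2EFA9108514013BD17FE"),
    ("explorer.exe", r"C:\Windows\system32\dccw.exe", "341515B9556F37E623777D1C377BCFAC"),
    ("explorer.exe", r"C:\Windows\system32\SppExtComObj.Exe", "809E11DECADAEBE2454EFEDD620C4769"),
    ("explorer.exe", r"C:\Users\user\AppData\Local\jYs4ma0u\SppExtComObj.Exe", "809E11DECADAEBE2454EFEDD620C4769"),
    ("explorer.exe", r"C:\Windows\system32\WMPDMC.exe", "4085FDA375E50214142BD740559F5835"),
    ("explorer.exe", r"C:\Users\user\AppData\Local\92ea6x\WMPDMC.exe", "4085FDA375E50214142BD740559F5835"),
    ("explorer.exe", r"C:\Windows\system32\wscript.exe", "9A68ADD12EB50DDE7586782C3EB9FF9C"),
    ("explorer.exe", r"C:\Users\user\AppData\Local\JFuMqIg\wscript.exe", "9A68ADD12EB50DDE7586782C3EB9FF9C"),
    ("explorer.exe", r"C:\Windows\system32\BdeUISrv.exe", "25D86BC656025F38D6E626B606F1D39D"),
    ("explorer.exe", r"C:\Users\user\AppData\Local\2lBRPi\BdeUISrv.exe", "25D86BC656025F38D6E626B606F1D39D"),
]

# Constructed from the "Antivirus detection for dropped file" entries.
DROPPED_FILES = [
    r"C:\Users\user\AppData\Local\JFuMqIg\VERSION.dll",
    r"C:\Users\user\AppData\Local\2lBRPi\WTSAPI32.dll",
    r"C:\Users\user\AppData\Local\2Pnr0hm64\XmlLite.dll",
    r"C:\Users\user\AppData\Local\jYs4ma0u\ACTIVEDS.dll",
    r"C:\Users\user\AppData\Local\7YI8zy\OLEACC.dll",
]


def norm_dir(path):
    """Lower-cased directory part of a Windows path (ntpath works on any OS)."""
    return ntpath.dirname(path).lower()


def relocated_system_binaries(events):
    """Map directory -> executable name for every image that ran outside System32
    while an image with the same file name AND the same MD5 ran from System32.
    An identical hash means the binary is the genuine one; only its location
    changed, which is the side-loading tell (a trojanised copy would differ)."""
    in_sys32 = {(ntpath.basename(p).lower(), md5) for _, p, md5 in events if norm_dir(p) == SYSTEM32}
    found = {}
    for _, path, md5 in events:
        if norm_dir(path) != SYSTEM32 and (ntpath.basename(path).lower(), md5) in in_sys32:
            found[norm_dir(path)] = ntpath.basename(path)
    return found


def sideload_candidates(events, dropped):
    """Pair each relocated binary with the DLLs dropped into its directory.
    Returns {dir: (exe, [dll, ...])}; an empty list means no flagged DLL drop is
    in the input for that directory (the report only lists AV-flagged drops)."""
    dlls = defaultdict(list)
    for p in dropped:
        dlls[norm_dir(p)].append(ntpath.basename(p))
    return {d: (exe, sorted(dlls[d])) for d, exe in relocated_system_binaries(events).items()}


def confirmed_sideloads(events, dropped):
    """Directories holding both a relocated System32 binary and a dropped DLL."""
    return {d: v for d, v in sideload_candidates(events, dropped).items() if v[1]}


if __name__ == "__main__":
    for d, (exe, dlls) in sorted(confirmed_sideloads(PROCESS_EVENTS, DROPPED_FILES).items()):
        print(f"{d}\\{exe}  side-loads  {', '.join(dlls)}")
```

On the report's data the binary-relocation check alone flags seven directories (S8mrk1, eQL, Iz08tEz, jYs4ma0u, 92ea6x, JFuMqIg, 2lBRPi); dccw.exe and recdisc.exe have no AppData twin in the tree. Only three of the seven also have an AV-flagged DLL drop in the report, so on a real host feed the file-creation events for the other directories, not just the flagged ones.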

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000003.00000002.290585928.0000000140001000.00000020.00020000.sdmp | JoeSecurity_Dridex_2 | Yara detected Dridex unpacked file | Joe Security |
00000002.00000002.384630779.0000000140001000.00000020.00020000.sdmp | JoeSecurity_Dridex_2 | Yara detected Dridex unpacked file | Joe Security |
00000020.00000002.502508138.0000000140001000.00000020.00020000.sdmp | JoeSecurity_Dridex_2 | Yara detected Dridex unpacked file | Joe Security |
00000022.00000002.529404050.0000000140001000.00000020.00020000.sdmp | JoeSecurity_Dridex_2 | Yara detected Dridex unpacked file | Joe Security |
00000029.00000002.583509816.0000000140001000.00000020.00020000.sdmp | JoeSecurity_Dridex_2 | Yara detected Dridex unpacked file | Joe Security |
(7 further entries; all 12 memory-dump matches are listed in full under E-Banking Fraud below.)

            Sigma Overview

            No Sigma rule has matched

            Jbx Signature Overview

            AV Detection:

Multi AV Scanner detection for submitted file
Source: yWteP7e12z.dll, Virustotal: Detection: 64%
Source: yWteP7e12z.dll, ReversingLabs: Detection: 77%
Antivirus / Scanner detection for submitted sample
Source: yWteP7e12z.dll, Avira: detected
Antivirus detection for dropped file
Source: C:\Users\user\AppData\Local\JFuMqIg\VERSION.dll, Avira: detection malicious, Label: TR/Crypt.ZPACK.Gen
Source: C:\Users\user\AppData\Local\2lBRPi\WTSAPI32.dll, Avira: detection malicious, Label: TR/Crypt.ZPACK.Gen
Source: C:\Users\user\AppData\Local\2Pnr0hm64\XmlLite.dll, Avira: detection malicious, Label: HEUR/AGEN.1114452
Source: C:\Users\user\AppData\Local\jYs4ma0u\ACTIVEDS.dll, Avira: detection malicious, Label: TR/Crypt.ZPACK.Gen
Source: C:\Users\user\AppData\Local\7YI8zy\OLEACC.dll, Avira: detection malicious, Label: TR/Crypt.ZPACK.Gen
Machine Learning detection for sample
Source: yWteP7e12z.dll, Joe Sandbox ML: detected
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Local\JFuMqIg\VERSION.dll, Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\2lBRPi\WTSAPI32.dll, Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\2Pnr0hm64\XmlLite.dll, Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\jYs4ma0u\ACTIVEDS.dll, Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\7YI8zy\OLEACC.dll, Joe Sandbox ML: detected
Uses Microsoft's Enhanced Cryptographic Provider
Source: C:\Users\user\AppData\Local\eQL\raserver.exe Code function: 26_2_00007FF74E11E7CC SysFreeString,SysAllocString,SysStringLen,SysFreeString,SysAllocString,SysStringLen,SysFreeString,SysStringByteLen,SysAllocStringByteLen,SysFreeString,SysStringByteLen,SysAllocStringByteLen,SysStringLen,CryptImportKey,free,SysStringLen,CryptDecrypt,SysAllocStringByteLen,SysFreeString,free,CryptDestroyKey,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,
Source: C:\Users\user\AppData\Local\eQL\raserver.exe Code function: 26_2_00007FF74E11E3A0 CryptBinaryToStringW,GetLastError,malloc,CryptBinaryToStringW,GetLastError,free,SysFreeString,
Source: C:\Users\user\AppData\Local\eQL\raserver.exe Code function: 26_2_00007FF74E11E530 CryptStringToBinaryW,GetLastError,malloc,CryptStringToBinaryW,GetLastError,
Source: C:\Users\user\AppData\Local\eQL\raserver.exe Code function: 26_2_00007FF74E11CDC8 CryptDestroyKey,CryptDestroyKey,CryptReleaseContext,SysFreeString,SysFreeString,SysFreeString,SysFreeString,SysFreeString,SysFreeString,SysFreeString,SysFreeString,SysFreeString,SysFreeString,SysFreeString,SysFreeString,SysFreeString,??3@YAXPEAX@Z,
Source: C:\Users\user\AppData\Local\eQL\raserver.exe Code function: 26_2_00007FF74E11DE38 CryptAcquireContextW,GetLastError,CryptGetUserKey,GetLastError,CryptGenKey,GetLastError,GetLastError,
Source: C:\Users\user\AppData\Local\eQL\raserver.exe Code function: 26_2_00007FF74E11E22C CryptExportKey,GetLastError,malloc,CryptExportKey,GetLastError,free,
Source: C:\Users\user\AppData\Local\jYs4ma0u\SppExtComObj.Exe Code function: 32_2_00007FF791479B90 CryptGenRandom,GetLastError,
Source: C:\Users\user\AppData\Local\jYs4ma0u\SppExtComObj.Exe Code function: 32_2_00007FF791479520 CryptReleaseContext,
Source: C:\Users\user\AppData\Local\jYs4ma0u\SppExtComObj.Exe Code function: 32_2_00007FF791479F20 CryptAcquireContextW,GetLastError,
Source: yWteP7e12z.dll Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA
            Source: Binary string: SppExtComObj.pdb source: SppExtComObj.Exe, 00000020.00000000.480829026.00007FF7914D1000.00000002.00020000.sdmp
            Source: Binary string: wscript.pdbGCTL source: wscript.exe, 00000025.00000002.559644071.00007FF6E8935000.00000002.00020000.sdmp
            Source: Binary string: BdeUISrv.pdb source: BdeUISrv.exe, 00000029.00000000.561844612.00007FF6E6D69000.00000002.00020000.sdmp
            Source: Binary string: SnippingTool.pdb source: SnippingTool.exe, 00000013.00000000.393138580.00007FF73D070000.00000002.00020000.sdmp
            Source: Binary string: SnippingTool.pdbGCTL source: SnippingTool.exe, 00000013.00000000.393138580.00007FF73D070000.00000002.00020000.sdmp
            Source: Binary string: BdeUISrv.pdbGCTL source: BdeUISrv.exe, 00000029.00000000.561844612.00007FF6E6D69000.00000002.00020000.sdmp
            Source: Binary string: RAServer.pdb source: raserver.exe, 0000001A.00000000.421498383.00007FF74E123000.00000002.00020000.sdmp
            Source: Binary string: WMPDMC.pdbGCTL source: WMPDMC.exe, 00000022.00000000.507457464.00007FF67B6CD000.00000002.00020000.sdmp
            Source: Binary string: wscript.pdb source: wscript.exe, 00000025.00000002.559644071.00007FF6E8935000.00000002.00020000.sdmp
            Source: Binary string: SppExtComObj.pdbUGP source: SppExtComObj.Exe, 00000020.00000000.480829026.00007FF7914D1000.00000002.00020000.sdmp
            Source: Binary string: RAServer.pdbGCTL source: raserver.exe, 0000001A.00000000.421498383.00007FF74E123000.00000002.00020000.sdmp
            Source: Binary string: DDODiag.pdbGCTL source: ddodiag.exe, 0000001C.00000000.447876390.00007FF740984000.00000002.00020000.sdmp
            Source: Binary string: DDODiag.pdb source: ddodiag.exe, 0000001C.00000000.447876390.00007FF740984000.00000002.00020000.sdmp
            Source: Binary string: WMPDMC.pdb source: WMPDMC.exe, 00000022.00000000.507457464.00007FF67B6CD000.00000002.00020000.sdmp
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_000000014005D290 FindFirstFileExW,
Source: C:\Users\user\AppData\Local\JFuMqIg\wscript.exe Code function: 37_2_00007FF6E892D4A0 GetFileAttributesW,GetLastError,FindFirstFileW,WideCharToMultiByte,GetLastError,WideCharToMultiByte,GetFileAttributesA,GetLastError,FindFirstFileA,FindClose,
Contains functionality to record screenshots
Source: C:\Users\user\AppData\Local\92ea6x\WMPDMC.exe Code function: 34_2_00007FF67B612AE8 GetDC,CreateCompatibleDC,GetDeviceCaps,GetDeviceCaps,CreateCompatibleBitmap,SelectObject,BitBlt,SelectObject,GetObjectW,GdiplusStartup,GdipAlloc,GdipCreateBitmapFromHBITMAP,GdipGetImageWidth,GdipGetImageHeight,GdipCreateHBITMAPFromBitmap,GdiplusShutdown,DeleteObject,DeleteDC,ReleaseDC,
Contains functionality for read data from the clipboard
Source: C:\Users\user\AppData\Local\S8mrk1\SnippingTool.exe Code function: 19_2_00007FF73D0437A8 OpenClipboard,GetLastError,

            E-Banking Fraud:

Yara detected Dridex unpacked file
Source: Yara match, File source: 00000003.00000002.290585928.0000000140001000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match, File source: 00000002.00000002.384630779.0000000140001000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match, File source: 00000020.00000002.502508138.0000000140001000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match, File source: 00000022.00000002.529404050.0000000140001000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match, File source: 00000029.00000002.583509816.0000000140001000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match, File source: 00000008.00000002.299168621.0000000140001000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match, File source: 00000000.00000002.311924847.0000000140001000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match, File source: 00000025.00000002.556857266.0000000140001000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match, File source: 00000009.00000002.305431916.0000000140001000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match, File source: 0000001C.00000002.469517159.0000000140001000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match, File source: 00000013.00000002.415702992.0000000140001000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match, File source: 0000001A.00000002.443389132.0000000140001000.00000020.00020000.sdmp, type: MEMORY
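The twelve Yara hits above all carry the same dump name apart from the first and third fields. The script below, an added example that is not part of the report, parses those names and summarizes where the unpacked Dridex payload was found. The dump names are copied from the list above; the process-index-to-image mapping uses only pairs this page prints (the "N_2_" prefixes of the code-function entries and the PDB-string lines, where for instance 0x1A = 26 = raserver.exe). The field meaning is an assumption consistent with those lines: field 1 is the process index in hex, field 2 the analysis phase, field 4 the base address and field 5 a winnt.h page-protection value; fields 3 and 6 are carried through undecoded.

```python
"""Parse Joe Sandbox memory-dump names and summarize the Dridex Yara hits.
Added example; field semantics are an assumption (see lead-in), and the
process-index map only contains pairs the report itself prints."""
import re
from collections import Counter

# Copied from the "Yara detected Dridex unpacked file" list on this page.
YARA_DUMPS = [
    "00000003.00000002.290585928.0000000140001000.00000020.00020000.sdmp",
    "00000002.00000002.384630779.0000000140001000.00000020.00020000.sdmp",
    "00000020.00000002.502508138.0000000140001000.00000020.00020000.sdmp",
    "00000022.00000002.529404050.0000000140001000.00000020.00020000.sdmp",
    "00000029.00000002.583509816.0000000140001000.00000020.00020000.sdmp",
    "00000008.00000002.299168621.0000000140001000.00000020.00020000.sdmp",
    "00000000.00000002.311924847.0000000140001000.00000020.00020000.sdmp",
    "00000025.00000002.556857266.0000000140001000.00000020.00020000.sdmp",
    "00000009.00000002.305431916.0000000140001000.00000020.00020000.sdmp",
    "0000001C.00000002.469517159.0000000140001000.00000020.00020000.sdmp",
    "00000013.00000002.415702992.0000000140001000.00000020.00020000.sdmp",
    "0000001A.00000002.443389132.0000000140001000.00000020.00020000.sdmp",
]

# Process index (decimal) -> image, only where the page prints both
# (e.g. "26_2_..." code functions belong to raserver.exe, dump 0000001A).
PROCESS_INDEX = {0: "loaddll64.exe", 19: "SnippingTool.exe", 26: "raserver.exe",
                 28: "ddodiag.exe", 32: "SppExtComObj.Exe", 34: "WMPDMC.exe",
                 37: "wscript.exe", 41: "BdeUISrv.exe"}
UNNAMED = "<not named on page>"

# winnt.h page-protection constants; assumption: field 5 is one of these.
PAGE_PROTECT = {0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
                0x08: "PAGE_WRITECOPY", 0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
                0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY"}

DUMP_RE = re.compile(
    r"^([0-9a-f]{8})\.([0-9a-f]{8})\.(\d+)\.([0-9a-f]{16})\.([0-9a-f]{8})\.([0-9a-f]{8})\.sdmp$",
    re.IGNORECASE)


def parse_dump_name(name):
    """Split one dump name into its six fields under the assumed layout."""
    m = DUMP_RE.match(name)
    if m is None:
        raise ValueError(f"not a Joe Sandbox dump name: {name}")
    pidx, phase, dump_id, addr, prot, kind = m.groups()
    index = int(pidx, 16)
    return {"process_index": index, "phase": int(phase, 16), "dump_id": dump_id,
            "address": int(addr, 16), "protect": int(prot, 16), "kind": int(kind, 16),
            "image": PROCESS_INDEX.get(index, UNNAMED)}


def summarize(names):
    """Aggregate the hits: which processes, at which address, with which protection."""
    parsed = [parse_dump_name(n) for n in names]
    return {
        "count": len(parsed),
        "process_indexes": sorted(p["process_index"] for p in parsed),
        "addresses": Counter(hex(p["address"]) for p in parsed),
        "protections": Counter(PAGE_PROTECT.get(p["protect"], hex(p["protect"])) for p in parsed),
        "images": sorted(p["image"] for p in parsed if p["image"] != UNNAMED),
    }


if __name__ == "__main__":
    for key, value in summarize(YARA_DUMPS).items():
        print(f"{key}: {value}")
```

Every hit sits at 0x140001000 (one page past the default x64 image base) with PAGE_EXECUTE_READ, in twelve distinct process indexes, eight of which the page names. That uniformity is consistent with one unpacked payload being placed into each host process the tree shows being launched, and it is why the same Yara rule fires in every one of them.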

            System Summary:

PE file contains section with special chars
Source: SppExtComObj.Exe.5.dr Static PE information: section name: ?g_Encry
Source: C:\Windows\System32\loaddll64.exe Code functions (all with prefix 0_2_):
  0000000140034870, 0000000140035270, 0000000140048AC0, 000000014005C340, 0000000140065B80, 000000014006A4B0, 00000001400524B0, 0000000140026CC0,
  000000014004BD40, 00000001400495B0, 0000000140036F30, 0000000140069010, 0000000140001010, 0000000140066020, 000000014002F840, 000000014005D850,
  0000000140064080, 0000000140010880, 00000001400688A0, 000000014002D0D0, 00000001400018D0, 0000000140016100, 000000014001D100, 000000014002A110,
  000000014001D910, 0000000140015120, 000000014000B120, 000000014004F940, 0000000140039140, 0000000140023140, 0000000140057950, 000000014001E170,
  0000000140002980, 00000001400611A0, 00000001400389A0, 00000001400381A0, 000000014002E1B0, 00000001400139D0, 00000001400319F0, 000000014002EA00,
  0000000140022A00, 000000014003B220, 0000000140067A40, 0000000140069A50, 0000000140007A60, 000000014003AAC0, 000000014003A2E0, 0000000140062B00,
  0000000140018300, 000000014002FB20, 0000000140031340, 0000000140022340, 0000000140017B40, 000000014000BB40, 000000014004EB60, 0000000140005370,
  000000014002CB80, 000000014006B390, 0000000140054BA0, 0000000140033BB0, 00000001400263C0, 00000001400123C0, 0000000140063BD0, 00000001400663F0,
  0000000140023BF0, 000000014006B41B, 000000014006B424, 000000014006B42D, 000000014006B436, 000000014006B43D, 0000000140024440, 0000000140005C40,
  000000014006B446, 000000014005F490, 0000000140022D00, 0000000140035520, 0000000140019D20, 0000000140030530, 0000000140023530, 0000000140031540,
  0000000140033540, 000000014007BD50, 0000000140078570, 0000000140019580, 00000001400205A0, 0000000140025DB0, 0000000140071DC0, 000000014000C5C0,
  000000014002DDE0, 0000000140031DF0, 000000014000DDF0, 0000000140001620, 0000000140018630, 0000000140032650, 0000000140064E80, 0000000140016E80,
  0000000140007EA0, 00000001400286B0, 0000000140006EB0, 00000001400276C0, 000000014002FEC0, 000000014002EED0, 000000014002B6E0, 0000000140053F20,
  0000000140022730, 0000000140029780, 0000000140018F80, 000000014003EFB0, 00000001400067B0, 00000001400667D0, 0000000140060FE0
Source: C:\Users\user\AppData\Local\S8mrk1\SnippingTool.exe Code functions (all with prefix 19_2_):
  00007FF73D058A64, 00007FF73D04AE80, 00007FF73D045EBC, 00007FF73D048D50, 00007FF73D049978, 00007FF73D0539A8, 00007FF73D054598, 00007FF73D0429F4,
  00007FF73D041600, 00007FF73D05C470, 00007FF73D06EC80, 00007FF73D0458C0, 00007FF73D04250C, 00007FF73D05EF38, 00007FF73D049338, 00007FF73D041F60,
  00007FF73D04EB98, 00007FF73D05F3CC, 00007FF73D059008, 00007FF73D055FF8
Source: C:\Users\user\AppData\Local\eQL\raserver.exe Code functions (all with prefix 26_2_):
  00007FF74E119740, 00007FF74E111FA4, 00007FF74E1177B4, 00007FF74E117008, 00007FF74E1183E0, 00007FF74E11C87C, 00007FF74E11B4DC, 00007FF74E11BD30,
  00007FF74E11A9AC, 00007FF74E119DAC, 00007FF74E112A08, 00007FF74E11D2B0, 00007FF74E11A2EC
Source: C:\Users\user\AppData\Local\Iz08tEz\ddodiag.exe Code functions (all with prefix 28_2_):
  00007FF7409826A0, 00007FF74098236C
Source: C:\Users\user\AppData\Local\jYs4ma0u\SppExtComObj.Exe Code functions (all with prefix 32_2_):
  00007FF79146CA30, 00007FF79146BB70, 00007FF79146B3B0, 00007FF79146C690, 00007FF79146CE10, 00007FF79146B7A0
Source: C:\Users\user\AppData\Local\92ea6x\WMPDMC.exe Code functions (all with prefix 34_2_):
  00007FF67B62DC68, 00007FF67B64FD30, 00007FF67B691D00, 00007FF67B645CD8, 00007FF67B5F7B78, 00007FF67B63BB7C, 00007FF67B67FC30, 00007FF67B6C5BB8,
  00007FF67B647BC0, 00007FF67B621A98, 00007FF67B6B5A90, 00007FF67B695A78, 00007FF67B6ABA68, 00007FF67B665AFC, 00007FF67B601AF0, 00007FF67B6499A0,
  00007FF67B6AD9F4, 00007FF67B6520B4, 00007FF67B68003C, 00007FF67B6B011C, 00007FF67B5FE0FC, 00007FF67B64A0E0, 00007FF67B6B6020, 00007FF67B699FC8,
  00007FF67B64BFB8, 00007FF67B6B1EA0, 00007FF67B66DE58, 00007FF67B6A5E48, 00007FF67B69FE18, 00007FF67B6A94B4, 00007FF67B67D490
            Source: C:\Users\user\AppData\Local\92ea6x\WMPDMC.exeCode function: 34_2_00007FF67B673510
            Source: C:\Users\user\AppData\Local\92ea6x\WMPDMC.exeCode function: 34_2_00007FF67B6AD4D8
            Source: C:\Users\user\AppData\Local\92ea6x\WMPDMC.exeCode function: 34_2_00007FF67B6174B8
            Source: C:\Users\user\AppData\Local\92ea6x\WMPDMC.exeCode function: 34_2_00007FF67B6454BC
            Source: C:\Users\user\AppData\Local\92ea6x\WMPDMC.exeCode function: 34_2_00007FF67B6A33A0
            Source: C:\Users\user\AppData\Local\92ea6x\WMPDMC.exeCode function: 34_2_00007FF67B5FF35C
            Source: C:\Users\user\AppData\Local\92ea6x\WMPDMC.exeCode function: 34_2_00007FF67B63D310
            Source: C:\Users\user\AppData\Local\92ea6x\WMPDMC.exeCode function: 34_2_00007FF67B63731C
            Source: C:\Users\user\AppData\Local\92ea6x\WMPDMC.exeCode function: 34_2_00007FF67B631320
            Source: C:\Users\user\AppData\Local\92ea6x\WMPDMC.exeCode function: 34_2_00007FF67B61D2F8
            Source: C:\Users\user\AppData\Local\92ea6x\WMPDMC.exeCode function: 34_2_00007FF67B6A52C0
            Source: C:\Users\user\AppData\Local\92ea6x\WMPDMC.exeCode function: 34_2_00007FF67B6032CC
            Source: C:\Users\user\AppData\Local\92ea6x\WMPDMC.exeCode function: 34_2_00007FF67B6B11B4
            Source: C:\Users\user\AppData\Local\92ea6x\WMPDMC.exeCode function: 34_2_00007FF67B67F18C
            Source: C:\Users\user\AppData\Local\92ea6x\WMPDMC.exeCode function: 34_2_00007FF67B67B140
            Source: C:\Users\user\AppData\Local\92ea6x\WMPDMC.exeCode function: 34_2_00007FF67B6C31F0
            Source: C:\Users\user\AppData\Local\92ea6x\WMPDMC.exeCode function: 34_2_00007FF67B5F4E60
            Source: C:\Users\user\AppData\Local\92ea6x\WMPDMC.exeCode function: 34_2_00007FF67B65D1C0
            Source: C:\Users\user\AppData\Local\92ea6x\WMPDMC.exeCode function: 34_2_00007FF67B605930
            Source: C:\Users\user\AppData\Local\92ea6x\WMPDMC.exeCode function: 34_2_00007FF67B633910
            Source: C:\Users\user\AppData\Local\92ea6x\WMPDMC.exeCode function: 34_2_00007FF67B69B78C
            Source: C:\Users\user\AppData\Local\92ea6x\WMPDMC.exeCode function: 34_2_00007FF67B61976C
            Source: C:\Users\user\AppData\Local\92ea6x\WMPDMC.exeCode function: 34_2_00007FF67B6B175C
            Source: C:\Users\user\AppData\Local\92ea6x\WMPDMC.exeCode function: 34_2_00007FF67B63773C
            Source: C:\Users\user\AppData\Local\92ea6x\WMPDMC.exeCode function: 34_2_00007FF67B67D820
            Source: C:\Users\user\AppData\Local\92ea6x\WMPDMC.exeCode function: 34_2_00007FF67B6957D8
            Source: C:\Users\user\AppData\Local\92ea6x\WMPDMC.exeCode function: 34_2_00007FF67B6BD7D0
            Source: C:\Users\user\AppData\Local\92ea6x\WMPDMC.exeCode function: 34_2_00007FF67B65171C
            Source: C:\Users\user\AppData\Local\92ea6x\WMPDMC.exeCode function: 34_2_00007FF67B639590
            Source: C:\Users\user\AppData\Local\92ea6x\WMPDMC.exeCode function: 34_2_00007FF67B64B610
            Source: C:\Users\user\AppData\Local\92ea6x\WMPDMC.exeCode function: 34_2_00007FF67B65D5F4
            Source: C:\Users\user\AppData\Local\92ea6x\WMPDMC.exeCode function: 34_2_00007FF67B67AC70
            Source: C:\Users\user\AppData\Local\92ea6x\WMPDMC.exeCode function: 34_2_00007FF67B664D18
            Source: C:\Users\user\AppData\Local\92ea6x\WMPDMC.exeCode function: 34_2_00007FF67B60AB3C
            Source: C:\Users\user\AppData\Local\92ea6x\WMPDMC.exeCode function: 34_2_00007FF67B61AB44
            Source: C:\Users\user\AppData\Local\92ea6x\WMPDMC.exeCode function: 34_2_00007FF67B65CBE8
            Source: C:\Users\user\AppData\Local\92ea6x\WMPDMC.exeCode function: 34_2_00007FF67B602A84
            Source: C:\Users\user\AppData\Local\92ea6x\WMPDMC.exeCode function: 34_2_00007FF67B644A8C
            Source: C:\Users\user\AppData\Local\92ea6x\WMPDMC.exeCode function: 34_2_00007FF67B646940
            Source: C:\Users\user\AppData\Local\92ea6x\WMPDMC.exeCode function: 34_2_00007FF67B638A0C
            Source: C:\Users\user\AppData\Local\92ea6x\WMPDMC.exeCode function: 34_2_00007FF67B69A9D0
            Source: C:\Users\user\AppData\Local\92ea6x\WMPDMC.exeCode function: 34_2_00007FF67B65504C
            Source: C:\Users\user\AppData\Local\92ea6x\WMPDMC.exeCode function: 34_2_00007FF67B698FA0
            Source: C:\Users\user\AppData\Local\92ea6x\WMPDMC.exeCode function: 34_2_00007FF67B624F80
            Source: C:\Users\user\AppData\Local\92ea6x\WMPDMC.exeCode function: 34_2_00007FF67B630F54
            Source: C:\Users\user\AppData\Local\92ea6x\WMPDMC.exeCode function: 34_2_00007FF67B61D034
            Source: C:\Users\user\AppData\Local\92ea6x\WMPDMC.exeCode function: 34_2_00007FF67B664FFC
            Source: C:\Users\user\AppData\Local\92ea6x\WMPDMC.exeCode function: 34_2_00007FF67B687000
            Source: C:\Users\user\AppData\Local\92ea6x\WMPDMC.exeCode function: 34_2_00007FF67B68CE54
            Source: C:\Users\user\AppData\Local\92ea6x\WMPDMC.exeCode function: 34_2_00007FF67B68AD78
            Source: C:\Users\user\AppData\Local\92ea6x\WMPDMC.exeCode function: 34_2_00007FF67B620D50
            Source: C:\Users\user\AppData\Local\92ea6x\WMPDMC.exeCode function: 34_2_00007FF67B67CD50
            Source: C:\Users\user\AppData\Local\92ea6x\WMPDMC.exeCode function: 34_2_00007FF67B692E28
            Source: C:\Users\user\AppData\Local\92ea6x\WMPDMC.exeCode function: 34_2_00007FF67B6B0E08
            Source: C:\Users\user\AppData\Local\92ea6x\WMPDMC.exeCode function: 34_2_00007FF67B632498
            Source: C:\Users\user\AppData\Local\92ea6x\WMPDMC.exeCode function: 34_2_00007FF67B6BC464
            Source: C:\Users\user\AppData\Local\92ea6x\WMPDMC.exeCode function: 34_2_00007FF67B66E510
            Source: C:\Users\user\AppData\Local\92ea6x\WMPDMC.exeCode function: 34_2_00007FF67B60C4F4
            Source: C:\Users\user\AppData\Local\92ea6x\WMPDMC.exeCode function: 34_2_00007FF67B5F84E8
            Source: C:\Users\user\AppData\Local\92ea6x\WMPDMC.exeCode function: 34_2_00007FF67B64A340
            Source: C:\Users\user\AppData\Local\92ea6x\WMPDMC.exeCode function: 34_2_00007FF67B686428
            Source: C:\Users\user\AppData\Local\92ea6x\WMPDMC.exeCode function: 34_2_00007FF67B68C3F0
            Source: C:\Users\user\AppData\Local\92ea6x\WMPDMC.exeCode function: 34_2_00007FF67B60A3F0
            Source: C:\Users\user\AppData\Local\92ea6x\WMPDMC.exeCode function: 34_2_00007FF67B6463C8
            Source: C:\Users\user\AppData\Local\JFuMqIg\wscript.exeCode function: 37_2_00007FF6E89321C4
            Source: C:\Users\user\AppData\Local\JFuMqIg\wscript.exeCode function: 37_2_00007FF6E8931A34
            Source: C:\Users\user\AppData\Local\JFuMqIg\wscript.exeCode function: 37_2_00007FF6E8925A34
            Source: C:\Users\user\AppData\Local\JFuMqIg\wscript.exeCode function: 37_2_00007FF6E8926954
            Source: C:\Users\user\AppData\Local\JFuMqIg\wscript.exeCode function: 37_2_00007FF6E89291AC
            Source: C:\Users\user\AppData\Local\JFuMqIg\wscript.exeCode function: 37_2_00007FF6E8927B1C
            Source: C:\Users\user\AppData\Local\JFuMqIg\wscript.exeCode function: 37_2_00007FF6E892AE8C
            Source: C:\Users\user\AppData\Local\JFuMqIg\wscript.exeCode function: 37_2_00007FF6E8930A94
            Source: C:\Users\user\AppData\Local\JFuMqIg\wscript.exeCode function: 37_2_00007FF6E893340C
            Source: C:\Users\user\AppData\Local\JFuMqIg\wscript.exeCode function: 37_2_00007FF6E8931F68
            Source: C:\Users\user\AppData\Local\JFuMqIg\wscript.exeCode function: 37_2_00007FF6E8928348
            Source: C:\Users\user\AppData\Local\JFuMqIg\wscript.exeCode function: 37_2_00007FF6E89234D8
            Source: C:\Users\user\AppData\Local\JFuMqIg\wscript.exeCode function: 37_2_00007FF6E8931C9C
            Source: C:\Users\user\AppData\Local\JFuMqIg\wscript.exeCode function: 37_2_00007FF6E89314A0
            Source: C:\Users\user\AppData\Local\2lBRPi\BdeUISrv.exeCode function: 41_2_00007FF6E6D62134
            Source: C:\Users\user\AppData\Local\2lBRPi\BdeUISrv.exeCode function: 41_2_00007FF6E6D64500
            Source: C:\Users\user\AppData\Local\2lBRPi\BdeUISrv.exeCode function: 41_2_00007FF6E6D638D0
            Source: C:\Users\user\AppData\Local\2lBRPi\BdeUISrv.exeCode function: 41_2_00007FF6E6D62A9C
            Source: C:\Users\user\AppData\Local\2lBRPi\BdeUISrv.exeCode function: 41_2_00007FF6E6D64D78
            Source: C:\Users\user\AppData\Local\2lBRPi\BdeUISrv.exeCode function: 41_2_00007FF6E6D63F74
            Source: C:\Users\user\AppData\Local\92ea6x\WMPDMC.exeCode function: String function: 00007FF67B5F3240 appears 37 times
            Source: C:\Users\user\AppData\Local\S8mrk1\SnippingTool.exeCode function: String function: 00007FF73D061454 appears 227 times
            Source: C:\Users\user\AppData\Local\eQL\raserver.exeCode function: String function: 00007FF74E11FA1C appears 106 times
            Source: C:\Windows\System32\loaddll64.exeCode function: 0_2_0000000140046C90 NtClose,
            Source: C:\Windows\System32\loaddll64.exeCode function: 0_2_000000014006A4B0 NtQuerySystemInformation,
            Source: C:\Users\user\AppData\Local\jYs4ma0u\SppExtComObj.ExeCode function: 32_2_00007FF7914751E0 OpenEventW,NtQuerySystemInformation,
            Source: C:\Users\user\AppData\Local\jYs4ma0u\SppExtComObj.ExeCode function: 32_2_00007FF791480C90 NtQuerySystemInformation,
            Source: C:\Users\user\AppData\Local\jYs4ma0u\SppExtComObj.ExeCode function: 32_2_00007FF791479440 NtQuerySystemInformation,
            Source: C:\Users\user\AppData\Local\jYs4ma0u\SppExtComObj.ExeCode function: 32_2_00007FF791480CE0 NtQuerySystemInformation,
            Source: C:\Users\user\AppData\Local\jYs4ma0u\SppExtComObj.ExeCode function: 32_2_00007FF791479E57 NtQuerySystemInformation,
            Source: C:\Users\user\AppData\Local\jYs4ma0u\SppExtComObj.ExeCode function: 32_2_00007FF791479EA0 NtQuerySystemInformation,
            Source: C:\Users\user\AppData\Local\jYs4ma0u\SppExtComObj.ExeCode function: 32_2_00007FF791479E13 NtQuerySystemInformation,
            Source: C:\Users\user\AppData\Local\jYs4ma0u\SppExtComObj.ExeCode function: 32_2_00007FF791480820 NtQuerySystemInformation,
            Source: C:\Users\user\AppData\Local\jYs4ma0u\SppExtComObj.ExeCode function: 32_2_00007FF79147676C NtQuerySystemInformation,
            Source: C:\Users\user\AppData\Local\jYs4ma0u\SppExtComObj.ExeCode function: 32_2_00007FF791480780 NtQuerySystemInformation,
            Source: C:\Users\user\AppData\Local\jYs4ma0u\SppExtComObj.ExeCode function: 32_2_00007FF791480721 NtQuerySystemInformation,
            Source: C:\Users\user\AppData\Local\jYs4ma0u\SppExtComObj.ExeCode function: 32_2_00007FF79147679C NtQuerySystemInformation,
            Source: C:\Users\user\AppData\Local\jYs4ma0u\SppExtComObj.ExeCode function: 32_2_00007FF791480FA0 NtQuerySystemInformation,
            Source: C:\Users\user\AppData\Local\jYs4ma0u\SppExtComObj.ExeCode function: 32_2_00007FF7914807D0 NtQuerySystemInformation,
            Source: C:\Users\user\AppData\Local\JFuMqIg\wscript.exeCode function: 37_2_00007FF6E892AE00 GetWindowLongPtrA,SetWindowLongPtrA,NtdllDefWindowProc_A,
            Source: C:\Users\user\AppData\Local\JFuMqIg\wscript.exeCode function: 37_2_00007FF6E892AC78 KillTimer,GetLastError,KillTimer,GetLastError,SetTimer,GetLastError,NtdllDefWindowProc_A,KillTimer,EnumThreadWindows,PostQuitMessage,
            Source: SnippingTool.exe.5.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
            Source: SnippingTool.exe.5.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
            Source: SnippingTool.exe.5.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
            Source: SnippingTool.exe.5.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
            Source: WMPDMC.exe.5.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
            Source: WMPDMC.exe.5.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
            Source: WMPDMC.exe.5.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
            Source: WMPDMC.exe.5.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
            Source: WMPDMC.exe.5.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
            Source: WMPDMC.exe.5.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
            Source: WMPDMC.exe.5.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
            Source: WMPDMC.exe.5.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
            Source: WMPDMC.exe.5.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
            Source: wscript.exe.5.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
            Source: wscript.exe.5.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
            Source: wscript.exe.5.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
            Source: wscript.exe.5.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
            Source: sethc.exe.5.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
            Source: sethc.exe.5.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
            Source: sethc.exe.5.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
            Source: MusNotifyIcon.exe.5.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
            Source: MusNotifyIcon.exe.5.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
            Source: MusNotifyIcon.exe.5.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
            Source: MusNotifyIcon.exe.5.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
            Source: yWteP7e12z.dllStatic PE information: Number of sections : 40 > 10
            Source: ACTIVEDS.dll.5.drStatic PE information: Number of sections : 41 > 10
            Source: WTSAPI32.dll.5.drStatic PE information: Number of sections : 41 > 10
            Source: OLEACC.dll1.5.drStatic PE information: Number of sections : 41 > 10
            Source: VERSION.dll.5.drStatic PE information: Number of sections : 41 > 10
            Source: XmlLite.dll1.5.drStatic PE information: Number of sections : 41 > 10
            Source: XmlLite.dll0.5.drStatic PE information: Number of sections : 41 > 10
            Source: XmlLite.dll.5.drStatic PE information: Number of sections : 41 > 10
            Source: OLEACC.dll0.5.drStatic PE information: Number of sections : 41 > 10
            Source: OLEACC.dll.5.drStatic PE information: Number of sections : 41 > 10
            Source: WTSAPI32.dll0.5.drStatic PE information: Number of sections : 41 > 10
            Source: yWteP7e12z.dllStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
            Source: OLEACC.dll.5.drStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
            Source: WTSAPI32.dll.5.drStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
            Source: XmlLite.dll.5.drStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
            Source: ACTIVEDS.dll.5.drStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
            Source: SppExtComObj.Exe.5.drStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
            Source: OLEACC.dll0.5.drStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
            Source: VERSION.dll.5.drStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
            Source: WTSAPI32.dll0.5.drStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
            Source: XmlLite.dll0.5.drStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
            Source: OLEACC.dll1.5.drStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
            Source: XmlLite.dll1.5.drStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
            Source: yWteP7e12z.dllVirustotal: Detection: 64%
            Source: yWteP7e12z.dllReversingLabs: Detection: 77%
            Source: yWteP7e12z.dllStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
            Source: C:\Windows\System32\loaddll64.exeKey opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
            Source: unknownProcess created: C:\Windows\System32\loaddll64.exe loaddll64.exe 'C:\Users\user\Desktop\yWteP7e12z.dll'
            Source: C:\Windows\System32\loaddll64.exeProcess created: C:\Windows\System32\cmd.exe cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\yWteP7e12z.dll',#1
            Source: C:\Windows\System32\loaddll64.exeProcess created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\yWteP7e12z.dll,BeginBufferedAnimation
            Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\yWteP7e12z.dll',#1
            Source: C:\Windows\System32\loaddll64.exeProcess created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\yWteP7e12z.dll,BeginBufferedPaint
            Source: C:\Windows\System32\loaddll64.exeProcess created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\yWteP7e12z.dll,BeginPanningFeedback
            Source: C:\Windows\explorer.exeProcess created: C:\Windows\System32\recdisc.exe C:\Windows\system32\recdisc.exe
            Source: C:\Windows\explorer.exeProcess created: C:\Windows\System32\SnippingTool.exe C:\Windows\system32\SnippingTool.exe
            Source: C:\Windows\explorer.exeProcess created: C:\Users\user\AppData\Local\S8mrk1\SnippingTool.exe C:\Users\user\AppData\Local\S8mrk1\SnippingTool.exe
            Source: C:\Windows\explorer.exeProcess created: C:\Windows\System32\raserver.exe C:\Windows\system32\raserver.exe
            Source: C:\Windows\explorer.exeProcess created: C:\Users\user\AppData\Local\eQL\raserver.exe C:\Users\user\AppData\Local\eQL\raserver.exe
            Source: C:\Windows\explorer.exeProcess created: C:\Windows\System32\ddodiag.exe C:\Windows\system32\ddodiag.exe
            Source: C:\Windows\explorer.exeProcess created: C:\Users\user\AppData\Local\Iz08tEz\ddodiag.exe C:\Users\user\AppData\Local\Iz08tEz\ddodiag.exe
            Source: C:\Windows\explorer.exeProcess created: C:\Windows\System32\dccw.exe C:\Windows\system32\dccw.exe
            Source: C:\Windows\explorer.exeProcess created: C:\Windows\System32\SppExtComObj.Exe C:\Windows\system32\SppExtComObj.Exe
            Source: C:\Windows\explorer.exeProcess created: C:\Users\user\AppData\Local\jYs4ma0u\SppExtComObj.Exe C:\Users\user\AppData\Local\jYs4ma0u\SppExtComObj.Exe
            Source: C:\Windows\explorer.exeProcess created: C:\Windows\System32\WMPDMC.exe C:\Windows\system32\WMPDMC.exe
            Source: C:\Windows\explorer.exeProcess created: C:\Users\user\AppData\Local\92ea6x\WMPDMC.exe C:\Users\user\AppData\Local\92ea6x\WMPDMC.exe
            Source: C:\Windows\explorer.exeProcess created: C:\Windows\System32\wscript.exe C:\Windows\system32\wscript.exe
            Source: C:\Windows\explorer.exeProcess created: C:\Users\user\AppData\Local\JFuMqIg\wscript.exe C:\Users\user\AppData\Local\JFuMqIg\wscript.exe
            Source: C:\Windows\explorer.exeProcess created: C:\Windows\System32\BdeUISrv.exe C:\Windows\system32\BdeUISrv.exe
            Source: C:\Windows\explorer.exeProcess created: C:\Users\user\AppData\Local\2lBRPi\BdeUISrv.exe C:\Users\user\AppData\Local\2lBRPi\BdeUISrv.exe
            Source: C:\Windows\System32\loaddll64.exeProcess created: C:\Windows\System32\cmd.exe cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\yWteP7e12z.dll',#1
            Source: C:\Windows\System32\loaddll64.exeProcess created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\yWteP7e12z.dll,BeginBufferedAnimation
            Source: C:\Windows\System32\loaddll64.exeProcess created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\yWteP7e12z.dll,BeginBufferedPaint
            Source: C:\Windows\System32\loaddll64.exeProcess created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\yWteP7e12z.dll,BeginPanningFeedback
            Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\yWteP7e12z.dll',#1
            Source: C:\Windows\explorer.exeProcess created: C:\Windows\System32\recdisc.exe C:\Windows\system32\recdisc.exe
            Source: C:\Windows\explorer.exeProcess created: C:\Windows\System32\SnippingTool.exe C:\Windows\system32\SnippingTool.exe
            Source: C:\Windows\explorer.exeProcess created: C:\Users\user\AppData\Local\S8mrk1\SnippingTool.exe C:\Users\user\AppData\Local\S8mrk1\SnippingTool.exe
            Source: C:\Windows\explorer.exeProcess created: C:\Windows\System32\raserver.exe C:\Windows\system32\raserver.exe
            Source: C:\Windows\explorer.exeProcess created: C:\Users\user\AppData\Local\eQL\raserver.exe C:\Users\user\AppData\Local\eQL\raserver.exe
            Source: C:\Windows\explorer.exeProcess created: C:\Windows\System32\ddodiag.exe C:\Windows\system32\ddodiag.exe
            Source: C:\Windows\explorer.exeProcess created: C:\Users\user\AppData\Local\Iz08tEz\ddodiag.exe C:\Users\user\AppData\Local\Iz08tEz\ddodiag.exe
            Source: C:\Windows\explorer.exeProcess created: C:\Windows\System32\dccw.exe C:\Windows\system32\dccw.exe
            Source: C:\Windows\explorer.exeProcess created: C:\Windows\System32\SppExtComObj.Exe C:\Windows\system32\SppExtComObj.Exe
            Source: C:\Windows\explorer.exeProcess created: C:\Users\user\AppData\Local\jYs4ma0u\SppExtComObj.Exe C:\Users\user\AppData\Local\jYs4ma0u\SppExtComObj.Exe
            Source: C:\Windows\explorer.exeProcess created: C:\Windows\System32\recdisc.exe C:\Windows\system32\recdisc.exe
            Source: C:\Windows\explorer.exeProcess created: C:\Users\user\AppData\Local\92ea6x\WMPDMC.exe C:\Users\user\AppData\Local\92ea6x\WMPDMC.exe
            Source: C:\Windows\explorer.exeProcess created: C:\Windows\System32\wscript.exe C:\Windows\system32\wscript.exe
            Source: C:\Windows\explorer.exeProcess created: C:\Users\user\AppData\Local\JFuMqIg\wscript.exe C:\Users\user\AppData\Local\JFuMqIg\wscript.exe
            Source: C:\Windows\explorer.exeProcess created: C:\Windows\System32\BdeUISrv.exe C:\Windows\system32\BdeUISrv.exe
            Source: C:\Windows\explorer.exeProcess created: C:\Users\user\AppData\Local\2lBRPi\BdeUISrv.exe C:\Users\user\AppData\Local\2lBRPi\BdeUISrv.exe
            Source: C:\Windows\explorer.exeProcess created: unknown unknown
            Source: C:\Windows\explorer.exeProcess created: unknown unknown
            Source: C:\Windows\explorer.exeProcess created: unknown unknown
            Source: C:\Windows\explorer.exeProcess created: unknown unknown
            Source: C:\Windows\explorer.exeProcess created: unknown unknown
            Source: C:\Windows\explorer.exeProcess created: unknown unknown
            Source: C:\Windows\explorer.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32
            Source: C:\Windows\explorer.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\CryptoJump to behavior
            Source: classification engineClassification label: mal100.troj.evad.winDLL@49/21@0/0
            Source: C:\Users\user\AppData\Local\S8mrk1\SnippingTool.exeCode function: 19_2_00007FF73D057E20 CoCreateInstance,
            Source: C:\Users\user\AppData\Local\JFuMqIg\wscript.exeCode function: 37_2_00007FF6E8926954 FormatMessageW,GetLastError,WideCharToMultiByte,WideCharToMultiByte,FormatMessageA,MultiByteToWideChar,LocalAlloc,MultiByteToWideChar,SysAllocString,LocalFree,LocalFree,
            Source: C:\Users\user\AppData\Local\2lBRPi\BdeUISrv.exeCode function: 41_2_00007FF6E6D664A0 OpenSCManagerW,GetLastError,OpenServiceW,GetLastError,QueryServiceStatus,StartServiceW,GetLastError,Sleep,QueryServiceStatus,GetLastError,CloseServiceHandle,CloseServiceHandle,
            Source: C:\Windows\System32\loaddll64.exeProcess created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\yWteP7e12z.dll,BeginBufferedAnimation
            Source: C:\Users\user\AppData\Local\2lBRPi\BdeUISrv.exeMutant created: \Sessions\1\BaseNamedObjects\{169aafc0-b674-dc63-e06b-2eae4586757b}
            Source: C:\Users\user\AppData\Local\2lBRPi\BdeUISrv.exeMutant created: \Sessions\1\BaseNamedObjects\{25f30cca-9195-545a-ce6a-753d20cd2cd4}
            Source: C:\Users\user\AppData\Local\S8mrk1\SnippingTool.exeCode function: 19_2_00007FF73D04C9A0 LoadResource,LockResource,SizeofResource,
            Source: SppExtComObj.ExeString found in binary or memory: msSPP-InstallationId
            Source: yWteP7e12z.dllStatic PE information: Image base 0x140000000 > 0x60000000
            Source: yWteP7e12z.dllStatic file information: File size 2105344 > 1048576
            Source: yWteP7e12z.dllStatic PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA
            Source: Binary string: SppExtComObj.pdb source: SppExtComObj.Exe, 00000020.00000000.480829026.00007FF7914D1000.00000002.00020000.sdmp
            Source: Binary string: wscript.pdbGCTL source: wscript.exe, 00000025.00000002.559644071.00007FF6E8935000.00000002.00020000.sdmp
            Source: Binary string: BdeUISrv.pdb source: BdeUISrv.exe, 00000029.00000000.561844612.00007FF6E6D69000.00000002.00020000.sdmp
            Source: Binary string: SnippingTool.pdb source: SnippingTool.exe, 00000013.00000000.393138580.00007FF73D070000.00000002.00020000.sdmp
            Source: Binary string: SnippingTool.pdbGCTL source: SnippingTool.exe, 00000013.00000000.393138580.00007FF73D070000.00000002.00020000.sdmp
            Source: Binary string: BdeUISrv.pdbGCTL source: BdeUISrv.exe, 00000029.00000000.561844612.00007FF6E6D69000.00000002.00020000.sdmp
            Source: Binary string: RAServer.pdb source: raserver.exe, 0000001A.00000000.421498383.00007FF74E123000.00000002.00020000.sdmp
            Source: Binary string: WMPDMC.pdbGCTL source: WMPDMC.exe, 00000022.00000000.507457464.00007FF67B6CD000.00000002.00020000.sdmp
            Source: Binary string: wscript.pdb source: wscript.exe, 00000025.00000002.559644071.00007FF6E8935000.00000002.00020000.sdmp
            Source: Binary string: SppExtComObj.pdbUGP source: SppExtComObj.Exe, 00000020.00000000.480829026.00007FF7914D1000.00000002.00020000.sdmp
            Source: Binary string: RAServer.pdbGCTL source: raserver.exe, 0000001A.00000000.421498383.00007FF74E123000.00000002.00020000.sdmp
            Source: Binary string: DDODiag.pdbGCTL source: ddodiag.exe, 0000001C.00000000.447876390.00007FF740984000.00000002.00020000.sdmp
            Source: Binary string: DDODiag.pdb source: ddodiag.exe, 0000001C.00000000.447876390.00007FF740984000.00000002.00020000.sdmp
            Source: Binary string: WMPDMC.pdb source: WMPDMC.exe, 00000022.00000000.507457464.00007FF67B6CD000.00000002.00020000.sdmp
            Source: C:\Windows\System32\loaddll64.exeCode function: 0_2_0000000140056A4D push rdi; ret
            Source: C:\Users\user\AppData\Local\jYs4ma0u\SppExtComObj.ExeCode function: 32_2_00007FF791478A2E push rax; iretd
            Source: C:\Users\user\AppData\Local\jYs4ma0u\SppExtComObj.ExeCode function: 32_2_00007FF791479AB9 push rsi; retf
            Source: C:\Users\user\AppData\Local\jYs4ma0u\SppExtComObj.ExeCode function: 32_2_00007FF7914791EA push 6826517Ch; retf
            Source: C:\Users\user\AppData\Local\jYs4ma0u\SppExtComObj.ExeCode function: 32_2_00007FF791479B37 push rcx; ret
            Source: yWteP7e12z.dll | Static PE information: section name: .qkm
            Source: yWteP7e12z.dll | Static PE information: section name: .cvjb
            Source: yWteP7e12z.dll | Static PE information: section name: .tlmkv
            Source: yWteP7e12z.dll | Static PE information: section name: .wucsxe
            Source: yWteP7e12z.dll | Static PE information: section name: .fltwtj
            Source: yWteP7e12z.dll | Static PE information: section name: .sfplio
            Source: yWteP7e12z.dll | Static PE information: section name: .rpg
            Source: yWteP7e12z.dll | Static PE information: section name: .bewzc
            Source: yWteP7e12z.dll | Static PE information: section name: .vksvaw
            Source: yWteP7e12z.dll | Static PE information: section name: .wmhg
            Source: yWteP7e12z.dll | Static PE information: section name: .kswemc
            Source: yWteP7e12z.dll | Static PE information: section name: .kaxfk
            Source: yWteP7e12z.dll | Static PE information: section name: .wualk
            Source: yWteP7e12z.dll | Static PE information: section name: .qwqp
            Source: yWteP7e12z.dll | Static PE information: section name: .txp
            Source: yWteP7e12z.dll | Static PE information: section name: .ezxpm
            Source: yWteP7e12z.dll | Static PE information: section name: .kdkmc
            Source: yWteP7e12z.dll | Static PE information: section name: .vwqjj
            Source: yWteP7e12z.dll | Static PE information: section name: .ute
            Source: yWteP7e12z.dll | Static PE information: section name: .hzotrb
            Source: yWteP7e12z.dll | Static PE information: section name: .mkb
            Source: yWteP7e12z.dll | Static PE information: section name: .plbi
            Source: yWteP7e12z.dll | Static PE information: section name: .dmwl
            Source: yWteP7e12z.dll | Static PE information: section name: .qorltm
            Source: yWteP7e12z.dll | Static PE information: section name: .ubg
            Source: yWteP7e12z.dll | Static PE information: section name: .lhm
            Source: yWteP7e12z.dll | Static PE information: section name: .wojiyd
            Source: yWteP7e12z.dll | Static PE information: section name: .ekv
            Source: yWteP7e12z.dll | Static PE information: section name: .vmf
            Source: yWteP7e12z.dll | Static PE information: section name: .rqv
            Source: yWteP7e12z.dll | Static PE information: section name: .rseab
            Source: yWteP7e12z.dll | Static PE information: section name: .pxtlo
            Source: yWteP7e12z.dll | Static PE information: section name: .nri
            Source: yWteP7e12z.dll | Static PE information: section name: .fcbpa
            Source: raserver.exe.5.dr | Static PE information: section name: .didat
            Source: WMPDMC.exe.5.dr | Static PE information: section name: .didat
            Source: MusNotifyIcon.exe.5.dr | Static PE information: section name: .didat
            Source: OLEACC.dll.5.dr | Static PE information: section name: .qkm
            Source: OLEACC.dll.5.dr | Static PE information: section name: .cvjb
            Source: OLEACC.dll.5.dr | Static PE information: section name: .tlmkv
            Source: OLEACC.dll.5.dr | Static PE information: section name: .wucsxe
            Source: OLEACC.dll.5.dr | Static PE information: section name: .fltwtj
            Source: OLEACC.dll.5.dr | Static PE information: section name: .sfplio
            Source: OLEACC.dll.5.dr | Static PE information: section name: .rpg
            Source: OLEACC.dll.5.dr | Static PE information: section name: .bewzc
            Source: OLEACC.dll.5.dr | Static PE information: section name: .vksvaw
            Source: OLEACC.dll.5.dr | Static PE information: section name: .wmhg
            Source: OLEACC.dll.5.dr | Static PE information: section name: .kswemc
            Source: OLEACC.dll.5.dr | Static PE information: section name: .kaxfk
            Source: OLEACC.dll.5.dr | Static PE information: section name: .wualk
            Source: OLEACC.dll.5.dr | Static PE information: section name: .qwqp
            Source: OLEACC.dll.5.dr | Static PE information: section name: .txp
            Source: OLEACC.dll.5.dr | Static PE information: section name: .ezxpm
            Source: OLEACC.dll.5.dr | Static PE information: section name: .kdkmc
            Source: OLEACC.dll.5.dr | Static PE information: section name: .vwqjj
            Source: OLEACC.dll.5.dr | Static PE information: section name: .ute
            Source: OLEACC.dll.5.dr | Static PE information: section name: .hzotrb
            Source: OLEACC.dll.5.dr | Static PE information: section name: .mkb
            Source: OLEACC.dll.5.dr | Static PE information: section name: .plbi
            Source: OLEACC.dll.5.dr | Static PE information: section name: .dmwl
            Source: OLEACC.dll.5.dr | Static PE information: section name: .qorltm
            Source: OLEACC.dll.5.dr | Static PE information: section name: .ubg
            Source: OLEACC.dll.5.dr | Static PE information: section name: .lhm
            Source: OLEACC.dll.5.dr | Static PE information: section name: .wojiyd
            Source: OLEACC.dll.5.dr | Static PE information: section name: .ekv
            Source: OLEACC.dll.5.dr | Static PE information: section name: .vmf
            Source: OLEACC.dll.5.dr | Static PE information: section name: .rqv
            Source: OLEACC.dll.5.dr | Static PE information: section name: .rseab
            Source: OLEACC.dll.5.dr | Static PE information: section name: .pxtlo
            Source: OLEACC.dll.5.dr | Static PE information: section name: .nri
            Source: OLEACC.dll.5.dr | Static PE information: section name: .fcbpa
            Source: OLEACC.dll.5.dr | Static PE information: section name: .ciqu
            Source: WTSAPI32.dll.5.dr | Static PE information: section name: .qkm
            Source: WTSAPI32.dll.5.dr | Static PE information: section name: .cvjb
            Source: WTSAPI32.dll.5.dr | Static PE information: section name: .tlmkv
            Source: WTSAPI32.dll.5.dr | Static PE information: section name: .wucsxe
            Source: WTSAPI32.dll.5.dr | Static PE information: section name: .fltwtj
            Source: WTSAPI32.dll.5.dr | Static PE information: section name: .sfplio
            Source: WTSAPI32.dll.5.dr | Static PE information: section name: .rpg
            Source: WTSAPI32.dll.5.dr | Static PE information: section name: .bewzc
            Source: WTSAPI32.dll.5.dr | Static PE information: section name: .vksvaw
            Source: WTSAPI32.dll.5.dr | Static PE information: section name: .wmhg
            Source: WTSAPI32.dll.5.dr | Static PE information: section name: .kswemc
            Source: WTSAPI32.dll.5.dr | Static PE information: section name: .kaxfk
            Source: WTSAPI32.dll.5.dr | Static PE information: section name: .wualk
            Source: WTSAPI32.dll.5.dr | Static PE information: section name: .qwqp
            Source: WTSAPI32.dll.5.dr | Static PE information: section name: .txp
            Source: WTSAPI32.dll.5.dr | Static PE information: section name: .ezxpm
            Source: WTSAPI32.dll.5.dr | Static PE information: section name: .kdkmc
            Source: WTSAPI32.dll.5.dr | Static PE information: section name: .vwqjj
            Source: WTSAPI32.dll.5.dr | Static PE information: section name: .ute
            Source: WTSAPI32.dll.5.dr | Static PE information: section name: .hzotrb
            Source: WTSAPI32.dll.5.dr | Static PE information: section name: .mkb
            Source: WTSAPI32.dll.5.dr | Static PE information: section name: .plbi
            Source: WTSAPI32.dll.5.dr | Static PE information: section name: .dmwl
            Source: WTSAPI32.dll.5.dr | Static PE information: section name: .qorltm
            Source: WTSAPI32.dll.5.dr | Static PE information: section name: .ubg
            Source: WTSAPI32.dll.5.dr | Static PE information: section name: .lhm
            Source: WTSAPI32.dll.5.dr | Static PE information: section name: .wojiyd
            Source: WTSAPI32.dll.5.dr | Static PE information: section name: .ekv
            Source: WTSAPI32.dll.5.dr | Static PE information: section name: .vmf
            Source: WTSAPI32.dll.5.dr | Static PE information: section name: .rqv
            Source: WTSAPI32.dll.5.dr | Static PE information: section name: .rseab
            Source: WTSAPI32.dll.5.dr | Static PE information: section name: .pxtlo
            Source: WTSAPI32.dll.5.dr | Static PE information: section name: .nri
            Source: WTSAPI32.dll.5.dr | Static PE information: section name: .fcbpa
            Source: WTSAPI32.dll.5.dr | Static PE information: section name: .wwwa
            Source: XmlLite.dll.5.dr | Static PE information: section name: .qkm
            Source: XmlLite.dll.5.dr | Static PE information: section name: .cvjb
            Source: XmlLite.dll.5.dr | Static PE information: section name: .tlmkv
            Source: XmlLite.dll.5.dr | Static PE information: section name: .wucsxe
            Source: XmlLite.dll.5.dr | Static PE information: section name: .fltwtj
            Source: XmlLite.dll.5.dr | Static PE information: section name: .sfplio
            Source: XmlLite.dll.5.dr | Static PE information: section name: .rpg
            Source: XmlLite.dll.5.dr | Static PE information: section name: .bewzc
            Source: XmlLite.dll.5.dr | Static PE information: section name: .vksvaw
            Source: XmlLite.dll.5.dr | Static PE information: section name: .wmhg
            Source: XmlLite.dll.5.dr | Static PE information: section name: .kswemc
            Source: XmlLite.dll.5.dr | Static PE information: section name: .kaxfk
            Source: XmlLite.dll.5.dr | Static PE information: section name: .wualk
            Source: XmlLite.dll.5.dr | Static PE information: section name: .qwqp
            Source: XmlLite.dll.5.dr | Static PE information: section name: .txp
            Source: XmlLite.dll.5.dr | Static PE information: section name: .ezxpm
            Source: XmlLite.dll.5.dr | Static PE information: section name: .kdkmc
            Source: XmlLite.dll.5.dr | Static PE information: section name: .vwqjj
            Source: XmlLite.dll.5.dr | Static PE information: section name: .ute
            Source: XmlLite.dll.5.dr | Static PE information: section name: .hzotrb
            Source: XmlLite.dll.5.dr | Static PE information: section name: .mkb
            Source: XmlLite.dll.5.dr | Static PE information: section name: .plbi
            Source: XmlLite.dll.5.dr | Static PE information: section name: .dmwl
            Source: XmlLite.dll.5.dr | Static PE information: section name: .qorltm
            Source: XmlLite.dll.5.dr | Static PE information: section name: .ubg
            Source: XmlLite.dll.5.dr | Static PE information: section name: .lhm
            Source: XmlLite.dll.5.dr | Static PE information: section name: .wojiyd
            Source: XmlLite.dll.5.dr | Static PE information: section name: .ekv
            Source: XmlLite.dll.5.dr | Static PE information: section name: .vmf
            Source: XmlLite.dll.5.dr | Static PE information: section name: .rqv
            Source: XmlLite.dll.5.dr | Static PE information: section name: .rseab
            Source: XmlLite.dll.5.dr | Static PE information: section name: .pxtlo
            Source: XmlLite.dll.5.dr | Static PE information: section name: .nri
            Source: XmlLite.dll.5.dr | Static PE information: section name: .fcbpa
            Source: XmlLite.dll.5.dr | Static PE information: section name: .kwig
            Source: ACTIVEDS.dll.5.dr | Static PE information: section name: .qkm
            Source: ACTIVEDS.dll.5.dr | Static PE information: section name: .cvjb
            Source: ACTIVEDS.dll.5.dr | Static PE information: section name: .tlmkv
            Source: ACTIVEDS.dll.5.dr | Static PE information: section name: .wucsxe
            Source: ACTIVEDS.dll.5.dr | Static PE information: section name: .fltwtj
            Source: ACTIVEDS.dll.5.dr | Static PE information: section name: .sfplio
            Source: ACTIVEDS.dll.5.dr | Static PE information: section name: .rpg
            Source: ACTIVEDS.dll.5.dr | Static PE information: section name: .bewzc
            Source: ACTIVEDS.dll.5.dr | Static PE information: section name: .vksvaw
            Source: ACTIVEDS.dll.5.dr | Static PE information: section name: .wmhg
            Source: ACTIVEDS.dll.5.dr | Static PE information: section name: .kswemc
            Source: ACTIVEDS.dll.5.dr | Static PE information: section name: .kaxfk
            Source: ACTIVEDS.dll.5.dr | Static PE information: section name: .wualk
            Source: ACTIVEDS.dll.5.dr | Static PE information: section name: .qwqp
            Source: ACTIVEDS.dll.5.dr | Static PE information: section name: .txp
            Source: ACTIVEDS.dll.5.dr | Static PE information: section name: .ezxpm
            Source: ACTIVEDS.dll.5.dr | Static PE information: section name: .kdkmc
            Source: ACTIVEDS.dll.5.dr | Static PE information: section name: .vwqjj
            Source: ACTIVEDS.dll.5.dr | Static PE information: section name: .ute
            Source: ACTIVEDS.dll.5.dr | Static PE information: section name: .hzotrb
            Source: ACTIVEDS.dll.5.dr | Static PE information: section name: .mkb
            Source: ACTIVEDS.dll.5.dr | Static PE information: section name: .plbi
            Source: ACTIVEDS.dll.5.dr | Static PE information: section name: .dmwl
            Source: ACTIVEDS.dll.5.dr | Static PE information: section name: .qorltm
            Source: ACTIVEDS.dll.5.dr | Static PE information: section name: .ubg
            Source: ACTIVEDS.dll.5.dr | Static PE information: section name: .lhm
            Source: ACTIVEDS.dll.5.dr | Static PE information: section name: .wojiyd
            Source: ACTIVEDS.dll.5.dr | Static PE information: section name: .ekv
            Source: ACTIVEDS.dll.5.dr | Static PE information: section name: .vmf
            Source: ACTIVEDS.dll.5.dr | Static PE information: section name: .rqv
            Source: ACTIVEDS.dll.5.dr | Static PE information: section name: .rseab
            Source: ACTIVEDS.dll.5.dr | Static PE information: section name: .pxtlo
            Source: ACTIVEDS.dll.5.dr | Static PE information: section name: .nri
            Source: ACTIVEDS.dll.5.dr | Static PE information: section name: .fcbpa
            Source: ACTIVEDS.dll.5.dr | Static PE information: section name: .pemb
            Source: SppExtComObj.Exe.5.dr | Static PE information: section name: ?g_Encry
            Source: OLEACC.dll0.5.dr | Static PE information: section name: .qkm
            Source: OLEACC.dll0.5.dr | Static PE information: section name: .cvjb
            Source: OLEACC.dll0.5.dr | Static PE information: section name: .tlmkv
            Source: OLEACC.dll0.5.dr | Static PE information: section name: .wucsxe
            Source: OLEACC.dll0.5.dr | Static PE information: section name: .fltwtj
            Source: OLEACC.dll0.5.dr | Static PE information: section name: .sfplio
            Source: OLEACC.dll0.5.dr | Static PE information: section name: .rpg
            Source: OLEACC.dll0.5.dr | Static PE information: section name: .bewzc
            Source: OLEACC.dll0.5.dr | Static PE information: section name: .vksvaw
            Source: OLEACC.dll0.5.dr | Static PE information: section name: .wmhg
            Source: OLEACC.dll0.5.dr | Static PE information: section name: .kswemc
            Source: OLEACC.dll0.5.dr | Static PE information: section name: .kaxfk
            Source: OLEACC.dll0.5.dr | Static PE information: section name: .wualk
            Source: OLEACC.dll0.5.dr | Static PE information: section name: .qwqp
            Source: OLEACC.dll0.5.dr | Static PE information: section name: .txp
            Source: OLEACC.dll0.5.dr | Static PE information: section name: .ezxpm
            Source: OLEACC.dll0.5.dr | Static PE information: section name: .kdkmc
            Source: OLEACC.dll0.5.dr | Static PE information: section name: .vwqjj
            Source: OLEACC.dll0.5.dr | Static PE information: section name: .ute
            Source: OLEACC.dll0.5.dr | Static PE information: section name: .hzotrb
            Source: OLEACC.dll0.5.dr | Static PE information: section name: .mkb
            Source: OLEACC.dll0.5.dr | Static PE information: section name: .plbi
            Source: OLEACC.dll0.5.dr | Static PE information: section name: .dmwl
            Source: OLEACC.dll0.5.dr | Static PE information: section name: .qorltm
            Source: OLEACC.dll0.5.dr | Static PE information: section name: .ubg
            Source: OLEACC.dll0.5.dr | Static PE information: section name: .lhm
            Source: OLEACC.dll0.5.dr | Static PE information: section name: .wojiyd
            Source: OLEACC.dll0.5.dr | Static PE information: section name: .ekv
            Source: OLEACC.dll0.5.dr | Static PE information: section name: .vmf
            Source: OLEACC.dll0.5.dr | Static PE information: section name: .rqv
            Source: OLEACC.dll0.5.dr | Static PE information: section name: .rseab
            Source: OLEACC.dll0.5.dr | Static PE information: section name: .pxtlo
            Source: OLEACC.dll0.5.dr | Static PE information: section name: .nri
            Source: OLEACC.dll0.5.dr | Static PE information: section name: .fcbpa
            Source: OLEACC.dll0.5.dr | Static PE information: section name: .kmhbw
            Source: VERSION.dll.5.dr | Static PE information: section name: .qkm
            Source: VERSION.dll.5.dr | Static PE information: section name: .cvjb
            Source: VERSION.dll.5.dr | Static PE information: section name: .tlmkv
            Source: VERSION.dll.5.dr | Static PE information: section name: .wucsxe
            Source: VERSION.dll.5.dr | Static PE information: section name: .fltwtj
            Source: VERSION.dll.5.dr | Static PE information: section name: .sfplio
            Source: VERSION.dll.5.dr | Static PE information: section name: .rpg
            Source: VERSION.dll.5.dr | Static PE information: section name: .bewzc
            Source: VERSION.dll.5.dr | Static PE information: section name: .vksvaw
            Source: VERSION.dll.5.dr | Static PE information: section name: .wmhg
            Source: VERSION.dll.5.dr | Static PE information: section name: .kswemc
            Source: VERSION.dll.5.dr | Static PE information: section name: .kaxfk
            Source: VERSION.dll.5.dr | Static PE information: section name: .wualk
            Source: VERSION.dll.5.dr | Static PE information: section name: .qwqp
            Source: VERSION.dll.5.dr | Static PE information: section name: .txp
            Source: VERSION.dll.5.dr | Static PE information: section name: .ezxpm
            Source: VERSION.dll.5.dr | Static PE information: section name: .kdkmc
            Source: VERSION.dll.5.dr | Static PE information: section name: .vwqjj
            Source: VERSION.dll.5.dr | Static PE information: section name: .ute
            Source: VERSION.dll.5.dr | Static PE information: section name: .hzotrb
            Source: VERSION.dll.5.dr | Static PE information: section name: .mkb
            Source: VERSION.dll.5.dr | Static PE information: section name: .plbi
            Source: VERSION.dll.5.dr | Static PE information: section name: .dmwl
            Source: VERSION.dll.5.dr | Static PE information: section name: .qorltm
            Source: VERSION.dll.5.dr | Static PE information: section name: .ubg
            Source: VERSION.dll.5.dr | Static PE information: section name: .lhm
            Source: VERSION.dll.5.dr | Static PE information: section name: .wojiyd
            Source: VERSION.dll.5.dr | Static PE information: section name: .ekv
            Source: VERSION.dll.5.dr | Static PE information: section name: .vmf
            Source: VERSION.dll.5.dr | Static PE information: section name: .rqv
            Source: VERSION.dll.5.dr | Static PE information: section name: .rseab
            Source: VERSION.dll.5.dr | Static PE information: section name: .pxtlo
            Source: VERSION.dll.5.dr | Static PE information: section name: .nri
            Source: VERSION.dll.5.dr | Static PE information: section name: .fcbpa
            Source: VERSION.dll.5.dr | Static PE information: section name: .oeep
            Source: WTSAPI32.dll0.5.dr | Static PE information: section name: .qkm
            Source: WTSAPI32.dll0.5.dr | Static PE information: section name: .cvjb
            Source: WTSAPI32.dll0.5.dr | Static PE information: section name: .tlmkv
            Source: WTSAPI32.dll0.5.dr | Static PE information: section name: .wucsxe
            Source: WTSAPI32.dll0.5.dr | Static PE information: section name: .fltwtj
            Source: WTSAPI32.dll0.5.dr | Static PE information: section name: .sfplio
            Source: WTSAPI32.dll0.5.dr | Static PE information: section name: .rpg
            Source: WTSAPI32.dll0.5.dr | Static PE information: section name: .bewzc
            Source: WTSAPI32.dll0.5.dr | Static PE information: section name: .vksvaw
            Source: WTSAPI32.dll0.5.dr | Static PE information: section name: .wmhg
            Source: WTSAPI32.dll0.5.dr | Static PE information: section name: .kswemc
            Source: WTSAPI32.dll0.5.dr | Static PE information: section name: .kaxfk
            Source: WTSAPI32.dll0.5.dr | Static PE information: section name: .wualk
            Source: WTSAPI32.dll0.5.dr | Static PE information: section name: .qwqp
            Source: WTSAPI32.dll0.5.dr | Static PE information: section name: .txp
            Source: WTSAPI32.dll0.5.dr | Static PE information: section name: .ezxpm
            Source: WTSAPI32.dll0.5.dr | Static PE information: section name: .kdkmc
            Source: WTSAPI32.dll0.5.dr | Static PE information: section name: .vwqjj
            Source: WTSAPI32.dll0.5.dr | Static PE information: section name: .ute
            Source: WTSAPI32.dll0.5.dr | Static PE information: section name: .hzotrb
            Source: WTSAPI32.dll0.5.dr | Static PE information: section name: .mkb
            Source: WTSAPI32.dll0.5.dr | Static PE information: section name: .plbi
            Source: WTSAPI32.dll0.5.dr | Static PE information: section name: .dmwl
            Source: WTSAPI32.dll0.5.dr | Static PE information: section name: .qorltm
            Source: WTSAPI32.dll0.5.dr | Static PE information: section name: .ubg
            Source: WTSAPI32.dll0.5.dr | Static PE information: section name: .lhm
            Source: WTSAPI32.dll0.5.dr | Static PE information: section name: .wojiyd
            Source: WTSAPI32.dll0.5.dr | Static PE information: section name: .ekv
            Source: WTSAPI32.dll0.5.dr | Static PE information: section name: .vmf
            Source: WTSAPI32.dll0.5.dr | Static PE information: section name: .rqv
            Source: WTSAPI32.dll0.5.dr | Static PE information: section name: .rseab
            Source: WTSAPI32.dll0.5.dr | Static PE information: section name: .pxtlo
            Source: WTSAPI32.dll0.5.dr | Static PE information: section name: .nri
            Source: WTSAPI32.dll0.5.dr | Static PE information: section name: .fcbpa
            Source: WTSAPI32.dll0.5.dr | Static PE information: section name: .ugx
            Source: XmlLite.dll0.5.dr | Static PE information: section name: .qkm
            Source: XmlLite.dll0.5.dr | Static PE information: section name: .cvjb
            Source: XmlLite.dll0.5.dr | Static PE information: section name: .tlmkv
            Source: XmlLite.dll0.5.dr | Static PE information: section name: .wucsxe
            Source: XmlLite.dll0.5.dr | Static PE information: section name: .fltwtj
            Source: XmlLite.dll0.5.dr | Static PE information: section name: .sfplio
            Source: XmlLite.dll0.5.dr | Static PE information: section name: .rpg
            Source: XmlLite.dll0.5.dr | Static PE information: section name: .bewzc
            Source: XmlLite.dll0.5.dr | Static PE information: section name: .vksvaw
            Source: XmlLite.dll0.5.dr | Static PE information: section name: .wmhg
            Source: XmlLite.dll0.5.dr | Static PE information: section name: .kswemc
            Source: XmlLite.dll0.5.dr | Static PE information: section name: .kaxfk
            Source: XmlLite.dll0.5.dr | Static PE information: section name: .wualk
            Source: XmlLite.dll0.5.dr | Static PE information: section name: .qwqp
            Source: XmlLite.dll0.5.dr | Static PE information: section name: .txp
            Source: XmlLite.dll0.5.dr | Static PE information: section name: .ezxpm
            Source: XmlLite.dll0.5.dr | Static PE information: section name: .kdkmc
            Source: XmlLite.dll0.5.dr | Static PE information: section name: .vwqjj
            Source: XmlLite.dll0.5.dr | Static PE information: section name: .ute
            Source: XmlLite.dll0.5.dr | Static PE information: section name: .hzotrb
            Source: XmlLite.dll0.5.dr | Static PE information: section name: .mkb
            Source: XmlLite.dll0.5.dr | Static PE information: section name: .plbi
            Source: XmlLite.dll0.5.dr | Static PE information: section name: .dmwl
            Source: XmlLite.dll0.5.dr | Static PE information: section name: .qorltm
            Source: XmlLite.dll0.5.dr | Static PE information: section name: .ubg
            Source: XmlLite.dll0.5.dr | Static PE information: section name: .lhm
            Source: XmlLite.dll0.5.dr | Static PE information: section name: .wojiyd
            Source: XmlLite.dll0.5.dr | Static PE information: section name: .ekv
            Source: XmlLite.dll0.5.dr | Static PE information: section name: .vmf
            Source: XmlLite.dll0.5.dr | Static PE information: section name: .rqv
            Source: XmlLite.dll0.5.dr | Static PE information: section name: .rseab
            Source: XmlLite.dll0.5.dr | Static PE information: section name: .pxtlo
            Source: XmlLite.dll0.5.dr | Static PE information: section name: .nri
            Source: XmlLite.dll0.5.dr | Static PE information: section name: .fcbpa
            Source: XmlLite.dll0.5.dr | Static PE information: section name: .htvhcf
            Source: OLEACC.dll1.5.dr | Static PE information: section name: .qkm
            Source: OLEACC.dll1.5.dr | Static PE information: section name: .cvjb
            Source: OLEACC.dll1.5.dr | Static PE information: section name: .tlmkv
            Source: OLEACC.dll1.5.dr | Static PE information: section name: .wucsxe
            Source: OLEACC.dll1.5.dr | Static PE information: section name: .fltwtj
            Source: OLEACC.dll1.5.dr | Static PE information: section name: .sfplio
            Source: OLEACC.dll1.5.dr | Static PE information: section name: .rpg
            Source: OLEACC.dll1.5.dr | Static PE information: section name: .bewzc
            Source: OLEACC.dll1.5.dr | Static PE information: section name: .vksvaw
            Source: OLEACC.dll1.5.dr | Static PE information: section name: .wmhg
            Source: OLEACC.dll1.5.dr | Static PE information: section name: .kswemc
            Source: OLEACC.dll1.5.dr | Static PE information: section name: .kaxfk
            Source: OLEACC.dll1.5.dr | Static PE information: section name: .wualk
            Source: OLEACC.dll1.5.dr | Static PE information: section name: .qwqp
            Source: OLEACC.dll1.5.dr | Static PE information: section name: .txp
            Source: OLEACC.dll1.5.dr | Static PE information: section name: .ezxpm
            Source: OLEACC.dll1.5.dr | Static PE information: section name: .kdkmc
            Source: OLEACC.dll1.5.dr | Static PE information: section name: .vwqjj
            Source: OLEACC.dll1.5.dr | Static PE information: section name: .ute
            Source: OLEACC.dll1.5.dr | Static PE information: section name: .hzotrb
            Source: OLEACC.dll1.5.dr | Static PE information: section name: .mkb
            Source: OLEACC.dll1.5.dr | Static PE information: section name: .plbi
            Source: OLEACC.dll1.5.dr | Static PE information: section name: .dmwl
            Source: OLEACC.dll1.5.dr | Static PE information: section name: .qorltm
            Source: OLEACC.dll1.5.dr | Static PE information: section name: .ubg
            Source: OLEACC.dll1.5.dr | Static PE information: section name: .lhm
            Source: OLEACC.dll1.5.dr | Static PE information: section name: .wojiyd
            Source: OLEACC.dll1.5.dr | Static PE information: section name: .ekv
            Source: OLEACC.dll1.5.dr | Static PE information: section name: .vmf
            Source: OLEACC.dll1.5.dr | Static PE information: section name: .rqv
            Source: OLEACC.dll1.5.dr | Static PE information: section name: .rseab
            Source: OLEACC.dll1.5.dr | Static PE information: section name: .pxtlo
            Source: OLEACC.dll1.5.dr | Static PE information: section name: .nri
            Source: OLEACC.dll1.5.dr | Static PE information: section name: .fcbpa
            Source: OLEACC.dll1.5.dr | Static PE information: section name: .xtmp
            Source: XmlLite.dll1.5.dr | Static PE information: section name: .qkm
            Source: XmlLite.dll1.5.dr | Static PE information: section name: .cvjb
            Source: XmlLite.dll1.5.dr | Static PE information: section name: .tlmkv
            Source: XmlLite.dll1.5.dr | Static PE information: section name: .wucsxe
            Source: XmlLite.dll1.5.dr | Static PE information: section name: .fltwtj
            Source: XmlLite.dll1.5.dr | Static PE information: section name: .sfplio
            Source: XmlLite.dll1.5.dr | Static PE information: section name: .rpg
            Source: XmlLite.dll1.5.dr | Static PE information: section name: .bewzc
            Source: XmlLite.dll1.5.dr | Static PE information: section name: .vksvaw
            Source: XmlLite.dll1.5.dr | Static PE information: section name: .wmhg
            Source: XmlLite.dll1.5.dr | Static PE information: section name: .kswemc
            Source: XmlLite.dll1.5.dr | Static PE information: section name: .kaxfk
            Source: XmlLite.dll1.5.dr | Static PE information: section name: .wualk
            Source: XmlLite.dll1.5.dr | Static PE information: section name: .qwqp
            Source: XmlLite.dll1.5.dr | Static PE information: section name: .txp
            Source: XmlLite.dll1.5.dr | Static PE information: section name: .ezxpm
            Source: XmlLite.dll1.5.dr | Static PE information: section name: .kdkmc
            Source: XmlLite.dll1.5.dr | Static PE information: section name: .vwqjj
            Source: XmlLite.dll1.5.dr | Static PE information: section name: .ute
            Source: XmlLite.dll1.5.dr | Static PE information: section name: .hzotrb
            Source: XmlLite.dll1.5.dr | Static PE information: section name: .mkb
            Source: XmlLite.dll1.5.dr | Static PE information: section name: .plbi
            Source: XmlLite.dll1.5.dr | Static PE information: section name: .dmwl
            Source: XmlLite.dll1.5.dr | Static PE information: section name: .qorltm
            Source: XmlLite.dll1.5.dr | Static PE information: section name: .ubg
            Source: XmlLite.dll1.5.dr | Static PE information: section name: .lhm
            Source: XmlLite.dll1.5.dr | Static PE information: section name: .wojiyd
            Source: XmlLite.dll1.5.dr | Static PE information: section name: .ekv
            Source: XmlLite.dll1.5.dr | Static PE information: section name: .vmf
            Source: XmlLite.dll1.5.dr | Static PE information: section name: .rqv
            Source: XmlLite.dll1.5.dr | Static PE information: section name: .rseab
            Source: XmlLite.dll1.5.dr | Static PE information: section name: .pxtlo
            Source: XmlLite.dll1.5.dr | Static PE information: section name: .nri
            Source: XmlLite.dll1.5.dr | Static PE information: section name: .fcbpa
            Source: XmlLite.dll1.5.dr | Static PE information: section name: .gbpuqn
            Source: C:\Users\user\AppData\Local\eQL\raserver.exe | Code function: 26_2_00007FF74E1183E0 LoadLibraryW,GetProcAddress,GetProcAddress,WTSEnumerateSessionsW,GetProcessHeap,HeapAlloc,WTSFreeMemory,WTSFreeMemory,WTSQuerySessionInformationW,WTSQuerySessionInformationW,StrCmpIW,GetProcessHeap,HeapAlloc,SafeArrayCreateVector,SafeArrayAccessData,SysAllocString,SafeArrayUnaccessData,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,WTSFreeMemory,WTSFreeMemory,WTSFreeMemory,SafeArrayDestroy,SysFreeString,
            Source: yWteP7e12z.dll | Static PE information: real checksum: 0x7d786c40 should be: 0x208f5c
            Source: ACTIVEDS.dll.5.dr | Static PE information: real checksum: 0x7d786c40 should be: 0x20e14e
            Source: WTSAPI32.dll.5.dr | Static PE information: real checksum: 0x7d786c40 should be: 0x2040a8
            Source: OLEACC.dll1.5.dr | Static PE information: real checksum: 0x7d786c40 should be: 0x20e541
            Source: VERSION.dll.5.dr | Static PE information: real checksum: 0x7d786c40 should be: 0x2120a4
            Source: XmlLite.dll1.5.dr | Static PE information: real checksum: 0x7d786c40 should be: 0x2053cb
            Source: XmlLite.dll0.5.dr | Static PE information: real checksum: 0x7d786c40 should be: 0x20bbcb
            Source: XmlLite.dll.5.dr | Static PE information: real checksum: 0x7d786c40 should be: 0x209517
            Source: OLEACC.dll0.5.dr | Static PE information: real checksum: 0x7d786c40 should be: 0x20a1b8
            Source: OLEACC.dll.5.dr | Static PE information: real checksum: 0x7d786c40 should be: 0x2065b2
            Source: WTSAPI32.dll0.5.dr | Static PE information: real checksum: 0x7d786c40 should be: 0x20419e
            Source: raserver.exe.5.dr | Static PE information: 0xEBE25ACA [Sun May 29 04:02:18 2095 UTC]
            Source: initial sample | Static PE information: section name: .text entropy: 7.73364605679
            Source: initial sample | Static PE information: section name: .text entropy: 7.73364605679
            Source: initial sample | Static PE information: section name: .text entropy: 7.73364605679
            Source: initial sample | Static PE information: section name: .text entropy: 7.73364605679
            Source: initial sample | Static PE information: section name: .text entropy: 7.73364605679
            Source: initial sample | Static PE information: section name: .text entropy: 7.59477523886
            Source: initial sample | Static PE information: section name: .text entropy: 7.73364605679
            Source: initial sample | Static PE information: section name: .text entropy: 7.73364605679
            Source: initial sample | Static PE information: section name: .text entropy: 7.73364605679
            Source: initial sample | Static PE information: section name: .text entropy: 7.73364605679
            Source: initial sample | Static PE information: section name: .text entropy: 7.73364605679
            Source: initial sample | Static PE information: section name: .text entropy: 7.73364605679
            Source: C:\Windows\explorer.exe | File created: C:\Users\user\AppData\Local\92ea6x\WMPDMC.exe
            Source: C:\Windows\explorer.exe | File created: C:\Users\user\AppData\Local\yoY8Y\XmlLite.dll
            Source: C:\Windows\explorer.exe | File created: C:\Users\user\AppData\Local\yoY8Y\ddodiag.exe
            Source: C:\Windows\explorer.exe | File created: C:\Users\user\AppData\Local\S8mrk1\SnippingTool.exe
            Source: C:\Windows\explorer.exe | File created: C:\Users\user\AppData\Local\eQL\raserver.exe
            Source: C:\Windows\explorer.exe | File created: C:\Users\user\AppData\Local\S8mrk1\OLEACC.dll
            Source: C:\Windows\explorer.exe | File created: C:\Users\user\AppData\Local\eQL\WTSAPI32.dll
            Source: C:\Windows\explorer.exe | File created: C:\Users\user\AppData\Local\92ea6x\OLEACC.dll
            Source: C:\Windows\explorer.exe | File created: C:\Users\user\AppData\Local\Iz08tEz\ddodiag.exe
            Source: C:\Windows\explorer.exe | File created: C:\Users\user\AppData\Local\JFuMqIg\VERSION.dll
            Source: C:\Windows\explorer.exe | File created: C:\Users\user\AppData\Local\7YI8zy\OLEACC.dll
            Source: C:\Windows\explorer.exe | File created: C:\Users\user\AppData\Local\2Pnr0hm64\XmlLite.dll
            Source: C:\Windows\explorer.exe | File created: C:\Users\user\AppData\Local\2lBRPi\BdeUISrv.exe
            Source: C:\Windows\explorer.exe | File created: C:\Users\user\AppData\Local\2Pnr0hm64\MusNotifyIcon.exe
            Source: C:\Windows\explorer.exe | File created: C:\Users\user\AppData\Local\jYs4ma0u\ACTIVEDS.dll
            Source: C:\Windows\explorer.exe | File created: C:\Users\user\AppData\Local\Iz08tEz\XmlLite.dll
            Source: C:\Windows\explorer.exe | File created: C:\Users\user\AppData\Local\JFuMqIg\wscript.exe
            Source: C:\Windows\explorer.exe | File created: C:\Users\user\AppData\Local\jYs4ma0u\SppExtComObj.Exe
            Source: C:\Windows\explorer.exe | File created: C:\Users\user\AppData\Local\7YI8zy\sethc.exe
            Source: C:\Windows\explorer.exe | File created: C:\Users\user\AppData\Local\2lBRPi\WTSAPI32.dll
            Source: C:\Users\user\AppData\Local\2lBRPi\BdeUISrv.exe | Code function: 41_2_00007FF6E6D664A0 OpenSCManagerW,GetLastError,OpenServiceW,GetLastError,QueryServiceStatus,StartServiceW,GetLastError,Sleep,QueryServiceStatus,GetLastError,CloseServiceHandle,CloseServiceHandle,
            Source: C:\Users\user\AppData\Local\S8mrk1\SnippingTool.exe | Code function: 19_2_00007FF73D04DE78 IsWindowVisible,ShowWindow,IsZoomed,ShowWindow,SendMessageW,SendMessageW,IsIconic,OpenIcon,IsWindowVisible,
            Source: C:\Users\user\AppData\Local\S8mrk1\SnippingTool.exe | Code function: 19_2_00007FF73D043078 IsWindowVisible,IsIconic,DwmGetWindowAttribute,
            Source: C:\Users\user\AppData\Local\S8mrk1\SnippingTool.exe | Code function: 19_2_00007FF73D04F79C DefWindowProcW,memset,TraceEvent,DefWindowProcW,SendMessageW,IsIconic,GetWindowRect,IsWindowVisible,IsIconic,OpenIcon,
            Source: C:\Users\user\AppData\Local\S8mrk1\SnippingTool.exe | Code function: 19_2_00007FF73D04F79C DefWindowProcW,memset,TraceEvent,DefWindowProcW,SendMessageW,IsIconic,GetWindowRect,IsWindowVisible,IsIconic,OpenIcon,
            Source: C:\Users\user\AppData\Local\S8mrk1\SnippingTool.exe | Code function: 19_2_00007FF73D047800 FindWindowW,FindWindowW,IsWindowVisible,FindWindowW,IsWindowVisible,FindWindowW,IsWindowVisible,IsIconic,OpenIcon,SetForegroundWindow,GetLastError,
            Source: C:\Users\user\AppData\Local\92ea6x\WMPDMC.exe | Code function: 34_2_00007FF67B617020 GetWindow,IsWindowVisible,GetWindowThreadProcessId,GetDesktopWindow,GetWindow,GetWindowThreadProcessId,GetParent,GetWindow,GetClassNameW,CompareStringOrdinal,SetForegroundWindow,IsIconic,ShowWindow,
            Source: C:\Windows\System32\rundll32.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\rundll32.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\rundll32.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\rundll32.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\explorer.exe TID: 5916 | Thread sleep count: 40 > 30
            Source: C:\Users\user\AppData\Local\2lBRPi\BdeUISrv.exe | Last function: Thread delayed
            Source: C:\Windows\explorer.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\2Pnr0hm64\MusNotifyIcon.exe
            Source: C:\Windows\explorer.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\7YI8zy\sethc.exe
            Source: C:\Users\user\AppData\Local\jYs4ma0u\SppExtComObj.Exe | Code function: 32_2_00007FF79146D314 rdtsc
            Source: C:\Windows\System32\loaddll64.exe | Process information queried: ProcessInformation
            Source: C:\Windows\System32\loaddll64.exe | Code function: 0_2_000000014005C340 GetSystemInfo,
            Source: C:\Windows\System32\loaddll64.exe | Code function: 0_2_000000014005D290 FindFirstFileExW,
            Source: C:\Users\user\AppData\Local\JFuMqIg\wscript.exe | Code function: 37_2_00007FF6E892D4A0 GetFileAttributesW,GetLastError,FindFirstFileW,WideCharToMultiByte,GetLastError,WideCharToMultiByte,GetFileAttributesA,GetLastError,FindFirstFileA,FindClose,
            Source: explorer.exe, 00000005.00000000.321902451.000000000EEE0000.00000004.00000001.sdmp | Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
            Source: explorer.exe, 00000005.00000000.342238983.000000000EE50000.00000004.00000001.sdmp | Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}onsappsD
            Source: explorer.exe, 00000005.00000000.317335575.00000000086C9000.00000004.00000001.sdmp | Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
            Source: explorer.exe, 00000005.00000000.317457618.0000000008778000.00000004.00000001.sdmp | Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000}
            Source: explorer.exe, 00000005.00000000.342238983.000000000EE50000.00000004.00000001.sdmp | Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}oogle Chrome.l
            Source: explorer.exe, 00000005.00000000.313685798.00000000067C2000.00000004.00000001.sdmp | Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
            Source: explorer.exe, 00000005.00000000.317335575.00000000086C9000.00000004.00000001.sdmp | Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}&
            Source: explorer.exe, 00000005.00000000.342238983.000000000EE50000.00000004.00000001.sdmp | Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}microsoF
            Source: explorer.exe, 00000005.00000000.313685798.00000000067C2000.00000004.00000001.sdmp | Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000m32)
            Source: explorer.exe, 00000005.00000000.313685798.00000000067C2000.00000004.00000001.sdmp | Binary or memory string: _VMware_SATA
            Source: explorer.exe, 00000005.00000000.317335575.00000000086C9000.00000004.00000001.sdmp | Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000
            Source: C:\Users\user\AppData\Local\S8mrk1\SnippingTool.exe | Code function: 19_2_00007FF73D06DF84 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
            Source: C:\Users\user\AppData\Local\92ea6x\WMPDMC.exe | Code function: 34_2_00007FF67B616008 OutputDebugStringA,ActivateActCtx,GetLastError,
            Source: C:\Users\user\AppData\Local\eQL\raserver.exe | Code function: 26_2_00007FF74E1183E0 LoadLibraryW,GetProcAddress,GetProcAddress,WTSEnumerateSessionsW,GetProcessHeap,HeapAlloc,WTSFreeMemory,WTSFreeMemory,WTSQuerySessionInformationW,WTSQuerySessionInformationW,StrCmpIW,GetProcessHeap,HeapAlloc,SafeArrayCreateVector,SafeArrayAccessData,SysAllocString,SafeArrayUnaccessData,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,WTSFreeMemory,WTSFreeMemory,WTSFreeMemory,SafeArrayDestroy,SysFreeString,
            Source: C:\Users\user\AppData\Local\S8mrk1\SnippingTool.exe | Code function: 19_2_00007FF73D05E274 GetProcessHeap,HeapAlloc,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapFree,
            Source: C:\Users\user\AppData\Local\jYs4ma0u\SppExtComObj.Exe | Code function: 32_2_00007FF79146D314 rdtsc
            Source: C:\Windows\System32\loaddll64.exe | Code function: 0_2_0000000140048AC0 LdrLoadDll,FindClose,
            Source: C:\Users\user\AppData\Local\S8mrk1\SnippingTool.exe | Code function: 19_2_00007FF73D06DF84 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
            Source: C:\Users\user\AppData\Local\eQL\raserver.exe | Code function: 26_2_00007FF74E120B80 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
            Source: C:\Users\user\AppData\Local\eQL\raserver.exe | Code function: 26_2_00007FF74E121170 SetUnhandledExceptionFilter,
            Source: C:\Users\user\AppData\Local\Iz08tEz\ddodiag.exe | Code function: 28_2_00007FF7409832A4 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
            Source: C:\Users\user\AppData\Local\Iz08tEz\ddodiag.exe | Code function: 28_2_00007FF740983010 SetUnhandledExceptionFilter,
            Source: C:\Users\user\AppData\Local\jYs4ma0u\SppExtComObj.Exe | Code function: 32_2_00007FF79146DD00 SetUnhandledExceptionFilter,
            Source: C:\Users\user\AppData\Local\jYs4ma0u\SppExtComObj.Exe | Code function: 32_2_00007FF79146DF84 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
            Source: C:\Users\user\AppData\Local\92ea6x\WMPDMC.exe | Code function: 34_2_00007FF67B6CACE0 SetUnhandledExceptionFilter,
            Source: C:\Users\user\AppData\Local\92ea6x\WMPDMC.exe | Code function: 34_2_00007FF67B6CA9E4 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
            Source: C:\Users\user\AppData\Local\JFuMqIg\wscript.exe | Code function: 37_2_00007FF6E8933CC8 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
            Source: C:\Users\user\AppData\Local\2lBRPi\BdeUISrv.exe | Code function: 41_2_00007FF6E6D67DA0 SetUnhandledExceptionFilter,
            Source: C:\Users\user\AppData\Local\2lBRPi\BdeUISrv.exe | Code function: 41_2_00007FF6E6D67984 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,

            HIPS / PFW / Operating System Protection Evasion:

            Benign windows process drops PE files
            Source: C:\Windows\explorer.exe | File created: OLEACC.dll.5.dr
            Changes memory attributes in foreign processes to executable or writable
            Source: C:\Windows\System32\rundll32.exe | Memory protected: C:\Windows\explorer.exe base: 7FFC8DD4EFE0 protect: page execute and read and write
            Source: C:\Windows\System32\rundll32.exe | Memory protected: C:\Windows\explorer.exe base: 7FFC8DD4E000 protect: page execute read
            Source: C:\Windows\System32\rundll32.exe | Memory protected: C:\Windows\explorer.exe base: 7FFC8BAD2A20 protect: page execute and read and write
            Queues an APC in another process (thread injection)
            Source: C:\Windows\System32\rundll32.exe | Thread APC queued: target process: C:\Windows\explorer.exe
            Contains functionality to prevent local Windows debugging
            Source: C:\Users\user\AppData\Local\92ea6x\WMPDMC.exe | Code function: 34_2_00007FF67B6C9860 EnterCriticalSection,IsDebuggerPresent,DebugBreak,GetLastError,SetLastError,LeaveCriticalSection,
            Source: C:\Users\user\AppData\Local\92ea6x\WMPDMC.exe | Code function: 34_2_00007FF67B6C97F0 EnterCriticalSection,IsDebuggerPresent,DebugBreak,LeaveCriticalSection,
            Uses Atom Bombing / ProGate to inject into other processes
            Source: C:\Windows\System32\rundll32.exe | Atom created: 405553565741544156488D6C24D14881EC98 0x00000000 inc eax 0x00000001 push ebp 0x00000002 push ebx 0x00000003 push esi 0x00000004 push edi 0x00000005 inc ecx 0x00000006 push esp 0x00000007 inc ecx 0x00000008 push esi 0x00000009 dec eax 0x0000000a lea ebp, dword ptr [esp-2Fh] 0x0000000e dec eax 0x0000000f sub esp, 00000098h
            Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\yWteP7e12z.dll',#1
            Source: C:\Users\user\AppData\Local\eQL\raserver.exe | Code function: 26_2_00007FF74E11A9AC AllocateAndInitializeSid,GetLastError,AllocateAndInitializeSid,GetLastError,GetLengthSid,GetProcessHeap,HeapAlloc,InitializeAcl,GetLastError,AddAccessAllowedAce,GetLastError,AddAccessAllowedAce,GetLastError,InitializeSecurityDescriptor,GetLastError,SetSecurityDescriptorDacl,GetLastError,AllocateAndInitializeSid,GetLastError,SetSecurityDescriptorOwner,GetLastError,SetSecurityDescriptorGroup,GetLastError,IsValidSecurityDescriptor,GetLastError,GetProcessHeap,HeapFree,FreeSid,FreeSid,FreeSid,
            Source: C:\Users\user\AppData\Local\eQL\raserver.exe | Code function: 26_2_00007FF74E11A9AC AllocateAndInitializeSid,GetLastError,AllocateAndInitializeSid,GetLastError,GetLengthSid,GetProcessHeap,HeapAlloc,InitializeAcl,GetLastError,AddAccessAllowedAce,GetLastError,AddAccessAllowedAce,GetLastError,InitializeSecurityDescriptor,GetLastError,SetSecurityDescriptorDacl,GetLastError,AllocateAndInitializeSid,GetLastError,SetSecurityDescriptorOwner,GetLastError,SetSecurityDescriptorGroup,GetLastError,IsValidSecurityDescriptor,GetLastError,GetProcessHeap,HeapFree,FreeSid,FreeSid,FreeSid,
            Source: explorer.exe, 00000005.00000000.330726582.0000000000B68000.00000004.00000020.sdmp | Binary or memory string: Progman\Pr
            Source: explorer.exe, 00000005.00000000.310248689.00000000011E0000.00000002.00020000.sdmp | Binary or memory string: Program Manager
            Source: explorer.exe, 00000005.00000000.335309459.0000000005E10000.00000004.00000001.sdmp | Binary or memory string: Shell_TrayWnd
            Source: explorer.exe, 00000005.00000000.310248689.00000000011E0000.00000002.00020000.sdmp | Binary or memory string: Progman
            Source: explorer.exe, 00000005.00000000.310248689.00000000011E0000.00000002.00020000.sdmp | Binary or memory string: Progmanlock
            Source: explorer.exe, 00000005.00000000.317457618.0000000008778000.00000004.00000001.sdmp | Binary or memory string: Shell_TrayWndh
            Source: C:\Windows\System32\loaddll64.exe | Queries volume information: unknown VolumeInformation
            Source: C:\Windows\System32\loaddll64.exe | Queries volume information: unknown VolumeInformation
            Source: C:\Windows\System32\rundll32.exe | Queries volume information: unknown VolumeInformation
            Source: C:\Windows\System32\rundll32.exe | Queries volume information: unknown VolumeInformation
            Source: C:\Windows\System32\rundll32.exe | Queries volume information: unknown VolumeInformation
            Source: C:\Windows\System32\rundll32.exe | Queries volume information: unknown VolumeInformation
            Source: C:\Windows\System32\rundll32.exe | Queries volume information: unknown VolumeInformation
            Source: C:\Windows\System32\rundll32.exe | Queries volume information: unknown VolumeInformation
            Source: C:\Windows\System32\rundll32.exe | Queries volume information: unknown VolumeInformation
            Source: C:\Windows\System32\rundll32.exe | Queries volume information: unknown VolumeInformation
            Source: C:\Users\user\AppData\Local\S8mrk1\SnippingTool.exe | Queries volume information: unknown VolumeInformation
            Source: C:\Users\user\AppData\Local\S8mrk1\SnippingTool.exe | Queries volume information: unknown VolumeInformation
            Source: C:\Users\user\AppData\Local\eQL\raserver.exe | Queries volume information: unknown VolumeInformation
            Source: C:\Users\user\AppData\Local\eQL\raserver.exe | Queries volume information: unknown VolumeInformation
            Source: C:\Users\user\AppData\Local\Iz08tEz\ddodiag.exe | Queries volume information: unknown VolumeInformation
            Source: C:\Users\user\AppData\Local\Iz08tEz\ddodiag.exe | Queries volume information: unknown VolumeInformation
            Source: C:\Users\user\AppData\Local\jYs4ma0u\SppExtComObj.Exe | Queries volume information: unknown VolumeInformation
            Source: C:\Users\user\AppData\Local\jYs4ma0u\SppExtComObj.Exe | Queries volume information: unknown VolumeInformation
            Source: C:\Users\user\AppData\Local\92ea6x\WMPDMC.exe | Queries volume information: unknown VolumeInformation
            Source: C:\Users\user\AppData\Local\92ea6x\WMPDMC.exe | Queries volume information: unknown VolumeInformation
            Source: C:\Users\user\AppData\Local\JFuMqIg\wscript.exe | Queries volume information: unknown VolumeInformation
            Source: C:\Users\user\AppData\Local\JFuMqIg\wscript.exe | Queries volume information: unknown VolumeInformation
            Source: C:\Users\user\AppData\Local\2lBRPi\BdeUISrv.exe | Queries volume information: unknown VolumeInformation
            Source: C:\Users\user\AppData\Local\2lBRPi\BdeUISrv.exe | Queries volume information: unknown VolumeInformation
            Source: C:\Users\user\AppData\Local\92ea6x\WMPDMC.exe | Code function: DisableContainerHwnd,DestroyWindow,DeleteObject,GetModuleHandleW,GetClassInfoExW,memset,GetModuleHandleW,LoadCursorW,GetStockObject,DefWindowProcW,RegisterClassExW,GetModuleHandleW,CreateWindowExW,SetWindowLongPtrW,SetWindowLongPtrW,SendMessageW,GetWindowLongPtrW,GetWindowLongPtrW,SetWindowLongPtrW,GetThreadUILanguage,GetUserDefaultUILanguage,GetLocaleInfoW,GetWindowLongPtrW,SetWindowLongPtrW,CreateGadget,GetLastError,SetGadgetMessageFilter,SetGadgetStyle,GetDC,GetDeviceCaps,ReleaseDC,GetDC,CreateHalftonePalette,ReleaseDC,memset,SetGadgetRootInfo,TlsGetValue,
            Source: C:\Users\user\AppData\Local\JFuMqIg\wscript.exe | Code function: GetUserDefaultLCID,GetLocaleInfoW,GetModuleFileNameW,FreeLibrary,GetLocaleInfoA,LoadStringA,GetModuleFileNameA,CharNextA,memcpy,strcpy_s,LoadLibraryExA,LoadLibraryExA,sprintf_s,CharNextA,memcpy,strcpy_s,LoadLibraryExA,LoadLibraryExA,GetUserDefaultLCID,GetLocaleInfoA,sprintf_s,CharNextA,memcpy,strcpy_s,LoadLibraryExA,LoadLibraryExA,
            Source: C:\Users\user\AppData\Local\JFuMqIg\wscript.exe | Code function: LoadLibraryExW,SearchPathW,FindResourceExW,GetUserDefaultUILanguage,GetLocaleInfoW,_wcsncoll,GetSystemDefaultUILanguage,FreeLibrary,FreeLibrary,LoadLibraryExW,FreeLibrary,
            Source: C:\Windows\System32\loaddll64.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion InstallDate
            Source: C:\Windows\System32\loaddll64.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
            Source: C:\Users\user\AppData\Local\eQL\raserver.exe | Code function: 26_2_00007FF74E121300 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,GetTickCount,QueryPerformanceCounter,
            Source: C:\Users\user\AppData\Local\S8mrk1\SnippingTool.exe | Code function: 19_2_00007FF73D055FF8 PostMessageW,DialogBoxParamW,memset,GetVersionExW,ShellAboutW,GetLastError,InvalidateRect,
            Source: C:\Users\user\AppData\Local\JFuMqIg\wscript.exe | Code function: 37_2_00007FF6E8926CEC RegisterEventSourceW,GetUserNameW,LookupAccountNameW,LookupAccountNameW,ReportEventW,DeregisterEventSource,SysFreeString,RegCloseKey,RegCloseKey,
            Source: C:\Users\user\AppData\Local\jYs4ma0u\SppExtComObj.Exe | Code function: 32_2_00007FF79147B16C RpcStringFreeW,RpcBindingFree,CloseHandle,
            Source: C:\Users\user\AppData\Local\jYs4ma0u\SppExtComObj.Exe | Code function: 32_2_00007FF79147AF10 memset,RpcStringBindingComposeW,RpcBindingFromStringBindingW,CreateEventW,GetLastError,RpcAsyncInitializeHandle,WaitForMultipleObjects,RpcAsyncCancelCall,WaitForSingleObject,RpcAsyncCompleteCall,memcpy,RpcStringFreeW,RpcBindingFree,CloseHandle,
            Source: C:\Users\user\AppData\Local\jYs4ma0u\SppExtComObj.Exe | Code function: 32_2_00007FF79147B0A2 WaitForMultipleObjects,RpcAsyncCancelCall,WaitForSingleObject,RpcAsyncCompleteCall,RpcStringFreeW,RpcBindingFree,CloseHandle,
            Source: C:\Users\user\AppData\Local\JFuMqIg\wscript.exe | Code function: 37_2_00007FF6E89291AC GetUserDefaultLCID,CreateBindCtx,
            Source: C:\Users\user\AppData\Local\JFuMqIg\wscript.exe | Code function: 37_2_00007FF6E8924FE0 CreateBindCtx,SysAllocStringByteLen,SysFreeString,
            Source: C:\Users\user\AppData\Local\JFuMqIg\wscript.exe | Code function: 37_2_00007FF6E892C370 CreateBindCtx,MkParseDisplayName,
            Source: C:\Users\user\AppData\Local\2lBRPi\BdeUISrv.exe | Code function: 41_2_00007FF6E6D672BC memset,RpcStringBindingComposeW,RpcBindingFromStringBindingW,AllocateAndInitializeSid,GetLastError,RpcBindingSetAuthInfoExW,RpcStringFreeW,FreeSid,RpcBindingFree,
            Source: C:\Users\user\AppData\Local\2lBRPi\BdeUISrv.exe | Code function: 41_2_00007FF6E6D674BE RpcBindingFree,
            Source: C:\Users\user\AppData\Local\2lBRPi\BdeUISrv.exe | Code function: 41_2_00007FF6E6D67450 NdrClientCall3,RpcBindingFree,

            Mitre Att&ck Matrix

            Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
            Valid Accounts | Native API 1 | Windows Service 1 | Windows Service 1 | Deobfuscate/Decode Files or Information 1 | OS Credential Dumping | System Time Discovery 1 | Remote Services | Archive Collected Data 11 | Exfiltration Over Other Network Medium | Encrypted Channel 2 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Data Encrypted for Impact 1
            Default Accounts | Exploitation for Client Execution 1 | Boot or Logon Initialization Scripts | Process Injection 412 | Obfuscated Files or Information 3 | LSASS Memory | Account Discovery 1 | Remote Desktop Protocol | Screen Capture 1 | Exfiltration Over Bluetooth | Junk Data | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
            Domain Accounts | Command and Scripting Interpreter 2 | Logon Script (Windows) | Logon Script (Windows) | Software Packing 2 | Security Account Manager | File and Directory Discovery 1 | SMB/Windows Admin Shares | Clipboard Data 1 | Automated Exfiltration | Steganography | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
            Local Accounts | Service Execution 2 | Logon Script (Mac) | Logon Script (Mac) | Timestomp 1 | NTDS | System Information Discovery 35 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Protocol Impersonation | SIM Card Swap | | Carrier Billing Fraud
            Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Masquerading 1 | LSA Secrets | Security Software Discovery 41 | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | | Manipulate App Store Rankings or Ratings
            Replication Through Removable Media | Launchd | Rc.common | Rc.common | Virtualization/Sandbox Evasion 1 | Cached Domain Credentials | Virtualization/Sandbox Evasion 1 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | | Abuse Accessibility Features
            External Remote Services | Scheduled Task | Startup Items | Startup Items | Process Injection 412 | DCSync | Process Discovery 2 | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | | Data Encrypted for Impact
            Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | Rundll32 1 | Proc Filesystem | Application Window Discovery 1 | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | | Generate Fraudulent Advertising Revenue
            Exploit Public-Facing Application | PowerShell | At (Linux) | At (Linux) | Masquerading | /etc/passwd and /etc/shadow | System Owner/User Discovery 1 | Software Deployment Tools | Data Staged | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | Web Protocols | Rogue Cellular Base Station | | Data Destruction

            Behavior Graph

            Behavior Graph ID: 492789; Sample: yWteP7e12z; Start date: 29/09/2021; Architecture: WINDOWS; Score: 100
            Root signatures: Antivirus detection for dropped file; Antivirus / Scanner detection for submitted sample; Multi AV Scanner detection for submitted file; 4 other signatures
            loaddll64.exe (started) -> rundll32.exe, cmd.exe, rundll32.exe, rundll32.exe (started)
            rundll32.exe: Changes memory attributes in foreign processes to executable or writable; Uses Atom Bombing / ProGate to inject into other processes; Queues an APC in another process (thread injection) -> explorer.exe (injected)
            cmd.exe -> rundll32.exe (started)
            explorer.exe (dropped): C:\Users\user\AppData\Local\...\ACTIVEDS.dll, PE32+; C:\Users\user\AppData\Local\...\VERSION.dll, PE32+; C:\Users\user\AppData\Local\...\WMPDMC.exe, PE32+; 17 other files (3 malicious)
            explorer.exe: Benign windows process drops PE files -> WMPDMC.exe, SppExtComObj.Exe, ddodiag.exe, 13 other processes (started)
            WMPDMC.exe: Contains functionality to prevent local Windows debugging

            Screenshots

            Thumbnails

            This section contains all screenshots as thumbnails, including those not shown in the slideshow.


            Antivirus, Machine Learning and Genetic Malware Detection

            Initial Sample

            Source | Detection | Scanner | Label
            yWteP7e12z.dll | 64% | Virustotal |
            yWteP7e12z.dll | 78% | ReversingLabs | Win64.Infostealer.Dridex
            yWteP7e12z.dll | 100% | Avira | TR/Crypt.ZPACK.Gen
            yWteP7e12z.dll | 100% | Joe Sandbox ML |

            Dropped Files

            Source | Detection | Scanner | Label
            C:\Users\user\AppData\Local\JFuMqIg\VERSION.dll | 100% | Avira | TR/Crypt.ZPACK.Gen
            C:\Users\user\AppData\Local\2lBRPi\WTSAPI32.dll | 100% | Avira | TR/Crypt.ZPACK.Gen
            C:\Users\user\AppData\Local\2Pnr0hm64\XmlLite.dll | 100% | Avira | HEUR/AGEN.1114452
            C:\Users\user\AppData\Local\2Pnr0hm64\XmlLite.dll | 100% | Avira | HEUR/AGEN.1114452
            C:\Users\user\AppData\Local\2lBRPi\WTSAPI32.dll | 100% | Avira | TR/Crypt.ZPACK.Gen
            C:\Users\user\AppData\Local\2Pnr0hm64\XmlLite.dll | 100% | Avira | HEUR/AGEN.1114452
            C:\Users\user\AppData\Local\jYs4ma0u\ACTIVEDS.dll | 100% | Avira | TR/Crypt.ZPACK.Gen
            C:\Users\user\AppData\Local\7YI8zy\OLEACC.dll | 100% | Avira | TR/Crypt.ZPACK.Gen
            C:\Users\user\AppData\Local\7YI8zy\OLEACC.dll | 100% | Avira | TR/Crypt.ZPACK.Gen
            C:\Users\user\AppData\Local\7YI8zy\OLEACC.dll | 100% | Avira | TR/Crypt.ZPACK.Gen
            C:\Users\user\AppData\Local\JFuMqIg\VERSION.dll | 100% | Joe Sandbox ML |
            C:\Users\user\AppData\Local\2lBRPi\WTSAPI32.dll | 100% | Joe Sandbox ML |
            C:\Users\user\AppData\Local\2Pnr0hm64\XmlLite.dll | 100% | Joe Sandbox ML |
            C:\Users\user\AppData\Local\2Pnr0hm64\XmlLite.dll | 100% | Joe Sandbox ML |
            C:\Users\user\AppData\Local\2lBRPi\WTSAPI32.dll | 100% | Joe Sandbox ML |
            C:\Users\user\AppData\Local\2Pnr0hm64\XmlLite.dll | 100% | Joe Sandbox ML |
            C:\Users\user\AppData\Local\jYs4ma0u\ACTIVEDS.dll | 100% | Joe Sandbox ML |
            C:\Users\user\AppData\Local\7YI8zy\OLEACC.dll | 100% | Joe Sandbox ML |
            C:\Users\user\AppData\Local\7YI8zy\OLEACC.dll | 100% | Joe Sandbox ML |
            C:\Users\user\AppData\Local\7YI8zy\OLEACC.dll | 100% | Joe Sandbox ML |
            C:\Users\user\AppData\Local\2Pnr0hm64\MusNotifyIcon.exe | 0% | Metadefender |
            C:\Users\user\AppData\Local\2Pnr0hm64\MusNotifyIcon.exe | 0% | ReversingLabs |
            C:\Users\user\AppData\Local\2lBRPi\BdeUISrv.exe | 0% | Metadefender |
            C:\Users\user\AppData\Local\2lBRPi\BdeUISrv.exe | 0% | ReversingLabs |
            C:\Users\user\AppData\Local\7YI8zy\sethc.exe | 0% | Metadefender |
            C:\Users\user\AppData\Local\7YI8zy\sethc.exe | 0% | ReversingLabs |
            C:\Users\user\AppData\Local\92ea6x\WMPDMC.exe | 0% | Metadefender |
            C:\Users\user\AppData\Local\92ea6x\WMPDMC.exe | 0% | ReversingLabs |

            Unpacked PE Files

            Source | Detection | Scanner | Label
            3.2.rundll32.exe.140000000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
            34.2.WMPDMC.exe.140000000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
            32.2.SppExtComObj.Exe.140000000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
            28.2.ddodiag.exe.140000000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
            19.2.SnippingTool.exe.140000000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
            0.2.loaddll64.exe.140000000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
            9.2.rundll32.exe.140000000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
            26.2.raserver.exe.140000000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
            41.2.BdeUISrv.exe.140000000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
            2.2.rundll32.exe.140000000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
            8.2.rundll32.exe.140000000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
            37.2.wscript.exe.140000000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen

            Domains

            No Antivirus matches

            URLs

            No Antivirus matches

            Domains and IPs

            Contacted Domains

            No contacted domains info

            Contacted IPs

            No contacted IP infos

            General Information

            Joe Sandbox Version:33.0.0 White Diamond
            Analysis ID:492789
            Start date:29.09.2021
            Start time:01:30:21
            Joe Sandbox Product:CloudBasic
            Overall analysis duration:0h 16m 58s
            Hypervisor based Inspection enabled:false
            Report type:light
            Sample file name:yWteP7e12z (renamed file extension from none to dll)
            Cookbook file name:default.jbs
            Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
            Number of new started processes analysed:41
            Number of new started drivers analysed:0
            Number of existing processes analysed:0
            Number of existing drivers analysed:0
            Number of injected processes analysed:0
            Technologies:
            • HCA enabled
            • EGA enabled
            • HDC enabled
            • AMSI enabled
            Analysis Mode:default
            Analysis stop reason:Timeout
            Detection:MAL
            Classification:mal100.troj.evad.winDLL@49/21@0/0
            EGA Information:Failed
            HDC Information:
            • Successful, ratio: 25.6% (good quality ratio 19.6%)
            • Quality average: 55.9%
            • Quality standard deviation: 39.2%
            HCA Information:Failed
            Cookbook Comments:
            • Adjust boot time
            • Enable AMSI
            • Override analysis time to 240s for rundll32
            Warnings:
            • Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, WMIADAP.exe, backgroundTaskHost.exe, conhost.exe, svchost.exe, wuapihost.exe
            • Excluded IPs from analysis (whitelisted): 23.54.113.53, 20.82.209.183, 20.54.110.249, 23.0.174.185, 23.0.174.200, 20.199.120.151, 20.199.120.182, 23.10.249.43, 23.10.249.26, 40.112.88.60, 20.82.210.154, 20.50.102.62, 204.79.197.200, 13.107.21.200
            • Excluded domains from analysis (whitelisted): store-images.s-microsoft.com-c.edgekey.net, iris-de-prod-azsc-neu-b.northeurope.cloudapp.azure.com, a767.dspw65.akamai.net, a1449.dscg2.akamai.net, arc.msn.com, e12564.dspb.akamaiedge.net, wns.notify.trafficmanager.net, consumer-displaycatalogrp-aks2aks-europe.md.mp.microsoft.com.akadns.net, www-bing-com.dual-a-0001.a-msedge.net, arc.trafficmanager.net, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, www.bing.com, iris-de-prod-azsc-neu.northeurope.cloudapp.azure.com, client.wns.windows.com, displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, dual-a-0001.a-msedge.net, neu-displaycatalogrp.frontdoor.bigcatalog.commerce.microsoft.com, wu-shim.trafficmanager.net, ris-prod.trafficmanager.net, asf-ris-prod-neu.northeurope.cloudapp.azure.com, ctldl.windowsupdate.com, iris-de-prod-azsc-uks.uksouth.cloudapp.azure.com, download.windowsupdate.com.edgesuite.net, ris.api.iris.microsoft.com, a-0001.a-afdentry.net.trafficmanager.net, store-images.s-microsoft.com, displaycatalog-rp.md.mp.microsoft.com.akadns.net
            • Not all processes were analyzed, report is missing behavior information
            • Report creation exceeded maximum time and may have missing behavior and disassembly information.
            • Report size exceeded maximum capacity and may have missing behavior information.
            • Report size exceeded maximum capacity and may have missing disassembly code.
            • Report size getting too big, too many NtAllocateVirtualMemory calls found.
            • Report size getting too big, too many NtEnumerateKey calls found.

            Simulations

            Behavior and APIs

            No simulations

            Joe Sandbox View / Context

            IPs

            No context

            Domains

            No context

            ASN

            No context

            JA3 Fingerprints

            No context

            Dropped Files

            No context

            Created / dropped Files

            C:\Users\user\AppData\Local\2Pnr0hm64\MusNotifyIcon.exe
            Process:C:\Windows\explorer.exe
            File Type:PE32+ executable (GUI) x86-64, for MS Windows
            Category:dropped
            Size (bytes):348248
            Entropy (8bit):4.476463179941575
            Encrypted:false
            SSDEEP:3072:h+3PxWVjjy9Vya+bgdI/uQmyDbT/j0MQXOAfib98:h+5WVje+UdI/uQmyDbDWOAfH
            MD5:56EB45AF6E8DAC3DE13BFBDDD23471FD
            SHA1:B6CD69E22DF2AC6220DDE6BD5B96D0333C81664E
            SHA-256:96C7678DFB92B3666D5A41BB251EE21DF24D7C3F32E0115BB302438F364DFA7D
            SHA-512:4062829F81BF34C25ECDE96D46BC55A9CB40E3D0B78E73C07245DCCE42B7F60EE169A8545518F758E52215E9ABA3E62BEC02E7D4F5B5AE79DA690518920E974B
            Malicious:false
            Antivirus:
            • Antivirus: Metadefender, Detection: 0%
            • Antivirus: ReversingLabs, Detection: 0%
            Reputation:unknown
            C:\Users\user\AppData\Local\2Pnr0hm64\XmlLite.dll
            Process:C:\Windows\explorer.exe
            File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
            Category:dropped
            Size (bytes):2109440
            Entropy (8bit):3.576077189317853
            Encrypted:false
            SSDEEP:12288:pVI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1:IfP7fWsK5z9A+WGAW+V5SB6Ct4bnb
            MD5:8D382555F4058C485E44A6F1746DF8AE
            SHA1:CA1DD960D00123E12458CE1E1C56B9DB7E06623E
            SHA-256:E266F25DE43726B4AEDFEF41B4561CA93156A5DB9FDE2EE68E2A9790DBF93A7F
            SHA-512:361C29520A7B22149F1F7D24831C06BA90514381F53918B4FB4F74FA8A8E456BAF216F6DE4F7538C7ECC21038A449C2419A4301B6551216AB593C1ED69F5C7AC
            Malicious:true
            Antivirus:
            • Antivirus: Avira, Detection: 100%
            • Antivirus: Joe Sandbox ML, Detection: 100%
            Reputation:unknown
            C:\Users\user\AppData\Local\2lBRPi\BdeUISrv.exe
            Process:C:\Windows\explorer.exe
            File Type:PE32+ executable (GUI) x86-64, for MS Windows
            Category:dropped
            Size (bytes):52736
            Entropy (8bit):5.7946530792580475
            Encrypted:false
            SSDEEP:768:NS51B2sZMD1mYu/Lr7p0dHkf9abpWnGjTopPjZdWC2bNrHuOKAh/4J99j4ktPUww:J/Yn/Lr7qwYb7/oRjeJh2991t8Yte
            MD5:25D86BC656025F38D6E626B606F1D39D
            SHA1:673F32CCA79DC890ADA1E5A2CF6ECA3EF863629D
            SHA-256:202BEC0F63167ED57FCB55DB48C9830A5323D72C662D9A58B691D16CE4DB8C1E
            SHA-512:D4B4BC411B122499E611E1F9A45FD40EC2ABA23354F261D4668BF0578D30AEC5419568489261FC773ABBB350CC77C1E00F8E7C0B135A1FD4A9B6500825FA6E06
            Malicious:false
            Antivirus:
            • Antivirus: Metadefender, Detection: 0%
            • Antivirus: ReversingLabs, Detection: 0%
            Reputation:unknown
            C:\Users\user\AppData\Local\2lBRPi\WTSAPI32.dll
            Process:C:\Windows\explorer.exe
            File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
            Category:dropped
            Size (bytes):2109440
            Entropy (8bit):3.583353111174115
            Encrypted:false
            SSDEEP:12288:0VI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1:xfP7fWsK5z9A+WGAW+V5SB6Ct4bnb
            MD5:860C08B5CFEB671CA94A0CEC612CA670
            SHA1:584648309587E969A66C78F2DB9E995BA138DB1A
            SHA-256:C1C3B44B2E6EE00A256E4B6ECDFF26E4EE3C6F89C5B88026EA2C929D95CD0719
            SHA-512:AD81404B4AEE0F8C268D87ED57DC7A8093E87C9DF454CDC324DD3432DC9E6125FF9ED376ECA36C456AAF0B7FA81A077E9AB86BA0698CF8A396844619861650DD
            Malicious:true
            Antivirus:
            • Antivirus: Avira, Detection: 100%
            • Antivirus: Joe Sandbox ML, Detection: 100%
            Reputation:unknown
            C:\Users\user\AppData\Local\7YI8zy\OLEACC.dll
            Process:C:\Windows\explorer.exe
            File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
            Category:dropped
            Size (bytes):2109440
            Entropy (8bit):3.5783451393964993
            Encrypted:false
            SSDEEP:12288:NVI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1:UfP7fWsK5z9A+WGAW+V5SB6Ct4bnb
            MD5:B882DA1C973F306CE92DF7B397F79477
            SHA1:D3A451F40911018FD3FB3827CBC794A91D50C0BF
            SHA-256:BDC8B5C0E124749EFD29F926C5DEB99D4D6111E37C290354EB69BBD43891BE43
            SHA-512:59381D442B6D01629468C9DEE364976C73AF67162C03F112835E50FB3C5A3652E17325BF79FD5DA50D8E8231B8C6208010D1DD4398935884D78C67243F0C3D7D
            Malicious:true
            Antivirus:
            • Antivirus: Avira, Detection: 100%
            • Antivirus: Joe Sandbox ML, Detection: 100%
            Reputation:unknown
            C:\Users\user\AppData\Local\7YI8zy\sethc.exe
            Process:C:\Windows\explorer.exe
            File Type:PE32+ executable (GUI) x86-64, for MS Windows
            Category:dropped
            Size (bytes):284160
            Entropy (8bit):6.85709982153028
            Encrypted:false
            SSDEEP:6144:z1dgUn5C1AlGr66uFz2LJGRg4kLNnei36cw:XiKFCdUc
            MD5:1C0BF0B710016600C9D9F23CC7103C0A
            SHA1:EFA944D43F76AEA0C72A5C7FB3240ADC55E7DAE8
            SHA-256:AEA110EE0865635EE764B1B40409DB3A3165E57EFFF4CAF942BCD8982F3063C5
            SHA-512:775F075A9D43A887B1AFB000E5E2CBC8EF514C4B1864C694977342307C61173DACC5BA8E5D47002870687B24914B3E6D2D0EB48BF99517822511A8BA2A122515
            Malicious:false
            Antivirus:
            • Antivirus: Metadefender, Detection: 0%
            • Antivirus: ReversingLabs, Detection: 0%
            Reputation:unknown
            C:\Users\user\AppData\Local\92ea6x\OLEACC.dll
            Process:C:\Windows\explorer.exe
            File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
            Category:dropped
            Size (bytes):2109440
            Entropy (8bit):3.578353842294324
            Encrypted:false
            SSDEEP:12288:hVI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1:QfP7fWsK5z9A+WGAW+V5SB6Ct4bnb
            MD5:562B44A22DF95EC9CAB4D5FE434F6B79
            SHA1:B8C66B70032983B0F6767CA39D5ED53BE1090E83
            SHA-256:157395ACD40DFE6078A29173CBEFF6E17E522607CB4D92C9AA9E64A1CFA4616F
            SHA-512:B76402269EB0CED9A0788BEFC131ABBAD97A2BC53DAA0FBACF51AA3D5A745DC56DEB3CD1AF871F4FC03F95781B22A1D6BC40AFAC938AE1327FF3D0EE9BC39F27
            Malicious:false
            Reputation:unknown
            C:\Users\user\AppData\Local\92ea6x\WMPDMC.exe
            Process:C:\Windows\explorer.exe
            File Type:PE32+ executable (GUI) x86-64, for MS Windows
            Category:dropped
            Size (bytes):1517568
            Entropy (8bit):6.62150533612437
            Encrypted:false
            SSDEEP:24576:esSffc55l2PlDph6LYq3BRf6Te8+n3wAJF1/Mk+F6uwY6V0qRr8kmHVJZh/u:cct2PpphUlxRn3wAblMk+F6+6S2r8/Hu
            MD5:4085FDA375E50214142BD740559F5835
            SHA1:22D548F1E0F4832AAEE3D983A156FDABD3021DA4
            SHA-256:93F61516B7FD3CE8F1E97F25B760BDF62AE58CC7714B559FEFC2C75AD1130804
            SHA-512:7712F8E551D475A9D2FF3BED9992A2B3D53AB01F61DCB7313320181F9EB6B5B84558CCA45AE95150267128C8B228F806F869157B7F4961755076DD83F02E3BDF
            Malicious:true
            Antivirus:
            • Antivirus: Metadefender, Detection: 0%
            • Antivirus: ReversingLabs, Detection: 0%
            Reputation:unknown
            C:\Users\user\AppData\Local\Iz08tEz\XmlLite.dll
            Process:C:\Windows\explorer.exe
            File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
            Category:dropped
            Size (bytes):2109440
            Entropy (8bit):3.576061001877867
            Encrypted:false
            SSDEEP:12288:uVI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1:zfP7fWsK5z9A+WGAW+V5SB6Ct4bnb
            MD5:4DFE07B3BCAFD9CE65D8C33C35692412
            SHA1:72E62D60652D8B8E0FFAEABE38E85DF7474DE3F0
            SHA-256:601E95E3207C0693E50E0DF68F2D3F4563365D832C22A28F18659B9F30C37DF5
            SHA-512:020BA9DB617F445299631A8A9097AC67014B1FA640209B302A679474AF329CD25887295BCDBBCC1E4DD7DF66D818507232F3AF5879B3BB9DBDDDF6DE1F6B37FE
            Malicious:false
            Reputation:unknown
            C:\Users\user\AppData\Local\Iz08tEz\ddodiag.exe
            Process:C:\Windows\explorer.exe
            File Type:PE32+ executable (GUI) x86-64, for MS Windows
            Category:dropped
            Size (bytes):37888
            Entropy (8bit):5.0324146638870335
            Encrypted:false
            SSDEEP:768:Ii5tlKBaheiGK/hc3aZkLmMgMaouZl6i9Kott/D:/C0heiGK/hc3aZkLmMgMaouZl6i9t/D
            MD5:3CE911D7C12A2EFA9108514013BD17FE
            SHA1:2F739BD7731932A0BF13A3B8526FC867EC41C63E
            SHA-256:FC55CB5FF243496B039D3DB181BD846BDD38D11C7D52E4BA20D882B65FBE1C3B
            SHA-512:33F4FD94916DB3F0BC4E138DD88125D9B45108F7EECFDE0A54BE1901F4BE3F1966BC0FE9278A919A3D94AEC53A8269ACA9451EBA7D53C82BF64CC215522AD78E
            Malicious:false
            Reputation:unknown
            C:\Users\user\AppData\Local\JFuMqIg\VERSION.dll
            Process:C:\Windows\explorer.exe
            File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
            Category:dropped
            Size (bytes):2109440
            Entropy (8bit):3.5769403032587643
            Encrypted:false
            SSDEEP:12288:BVI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1:wfP7fWsK5z9A+WGAW+V5SB6Ct4bnb
            MD5:D76C4636DA44EBABF1FC1E81811471E0
            SHA1:3191D457033E6D791CDBE097A3D1ADC3F7284491
            SHA-256:E06D76E1543A31F7BC71EA29D772368867B8A971C303B5CA10EE224F69D814AE
            SHA-512:8A57090E6156AD7D73CC637E6BDA63F74E896F8A6A53581A2A4D12996AFB49CBE9B27DD18AD2DB2FEE6E9CC1750F81CB1640394BC0C95C88085AFE1AA9CE18D5
            Malicious:true
            Antivirus:
            • Antivirus: Avira, Detection: 100%
            • Antivirus: Joe Sandbox ML, Detection: 100%
            Reputation:unknown
            C:\Users\user\AppData\Local\JFuMqIg\wscript.exe
            Process:C:\Windows\explorer.exe
            File Type:PE32+ executable (GUI) x86-64, for MS Windows
            Category:dropped
            Size (bytes):163840
            Entropy (8bit):5.729539450068024
            Encrypted:false
            SSDEEP:1536:8HSpBlnak9UH8bCAHZ1LQ434syPz7M5hh/kzhwS827HuYHwHugXEYJ6S7775MWUn:aC4HWCp/fM5hvNebgXEYJN73uWUZxtt
            MD5:9A68ADD12EB50DDE7586782C3EB9FF9C
            SHA1:2661E5F3562DD03C0ED21C33E2888E2FD1137D8C
            SHA-256:62A95C926C8513C9F3ACF65A5B33CBB88174555E2759C1B52DD6629F743A59ED
            SHA-512:156CAED6E1BF27B275E4BA0707FB550F1BF347A26361D6D3CAD12C612C327686950B47B6C5487110CF8B35A490FAADC812ADE3777FFF7ED76A528D970914A6E0
            Malicious:false
            Reputation:unknown
            C:\Users\user\AppData\Local\S8mrk1\OLEACC.dll
            Process:C:\Windows\explorer.exe
            File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
            Category:dropped
            Size (bytes):2109440
            Entropy (8bit):3.578355139397792
            Encrypted:false
            SSDEEP:12288:qVI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1:3fP7fWsK5z9A+WGAW+V5SB6Ct4bnb
            MD5:D37540715730618EC4C8D8320D14BA1F
            SHA1:61DE879F216BFDFC426752CA83E326632F229203
            SHA-256:828D0A3C802DBDB43DB11772E7AB9432AC794124F5C1766D7B89802A35094B7B
            SHA-512:20ACED35734330011806C82F3523BF15B3E3CB5E2FCBDBA861A9FB4496F6249198AFCBCCA0271E65B3184B555041E122C76D67991E7903FD3F31FF6A3FE9B3A5
            Malicious:false
            Reputation:unknown
            C:\Users\user\AppData\Local\S8mrk1\SnippingTool.exe
            Process:C:\Windows\explorer.exe
            File Type:PE32+ executable (GUI) x86-64, for MS Windows
            Category:dropped
            Size (bytes):3292160
            Entropy (8bit):4.311007815185121
            Encrypted:false
            SSDEEP:24576:+oNva52v20/OB1b1v+YMTvlcZbbAbn3ItpG:VNtv20/OB1hXulc10L4tp
            MD5:9012F9C6AC7F3F99ECDD37E24C9AC3BB
            SHA1:7B8268C1B847301C0B5372C2A76CCE326C74991E
            SHA-256:4E30A8C88C755944145F2BC6C935EE5107C56832772F2561229E20CEAB1D10D2
            SHA-512:B76D2BE02A22990E224DBC5AED9E5B701EAC52C1376529DE3E90B084CD6860B88D746CD61093E93FC932E12FBAF45B4CA342CC0D9C9DAE4EAFE05921D83A7397
            Malicious:false
            Reputation:unknown
            Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........$...w...w...w...w...w...v...w...v...w...v...w...v...w...w'..w...v...w..mw...w..ow...w...v...wRich...w................PE..d.....i..........."..........v/.....0..........@..............................2.....I.2...`.......... ..............................................P..(;...0................2.|...`...T.......................(....................................................text...9........................... ..`.rdata..............................@..@.data....0..........................@....pdata.......0......................@..@.rsrc...(;...P...<..................@..@.reloc..|.....2......82.............@..B........................................................................................................................................................................................................................................................
            C:\Users\user\AppData\Local\eQL\WTSAPI32.dll
            Process:C:\Windows\explorer.exe
            File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
            Category:dropped
            Size (bytes):2109440
            Entropy (8bit):3.583321391509454
            Encrypted:false
            SSDEEP:12288:aVI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1:HfP7fWsK5z9A+WGAW+V5SB6Ct4bnb
            MD5:4FBEA39A2FFB22CDAEB407491596D80B
            SHA1:EB0102854221347A1F395685A8B10591F0A7A275
            SHA-256:ABF264AEB0738742100E969CAFC9328B84070A69D87CF920CE1A83628E13D47D
            SHA-512:E72BDBFE7B1CA46C9003AEACC1CB3B2BF766D1F8BD915DC5DEA965A44554F08299816E7E5ECA11D71BF10EBE4C6418126ED1CAD2934DC30279A3B74A75B39247
            Malicious:false
            Reputation:unknown
            Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............|...|...|....K.#}...'...}......{}....X.#}....f..|....g..}..*...a|.......}....N..}..*...E}..[.I.E|...'..U}....N.+}..[.K.P|..[.K./}...I.h}..u.Y.k|.......|..W"...|..b.L.t|...|...}......N|..2%...|..Rich.|..............................................................................................................PE..d.)..DN^.........." ................p..........@.............................0 .....@lx}..b.......................................... ......c..........h.......................$#................................................... ...............................text............................... ..`.rdata..,O... ...P... ..............@..@.data....x...p.......p..............@....pdata..,...........................A..@.rsrc...............................@..@.reloc..$#.......0..................@..B.qkm....J....@.......@..............@..@.cvjb...f...
            C:\Users\user\AppData\Local\eQL\raserver.exe
            Process:C:\Windows\explorer.exe
            File Type:PE32+ executable (GUI) x86-64, for MS Windows
            Category:dropped
            Size (bytes):128000
            Entropy (8bit):5.845576104002147
            Encrypted:false
            SSDEEP:3072:KPtuXlMcmw7mMH/5+fDxE/loYJZFr3kzH:plMcmzMH/5Sy/loYJZFSH
            MD5:DE2022F0B86E33875D8A40B65550CFEB
            SHA1:391DDE6C03A58D0FC0B4BF5AF46BD181584936C2
            SHA-256:95470F8DE7666C026DB37D2A754085BA3832358C422D6218126D293A67B2F60E
            SHA-512:903A9B137715B114D861BED86E4CAEB9772455DA6749E40C0DDA9758DEE5BDDF0DB3FB46B484556DD55162294C97A399105E3C3E8FDFC0D63F9A8967F99EDDAA
            Malicious:false
            Reputation:unknown
            Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..................u.....................3...............Rich..................PE..d....Z............"................. ..........@.............................@.......u....`.......... ......................................p............6...................0..........T...........................0D..............0E..X......@....................text............................... ..`.rdata......0......................@..@.data... ...........................@....pdata..............................@..@.didat..............................@....rsrc....6.......8..................@..@.reloc.......0......................@..B........................................................................................................................................................................................................................
            C:\Users\user\AppData\Local\jYs4ma0u\ACTIVEDS.dll
            Process:C:\Windows\explorer.exe
            File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
            Category:dropped
            Size (bytes):2109440
            Entropy (8bit):3.5780991878185837
            Encrypted:false
            SSDEEP:12288:oVI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1:9fP7fWsK5z9A+WGAW+V5SB6Ct4bnb
            MD5:9E70F06EEB43B7684995C76AFF5E3B6F
            SHA1:3245C9D942678CAA6CC3B3FE91B84B8BBA961B0B
            SHA-256:8BADF14EA6C4EC41342CAB9CA944EA6D1CA4B76E3A65DFA11E94736B78E4E16F
            SHA-512:0FE463B9EDF9E3723E5E738F9D417D9CED2FE8D85BBC4CDA67CFA4FC02FE5835F9DC2CD0F126912343E5D314C2C3F6D4536D66EAD905A3AC827680373A6C4F39
            Malicious:true
            Antivirus:
            • Antivirus: Avira, Detection: 100%
            • Antivirus: Joe Sandbox ML, Detection: 100%
            Reputation:unknown
            Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............|...|...|....K.#}...'...}......{}....X.#}....f..|....g..}..*...a|.......}....N..}..*...E}..[.I.E|...'..U}....N.+}..[.K.P|..[.K./}...I.h}..u.Y.k|.......|..W"...|..b.L.t|...|...}......N|..2%...|..Rich.|..............................................................................................................PE..d.)..DN^.........." ................p..........@.............................0 .....@lx}..b.......................................... .y....c..........h.......................$#................................................... ...............................text............................... ..`.rdata..,O... ...P... ..............@..@.data....x...p.......p..............@....pdata..,...........................A..@.rsrc...............................@..@.reloc..$#.......0..................@..B.qkm....J....@.......@..............@..@.cvjb...f...
            C:\Users\user\AppData\Local\jYs4ma0u\SppExtComObj.Exe
            Process:C:\Windows\explorer.exe
            File Type:PE32+ executable (GUI) x86-64, for MS Windows
            Category:dropped
            Size (bytes):577024
            Entropy (8bit):7.365924302927238
            Encrypted:false
            SSDEEP:12288:KEpKNOQ/1mgFgnHF+2ryqfut4iob3vBzx4PQpIQbwhsi:lpKbbFgl+2Oqfuqiob3JUFs
            MD5:809E11DECADAEBE2454EFEDD620C4769
            SHA1:A121B9FC2010247C65CE8975FE4D88F5E9AC953E
            SHA-256:8906D8D8BCD7C8302A3E56EA2EBD0357748ACC9D3FDA91925609C742384B9CC2
            SHA-512:F78F46437C011C102A9BCEC2A8565EDC75500C9448AC17457FF44D3C8DB1980F772C0D1546F1DEE0F8A6F2C7273A5A915860B768DE9BB24EBEFE2907CE18B0DF
            Malicious:false
            Reputation:unknown
            Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......%.].a.3.a.3.a.3.h.u.3...6.`.3...7.t.3...2.n.3.a.2...3...=.r.3...0.e.3....`.3...1.`.3.Richa.3.........PE..d...b.............".................0..........@................CS P................3................ .......................................Y..h................J......................T............................S...............z..`............................text............................... ..`?g_Encry.-.......................... ..`.rdata..._.......`..................@..@.data........p.......V..............@....pdata...J.......L...d..............@..@.rsrc...............................@..@.reloc..............................@..B................................................................................................................................................................................................................................
            C:\Users\user\AppData\Local\yoY8Y\XmlLite.dll
            Process:C:\Windows\explorer.exe
            File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
            Category:dropped
            Size (bytes):2109440
            Entropy (8bit):3.576064881611147
            Encrypted:false
            SSDEEP:12288:fVI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1:WfP7fWsK5z9A+WGAW+V5SB6Ct4bnb
            MD5:960BA4F38C3F96CA6C088B732D12F98D
            SHA1:2282B2027E83696813DAE22FA050CBEE25641814
            SHA-256:60843D78DAAA68AB9F7A82D127138C6E67DD47F2CA7C1C47820CAD85FFA4879F
            SHA-512:E709B8EF755F827DC853BDD5DD69FE2863B1918FF9EED50815DC347D71236F8B1292ADFD176E4CE948192B34AECCD6F3BDF3B700ED241F7EDB79F37EE006F42B
            Malicious:false
            Reputation:unknown
            Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............|...|...|....K.#}...'...}......{}....X.#}....f..|....g..}..*...a|.......}....N..}..*...E}..[.I.E|...'..U}....N.+}..[.K.P|..[.K./}...I.h}..u.Y.k|.......|..W"...|..b.L.t|...|...}......N|..2%...|..Rich.|..............................................................................................................PE..d.)..DN^.........." ................p..........@.............................0 .....@lx}..b.......................................... ......c..........h.......................$#................................................... ...............................text............................... ..`.rdata..,O... ...P... ..............@..@.data....x...p.......p..............@....pdata..,...........................A..@.rsrc...............................@..@.reloc..$#.......0..................@..B.qkm....J....@.......@..............@..@.cvjb...f...
            C:\Users\user\AppData\Local\yoY8Y\ddodiag.exe
            Process:C:\Windows\explorer.exe
            File Type:PE32+ executable (GUI) x86-64, for MS Windows
            Category:dropped
            Size (bytes):37888
            Entropy (8bit):5.0324146638870335
            Encrypted:false
            SSDEEP:768:Ii5tlKBaheiGK/hc3aZkLmMgMaouZl6i9Kott/D:/C0heiGK/hc3aZkLmMgMaouZl6i9t/D
            MD5:3CE911D7C12A2EFA9108514013BD17FE
            SHA1:2F739BD7731932A0BF13A3B8526FC867EC41C63E
            SHA-256:FC55CB5FF243496B039D3DB181BD846BDD38D11C7D52E4BA20D882B65FBE1C3B
            SHA-512:33F4FD94916DB3F0BC4E138DD88125D9B45108F7EECFDE0A54BE1901F4BE3F1966BC0FE9278A919A3D94AEC53A8269ACA9451EBA7D53C82BF64CC215522AD78E
            Malicious:false
            Reputation:unknown
            Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......X.=...S...S...S.s.P...S.s.W...S.s.V...S.s.R...S...R.$.S.s.Z...S.s....S.s.Q...S.Rich..S.........PE..d...~3............"......&...p......p/.........@.....................................q....`.......... .......................................~..d.......p.......................(...`z..T........................... E.............. F...............................text...P%.......&.................. ..`.rdata.."D...@...F...*..............@..@.data................p..............@....pdata..............................@..@.rsrc...p...........................@..@.reloc..(...........................@..B................................................................................................................................................................................................................................................................................
            C:\Users\user\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-3853321935-2125563209-4053062332-1002\414045e2d09286d5db2581e0d955d358_d06ed635-68f6-4e9a-955c-4899f5f57b9a
            Process:C:\Windows\explorer.exe
            File Type:data
            Category:dropped
            Size (bytes):4442
            Entropy (8bit):5.464429481363534
            Encrypted:false
            SSDEEP:48:F3sV8UzB4ghZgNEDJN5G/3sV8Uwfg5p+sDw/RsSUZQKrt:F3sV8a26iQm3sV8SWsDOJ0Z
            MD5:F8E3EE8D7E508146B4D4A69987A397E0
            SHA1:117280869E2C01839C86F013FED869887721D73B
            SHA-256:B1C8DC44B2B3A83A1B831665D934AABEA14BE2F52C02D859C9728A1ED3AB64FB
            SHA-512:4835D8A9F18EA4755A5BDCB3D04F315BB9E528F90394CEE9C274F7188A5B59922ACD6088EDE6DA7CCFF9D7611CBF3A4E14AF8FD85D0EFC3F3760866B879BCABB
            Malicious:false
            Reputation:unknown
            Preview: ........................................user.........................................user.....................RSA1................1P...v.........@..|V..3..>.}.&....E. ..G .pd?...l..w.....!.W.}.......c9>T4.:...@....'SI...x.7.e.J......8.p..|....p]. .........................z..O......A\..1..F..:M...F....,...C.r.y.p.t.o.A.P.I. .P.r.i.v.a.t.e. .K.e.y....f...... ....E#^.C.I...^0..rRQ2..................... ...`....#.$.......9. ........0.................X..........p.......X-.....Qx.s......{..@.........6w..N....>3Dp.Q...!.^....K.-q7.......`.....WOp..v$K.R..Y.1..U...cj.r`...^.1|_. X..).:.U^.SF.O=.....P;....w.zz.FV...h.)...0.O.&....i...#..... 6.W~.I.N\q.+.C.....>...S.....Y..].g.t.8.x... }..H..o..gC...9.>T:R....Oa]........,"..M..R%..b.L.....#..!i...5jTIp).$t&+.Ip..Jj...3.B.F.F...gv.o...J...n:..t....E..@........kR.q6...T!.....v ?~..s7.....LW=I.?.Iu!....s..VH....T|+/...t..F.......d.l.f..y.......$...|*...X....l...@..O}....Gi....Y+Z....q.(.5...%...+c.+3f+..
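The eight dropped files above come in four pairs. In each randomly named directory under %LOCALAPPDATA% a Windows executable (SnippingTool.exe, raserver.exe, SppExtComObj.Exe, ddodiag.exe) sits next to a 2109440-byte DLL that carries the name of a DLL shipped in System32 (OLEACC, WTSAPI32, ACTIVEDS, XmlLite). That is the layout a DLL search-order hijack relies on: the benign EXE resolves the DLL from its own directory before the system copy. The four DLLs have distinct MD5s, yet their ssdeep signatures differ by a single character in each chunk hash, and the submitted sample matches them the same way; only one of them (ACTIVEDS.dll) carries an antivirus hit in the records above. The Python below is an added example, not part of the Joe Sandbox report, that pairs the records by directory and clusters the DLLs by fuzzy-hash similarity. Paths, sizes and ssdeep strings are transcribed from the records above; the similarity score is a difflib-based stand-in for the real ssdeep comparison and is indicative only.

```python
"""Triage of the dropped-file list above: pair each dropped EXE with the DLL
dropped beside it and cluster the DLLs by fuzzy-hash similarity."""
import difflib
from collections import defaultdict

# (path, size, ssdeep) transcribed from the dropped-files records above.
DROPPED = [
    (r"C:\Users\user\AppData\Local\S8mrk1\OLEACC.dll", 2109440,
     "12288:qVI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1:3fP7fWsK5z9A+WGAW+V5SB6Ct4bnb"),
    (r"C:\Users\user\AppData\Local\S8mrk1\SnippingTool.exe", 3292160,
     "24576:+oNva52v20/OB1b1v+YMTvlcZbbAbn3ItpG:VNtv20/OB1hXulc10L4tp"),
    (r"C:\Users\user\AppData\Local\eQL\WTSAPI32.dll", 2109440,
     "12288:aVI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1:HfP7fWsK5z9A+WGAW+V5SB6Ct4bnb"),
    (r"C:\Users\user\AppData\Local\eQL\raserver.exe", 128000,
     "3072:KPtuXlMcmw7mMH/5+fDxE/loYJZFr3kzH:plMcmzMH/5Sy/loYJZFSH"),
    (r"C:\Users\user\AppData\Local\jYs4ma0u\ACTIVEDS.dll", 2109440,
     "12288:oVI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1:9fP7fWsK5z9A+WGAW+V5SB6Ct4bnb"),
    (r"C:\Users\user\AppData\Local\jYs4ma0u\SppExtComObj.Exe", 577024,
     "12288:KEpKNOQ/1mgFgnHF+2ryqfut4iob3vBzx4PQpIQbwhsi:lpKbbFgl+2Oqfuqiob3JUFs"),
    (r"C:\Users\user\AppData\Local\yoY8Y\XmlLite.dll", 2109440,
     "12288:fVI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1:WfP7fWsK5z9A+WGAW+V5SB6Ct4bnb"),
    (r"C:\Users\user\AppData\Local\yoY8Y\ddodiag.exe", 37888,
     "768:Ii5tlKBaheiGK/hc3aZkLmMgMaouZl6i9Kott/D:/C0heiGK/hc3aZkLmMgMaouZl6i9t/D"),
]
# ssdeep of the submitted sample, from Static File Info.
SAMPLE_SSDEEP = "12288:LVI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1:KfP7fWsK5z9A+WGAW+V5SB6Ct4bnb"


def split_path(path):
    """Split a Windows path into (directory, filename) regardless of host OS."""
    directory, _, name = path.rpartition("\\")
    return directory, name


def sideload_pairs(records):
    """(exe, dll) pairs that share a directory: a benign EXE dropped next to a DLL
    carrying a System32 DLL's name is the layout search-order hijacking needs."""
    by_dir = defaultdict(lambda: {"exe": [], "dll": []})
    for path, _size, _sig in records:
        directory, name = split_path(path)
        ext = name.rsplit(".", 1)[-1].lower()
        if ext in ("exe", "dll"):
            by_dir[directory][ext].append(name)
    return sorted((exe, dll) for d in by_dir.values()
                  for exe in d["exe"] for dll in d["dll"])


def ssdeep_parts(sig):
    """Split 'blocksize:hash1:hash2' into its three fields."""
    block, h1, h2 = sig.split(":", 2)
    return int(block), h1, h2


def chunk_similarity(sig_a, sig_b):
    """Crude stand-in for ssdeep's comparison (0..100): signatures are comparable
    only at the same block size; each chunk hash is scored with difflib and the
    better score wins. Indicative only, not the real ssdeep score."""
    ba, a1, a2 = ssdeep_parts(sig_a)
    bb, b1, b2 = ssdeep_parts(sig_b)
    if ba != bb:
        return 0
    return round(100 * max(difflib.SequenceMatcher(None, a1, b1).ratio(),
                           difflib.SequenceMatcher(None, a2, b2).ratio()))


def dll_clusters(records, threshold=90):
    """Group dropped DLLs whose signatures score >= threshold against a cluster
    representative: same payload re-encoded per drop to defeat exact-hash matching."""
    clusters = []
    for path, size, sig in records:
        if not path.lower().endswith(".dll"):
            continue
        for c in clusters:
            if chunk_similarity(sig, c["sig"]) >= threshold:
                c["members"].append(path)
                c["sizes"].add(size)
                break
        else:
            clusters.append({"sig": sig, "members": [path], "sizes": {size}})
    return clusters


def matches_sample(records, sample_sig, threshold=90):
    """Dropped DLLs that look like re-encodings of the submitted sample."""
    return [p for p, _s, sig in records
            if p.lower().endswith(".dll") and chunk_similarity(sig, sample_sig) >= threshold]


if __name__ == "__main__":
    for exe, dll in sideload_pairs(DROPPED):
        print(f"side-load candidate: {exe} -> {dll}")
    for c in dll_clusters(DROPPED):
        print(f"cluster of {len(c['members'])} DLLs, sizes {sorted(c['sizes'])}")
    print("DLLs matching the sample:", len(matches_sample(DROPPED, SAMPLE_SSDEEP)))
```

On a live host the same pairing works over a directory walk of %LOCALAPPDATA%: any EXE with a Microsoft version resource sitting next to a DLL whose name exists in System32 deserves a hash comparison against the real System32 copy.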

            Static File Info

            General

            File type:PE32+ executable (DLL) (console) x86-64, for MS Windows
            Entropy (8bit):3.58956560239292
            TrID:
            • Win64 Dynamic Link Library (generic) (102004/3) 86.43%
            • Win64 Executable (generic) (12005/4) 10.17%
            • Generic Win/DOS Executable (2004/3) 1.70%
            • DOS Executable Generic (2002/1) 1.70%
            • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.01%
            File name:yWteP7e12z.dll
            File size:2105344
            MD5:a75be08d11b5028b6e0fa8be59676599
            SHA1:c47a48e04dc10641df07dba7dbbb73602e6615aa
            SHA256:7500211dd9ce4e45664ae07e4eb58ca361c4551f1c2b52d00bb0da547e9cdc2a
            SHA512:444d9ddbdbfac48953e01df6ed9376a78de22f6ae5d8155e5325a8482c228f96c099985ac4b9fd2e5447090380e535bdad59f59b7ebfa20578cd2038262a53b8
            SSDEEP:12288:LVI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1:KfP7fWsK5z9A+WGAW+V5SB6Ct4bnb
            File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............|...|...|....K.#}...'...}......{}....X.#}....f..|....g..}..*...a|.......}....N..}..*...E}..[.I.E|...'..U}....N.+}..[.K.P|.

            File Icon

            Icon Hash:74f0e4ecccdce0e4

            Static PE Info

            General

            Entrypoint:0x140041070
            Entrypoint Section:.text
            Digitally signed:false
            Imagebase:0x140000000
            Subsystem:windows cui
            Image File Characteristics:EXECUTABLE_IMAGE, DLL, LARGE_ADDRESS_AWARE
            DLL Characteristics:TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA
            Time Stamp:0x5E4E44CC [Thu Feb 20 08:35:24 2020 UTC]
            TLS Callbacks:
            CLR (.Net) Version:
            OS Version Major:5
            OS Version Minor:0
            File Version Major:5
            File Version Minor:0
            Subsystem Version Major:5
            Subsystem Version Minor:0
            Import Hash:6668be91e2c948b183827f040944057f

            Entrypoint Preview

            Instruction (listing as produced by the sandbox, which decoded this x86-64 entry point as 32-bit code: the leading dec eax, dec esp, inc ecx and inc esp are not instructions but the REX prefixes 0x48, 0x4C, 0x41 and 0x44 of the 64-bit instructions that follow, and the absolute dword ptr [00073D82h]-style operands are RIP-relative displacements in 64-bit mode; re-disassemble the bytes at 0x140041070 in 64-bit mode before drawing conclusions from this listing)
            dec eax
            xor eax, eax
            dec eax
            add eax, 5Ah
            dec eax
            mov dword ptr [00073D82h], ecx
            dec eax
            lea ecx, dword ptr [FFFFECABh]
            dec eax
            mov dword ptr [00073D7Ch], edx
            dec eax
            add eax, ecx
            dec esp
            mov dword ptr [00073D92h], ecx
            dec esp
            mov dword ptr [00073DA3h], ebp
            dec esp
            mov dword ptr [00073D7Ch], eax
            dec esp
            mov dword ptr [00073D85h], edi
            dec esp
            mov dword ptr [00073D86h], esi
            dec esp
            mov dword ptr [00073D8Fh], esp
            dec eax
            mov ecx, eax
            dec eax
            sub ecx, 5Ah
            dec eax
            mov dword ptr [00073D89h], esi
            dec eax
            test eax, eax
            je 00007FEB80B363DFh
            dec eax
            mov dword ptr [00073D45h], esp
            dec eax
            mov dword ptr [00073D36h], ebp
            dec eax
            mov dword ptr [00073D7Fh], ebx
            dec eax
            mov dword ptr [00073D70h], edi
            dec eax
            test eax, eax
            je 00007FEB80B363BEh
            jmp ecx
            dec eax
            add edi, ecx
            dec eax
            mov dword ptr [FFFFEC37h], ecx
            dec eax
            xor ecx, eax
            jmp ecx
            retn 0008h
            ud2
            int3
            int3
            int3
            int3
            int3
            int3
            int3
            int3
            int3
            int3
            int3
            int3
            int3
            push ebx
            dec eax
            sub esp, 00000080h
            mov eax, F957B016h
            mov byte ptr [esp+7Fh], 00000037h
            mov edx, dword ptr [esp+78h]
            inc ecx
            mov eax, edx
            inc ecx
            or eax, 5D262B0Ch
            inc esp
            mov dword ptr [esp+78h], eax
            dec eax
            mov dword ptr [eax+eax+00h], 00000000h

            Rich Headers

            Programming Language:
            • [LNK] VS2012 UPD4 build 61030
            • [ASM] VS2013 UPD2 build 30501
            • [ C ] VS2012 UPD2 build 60315
            • [C++] VS2013 UPD4 build 31101
            • [RES] VS2012 UPD3 build 60610
            • [LNK] VS2017 v15.5.4 build 25834
            • [ C ] VS2017 v15.5.4 build 25834
            • [ASM] VS2010 build 30319
            • [EXP] VS2015 UPD1 build 23506
            • [IMP] VS2008 SP1 build 30729
            • [RES] VS2012 UPD4 build 61030
            • [LNK] VS2012 UPD2 build 60315
            • [C++] VS2015 UPD1 build 23506
            • [ C ] VS2013 UPD4 build 31101

            Data Directories

            Name                                  | Virtual Address | Virtual Size | Is in Section
            --------------------------------------|-----------------|--------------|--------------
            IMAGE_DIRECTORY_ENTRY_EXPORT          | 0x201010        | 0x9bd        | .fcbpa
            IMAGE_DIRECTORY_ENTRY_IMPORT          | 0xa6390         | 0xa0         | .rdata
            IMAGE_DIRECTORY_ENTRY_RESOURCE        | 0xc0000         | 0x468        | .rsrc
            IMAGE_DIRECTORY_ENTRY_EXCEPTION       | 0x0             | 0x0          |
            IMAGE_DIRECTORY_ENTRY_SECURITY        | 0x0             | 0x0          |
            IMAGE_DIRECTORY_ENTRY_BASERELOC       | 0xc1000         | 0x2324       | .reloc
            IMAGE_DIRECTORY_ENTRY_DEBUG           | 0x0             | 0x0          |
            IMAGE_DIRECTORY_ENTRY_COPYRIGHT       | 0x0             | 0x0          |
            IMAGE_DIRECTORY_ENTRY_GLOBALPTR       | 0x0             | 0x0          |
            IMAGE_DIRECTORY_ENTRY_TLS             | 0x0             | 0x0          |
            IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     | 0x0             | 0x0          |
            IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    | 0x0             | 0x0          |
            IMAGE_DIRECTORY_ENTRY_IAT             | 0x42000         | 0xc0         | .rdata
            IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    | 0x0             | 0x0          |
            IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  | 0x0             | 0x0          |
            IMAGE_DIRECTORY_ENTRY_RESERVED        | 0x0             | 0x0          |

            Sections

            Name    | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type          | Entropy        | Characteristics
            --------|-----------------|--------------|----------|----------|-----------------|--------------------|----------------|----------------
            .text   | 0x1000          | 0x40796      | 0x41000  | False    | 0.776085486779  | data               | 7.73364605679  | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
            .rdata  | 0x42000         | 0x64f2c      | 0x65000  | False    | 0.702390160891  | data               | 7.86574512659  | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
            .data   | 0xa7000         | 0x178b8      | 0x18000  | False    | 0.0694580078125 | data               | 3.31515306295  | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
            .pdata  | 0xbf000         | 0x12c        | 0x1000   | False    | 0.06005859375   | PEX Binary Archive | 0.581723022719 | IMAGE_SCN_TYPE_DSECT, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
            .rsrc   | 0xc0000         | 0x880        | 0x1000   | False    | 0.139892578125  | data               | 1.23838501563  | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
            .reloc  | 0xc1000         | 0x2324       | 0x3000   | False    | 0.0498046875    | data               | 4.65321444248  | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
            .qkm    | 0xc4000         | 0x74a        | 0x1000   | False    | 0.00634765625   | data               | 0.0            | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
            .cvjb   | 0xc5000         | 0x1e66       | 0x2000   | False    | 0.0037841796875 | data               | 0.0            | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
            .tlmkv  | 0xc7000         | 0xbde        | 0x1000   | False    | 0.00634765625   | data               | 0.0            | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
            .wucsxe | 0xc8000         | 0x45174      | 0x46000  | False    | 0.0010498046875 | data               | 0.0            | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
            .fltwtj | 0x10e000        | 0x1267       | 0x2000   | False    | 0.0037841796875 | data               | 0.0            | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
            .sfplio | 0x110000        | 0x736        | 0x1000   | False    | 0.00634765625   | data               | 0.0            | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
            .rpg    | 0x111000        | 0x45174      | 0x46000  | False    | 0.0010498046875 | data               | 0.0            | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
            .bewzc  | 0x157000        | 0x1124       | 0x2000   | False    | 0.0037841796875 | data               | 0.0            | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
            .vksvaw | 0x159000        | 0x736        | 0x1000   | False    | 0.00634765625   | data               | 0.0            | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
            .wmhg   | 0x15a000        | 0x1278       | 0x2000   | False    | 0.0037841796875 | data               | 0.0            | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
            .kswemc | 0x15c000        | 0x36d        | 0x1000   | False    | 0.00634765625   | data               | 0.0            | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
            .kaxfk  | 0x15d000        | 0x197d       | 0x2000   | False    | 0.0037841796875 | data               | 0.0            | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
            .wualk  | 0x15f000        | 0xbde        | 0x1000   | False    | 0.00634765625   | data               | 0.0            | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
            .qwqp   | 0x160000        | 0x389        | 0x1000   | False    | 0.00634765625   | data               | 0.0            | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
            .txp    | 0x161000        | 0x8fe        | 0x1000   | False    | 0.00634765625   | data               | 0.0            | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
            .ezxpm  | 0x162000        | 0x13e        | 0x1000   | False    | 0.00634765625   | data               | 0.0            | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
            .kdkmc  | 0x163000        | 0x736        | 0x1000   | False    | 0.00634765625   | data               | 0.0            | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
            .vwqjj  | 0x164000        | 0x23b        | 0x1000   | False    | 0.00634765625   | data               | 0.0            | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
            .ute    | 0x165000        | 0x9cd        | 0x1000   | False    | 0.00634765625   | data               | 0.0            | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
            .hzotrb | 0x166000        | 0x3ba        | 0x1000   | False    | 0.00634765625   | data               | 0.0            | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
            .mkb    | 0x167000        | 0x1278       | 0x2000   | False    | 0.0037841796875 | data               | 0.0            | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
            .plbi   | 0x169000        | 0x23b        | 0x1000   | False    | 0.00634765625   | data               | 0.0            | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
            .dmwl   | 0x16a000        | 0x2da        | 0x1000   | False    | 0.00634765625   | data               | 0.0            | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
            .qorltm | 0x16b000        | 0x141        | 0x1000   | False    | 0.00634765625   | data               | 0.0            | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
            .ubg    | 0x16c000        | 0xbde        | 0x1000   | False    | 0.00634765625   | data               | 0.0            | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
            .lhm    | 0x16d000        | 0x1f2a       | 0x2000   | False    | 0.0037841796875 | data               | 0.0            | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
            .wojiyd | 0x16f000        | 0x736        | 0x1000   | False    | 0.00634765625   | data               | 0.0            | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
            .ekv    | 0x170000        | 0x389        | 0x1000   | False    | 0.00634765625   | data               | 0.0            | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
            .vmf    | 0x171000        | 0x13e        | 0x1000   | False    | 0.00634765625   | data               | 0.0            | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
            .rqv    | 0x172000        | 0x197d       | 0x2000   | False    | 0.0037841796875 | data               | 0.0            | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
            .rseab  | 0x174000        | 0x543        | 0x1000   | False    | 0.00634765625   | data               | 0.0            | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
            .pxtlo  | 0x175000        | 0x45174      | 0x46000  | False    | 0.0010498046875 | data               | 0.0            | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
            .nri    | 0x1bb000        | 0x45174      | 0x46000  | False    | 0.0010498046875 | data               | 0.0            | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
            .fcbpa  | 0x201000        | 0x9cd        | 0x1000   | False    | 0.323974609375  | data               | 4.02720598472  | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
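The section table above is what the overview's "PE file contains section with special chars" and "PE file contains sections with non-standard names" signatures are derived from: two high-entropy sections (.text at 7.73 bits per byte, .rdata at 7.87) are followed by 34 sections with generated names, 33 of which are zero-entropy filler, and the export directory lives in the last of them (.fcbpa, see Data Directories) rather than in .rdata. The Python below is an added example, not code from the report or from the sandbox, showing how those columns and flags are computed without third-party libraries. It builds a constructed three-section PE32+ image in memory (the names .qkm and .fcbpa are borrowed from the table; the bytes are synthetic, not the sample's) and runs the triage over it; point `triage()` at a real file's bytes to reproduce the table for any PE.

```python
"""Dependency-free PE section triage: parse the section table, compute each
section's 8-bit entropy and flag what the static section table shows
(generated section names, zero-entropy filler, export directory in an odd place)."""
import hashlib
import math
import struct

STANDARD_SECTIONS = {".text", ".rdata", ".data", ".pdata", ".rsrc", ".reloc",
                     ".idata", ".edata", ".tls", ".bss", ".didat", ".xdata"}
IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000020, 0x00000040
IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ = 0x20000000, 0x40000000


def entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte; 0.0 for empty or constant data."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return 0.0 - sum(c / n * math.log2(c / n) for c in counts if c)


def parse_sections(image: bytes):
    """Return the section headers (with entropy of their raw bytes) and the
    export directory RVA. Handles PE32 and PE32+ (data directories start at
    optional-header offset 96 or 112 respectively)."""
    (e_lfanew,) = struct.unpack_from("<I", image, 0x3C)
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    coff = e_lfanew + 4
    (nsec,) = struct.unpack_from("<H", image, coff + 2)
    (opt_size,) = struct.unpack_from("<H", image, coff + 16)
    opt = coff + 20
    (magic,) = struct.unpack_from("<H", image, opt)
    export_rva, _export_size = struct.unpack_from("<II", image, opt + (112 if magic == 0x20B else 96))
    sections = []
    for i in range(nsec):
        hdr = struct.unpack_from("<8sIIIIIIHHI", image, opt + opt_size + 40 * i)
        name, vsize, va, rawsize, rawptr, chars = hdr[0], hdr[1], hdr[2], hdr[3], hdr[4], hdr[9]
        raw = image[rawptr:rawptr + rawsize] if rawptr else b""
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "va": va, "vsize": vsize, "rawsize": rawsize, "chars": chars,
                         "entropy": round(entropy(raw), 3)})
    return sections, export_rva


def section_for_rva(sections, rva):
    """Name of the section whose virtual range contains rva, or None."""
    for s in sections:
        if s["va"] <= rva < s["va"] + max(s["vsize"], s["rawsize"]):
            return s["name"]
    return None


def triage(image: bytes):
    """Flags modelled on the sandbox's section-related signatures."""
    sections, export_rva = parse_sections(image)
    return sections, {
        "nonstandard_names": [s["name"] for s in sections if s["name"] not in STANDARD_SECTIONS],
        "zero_entropy": [s["name"] for s in sections if s["rawsize"] and s["entropy"] == 0.0],
        "packed_code": [s["name"] for s in sections
                        if s["chars"] & IMAGE_SCN_CNT_CODE and s["entropy"] > 7.0],
        "export_dir_section": section_for_rva(sections, export_rva) if export_rva else None,
    }


def _pseudo_random(n: int, seed: bytes = b"constructed sample") -> bytes:
    """Deterministic high-entropy filler (SHA-256 chain) standing in for packed code."""
    out, h = b"", seed
    while len(out) < n:
        h = hashlib.sha256(h).digest()
        out += h
    return out[:n]


def build_sample_pe() -> bytes:
    """Constructed PE32+ DLL with three sections shaped like the table above:
    high-entropy .text, zero filler .qkm, and .fcbpa holding the export
    directory. Synthetic bytes, not the analysed sample."""
    FILE_ALIGN, SECT_ALIGN = 0x200, 0x1000
    specs = [  # (name, characteristics, raw data)
        (b".text", IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ, _pseudo_random(0x1000)),
        (b".qkm", IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ, bytes(FILE_ALIGN)),
        (b".fcbpa", IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ, (b"EXPORTS " * 64)[:FILE_ALIGN]),
    ]
    dos = b"MZ" + bytes(0x3A) + struct.pack("<I", 0x40)                       # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x8664, len(specs), 0, 0, 0, 240, 0x2022)  # x64, EXECUTABLE|DLL|LAA
    opt = bytearray(240)
    struct.pack_into("<H", opt, 0, 0x20B)                                     # PE32+ magic
    struct.pack_into("<Q", opt, 24, 0x140000000)                              # ImageBase
    struct.pack_into("<II", opt, 32, SECT_ALIGN, FILE_ALIGN)                  # Section/File alignment
    struct.pack_into("<II", opt, 112, 0x3010, 0x40)                           # export dir RVA/size -> .fcbpa
    first_raw = -(-(len(dos) + 4 + len(coff) + len(opt) + 40 * len(specs)) // FILE_ALIGN) * FILE_ALIGN
    hdrs, body, va, raw_ptr = b"", b"", SECT_ALIGN, first_raw
    for name, chars, data in specs:
        hdrs += struct.pack("<8sIIIIIIHHI", name.ljust(8, b"\0"), len(data), va,
                            len(data), raw_ptr, 0, 0, 0, 0, chars)
        body += data
        va, raw_ptr = va + SECT_ALIGN, raw_ptr + len(data)
    return (dos + b"PE\0\0" + coff + bytes(opt) + hdrs).ljust(first_raw, b"\0") + body


if __name__ == "__main__":
    secs, flags = triage(build_sample_pe())
    for s in secs:
        print(f"{s['name']:<8} va=0x{s['va']:x} raw=0x{s['rawsize']:x} entropy={s['entropy']}")
    print(flags)
```

The thresholds are the usual rules of thumb: entropy above about 7.0 in a code section points at packed or encrypted content, and 0.0 means the raw bytes are a single value, which for 33 sections totalling well over a megabyte here is padding to inflate the file rather than data the loader needs.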

            Resources

            Name        | RVA     | Size  | Type                                   | Language | Country
            ------------|---------|-------|----------------------------------------|----------|--------------
            RT_VERSION  | 0xc00a0 | 0x370 | data                                   | English  | United States
            RT_MANIFEST | 0xc0410 | 0x56  | ASCII text, with CRLF line terminators | English  | United States

            Imports

            DLL          | Import
            -------------|-------
            USER32.dll   | LookupIconIdFromDirectoryEx, WaitForInputIdle, GetParent, GetFocus
            SETUPAPI.dll | CM_Get_Resource_Conflict_DetailsW
            KERNEL32.dll | DeleteCriticalSection, DeleteTimerQueue, TerminateJobObject, GetFileInformationByHandle, GetThreadLocale, GetNamedPipeServerProcessId, GetConsoleFontSize
            GDI32.dll    | CreateBitmapIndirect, GetPolyFillMode
            CRYPT32.dll  | CertGetCTLContextProperty
            ADVAPI32.dll | AddAccessDeniedObjectAce
            SHLWAPI.dll  | ChrCmpIW
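The Import Hash listed under Static PE Info (6668be91e2c948b183827f040944057f) is computed from this import table, and it is the pivot used to find other builds of the same loader whose file hashes differ. The Python below is an added example, not code from the report, that implements the imphash definition introduced by Mandiant and used by pefile's get_imphash(): every import becomes lowercase `dll.function` with the .dll/.ocx/.sys extension stripped, entries are kept in IAT order, joined with commas and hashed with MD5. The import list is transcribed from the table above; whether the result equals the report's value depends on that table listing the imports in IAT order, which the report does not state, so compare rather than assume. Ordinal-only imports are rendered as `ordN` here; pefile additionally maps known ordinals to names for a few DLLs, which this example does not reproduce.

```python
"""Import hash (imphash) from an import table, following pefile's get_imphash():
lowercase 'dll.function', DLL extension stripped, IAT order preserved, MD5 of the
comma-joined list."""
import hashlib

# Import table transcribed from the report above, in the order listed.
IMPORTS = [
    ("USER32.dll", ["LookupIconIdFromDirectoryEx", "WaitForInputIdle", "GetParent", "GetFocus"]),
    ("SETUPAPI.dll", ["CM_Get_Resource_Conflict_DetailsW"]),
    ("KERNEL32.dll", ["DeleteCriticalSection", "DeleteTimerQueue", "TerminateJobObject",
                      "GetFileInformationByHandle", "GetThreadLocale",
                      "GetNamedPipeServerProcessId", "GetConsoleFontSize"]),
    ("GDI32.dll", ["CreateBitmapIndirect", "GetPolyFillMode"]),
    ("CRYPT32.dll", ["CertGetCTLContextProperty"]),
    ("ADVAPI32.dll", ["AddAccessDeniedObjectAce"]),
    ("SHLWAPI.dll", ["ChrCmpIW"]),
]
REPORT_IMPHASH = "6668be91e2c948b183827f040944057f"  # value printed by the sandbox


def normalize_library(dll: str) -> str:
    """Lowercase the module name and drop a .dll/.ocx/.sys extension, as pefile does."""
    lib = dll.lower()
    for ext in (".ocx", ".sys", ".dll"):
        if lib.endswith(ext):
            return lib[:-len(ext)]
    return lib


def imphash_entries(imports):
    """Flatten (dll, [function or ordinal]) pairs into the 'lib.func' tokens that
    are hashed. Integer entries are ordinal-only imports and become 'ordN'
    (pefile also knows ordinal names for a few DLLs; not reproduced here)."""
    entries = []
    for dll, funcs in imports:
        lib = normalize_library(dll)
        for f in funcs:
            name = f"ord{f}" if isinstance(f, int) else f.lower()
            entries.append(f"{lib}.{name}")
    return entries


def imphash(imports) -> str:
    """MD5 over the comma-joined, order-sensitive token list."""
    return hashlib.md5(",".join(imphash_entries(imports)).encode("ascii")).hexdigest()


def matches_report(imports, expected: str = REPORT_IMPHASH) -> bool:
    """True if the listed order reproduces the sandbox's value; False means the
    listing order differs from the IAT order, not that the imports differ."""
    return imphash(imports) == expected.lower()


if __name__ == "__main__":
    print("imphash:", imphash(IMPORTS))
    print("matches report:", matches_report(IMPORTS))
```

Order matters: two binaries importing the same functions in a different IAT order get different imphashes, and case or extension differences in the DLL name do not change it, which is why the normalization step exists.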

            Exports

            Name                                  | Ordinal | Address
            --------------------------------------|---------|------------
            BeginBufferedAnimation                | 37      | 0x14000e1c4
            BeginBufferedPaint                    | 38      | 0x140034960
            BeginPanningFeedback                  | 5       | 0x14000dde8
            BufferedPaintClear                    | 39      | 0x14003e2a0
            BufferedPaintInit                     | 40      | 0x140011420
            BufferedPaintRenderAnimation          | 41      | 0x140027838
            BufferedPaintSetAlpha                 | 42      | 0x14003c940
            BufferedPaintStopAllAnimations        | 51      | 0x14000d880
            BufferedPaintUnInit                   | 52      | 0x14000c8e8
            CloseThemeData                        | 53      | 0x14002b608
            DrawThemeBackground                   | 54      | 0x1400333ec
            DrawThemeBackgroundEx                 | 47      | 0x1400377b0
            DrawThemeEdge                         | 55      | 0x14003fa10
            DrawThemeIcon                         | 56      | 0x1400182a8
            DrawThemeParentBackground             | 57      | 0x14000278c
            DrawThemeParentBackgroundEx           | 58      | 0x140013d80
            DrawThemeText                         | 59      | 0x140013a38
            DrawThemeTextEx                       | 70      | 0x140005e30
            EnableThemeDialogTexture              | 71      | 0x14000d0a0
            EnableTheming                         | 87      | 0x14001596c
            EndBufferedAnimation                  | 88      | 0x140001da4
            EndBufferedPaint                      | 89      | 0x140022970
            EndPanningFeedback                    | 6       | 0x140007acc
            GetBufferedPaintBits                  | 90      | 0x140025dbc
            GetBufferedPaintDC                    | 91      | 0x140009a64
            GetBufferedPaintTargetDC              | 92      | 0x1400116c8
            GetBufferedPaintTargetRect            | 93      | 0x14000ac90
            GetCurrentThemeName                   | 94      | 0x14001e7dc
            GetThemeAppProperties                 | 95      | 0x14000e1e8
            GetThemeBackgroundContentRect         | 96      | 0x14003c528
            GetThemeBackgroundExtent              | 97      | 0x140016f60
            GetThemeBackgroundRegion              | 98      | 0x1400325d0
            GetThemeBitmap                        | 99      | 0x14000efcc
            GetThemeBool                          | 100     | 0x1400253cc
            GetThemeColor                         | 101     | 0x14001af54
            GetThemeDocumentationProperty         | 102     | 0x140007628
            GetThemeEnumValue                     | 103     | 0x140034af4
            GetThemeFilename                      | 104     | 0x14001d0a4
            GetThemeFont                          | 105     | 0x14000446c
            GetThemeInt                           | 106     | 0x1400243b4
            GetThemeIntList                       | 107     | 0x140012d4c
            GetThemeMargins                       | 108     | 0x14003ddf0
            GetThemeMetric                        | 109     | 0x140031c30
            GetThemePartSize                      | 110     | 0x14001aa3c
            GetThemePosition                      | 111     | 0x140027f54
            GetThemePropertyOrigin                | 112     | 0x1400207b0
            GetThemeRect                          | 113     | 0x14000bb50
            GetThemeStream                        | 114     | 0x14001e4bc
            GetThemeString                        | 115     | 0x14003f730
            GetThemeSysBool                       | 116     | 0x140032c84
            GetThemeSysColor                      | 117     | 0x14001a024
            GetThemeSysColorBrush                 | 118     | 0x140009020
            GetThemeSysFont                       | 119     | 0x1400251f0
            GetThemeSysInt                        | 120     | 0x140011e80
            GetThemeSysSize                       | 121     | 0x140021080
            GetThemeSysString                     | 122     | 0x14002c904
            GetThemeTextExtent                    | 123     | 0x1400288cc
            GetThemeTextMetrics                   | 124     | 0x14000db14
            GetThemeTransitionDuration            | 125     | 0x1400028b0
            GetWindowTheme                        | 126     | 0x14002f9c0
            HitTestThemeBackground                | 127     | 0x1400338b8
            IsAppThemed                           | 128     | 0x14001ae64
            IsCompositionActive                   | 129     | 0x14002754c
            IsThemeActive                         | 130     | 0x14002da10
            IsThemeBackgroundPartiallyTransparent | 131     | 0x140014d68
            IsThemeDialogTextureEnabled           | 132     | 0x140014cac
            IsThemePartDefined                    | 133     | 0x140001c1c
            OpenThemeData                         | 134     | 0x14001d6c0
            OpenThemeDataEx                       | 61      | 0x140021568
            SetThemeAppProperties                 | 135     | 0x1400140a4
            SetWindowTheme                        | 136     | 0x14001dd7c
            SetWindowThemeAttribute               | 137     | 0x14002b344
            ThemeInitApiHook                      | 138     | 0x14001a594
            UpdatePanningFeedback                 | 12      | 0x140011150

            Version Infos

            Description      | Data
            -----------------|-----
            LegalCopyright   | Microsoft Corporation. All rights reserv
            InternalName     | bitsp
            FileVersion      | 7.5.7600.16385 (win7_rtm.090713-
            CompanyName      | Microsoft Corporati
            ProductName      | Microsoft Windows Operating S
            ProductVersion   | 6.1.7600
            FileDescription  | Background Intellig
            OriginalFilename | kbdy
            Translation      | 0x0409 0x04b0

            Possible Origin

            Language of compilation system | Country where language is spoken
            -------------------------------|---------------------------------
            English                        | United States

            Network Behavior

            UDP Packets

            Timestamp | Source Port | Dest Port | Source IP | Dest IP
            Sep 29, 2021 01:31:13.054862022 CEST | 54154 | 53 | 192.168.2.3 | 8.8.8.8
            Sep 29, 2021 01:31:13.074254036 CEST | 53 | 54154 | 8.8.8.8 | 192.168.2.3
            Sep 29, 2021 01:31:38.226092100 CEST | 52806 | 53 | 192.168.2.3 | 8.8.8.8
            Sep 29, 2021 01:31:38.263222933 CEST | 53 | 52806 | 8.8.8.8 | 192.168.2.3
            Sep 29, 2021 01:31:59.954021931 CEST | 53910 | 53 | 192.168.2.3 | 8.8.8.8
            Sep 29, 2021 01:32:00.020800114 CEST | 53 | 53910 | 8.8.8.8 | 192.168.2.3
            Sep 29, 2021 01:32:00.988364935 CEST | 64021 | 53 | 192.168.2.3 | 8.8.8.8
            Sep 29, 2021 01:32:01.072475910 CEST | 53 | 64021 | 8.8.8.8 | 192.168.2.3
            Sep 29, 2021 01:32:01.635704041 CEST | 60784 | 53 | 192.168.2.3 | 8.8.8.8
            Sep 29, 2021 01:32:01.723259926 CEST | 53 | 60784 | 8.8.8.8 | 192.168.2.3
            Sep 29, 2021 01:32:02.036216021 CEST | 51143 | 53 | 192.168.2.3 | 8.8.8.8
            Sep 29, 2021 01:32:02.052841902 CEST | 53 | 51143 | 8.8.8.8 | 192.168.2.3
            Sep 29, 2021 01:32:02.466451883 CEST | 56009 | 53 | 192.168.2.3 | 8.8.8.8
            Sep 29, 2021 01:32:02.479648113 CEST | 53 | 56009 | 8.8.8.8 | 192.168.2.3
            Sep 29, 2021 01:32:02.879232883 CEST | 59026 | 53 | 192.168.2.3 | 8.8.8.8
            Sep 29, 2021 01:32:02.892606974 CEST | 53 | 59026 | 8.8.8.8 | 192.168.2.3
            Sep 29, 2021 01:32:03.623147011 CEST | 49572 | 53 | 192.168.2.3 | 8.8.8.8
            Sep 29, 2021 01:32:03.706111908 CEST | 53 | 49572 | 8.8.8.8 | 192.168.2.3
            Sep 29, 2021 01:32:04.821763992 CEST | 60823 | 53 | 192.168.2.3 | 8.8.8.8
            Sep 29, 2021 01:32:04.835903883 CEST | 53 | 60823 | 8.8.8.8 | 192.168.2.3
            Sep 29, 2021 01:32:05.557941914 CEST | 52130 | 53 | 192.168.2.3 | 8.8.8.8
            Sep 29, 2021 01:32:05.580034971 CEST | 53 | 52130 | 8.8.8.8 | 192.168.2.3
            Sep 29, 2021 01:32:05.670160055 CEST | 55102 | 53 | 192.168.2.3 | 8.8.8.8
            Sep 29, 2021 01:32:05.684632063 CEST | 53 | 55102 | 8.8.8.8 | 192.168.2.3
            Sep 29, 2021 01:32:06.011302948 CEST | 56236 | 53 | 192.168.2.3 | 8.8.8.8
            Sep 29, 2021 01:32:06.027302027 CEST | 53 | 56236 | 8.8.8.8 | 192.168.2.3
            Sep 29, 2021 01:32:06.614862919 CEST | 56527 | 53 | 192.168.2.3 | 8.8.8.8
            Sep 29, 2021 01:32:06.628751993 CEST | 53 | 56527 | 8.8.8.8 | 192.168.2.3
            Sep 29, 2021 01:32:07.293760061 CEST | 49559 | 53 | 192.168.2.3 | 8.8.8.8
            Sep 29, 2021 01:32:07.321690083 CEST | 53 | 49559 | 8.8.8.8 | 192.168.2.3
            Sep 29, 2021 01:32:10.907967091 CEST | 52650 | 53 | 192.168.2.3 | 8.8.8.8
            Sep 29, 2021 01:32:10.935909033 CEST | 53 | 52650 | 8.8.8.8 | 192.168.2.3
            Sep 29, 2021 01:32:13.451327085 CEST | 63297 | 53 | 192.168.2.3 | 8.8.8.8
            Sep 29, 2021 01:32:13.471812010 CEST | 53 | 63297 | 8.8.8.8 | 192.168.2.3
            Sep 29, 2021 01:32:13.584922075 CEST | 58361 | 53 | 192.168.2.3 | 8.8.8.8
            Sep 29, 2021 01:32:13.615865946 CEST | 53 | 58361 | 8.8.8.8 | 192.168.2.3
            Sep 29, 2021 01:32:21.566078901 CEST | 53615 | 53 | 192.168.2.3 | 8.8.8.8
            Sep 29, 2021 01:32:21.581753016 CEST | 53 | 53615 | 8.8.8.8 | 192.168.2.3
            Sep 29, 2021 01:32:39.901835918 CEST | 50728 | 53 | 192.168.2.3 | 8.8.8.8
            Sep 29, 2021 01:32:39.931700945 CEST | 53 | 50728 | 8.8.8.8 | 192.168.2.3
            Sep 29, 2021 01:32:46.614447117 CEST | 53777 | 53 | 192.168.2.3 | 8.8.8.8
            Sep 29, 2021 01:32:46.643491030 CEST | 53 | 53777 | 8.8.8.8 | 192.168.2.3
            Sep 29, 2021 01:33:04.313590050 CEST | 57106 | 53 | 192.168.2.3 | 8.8.8.8
            Sep 29, 2021 01:33:04.331159115 CEST | 53 | 57106 | 8.8.8.8 | 192.168.2.3
            Sep 29, 2021 01:33:29.165997028 CEST | 60352 | 53 | 192.168.2.3 | 8.8.8.8
            Sep 29, 2021 01:33:29.179877043 CEST | 53 | 60352 | 8.8.8.8 | 192.168.2.3
            Sep 29, 2021 01:33:42.497419119 CEST | 56773 | 53 | 192.168.2.3 | 8.8.8.8
            Sep 29, 2021 01:33:42.511296034 CEST | 53 | 56773 | 8.8.8.8 | 192.168.2.3
            Sep 29, 2021 01:33:49.308461905 CEST | 60982 | 53 | 192.168.2.3 | 8.8.8.8
            Sep 29, 2021 01:33:49.324182987 CEST | 53 | 60982 | 8.8.8.8 | 192.168.2.3
            Sep 29, 2021 01:34:00.461139917 CEST | 58058 | 53 | 192.168.2.3 | 8.8.8.8
            Sep 29, 2021 01:34:00.476252079 CEST | 53 | 58058 | 8.8.8.8 | 192.168.2.3
            Sep 29, 2021 01:34:37.127656937 CEST | 64367 | 53 | 192.168.2.3 | 8.8.8.8
            Sep 29, 2021 01:34:37.140685081 CEST | 53 | 64367 | 8.8.8.8 | 192.168.2.3

            Code Manipulations

            Statistics

            Behavior

            System Behavior

            General

            Start time: 01:31:16
            Start date: 29/09/2021
            Path: C:\Windows\System32\loaddll64.exe
            Wow64 process (32bit): false
            Commandline: loaddll64.exe 'C:\Users\user\Desktop\yWteP7e12z.dll'
            Imagebase: 0x7ff6440f0000
            File size: 1136128 bytes
            MD5 hash: E0CC9D126C39A9D2FA1CAD5027EBBD18
            Has elevated privileges: true
            Has administrator privileges: true
            Programmed in: C, C++ or other language
            Yara matches:
            • Rule: JoeSecurity_Dridex_2, Description: Yara detected Dridex unpacked file, Source: 00000000.00000002.311924847.0000000140001000.00000020.00020000.sdmp, Author: Joe Security
            Reputation: moderate

            General

            Start time: 01:31:17
            Start date: 29/09/2021
            Path: C:\Windows\System32\cmd.exe
            Wow64 process (32bit): false
            Commandline: cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\yWteP7e12z.dll',#1
            Imagebase: 0x7ff786250000
            File size: 273920 bytes
            MD5 hash: 4E2ACF4F8A396486AB4268C94A6A245F
            Has elevated privileges: true
            Has administrator privileges: true
            Programmed in: C, C++ or other language
            Reputation: high

            General

            Start time: 01:31:17
            Start date: 29/09/2021
            Path: C:\Windows\System32\rundll32.exe
            Wow64 process (32bit): false
            Commandline: rundll32.exe C:\Users\user\Desktop\yWteP7e12z.dll,BeginBufferedAnimation
            Imagebase: 0x7ff7e9410000
            File size: 69632 bytes
            MD5 hash: 73C519F050C20580F8A62C849D49215A
            Has elevated privileges: true
            Has administrator privileges: true
            Programmed in: C, C++ or other language
            Yara matches:
            • Rule: JoeSecurity_Dridex_2, Description: Yara detected Dridex unpacked file, Source: 00000002.00000002.384630779.0000000140001000.00000020.00020000.sdmp, Author: Joe Security
            Reputation: high

            General

            Start time: 01:31:17
            Start date: 29/09/2021
            Path: C:\Windows\System32\rundll32.exe
            Wow64 process (32bit): false
            Commandline: rundll32.exe 'C:\Users\user\Desktop\yWteP7e12z.dll',#1
            Imagebase: 0x7ff7e9410000
            File size: 69632 bytes
            MD5 hash: 73C519F050C20580F8A62C849D49215A
            Has elevated privileges: true
            Has administrator privileges: true
            Programmed in: C, C++ or other language
            Yara matches:
            • Rule: JoeSecurity_Dridex_2, Description: Yara detected Dridex unpacked file, Source: 00000003.00000002.290585928.0000000140001000.00000020.00020000.sdmp, Author: Joe Security
            Reputation: high

            General

            Start time: 01:31:19
            Start date: 29/09/2021
            Path: C:\Windows\explorer.exe
            Wow64 process (32bit): false
            Commandline: C:\Windows\Explorer.EXE
            Imagebase: 0x7ff720ea0000
            File size: 3933184 bytes
            MD5 hash: AD5296B280E8F522A8A897C96BAB0E1D
            Has elevated privileges: false
            Has administrator privileges: false
            Programmed in: C, C++ or other language
            Reputation: high

            General

            Start time: 01:31:20
            Start date: 29/09/2021
            Path: C:\Windows\System32\rundll32.exe
            Wow64 process (32bit): false
            Commandline: rundll32.exe C:\Users\user\Desktop\yWteP7e12z.dll,BeginBufferedPaint
            Imagebase: 0x7ff7e9410000
            File size: 69632 bytes
            MD5 hash: 73C519F050C20580F8A62C849D49215A
            Has elevated privileges: true
            Has administrator privileges: true
            Programmed in: C, C++ or other language
            Yara matches:
            • Rule: JoeSecurity_Dridex_2, Description: Yara detected Dridex unpacked file, Source: 00000008.00000002.299168621.0000000140001000.00000020.00020000.sdmp, Author: Joe Security
            Reputation: high

            General

            Start time: 01:31:24
            Start date: 29/09/2021
            Path: C:\Windows\System32\rundll32.exe
            Wow64 process (32bit): false
            Commandline: rundll32.exe C:\Users\user\Desktop\yWteP7e12z.dll,BeginPanningFeedback
            Imagebase: 0x7ff7e9410000
            File size: 69632 bytes
            MD5 hash: 73C519F050C20580F8A62C849D49215A
            Has elevated privileges: true
            Has administrator privileges: true
            Programmed in: C, C++ or other language
            Yara matches:
            • Rule: JoeSecurity_Dridex_2, Description: Yara detected Dridex unpacked file, Source: 00000009.00000002.305431916.0000000140001000.00000020.00020000.sdmp, Author: Joe Security
            Reputation: high

            General

            Start time: 01:32:04
            Start date: 29/09/2021
            Path: C:\Windows\System32\recdisc.exe
            Wow64 process (32bit): false
            Commandline: C:\Windows\system32\recdisc.exe
            Imagebase: 0x7ff7400a0000
            File size: 192512 bytes
            MD5 hash: D2AEFB37C329E455DC2C17D3AA049666
            Has elevated privileges: false
            Has administrator privileges: false
            Programmed in: C, C++ or other language
            Reputation: moderate

            General

            Start time: 01:32:04
            Start date: 29/09/2021
            Path: C:\Windows\System32\SnippingTool.exe
            Wow64 process (32bit): false
            Commandline: C:\Windows\system32\SnippingTool.exe
            Imagebase: 0x7ff75dea0000
            File size: 3292160 bytes
            MD5 hash: 9012F9C6AC7F3F99ECDD37E24C9AC3BB
            Has elevated privileges: false
            Has administrator privileges: false
            Programmed in: C, C++ or other language

            General

            Start time: 01:32:06
            Start date: 29/09/2021
            Path: C:\Users\user\AppData\Local\S8mrk1\SnippingTool.exe
            Wow64 process (32bit): false
            Commandline: C:\Users\user\AppData\Local\S8mrk1\SnippingTool.exe
            Imagebase: 0x7ff73d040000
            File size: 3292160 bytes
            MD5 hash: 9012F9C6AC7F3F99ECDD37E24C9AC3BB
            Has elevated privileges: false
            Has administrator privileges: false
            Programmed in: C, C++ or other language
            Yara matches:
            • Rule: JoeSecurity_Dridex_2, Description: Yara detected Dridex unpacked file, Source: 00000013.00000002.415702992.0000000140001000.00000020.00020000.sdmp, Author: Joe Security

            General

            Start time: 01:32:18
            Start date: 29/09/2021
            Path: C:\Windows\System32\raserver.exe
            Wow64 process (32bit): false
            Commandline: C:\Windows\system32\raserver.exe
            Imagebase: 0x7ff7f7510000
            File size: 128000 bytes
            MD5 hash: DE2022F0B86E33875D8A40B65550CFEB
            Has elevated privileges: false
            Has administrator privileges: false
            Programmed in: C, C++ or other language

            General

            Start time: 01:32:19
            Start date: 29/09/2021
            Path: C:\Users\user\AppData\Local\eQL\raserver.exe
            Wow64 process (32bit): false
            Commandline: C:\Users\user\AppData\Local\eQL\raserver.exe
            Imagebase: 0x7ff74e110000
            File size: 128000 bytes
            MD5 hash: DE2022F0B86E33875D8A40B65550CFEB
            Has elevated privileges: false
            Has administrator privileges: false
            Programmed in: C, C++ or other language
            Yara matches:
            • Rule: JoeSecurity_Dridex_2, Description: Yara detected Dridex unpacked file, Source: 0000001A.00000002.443389132.0000000140001000.00000020.00020000.sdmp, Author: Joe Security

            General

            Start time: 01:32:30
            Start date: 29/09/2021
            Path: C:\Windows\System32\ddodiag.exe
            Wow64 process (32bit): false
            Commandline: C:\Windows\system32\ddodiag.exe
            Imagebase: 0x7ff7da9c0000
            File size: 37888 bytes
            MD5 hash: 3CE911D7C12A2EFA9108514013BD17FE
            Has elevated privileges: false
            Has administrator privileges: false
            Programmed in: C, C++ or other language

            General

            Start time: 01:32:31
            Start date: 29/09/2021
            Path: C:\Users\user\AppData\Local\Iz08tEz\ddodiag.exe
            Wow64 process (32bit): false
            Commandline: C:\Users\user\AppData\Local\Iz08tEz\ddodiag.exe
            Imagebase: 0x7ff740980000
            File size: 37888 bytes
            MD5 hash: 3CE911D7C12A2EFA9108514013BD17FE
            Has elevated privileges: false
            Has administrator privileges: false
            Programmed in: C, C++ or other language
            Yara matches:
            • Rule: JoeSecurity_Dridex_2, Description: Yara detected Dridex unpacked file, Source: 0000001C.00000002.469517159.0000000140001000.00000020.00020000.sdmp, Author: Joe Security

            General

            Start time: 01:32:44
            Start date: 29/09/2021
            Path: C:\Windows\System32\dccw.exe
            Wow64 process (32bit): false
            Commandline: C:\Windows\system32\dccw.exe
            Imagebase: 0x7ff722dc0000
            File size: 657920 bytes
            MD5 hash: 341515B9556F37E623777D1C377BCFAC
            Has elevated privileges: false
            Has administrator privileges: false
            Programmed in: C, C++ or other language

            General

            Start time: 01:32:46
            Start date: 29/09/2021
            Path: C:\Windows\System32\SppExtComObj.Exe
            Wow64 process (32bit): false
            Commandline: C:\Windows\system32\SppExtComObj.Exe
            Imagebase: 0x7ff6c3600000
            File size: 577024 bytes
            MD5 hash: 809E11DECADAEBE2454EFEDD620C4769
            Has elevated privileges: false
            Has administrator privileges: false
            Programmed in: C, C++ or other language

            General

            Start time: 01:32:47
            Start date: 29/09/2021
            Path: C:\Users\user\AppData\Local\jYs4ma0u\SppExtComObj.Exe
            Wow64 process (32bit): false
            Commandline: C:\Users\user\AppData\Local\jYs4ma0u\SppExtComObj.Exe
            Imagebase: 0x7ff791460000
            File size: 577024 bytes
            MD5 hash: 809E11DECADAEBE2454EFEDD620C4769
            Has elevated privileges: false
            Has administrator privileges: false
            Programmed in: C, C++ or other language
            Yara matches:
            • Rule: JoeSecurity_Dridex_2, Description: Yara detected Dridex unpacked file, Source: 00000020.00000002.502508138.0000000140001000.00000020.00020000.sdmp, Author: Joe Security

            General

            Start time: 01:32:58
            Start date: 29/09/2021
            Path: C:\Windows\System32\WMPDMC.exe
            Wow64 process (32bit): false
            Commandline: C:\Windows\system32\WMPDMC.exe
            Imagebase: 0x7ff74b5f0000
            File size: 1517568 bytes
            MD5 hash: 4085FDA375E50214142BD740559F5835
            Has elevated privileges: false
            Has administrator privileges: false
            Programmed in: C, C++ or other language

            General

            Start time: 01:32:59
            Start date: 29/09/2021
            Path: C:\Users\user\AppData\Local\92ea6x\WMPDMC.exe
            Wow64 process (32bit): false
            Commandline: C:\Users\user\AppData\Local\92ea6x\WMPDMC.exe
            Imagebase: 0x7ff67b5f0000
            File size: 1517568 bytes
            MD5 hash: 4085FDA375E50214142BD740559F5835
            Has elevated privileges: false
            Has administrator privileges: false
            Programmed in: C, C++ or other language
            Yara matches:
            • Rule: JoeSecurity_Dridex_2, Description: Yara detected Dridex unpacked file, Source: 00000022.00000002.529404050.0000000140001000.00000020.00020000.sdmp, Author: Joe Security
            Antivirus matches:
            • Detection: 0%, Metadefender
            • Detection: 0%, ReversingLabs

            General

            Start time: 01:33:11
            Start date: 29/09/2021
            Path: C:\Windows\System32\wscript.exe
            Wow64 process (32bit): false
            Commandline: C:\Windows\system32\wscript.exe
            Imagebase: 0x7ff70a400000
            File size: 163840 bytes
            MD5 hash: 9A68ADD12EB50DDE7586782C3EB9FF9C
            Has elevated privileges: false
            Has administrator privileges: false
            Programmed in: C, C++ or other language

            General

            Start time: 01:33:12
            Start date: 29/09/2021
            Path: C:\Users\user\AppData\Local\JFuMqIg\wscript.exe
            Wow64 process (32bit): false
            Commandline: C:\Users\user\AppData\Local\JFuMqIg\wscript.exe
            Imagebase: 0x7ff6e8920000
            File size: 163840 bytes
            MD5 hash: 9A68ADD12EB50DDE7586782C3EB9FF9C
            Has elevated privileges: false
            Has administrator privileges: false
            Programmed in: C, C++ or other language
            Yara matches:
            • Rule: JoeSecurity_Dridex_2, Description: Yara detected Dridex unpacked file, Source: 00000025.00000002.556857266.0000000140001000.00000020.00020000.sdmp, Author: Joe Security

            General

            Start time: 01:33:23
            Start date: 29/09/2021
            Path: C:\Windows\System32\BdeUISrv.exe
            Wow64 process (32bit): false
            Commandline: C:\Windows\system32\BdeUISrv.exe
            Imagebase: 0x7ff609f50000
            File size: 52736 bytes
            MD5 hash: 25D86BC656025F38D6E626B606F1D39D
            Has elevated privileges: false
            Has administrator privileges: false
            Programmed in: C, C++ or other language

            General

            Start time: 01:33:24
            Start date: 29/09/2021
            Path: C:\Users\user\AppData\Local\2lBRPi\BdeUISrv.exe
            Wow64 process (32bit): false
            Commandline: C:\Users\user\AppData\Local\2lBRPi\BdeUISrv.exe
            Imagebase: 0x7ff6e6d60000
            File size: 52736 bytes
            MD5 hash: 25D86BC656025F38D6E626B606F1D39D
            Has elevated privileges: false
            Has administrator privileges: false
            Programmed in: C, C++ or other language
            Yara matches:
            • Rule: JoeSecurity_Dridex_2, Description: Yara detected Dridex unpacked file, Source: 00000029.00000002.583509816.0000000140001000.00000020.00020000.sdmp, Author: Joe Security
            Antivirus matches:
            • Detection: 0%, Metadefender
            • Detection: 0%, ReversingLabs

            Disassembly

            Code Analysis