Windows Analysis Report A2qAaSVuU2

Overview

General Information

Sample Name:	A2qAaSVuU2 (renamed file extension from none to dll)
Analysis ID:	492853
MD5:	f8295446e335b679641637334c99242d
SHA1:	18b9a40791f1a52c70507b29d0b631510f2e33c6
SHA256:	96705595655fd817156073e3d3efde3338e24c3afaef13e517153ae4b5218fc9
Tags:	Dridexexe
Infos:
Most interesting Screenshot:

Detection

Dridex

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Yara detected Dridex unpacked file

Multi AV Scanner detection for submitted file

Benign windows process drops PE files

Antivirus / Scanner detection for submitted sample

Antivirus detection for dropped file

Changes memory attributes in foreign processes to executable or writable

Machine Learning detection for sample

Queues an APC in another process (thread injection)

Machine Learning detection for dropped file

Contains functionality to automate explorer (e.g. start an application)

Uses Atom Bombing / ProGate to inject into other processes

Queries the volume information (name, serial number etc) of a device

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to query locales information (e.g. system language)

May sleep (evasive loops) to hinder dynamic analysis

Contains functionality to shutdown / reboot the system

Uses code obfuscation techniques (call, push, ret)

PE file contains sections with non-standard names

Queries device information via Setup API

Queries the installation date of Windows

Detected potential crypto function

Found potential string decryption / allocating functions

Contains functionality to get notified if a device is plugged in / out

Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)

Contains functionality to call native functions

Contains functionality to communicate with device drivers

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to dynamically determine API calls

Found dropped PE file which has not been started or loaded

Uses the system / local time for branch decision (may execute only at specific dates)

Contains functionality which may be used to detect a debugger (GetProcessHeap)

PE file contains an invalid checksum

Extensive use of GetProcAddress (often used to hide API calls)

PE file contains strange resources

Drops PE files

Tries to load missing DLLs

Contains functionality to launch a program with higher privileges

Binary contains a suspicious time stamp

Contains functionality to read device registry values (via SetupAPI)

PE file contains more sections than normal

Uses Microsoft's Enhanced Cryptographic Provider

Creates a process in suspended mode (likely to inject code)

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

Signatures

AV Detection:

Multi AV Scanner detection for submitted file

Source: A2qAaSVuU2.dll	Virustotal: Detection: 64%	Perma Link
Source: A2qAaSVuU2.dll	Metadefender: Detection: 62%	Perma Link
Source: A2qAaSVuU2.dll	ReversingLabs: Detection: 84%

Antivirus / Scanner detection for submitted sample

Source: A2qAaSVuU2.dll

Avira: detected

Antivirus detection for dropped file

Source: C:\Users\user\AppData\Local\A1gpxNou\ReAgent.dll	Avira: detection malicious, Label: HEUR/AGEN.1114452
Source: C:\Users\user\AppData\Local\QiP6c\UxTheme.dll	Avira: detection malicious, Label: TR/Crypt.ZPACK.Gen
Source: C:\Users\user\AppData\Local\FQTqHJ\XmlLite.dll	Avira: detection malicious, Label: HEUR/AGEN.1114452
Source: C:\Users\user\AppData\Local\AxQmthi0\DUI70.dll	Avira: detection malicious, Label: HEUR/AGEN.1114452
Source: C:\Users\user\AppData\Local\wsL8xMlEF\WINSTA.dll	Avira: detection malicious, Label: TR/Crypt.ZPACK.Gen
Source: C:\Users\user\AppData\Local\QiP6c\UxTheme.dll	Avira: detection malicious, Label: TR/Crypt.ZPACK.Gen
Source: C:\Users\user\AppData\Local\NNd0CnGJ\OLEACC.dll	Avira: detection malicious, Label: TR/Crypt.ZPACK.Gen
Source: C:\Users\user\AppData\Local\VgY\Secur32.dll	Avira: detection malicious, Label: TR/Crypt.ZPACK.Gen

Machine Learning detection for sample

Source: A2qAaSVuU2.dll

Joe Sandbox ML: detected

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Local\A1gpxNou\ReAgent.dll	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\QiP6c\UxTheme.dll	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\FQTqHJ\XmlLite.dll	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\AxQmthi0\DUI70.dll	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\wsL8xMlEF\WINSTA.dll	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\QiP6c\UxTheme.dll	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\NNd0CnGJ\OLEACC.dll	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\VgY\Secur32.dll	Joe Sandbox ML: detected

Cryptography:

Uses Microsoft's Enhanced Cryptographic Provider

Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe	Code function: 24_2_00007FF7BC80A0C4 CryptReleaseContext,CryptAcquireContextW,GetLastError,GetProcessHeap,HeapFree,	24_2_00007FF7BC80A0C4
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe	Code function: 24_2_00007FF7BC804064 GetProcessHeap,HeapAlloc,memmove,CryptImportKey,GetLastError,CryptImportKey,GetLastError,CryptImportKey,GetLastError,GetProcessHeap,HeapFree,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,CryptDestroyKey,CryptDestroyKey,	24_2_00007FF7BC804064
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe	Code function: 24_2_00007FF7BC80998C GetProcessHeap,HeapFree,CryptReleaseContext,GetProcessHeap,HeapFree,	24_2_00007FF7BC80998C
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe	Code function: 24_2_00007FF7BC809A24 CryptExportKey,GetLastError,GetProcessHeap,HeapAlloc,CryptExportKey,GetProcessHeap,HeapFree,CryptDestroyKey,	24_2_00007FF7BC809A24
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe	Code function: 24_2_00007FF7BC80AC28 CryptGetUserKey,GetLastError,CryptDestroyKey,	24_2_00007FF7BC80AC28
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe	Code function: 24_2_00007FF7BC8087EC UuidCreate,UuidToStringW,CryptAcquireContextW,GetLastError,GetProcessHeap,HeapFree,RpcStringFreeW,	24_2_00007FF7BC8087EC
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe	Code function: 24_2_00007FF7BC80A198 CryptExportKey,GetLastError,GetProcessHeap,HeapAlloc,CryptExportKey,GetProcessHeap,HeapFree,CryptDestroyKey,	24_2_00007FF7BC80A198
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe	Code function: 24_2_00007FF7BC8082F0 CryptGenKey,GetLastError,CryptDestroyKey,GetProcessHeap,HeapAlloc,CryptDestroyKey,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,	24_2_00007FF7BC8082F0
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe	Code function: 24_2_00007FF7BC8043E0 CryptImportKey,CryptSetKeyParam,CryptSetKeyParam,CryptGetKeyParam,CryptEncrypt,CryptDecrypt,GetLastError,CryptDestroyKey,GetProcessHeap,HeapFree,	24_2_00007FF7BC8043E0
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe	Code function: 24_2_00007FF7BC8084E4 CryptImportKey,GetLastError,CryptImportKey,CryptExportKey,GetProcessHeap,HeapAlloc,CryptExportKey,GetProcessHeap,HeapAlloc,memmove,GetProcessHeap,HeapFree,CryptDestroyKey,CryptDestroyKey,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,CryptReleaseContext,	24_2_00007FF7BC8084E4
Source: C:\Users\user\AppData\Local\FQTqHJ\MusNotificationUx.exe	Code function: 29_2_00007FF618B18290 RtlNtStatusToDosError,BCryptGetProperty,RtlNtStatusToDosError,RtlNtStatusToDosError,	29_2_00007FF618B18290
Source: C:\Users\user\AppData\Local\r1aQ\EhStorAuthn.exe	Code function: 36_2_00007FF6F2325B64 CryptProtectData,RegCreateKeyExW,RegCloseKey,RegCreateKeyExW,RegSetValueExW,RegCloseKey,LocalFree,	36_2_00007FF6F2325B64
Source: C:\Users\user\AppData\Local\r1aQ\EhStorAuthn.exe	Code function: 36_2_00007FF6F2325DD8 memset,RegOpenKeyW,RegQueryValueExW,LocalAlloc,RegQueryValueExW,RegCloseKey,LocalFree,CryptUnprotectData,LocalFree,LocalFree,	36_2_00007FF6F2325DD8
Source: C:\Users\user\AppData\Local\VgY\mstsc.exe	Code function: 41_2_00007FF657DAF52C CryptProtectData,LocalAlloc,LocalFree,	41_2_00007FF657DAF52C
Source: C:\Users\user\AppData\Local\VgY\mstsc.exe	Code function: 41_2_00007FF657DAF8FC CryptBinaryToStringW,LocalAlloc,CryptBinaryToStringW,LocalFree,	41_2_00007FF657DAF8FC

Source: A2qAaSVuU2.dll

Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA

Source:	Binary string: SndVol.pdbGCTL source: SndVol.exe, 00000022.00000002.478682807.00007FF74A7C2000.00000002.00020000.sdmp
Source:	Binary string: RecoveryDrive.pdbGCTL source: RecoveryDrive.exe, 00000018.00000000.393437519.00007FF7BC85C000.00000002.00020000.sdmp
Source:	Binary string: EhStorAuthn.pdbGCTL source: EhStorAuthn.exe, 00000024.00000000.479708302.00007FF6F232B000.00000002.00020000.sdmp
Source:	Binary string: MusNotificationUx.pdb source: MusNotificationUx.exe, 0000001D.00000000.420648066.00007FF618B1E000.00000002.00020000.sdmp
Source:	Binary string: SysResetErr.pdb source: SysResetErr.exe, 00000015.00000000.365066669.00007FF727F86000.00000002.00020000.sdmp
Source:	Binary string: MusNotificationUx.pdbGCTL source: MusNotificationUx.exe, 0000001D.00000000.420648066.00007FF618B1E000.00000002.00020000.sdmp
Source:	Binary string: EhStorAuthn.pdb source: EhStorAuthn.exe, 00000024.00000000.479708302.00007FF6F232B000.00000002.00020000.sdmp
Source:	Binary string: RecoveryDrive.pdb source: RecoveryDrive.exe, 00000018.00000000.393437519.00007FF7BC85C000.00000002.00020000.sdmp
Source:	Binary string: SndVol.pdb source: SndVol.exe, 00000022.00000002.478682807.00007FF74A7C2000.00000002.00020000.sdmp
Source:	Binary string: SysResetErr.pdbGCTL source: SysResetErr.exe, 00000015.00000000.365066669.00007FF727F86000.00000002.00020000.sdmp

Spreading:

Contains functionality to get notified if a device is plugged in / out

Source: C:\Users\user\AppData\Local\r1aQ\EhStorAuthn.exe

Code function: 36_2_00007FF6F23211E0 RegisterTraceGuidsW,CommandLineToArgvW,_wcsicmp,_wcsicmp,_wcsicmp,_wcsicmp,_wcsicmp,LocalAlloc,LocalFree,UnregisterClassW,LocalFree,UnregisterDeviceNotification,GetLastError,FindWindowW,SendMessageW,memset,RegisterClassExW,CreateWindowExW,GetLastError,ShowWindow,memset,RegisterDeviceNotificationW,GetLastError,TranslateMessage,DispatchMessageW,GetMessageW,GetLastError,UnregisterTraceGuids,

36_2_00007FF6F23211E0

Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_000000014005D290 FindFirstFileExW,	0_2_000000014005D290
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe	Code function: 24_2_00007FF7BC7F4E28 GetFileAttributesW,GetLastError,memset,FindFirstFileW,GetLastError,FindClose,GetProcessHeap,CompareStringW,CompareStringW,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,FindNextFileW,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,CreateFileW,GetLastError,CloseHandle,GetFileSizeEx,GetLastError,CloseHandle,CloseHandle,GetProcessHeap,HeapFree,CloseHandle,GetProcessHeap,CloseHandle,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,	24_2_00007FF7BC7F4E28
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe	Code function: 24_2_00007FF7BC80E958 free,memset,FindFirstFileW,GetLastError,GetLastError,FindNextFileW,GetLastError,GetLastError,GetLastError,GetLastError,GetLastError,FindClose,	24_2_00007FF7BC80E958
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe	Code function: 24_2_00007FF7BC81B964 memset,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapAlloc,FindFirstFileW,GetLastError,GetLastError,_wcsicmp,_wcsicmp,GetLastError,GetCurrentThread,NtQueryInformationThread,FindNextFileW,GetLastError,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,FindClose,SetLastError,	24_2_00007FF7BC81B964
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe	Code function: 24_2_00007FF7BC810638 memset,SetLastError,SetLastError,HeapAlloc,GetLastError,FindFirstFileW,memset,memset,wcsrchr,SetLastError,CompareStringW,CompareStringW,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,memset,FindNextFileW,GetLastError,GetLastError,GetLastError,FindClose,GetLastError,RtlFreeHeap,GetLastError,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,SetLastError,SetLastError,	24_2_00007FF7BC810638
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe	Code function: 24_2_00007FF7BC7F57FC memset,GetSystemWindowsDirectoryW,GetLastError,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetFileAttributesW,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetFileAttributesW,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetVolumeInformationW,memset,FindFirstFileW,GetLastError,CompareStringW,CompareStringW,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,FindNextFileW,GetLastError,GetLastError,GetProcessHeap,HeapFree,GetFileAttributesW,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetFileAttributesW,GetProcessHeap,HeapFree,FindClose,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,	24_2_00007FF7BC7F57FC
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe	Code function: 24_2_00007FF7BC7F6718 WIMCreateFile,GetLastError,FindClose,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,WIMCloseHandle,WIMCloseHandle,memset,WIMGetAttributes,GetLastError,memset,GetFullPathNameW,GetLastError,memset,FindFirstFileW,GetLastError,GetProcessHeap,HeapFree,WIMCreateFile,WIMCloseHandle,memset,WIMGetAttributes,FindNextFileW,GetLastError,GetLastError,GetLastError,	24_2_00007FF7BC7F6718
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe	Code function: 24_2_00007FF7BC7E21CC GetProcessHeap,HeapFree,GetFileAttributesW,GetLastError,GetProcessHeap,HeapFree,_wcsicmp,GetProcessHeap,HeapFree,FindClose,FindFirstFileW,FindClose,GetLastError,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,FindNextFileW,memmove,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,FindClose,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,	24_2_00007FF7BC7E21CC
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe	Code function: 24_2_00007FF7BC815458 memset,memset,memset,memset,FindFirstFileW,CompareStringW,CompareStringW,memset,FindNextFileW,FindClose,CoTaskMemFree,GetProcessHeap,HeapFree,	24_2_00007FF7BC815458
Source: C:\Users\user\AppData\Local\FQTqHJ\MusNotificationUx.exe	Code function: 29_2_00007FF618B1A104 ?_Swap_all@_Container_base0@std@@QEAAXAEAU12@@Z,FindFirstFileW,FindNextFileW,FindClose,?_Swap_all@_Container_base0@std@@QEAAXAEAU12@@Z,?_Swap_all@_Container_base0@std@@QEAAXAEAU12@@Z,	29_2_00007FF618B1A104

Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe

Code function: 24_2_00007FF7BC7DB29C memset,GetSystemWindowsDirectoryW,GetLastError,memset,GetLogicalDriveStringsW,GetLastError,GetProcessHeap,HeapFree,memset,GetVolumeInformationW,LoadStringW,GetProcessHeap,HeapFree,

24_2_00007FF7BC7DB29C

Source: SndVol.exe, 00000020.00000002.447751833.000002C464AA0000.00000002.00020000.sdmp

String found in binary or memory: http://schemas.micro

Source: unknown

DNS traffic detected: queries for: clientconfig.passport.net

E-Banking Fraud:

Yara detected Dridex unpacked file

Source: Yara match	File source: 00000015.00000002.387213363.0000000140001000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000029.00000002.529730818.0000000140001000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.339300443.0000000140001000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.274418377.0000000140001000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000022.00000002.470825407.0000000140001000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000002.415547508.0000000140001000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.279916623.0000000140001000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.257940331.0000000140001000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000024.00000002.501617051.0000000140001000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.263722595.0000000140001000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001D.00000002.442655730.0000000140001000.00000020.00020000.sdmp, type: MEMORY

Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe	Code function: 24_2_00007FF7BC804064 GetProcessHeap,HeapAlloc,memmove,CryptImportKey,GetLastError,CryptImportKey,GetLastError,CryptImportKey,GetLastError,GetProcessHeap,HeapFree,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,CryptDestroyKey,CryptDestroyKey,	24_2_00007FF7BC804064
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe	Code function: 24_2_00007FF7BC8043E0 CryptImportKey,CryptSetKeyParam,CryptSetKeyParam,CryptGetKeyParam,CryptEncrypt,CryptDecrypt,GetLastError,CryptDestroyKey,GetProcessHeap,HeapFree,	24_2_00007FF7BC8043E0
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe	Code function: 24_2_00007FF7BC8084E4 CryptImportKey,GetLastError,CryptImportKey,CryptExportKey,GetProcessHeap,HeapAlloc,CryptExportKey,GetProcessHeap,HeapAlloc,memmove,GetProcessHeap,HeapFree,CryptDestroyKey,CryptDestroyKey,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,CryptReleaseContext,	24_2_00007FF7BC8084E4

System Summary:

Contains functionality to shutdown / reboot the system

Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe

Code function: 24_2_00007FF7BC855C64 NtShutdownSystem,InitiateSystemShutdownExW,GetLastError,

24_2_00007FF7BC855C64

Detected potential crypto function

Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_0000000140034870	0_2_0000000140034870
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_0000000140035270	0_2_0000000140035270
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_0000000140048AC0	0_2_0000000140048AC0
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_000000014005C340	0_2_000000014005C340
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_0000000140065B80	0_2_0000000140065B80
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_000000014006A4B0	0_2_000000014006A4B0
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00000001400524B0	0_2_00000001400524B0
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_0000000140026CC0	0_2_0000000140026CC0
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_000000014004BD40	0_2_000000014004BD40
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00000001400495B0	0_2_00000001400495B0
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_0000000140036F30	0_2_0000000140036F30
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_0000000140069010	0_2_0000000140069010
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_0000000140001010	0_2_0000000140001010
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_0000000140066020	0_2_0000000140066020
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_000000014002F840	0_2_000000014002F840
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_000000014005D850	0_2_000000014005D850
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_0000000140064080	0_2_0000000140064080
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_0000000140010880	0_2_0000000140010880
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00000001400688A0	0_2_00000001400688A0
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_000000014002D0D0	0_2_000000014002D0D0
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00000001400018D0	0_2_00000001400018D0
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_0000000140016100	0_2_0000000140016100
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_000000014001D100	0_2_000000014001D100
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_000000014002A110	0_2_000000014002A110
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_000000014001D910	0_2_000000014001D910
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_0000000140015120	0_2_0000000140015120
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_000000014000B120	0_2_000000014000B120
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_000000014004F940	0_2_000000014004F940
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_0000000140039140	0_2_0000000140039140
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_0000000140023140	0_2_0000000140023140
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_0000000140057950	0_2_0000000140057950
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_000000014001E170	0_2_000000014001E170
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_0000000140002980	0_2_0000000140002980
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00000001400611A0	0_2_00000001400611A0
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00000001400389A0	0_2_00000001400389A0
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00000001400381A0	0_2_00000001400381A0
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_000000014002E1B0	0_2_000000014002E1B0
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00000001400139D0	0_2_00000001400139D0
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00000001400319F0	0_2_00000001400319F0
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_000000014002EA00	0_2_000000014002EA00
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_0000000140022A00	0_2_0000000140022A00
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_000000014003B220	0_2_000000014003B220
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_0000000140067A40	0_2_0000000140067A40
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_0000000140069A50	0_2_0000000140069A50
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_0000000140007A60	0_2_0000000140007A60
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_000000014003AAC0	0_2_000000014003AAC0
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_000000014003A2E0	0_2_000000014003A2E0
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_0000000140062B00	0_2_0000000140062B00
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_0000000140018300	0_2_0000000140018300
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_000000014002FB20	0_2_000000014002FB20
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_0000000140031340	0_2_0000000140031340
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_0000000140022340	0_2_0000000140022340
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_0000000140017B40	0_2_0000000140017B40
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_000000014000BB40	0_2_000000014000BB40
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_000000014004EB60	0_2_000000014004EB60
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_0000000140005370	0_2_0000000140005370
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_000000014002CB80	0_2_000000014002CB80
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_000000014006B390	0_2_000000014006B390
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_0000000140054BA0	0_2_0000000140054BA0
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_0000000140033BB0	0_2_0000000140033BB0
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00000001400263C0	0_2_00000001400263C0
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00000001400123C0	0_2_00000001400123C0
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_0000000140063BD0	0_2_0000000140063BD0
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00000001400663F0	0_2_00000001400663F0
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_0000000140023BF0	0_2_0000000140023BF0
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_000000014006B41B	0_2_000000014006B41B
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_000000014006B424	0_2_000000014006B424
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_000000014006B42D	0_2_000000014006B42D
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_000000014006B436	0_2_000000014006B436
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_000000014006B43D	0_2_000000014006B43D
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_0000000140024440	0_2_0000000140024440
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_0000000140005C40	0_2_0000000140005C40
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_000000014006B446	0_2_000000014006B446
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_000000014005F490	0_2_000000014005F490
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_0000000140022D00	0_2_0000000140022D00
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_0000000140035520	0_2_0000000140035520
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_0000000140019D20	0_2_0000000140019D20
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_0000000140030530	0_2_0000000140030530
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_0000000140023530	0_2_0000000140023530
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_0000000140031540	0_2_0000000140031540
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_0000000140033540	0_2_0000000140033540
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_000000014007BD50	0_2_000000014007BD50
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_0000000140078570	0_2_0000000140078570
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_0000000140019580	0_2_0000000140019580
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00000001400205A0	0_2_00000001400205A0
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_0000000140025DB0	0_2_0000000140025DB0
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_0000000140071DC0	0_2_0000000140071DC0
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_000000014000C5C0	0_2_000000014000C5C0
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_000000014002DDE0	0_2_000000014002DDE0
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_0000000140031DF0	0_2_0000000140031DF0
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_000000014000DDF0	0_2_000000014000DDF0
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_0000000140001620	0_2_0000000140001620
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_0000000140018630	0_2_0000000140018630
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_0000000140032650	0_2_0000000140032650
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_0000000140064E80	0_2_0000000140064E80
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_0000000140016E80	0_2_0000000140016E80
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_0000000140007EA0	0_2_0000000140007EA0
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00000001400286B0	0_2_00000001400286B0
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_0000000140006EB0	0_2_0000000140006EB0
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00000001400276C0	0_2_00000001400276C0
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_000000014002FEC0	0_2_000000014002FEC0
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_000000014002EED0	0_2_000000014002EED0
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_000000014002B6E0	0_2_000000014002B6E0
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_0000000140053F20	0_2_0000000140053F20
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_0000000140022730	0_2_0000000140022730
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_0000000140029780	0_2_0000000140029780
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_0000000140018F80	0_2_0000000140018F80
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_000000014003EFB0	0_2_000000014003EFB0
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00000001400067B0	0_2_00000001400067B0
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00000001400667D0	0_2_00000001400667D0
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_0000000140060FE0	0_2_0000000140060FE0
Source: C:\Users\user\AppData\Local\AxQmthi0\SysResetErr.exe	Code function: 21_2_00007FF727F81424	21_2_00007FF727F81424
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe	Code function: 24_2_00007FF7BC821DAC	24_2_00007FF7BC821DAC
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe	Code function: 24_2_00007FF7BC7D8D98	24_2_00007FF7BC7D8D98
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe	Code function: 24_2_00007FF7BC7D7DE0	24_2_00007FF7BC7D7DE0
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe	Code function: 24_2_00007FF7BC832DE0	24_2_00007FF7BC832DE0
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe	Code function: 24_2_00007FF7BC846D24	24_2_00007FF7BC846D24
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe	Code function: 24_2_00007FF7BC7EBD70	24_2_00007FF7BC7EBD70
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe	Code function: 24_2_00007FF7BC842EA8	24_2_00007FF7BC842EA8
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe	Code function: 24_2_00007FF7BC845EB0	24_2_00007FF7BC845EB0
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe	Code function: 24_2_00007FF7BC7EAEEC	24_2_00007FF7BC7EAEEC
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe	Code function: 24_2_00007FF7BC7F4E28	24_2_00007FF7BC7F4E28
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe	Code function: 24_2_00007FF7BC7D1E50	24_2_00007FF7BC7D1E50
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe	Code function: 24_2_00007FF7BC81BE40	24_2_00007FF7BC81BE40
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe	Code function: 24_2_00007FF7BC816E74	24_2_00007FF7BC816E74
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe	Code function: 24_2_00007FF7BC7F6FC4	24_2_00007FF7BC7F6FC4
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe	Code function: 24_2_00007FF7BC807FD4	24_2_00007FF7BC807FD4
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe	Code function: 24_2_00007FF7BC82DFF0	24_2_00007FF7BC82DFF0
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe	Code function: 24_2_00007FF7BC7DFFE8	24_2_00007FF7BC7DFFE8
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe	Code function: 24_2_00007FF7BC7F2FE8	24_2_00007FF7BC7F2FE8
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe	Code function: 24_2_00007FF7BC7D6000	24_2_00007FF7BC7D6000
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe	Code function: 24_2_00007FF7BC7D8010	24_2_00007FF7BC7D8010
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe	Code function: 24_2_00007FF7BC819000	24_2_00007FF7BC819000
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe	Code function: 24_2_00007FF7BC83EF24	24_2_00007FF7BC83EF24
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe	Code function: 24_2_00007FF7BC82EF40	24_2_00007FF7BC82EF40
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe	Code function: 24_2_00007FF7BC830F40	24_2_00007FF7BC830F40
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe	Code function: 24_2_00007FF7BC7E0F74	24_2_00007FF7BC7E0F74
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe	Code function: 24_2_00007FF7BC7FC0A0	24_2_00007FF7BC7FC0A0
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe	Code function: 24_2_00007FF7BC7EE0A0	24_2_00007FF7BC7EE0A0
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe	Code function: 24_2_00007FF7BC83D0C0	24_2_00007FF7BC83D0C0
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe	Code function: 24_2_00007FF7BC7EF0F0	24_2_00007FF7BC7EF0F0
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe	Code function: 24_2_00007FF7BC8260E0	24_2_00007FF7BC8260E0
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe	Code function: 24_2_00007FF7BC83E104	24_2_00007FF7BC83E104
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe	Code function: 24_2_00007FF7BC84F020	24_2_00007FF7BC84F020
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe	Code function: 24_2_00007FF7BC804064	24_2_00007FF7BC804064
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe	Code function: 24_2_00007FF7BC7D7058	24_2_00007FF7BC7D7058
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe	Code function: 24_2_00007FF7BC802074	24_2_00007FF7BC802074
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe	Code function: 24_2_00007FF7BC84A080	24_2_00007FF7BC84A080
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe	Code function: 24_2_00007FF7BC7E19A0	24_2_00007FF7BC7E19A0
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe	Code function: 24_2_00007FF7BC8409B0	24_2_00007FF7BC8409B0
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe	Code function: 24_2_00007FF7BC8009C4	24_2_00007FF7BC8009C4
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe	Code function: 24_2_00007FF7BC7FF9F0	24_2_00007FF7BC7FF9F0
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe	Code function: 24_2_00007FF7BC7E89F0	24_2_00007FF7BC7E89F0
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe	Code function: 24_2_00007FF7BC7D7A00	24_2_00007FF7BC7D7A00
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe	Code function: 24_2_00007FF7BC7FE9FC	24_2_00007FF7BC7FE9FC
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe	Code function: 24_2_00007FF7BC7DCA0C	24_2_00007FF7BC7DCA0C
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe	Code function: 24_2_00007FF7BC827A00	24_2_00007FF7BC827A00
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe	Code function: 24_2_00007FF7BC81B964	24_2_00007FF7BC81B964
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe	Code function: 24_2_00007FF7BC7F8980	24_2_00007FF7BC7F8980
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe	Code function: 24_2_00007FF7BC823980	24_2_00007FF7BC823980
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe	Code function: 24_2_00007FF7BC7D9AB4	24_2_00007FF7BC7D9AB4
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe	Code function: 24_2_00007FF7BC84FA9C	24_2_00007FF7BC84FA9C
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe	Code function: 24_2_00007FF7BC7E9AE0	24_2_00007FF7BC7E9AE0
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe	Code function: 24_2_00007FF7BC7ECAF0	24_2_00007FF7BC7ECAF0
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe	Code function: 24_2_00007FF7BC837B10	24_2_00007FF7BC837B10
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe	Code function: 24_2_00007FF7BC831B10	24_2_00007FF7BC831B10
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe	Code function: 24_2_00007FF7BC834B14	24_2_00007FF7BC834B14
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe	Code function: 24_2_00007FF7BC81AAFC	24_2_00007FF7BC81AAFC
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe	Code function: 24_2_00007FF7BC813A30	24_2_00007FF7BC813A30
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe	Code function: 24_2_00007FF7BC7F3A1C	24_2_00007FF7BC7F3A1C
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe	Code function: 24_2_00007FF7BC82DA40	24_2_00007FF7BC82DA40
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe	Code function: 24_2_00007FF7BC838A90	24_2_00007FF7BC838A90
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe	Code function: 24_2_00007FF7BC84DBA0	24_2_00007FF7BC84DBA0
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe	Code function: 24_2_00007FF7BC7D6BDC	24_2_00007FF7BC7D6BDC
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe	Code function: 24_2_00007FF7BC833C08	24_2_00007FF7BC833C08
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe	Code function: 24_2_00007FF7BC7F9B24	24_2_00007FF7BC7F9B24
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe	Code function: 24_2_00007FF7BC80FB18	24_2_00007FF7BC80FB18
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe	Code function: 24_2_00007FF7BC80BB70	24_2_00007FF7BC80BB70
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe	Code function: 24_2_00007FF7BC819B58	24_2_00007FF7BC819B58
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe	Code function: 24_2_00007FF7BC7E1CAC	24_2_00007FF7BC7E1CAC
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe	Code function: 24_2_00007FF7BC7DBCE0	24_2_00007FF7BC7DBCE0
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe	Code function: 24_2_00007FF7BC7FFCF0	24_2_00007FF7BC7FFCF0
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe	Code function: 24_2_00007FF7BC7EFC40	24_2_00007FF7BC7EFC40
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe	Code function: 24_2_00007FF7BC829C70	24_2_00007FF7BC829C70
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe	Code function: 24_2_00007FF7BC7FBC58	24_2_00007FF7BC7FBC58
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe	Code function: 24_2_00007FF7BC830C90	24_2_00007FF7BC830C90
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe	Code function: 24_2_00007FF7BC808C80	24_2_00007FF7BC808C80
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe	Code function: 24_2_00007FF7BC7E85EC	24_2_00007FF7BC7E85EC
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe	Code function: 24_2_00007FF7BC831608	24_2_00007FF7BC831608
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe	Code function: 24_2_00007FF7BC814610	24_2_00007FF7BC814610
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe	Code function: 24_2_00007FF7BC7E3530	24_2_00007FF7BC7E3530
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe	Code function: 24_2_00007FF7BC832590	24_2_00007FF7BC832590
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe	Code function: 24_2_00007FF7BC841578	24_2_00007FF7BC841578
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe	Code function: 24_2_00007FF7BC7D8590	24_2_00007FF7BC7D8590
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe	Code function: 24_2_00007FF7BC7FA6F4	24_2_00007FF7BC7FA6F4
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe	Code function: 24_2_00007FF7BC810638	24_2_00007FF7BC810638
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe	Code function: 24_2_00007FF7BC83566C	24_2_00007FF7BC83566C
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe	Code function: 24_2_00007FF7BC7F7684	24_2_00007FF7BC7F7684
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe	Code function: 24_2_00007FF7BC7D568C	24_2_00007FF7BC7D568C
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe	Code function: 24_2_00007FF7BC8227A0	24_2_00007FF7BC8227A0
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe	Code function: 24_2_00007FF7BC7DA7C0	24_2_00007FF7BC7DA7C0
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe	Code function: 24_2_00007FF7BC847808	24_2_00007FF7BC847808
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe	Code function: 24_2_00007FF7BC7F57FC	24_2_00007FF7BC7F57FC
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe	Code function: 24_2_00007FF7BC84A810	24_2_00007FF7BC84A810
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe	Code function: 24_2_00007FF7BC7F6718	24_2_00007FF7BC7F6718
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe	Code function: 24_2_00007FF7BC82474C	24_2_00007FF7BC82474C
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe	Code function: 24_2_00007FF7BC801740	24_2_00007FF7BC801740
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe	Code function: 24_2_00007FF7BC7D273C	24_2_00007FF7BC7D273C
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe	Code function: 24_2_00007FF7BC7FB76C	24_2_00007FF7BC7FB76C
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe	Code function: 24_2_00007FF7BC82F790	24_2_00007FF7BC82F790
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe	Code function: 24_2_00007FF7BC7D8790	24_2_00007FF7BC7D8790
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe	Code function: 24_2_00007FF7BC80B77C	24_2_00007FF7BC80B77C
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe	Code function: 24_2_00007FF7BC83F780	24_2_00007FF7BC83F780
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe	Code function: 24_2_00007FF7BC84F780	24_2_00007FF7BC84F780
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe	Code function: 24_2_00007FF7BC82089C	24_2_00007FF7BC82089C
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe	Code function: 24_2_00007FF7BC8398E0	24_2_00007FF7BC8398E0
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe	Code function: 24_2_00007FF7BC8491D0	24_2_00007FF7BC8491D0
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe	Code function: 24_2_00007FF7BC7E21CC	24_2_00007FF7BC7E21CC
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe	Code function: 24_2_00007FF7BC80E1D8	24_2_00007FF7BC80E1D8
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe	Code function: 24_2_00007FF7BC7E720C	24_2_00007FF7BC7E720C
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe	Code function: 24_2_00007FF7BC836200	24_2_00007FF7BC836200
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe	Code function: 24_2_00007FF7BC81012C	24_2_00007FF7BC81012C
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe	Code function: 24_2_00007FF7BC7E1130	24_2_00007FF7BC7E1130
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe	Code function: 24_2_00007FF7BC839170	24_2_00007FF7BC839170
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe	Code function: 24_2_00007FF7BC857160	24_2_00007FF7BC857160
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe	Code function: 24_2_00007FF7BC84517C	24_2_00007FF7BC84517C
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe	Code function: 24_2_00007FF7BC7DB29C	24_2_00007FF7BC7DB29C
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe	Code function: 24_2_00007FF7BC834298	24_2_00007FF7BC834298
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe	Code function: 24_2_00007FF7BC7D52AC	24_2_00007FF7BC7D52AC
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe	Code function: 24_2_00007FF7BC8442D4	24_2_00007FF7BC8442D4
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe	Code function: 24_2_00007FF7BC7DD2E0	24_2_00007FF7BC7DD2E0
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe	Code function: 24_2_00007FF7BC8282F0	24_2_00007FF7BC8282F0
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe	Code function: 24_2_00007FF7BC8012EC	24_2_00007FF7BC8012EC
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe	Code function: 24_2_00007FF7BC7F224C	24_2_00007FF7BC7F224C
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe	Code function: 24_2_00007FF7BC813270	24_2_00007FF7BC813270
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe	Code function: 24_2_00007FF7BC809264	24_2_00007FF7BC809264
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe	Code function: 24_2_00007FF7BC7ED290	24_2_00007FF7BC7ED290
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe	Code function: 24_2_00007FF7BC84E3E0	24_2_00007FF7BC84E3E0
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe	Code function: 24_2_00007FF7BC84340C	24_2_00007FF7BC84340C
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe	Code function: 24_2_00007FF7BC821320	24_2_00007FF7BC821320
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe	Code function: 24_2_00007FF7BC812350	24_2_00007FF7BC812350
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe	Code function: 24_2_00007FF7BC7DF378	24_2_00007FF7BC7DF378
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe	Code function: 24_2_00007FF7BC8384A4	24_2_00007FF7BC8384A4
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe	Code function: 24_2_00007FF7BC82A4E0	24_2_00007FF7BC82A4E0
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe	Code function: 24_2_00007FF7BC82E4E0	24_2_00007FF7BC82E4E0
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe	Code function: 24_2_00007FF7BC8084E4	24_2_00007FF7BC8084E4
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe	Code function: 24_2_00007FF7BC83B510	24_2_00007FF7BC83B510
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe	Code function: 24_2_00007FF7BC7DC430	24_2_00007FF7BC7DC430
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe	Code function: 24_2_00007FF7BC80343C	24_2_00007FF7BC80343C
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe	Code function: 24_2_00007FF7BC7F4454	24_2_00007FF7BC7F4454
Source: C:\Users\user\AppData\Local\FQTqHJ\MusNotificationUx.exe	Code function: 29_2_00007FF618B019F0	29_2_00007FF618B019F0
Source: C:\Users\user\AppData\Local\FQTqHJ\MusNotificationUx.exe	Code function: 29_2_00007FF618AFA9EC	29_2_00007FF618AFA9EC
Source: C:\Users\user\AppData\Local\FQTqHJ\MusNotificationUx.exe	Code function: 29_2_00007FF618AFD9E4	29_2_00007FF618AFD9E4
Source: C:\Users\user\AppData\Local\FQTqHJ\MusNotificationUx.exe	Code function: 29_2_00007FF618AF71D8	29_2_00007FF618AF71D8
Source: C:\Users\user\AppData\Local\FQTqHJ\MusNotificationUx.exe	Code function: 29_2_00007FF618AFB5C0	29_2_00007FF618AFB5C0
Source: C:\Users\user\AppData\Local\FQTqHJ\MusNotificationUx.exe	Code function: 29_2_00007FF618AFC5B8	29_2_00007FF618AFC5B8
Source: C:\Users\user\AppData\Local\FQTqHJ\MusNotificationUx.exe	Code function: 29_2_00007FF618AFCE18	29_2_00007FF618AFCE18
Source: C:\Users\user\AppData\Local\FQTqHJ\MusNotificationUx.exe	Code function: 29_2_00007FF618B0E5DC	29_2_00007FF618B0E5DC
Source: C:\Users\user\AppData\Local\FQTqHJ\MusNotificationUx.exe	Code function: 29_2_00007FF618B04208	29_2_00007FF618B04208
Source: C:\Users\user\AppData\Local\FQTqHJ\MusNotificationUx.exe	Code function: 29_2_00007FF618B109E8	29_2_00007FF618B109E8
Source: C:\Users\user\AppData\Local\FQTqHJ\MusNotificationUx.exe	Code function: 29_2_00007FF618AF61FC	29_2_00007FF618AF61FC
Source: C:\Users\user\AppData\Local\FQTqHJ\MusNotificationUx.exe	Code function: 29_2_00007FF618B03570	29_2_00007FF618B03570
Source: C:\Users\user\AppData\Local\FQTqHJ\MusNotificationUx.exe	Code function: 29_2_00007FF618B0ED88	29_2_00007FF618B0ED88
Source: C:\Users\user\AppData\Local\FQTqHJ\MusNotificationUx.exe	Code function: 29_2_00007FF618B169A8	29_2_00007FF618B169A8
Source: C:\Users\user\AppData\Local\FQTqHJ\MusNotificationUx.exe	Code function: 29_2_00007FF618B0CDA8	29_2_00007FF618B0CDA8
Source: C:\Users\user\AppData\Local\FQTqHJ\MusNotificationUx.exe	Code function: 29_2_00007FF618B0A16C	29_2_00007FF618B0A16C
Source: C:\Users\user\AppData\Local\FQTqHJ\MusNotificationUx.exe	Code function: 29_2_00007FF618B0C570	29_2_00007FF618B0C570
Source: C:\Users\user\AppData\Local\FQTqHJ\MusNotificationUx.exe	Code function: 29_2_00007FF618AFD6E4	29_2_00007FF618AFD6E4
Source: C:\Users\user\AppData\Local\FQTqHJ\MusNotificationUx.exe	Code function: 29_2_00007FF618B07EE0	29_2_00007FF618B07EE0
Source: C:\Users\user\AppData\Local\FQTqHJ\MusNotificationUx.exe	Code function: 29_2_00007FF618B0C318	29_2_00007FF618B0C318
Source: C:\Users\user\AppData\Local\FQTqHJ\MusNotificationUx.exe	Code function: 29_2_00007FF618AFBEC4	29_2_00007FF618AFBEC4
Source: C:\Users\user\AppData\Local\FQTqHJ\MusNotificationUx.exe	Code function: 29_2_00007FF618B0BEB8	29_2_00007FF618B0BEB8
Source: C:\Users\user\AppData\Local\FQTqHJ\MusNotificationUx.exe	Code function: 29_2_00007FF618B0A6C8	29_2_00007FF618B0A6C8
Source: C:\Users\user\AppData\Local\FQTqHJ\MusNotificationUx.exe	Code function: 29_2_00007FF618B02720	29_2_00007FF618B02720
Source: C:\Users\user\AppData\Local\FQTqHJ\MusNotificationUx.exe	Code function: 29_2_00007FF618B07720	29_2_00007FF618B07720
Source: C:\Users\user\AppData\Local\FQTqHJ\MusNotificationUx.exe	Code function: 29_2_00007FF618B186D8	29_2_00007FF618B186D8
Source: C:\Users\user\AppData\Local\FQTqHJ\MusNotificationUx.exe	Code function: 29_2_00007FF618AFA26C	29_2_00007FF618AFA26C
Source: C:\Users\user\AppData\Local\FQTqHJ\MusNotificationUx.exe	Code function: 29_2_00007FF618B11688	29_2_00007FF618B11688
Source: C:\Users\user\AppData\Local\FQTqHJ\MusNotificationUx.exe	Code function: 29_2_00007FF618AFC25C	29_2_00007FF618AFC25C
Source: C:\Users\user\AppData\Local\FQTqHJ\MusNotificationUx.exe	Code function: 29_2_00007FF618AF67F4	29_2_00007FF618AF67F4
Source: C:\Users\user\AppData\Local\FQTqHJ\MusNotificationUx.exe	Code function: 29_2_00007FF618AFD3E8	29_2_00007FF618AFD3E8
Source: C:\Users\user\AppData\Local\FQTqHJ\MusNotificationUx.exe	Code function: 29_2_00007FF618AF9FE8	29_2_00007FF618AF9FE8
Source: C:\Users\user\AppData\Local\FQTqHJ\MusNotificationUx.exe	Code function: 29_2_00007FF618AFCBE4	29_2_00007FF618AFCBE4
Source: C:\Users\user\AppData\Local\FQTqHJ\MusNotificationUx.exe	Code function: 29_2_00007FF618B0AC0C	29_2_00007FF618B0AC0C
Source: C:\Users\user\AppData\Local\FQTqHJ\MusNotificationUx.exe	Code function: 29_2_00007FF618B007D8	29_2_00007FF618B007D8
Source: C:\Users\user\AppData\Local\FQTqHJ\MusNotificationUx.exe	Code function: 29_2_00007FF618B05C2C	29_2_00007FF618B05C2C
Source: C:\Users\user\AppData\Local\FQTqHJ\MusNotificationUx.exe	Code function: 29_2_00007FF618B08BCC	29_2_00007FF618B08BCC
Source: C:\Users\user\AppData\Local\FQTqHJ\MusNotificationUx.exe	Code function: 29_2_00007FF618AFB80C	29_2_00007FF618AFB80C
Source: C:\Users\user\AppData\Local\FQTqHJ\MusNotificationUx.exe	Code function: 29_2_00007FF618B083E0	29_2_00007FF618B083E0
Source: C:\Users\user\AppData\Local\FQTqHJ\MusNotificationUx.exe	Code function: 29_2_00007FF618AFBB68	29_2_00007FF618AFBB68
Source: C:\Users\user\AppData\Local\FQTqHJ\MusNotificationUx.exe	Code function: 29_2_00007FF618AF4760	29_2_00007FF618AF4760
Source: C:\Users\user\AppData\Local\FQTqHJ\MusNotificationUx.exe	Code function: 29_2_00007FF618AFF360	29_2_00007FF618AFF360
Source: C:\Users\user\AppData\Local\FQTqHJ\MusNotificationUx.exe	Code function: 29_2_00007FF618B06754	29_2_00007FF618B06754
Source: C:\Users\user\AppData\Local\FQTqHJ\MusNotificationUx.exe	Code function: 29_2_00007FF618B0BBAC	29_2_00007FF618B0BBAC
Source: C:\Users\user\AppData\Local\FQTqHJ\MusNotificationUx.exe	Code function: 29_2_00007FF618B1C3B4	29_2_00007FF618B1C3B4
Source: C:\Users\user\AppData\Local\FQTqHJ\MusNotificationUx.exe	Code function: 29_2_00007FF618B0F33C	29_2_00007FF618B0F33C
Source: C:\Users\user\AppData\Local\FQTqHJ\MusNotificationUx.exe	Code function: 29_2_00007FF618B047A8	29_2_00007FF618B047A8
Source: C:\Users\user\AppData\Local\FQTqHJ\MusNotificationUx.exe	Code function: 29_2_00007FF618AFB38C	29_2_00007FF618AFB38C
Source: C:\Users\user\AppData\Local\FQTqHJ\MusNotificationUx.exe	Code function: 29_2_00007FF618AFE38C	29_2_00007FF618AFE38C
Source: C:\Users\user\AppData\Local\FQTqHJ\MusNotificationUx.exe	Code function: 29_2_00007FF618B06B7C	29_2_00007FF618B06B7C
Source: C:\Users\user\AppData\Local\FQTqHJ\MusNotificationUx.exe	Code function: 29_2_00007FF618AFECE8	29_2_00007FF618AFECE8
Source: C:\Users\user\AppData\Local\FQTqHJ\MusNotificationUx.exe	Code function: 29_2_00007FF618AFDCE4	29_2_00007FF618AFDCE4
Source: C:\Users\user\AppData\Local\FQTqHJ\MusNotificationUx.exe	Code function: 29_2_00007FF618B03CE0	29_2_00007FF618B03CE0
Source: C:\Users\user\AppData\Local\FQTqHJ\MusNotificationUx.exe	Code function: 29_2_00007FF618B044C4	29_2_00007FF618B044C4
Source: C:\Users\user\AppData\Local\FQTqHJ\MusNotificationUx.exe	Code function: 29_2_00007FF618B11130	29_2_00007FF618B11130
Source: C:\Users\user\AppData\Local\FQTqHJ\MusNotificationUx.exe	Code function: 29_2_00007FF618AF9D28	29_2_00007FF618AF9D28
Source: C:\Users\user\AppData\Local\FQTqHJ\MusNotificationUx.exe	Code function: 29_2_00007FF618B0F8CC	29_2_00007FF618B0F8CC
Source: C:\Users\user\AppData\Local\FQTqHJ\MusNotificationUx.exe	Code function: 29_2_00007FF618AFC908	29_2_00007FF618AFC908
Source: C:\Users\user\AppData\Local\FQTqHJ\MusNotificationUx.exe	Code function: 29_2_00007FF618B01100	29_2_00007FF618B01100
Source: C:\Users\user\AppData\Local\FQTqHJ\MusNotificationUx.exe	Code function: 29_2_00007FF618AFACFC	29_2_00007FF618AFACFC
Source: C:\Users\user\AppData\Local\FQTqHJ\MusNotificationUx.exe	Code function: 29_2_00007FF618B06048	29_2_00007FF618B06048
Source: C:\Users\user\AppData\Local\FQTqHJ\MusNotificationUx.exe	Code function: 29_2_00007FF618AFE040	29_2_00007FF618AFE040
Source: C:\Users\user\AppData\Local\FQTqHJ\MusNotificationUx.exe	Code function: 29_2_00007FF618AFB03C	29_2_00007FF618AFB03C
Source: C:\Users\user\AppData\Local\FQTqHJ\MusNotificationUx.exe	Code function: 29_2_00007FF618B11CB0	29_2_00007FF618B11CB0
Source: C:\Users\user\AppData\Local\FQTqHJ\MusNotificationUx.exe	Code function: 29_2_00007FF618B0944C	29_2_00007FF618B0944C
Source: C:\Users\user\AppData\Local\FQTqHJ\MusNotificationUx.exe	Code function: 29_2_00007FF618B1044C	29_2_00007FF618B1044C
Source: C:\Users\user\AppData\Local\FQTqHJ\MusNotificationUx.exe	Code function: 29_2_00007FF618B0D054	29_2_00007FF618B0D054
Source: C:\Users\user\AppData\Local\FQTqHJ\MusNotificationUx.exe	Code function: 29_2_00007FF618B04C80	29_2_00007FF618B04C80
Source: C:\Users\user\AppData\Local\FQTqHJ\MusNotificationUx.exe	Code function: 29_2_00007FF618B0A070	29_2_00007FF618B0A070
Source: C:\Users\user\AppData\Local\QiP6c\SndVol.exe	Code function: 34_2_00007FF74A7B03A0	34_2_00007FF74A7B03A0
Source: C:\Users\user\AppData\Local\QiP6c\SndVol.exe	Code function: 34_2_00007FF74A7B2BD8	34_2_00007FF74A7B2BD8
Source: C:\Users\user\AppData\Local\QiP6c\SndVol.exe	Code function: 34_2_00007FF74A7B3718	34_2_00007FF74A7B3718
Source: C:\Users\user\AppData\Local\QiP6c\SndVol.exe	Code function: 34_2_00007FF74A7B0CA8	34_2_00007FF74A7B0CA8
Source: C:\Users\user\AppData\Local\QiP6c\SndVol.exe	Code function: 34_2_00007FF74A7BC4D0	34_2_00007FF74A7BC4D0
Source: C:\Users\user\AppData\Local\QiP6c\SndVol.exe	Code function: 34_2_00007FF74A7A44E8	34_2_00007FF74A7A44E8
Source: C:\Users\user\AppData\Local\QiP6c\SndVol.exe	Code function: 34_2_00007FF74A7A3514	34_2_00007FF74A7A3514
Source: C:\Users\user\AppData\Local\QiP6c\SndVol.exe	Code function: 34_2_00007FF74A7A3080	34_2_00007FF74A7A3080
Source: C:\Users\user\AppData\Local\QiP6c\SndVol.exe	Code function: 34_2_00007FF74A7BB088	34_2_00007FF74A7BB088
Source: C:\Users\user\AppData\Local\QiP6c\SndVol.exe	Code function: 34_2_00007FF74A7AA1A0	34_2_00007FF74A7AA1A0
Source: C:\Users\user\AppData\Local\QiP6c\SndVol.exe	Code function: 34_2_00007FF74A7AA5C8	34_2_00007FF74A7AA5C8
Source: C:\Users\user\AppData\Local\QiP6c\SndVol.exe	Code function: 34_2_00007FF74A7A8310	34_2_00007FF74A7A8310
Source: C:\Users\user\AppData\Local\QiP6c\SndVol.exe	Code function: 34_2_00007FF74A7B4F10	34_2_00007FF74A7B4F10
Source: C:\Users\user\AppData\Local\QiP6c\SndVol.exe	Code function: 34_2_00007FF74A7A6218	34_2_00007FF74A7A6218
Source: C:\Users\user\AppData\Local\r1aQ\EhStorAuthn.exe	Code function: 36_2_00007FF6F2321B80	36_2_00007FF6F2321B80
Source: C:\Users\user\AppData\Local\r1aQ\EhStorAuthn.exe	Code function: 36_2_00007FF6F2324600	36_2_00007FF6F2324600
Source: C:\Users\user\AppData\Local\r1aQ\EhStorAuthn.exe	Code function: 36_2_00007FF6F2328BC8	36_2_00007FF6F2328BC8
Source: C:\Users\user\AppData\Local\r1aQ\EhStorAuthn.exe	Code function: 36_2_00007FF6F2322CD0	36_2_00007FF6F2322CD0
Source: C:\Users\user\AppData\Local\r1aQ\EhStorAuthn.exe	Code function: 36_2_00007FF6F23241D8	36_2_00007FF6F23241D8
Source: C:\Users\user\AppData\Local\r1aQ\EhStorAuthn.exe	Code function: 36_2_00007FF6F23211E0	36_2_00007FF6F23211E0
Source: C:\Users\user\AppData\Local\VgY\mstsc.exe	Code function: 41_2_00007FF657D464DC	41_2_00007FF657D464DC
Source: C:\Users\user\AppData\Local\VgY\mstsc.exe	Code function: 41_2_00007FF657D484C0	41_2_00007FF657D484C0
Source: C:\Users\user\AppData\Local\VgY\mstsc.exe	Code function: 41_2_00007FF657D4A858	41_2_00007FF657D4A858
Source: C:\Users\user\AppData\Local\VgY\mstsc.exe	Code function: 41_2_00007FF657D48060	41_2_00007FF657D48060
Source: C:\Users\user\AppData\Local\VgY\mstsc.exe	Code function: 41_2_00007FF657D35410	41_2_00007FF657D35410
Source: C:\Users\user\AppData\Local\VgY\mstsc.exe	Code function: 41_2_00007FF657D477C0	41_2_00007FF657D477C0
Source: C:\Users\user\AppData\Local\VgY\mstsc.exe	Code function: 41_2_00007FF657D36B94	41_2_00007FF657D36B94
Source: C:\Users\user\AppData\Local\VgY\mstsc.exe	Code function: 41_2_00007FF657D74320	41_2_00007FF657D74320
Source: C:\Users\user\AppData\Local\VgY\mstsc.exe	Code function: 41_2_00007FF657D512E0	41_2_00007FF657D512E0
Source: C:\Users\user\AppData\Local\VgY\mstsc.exe	Code function: 41_2_00007FF657D34EC4	41_2_00007FF657D34EC4
Source: C:\Users\user\AppData\Local\VgY\mstsc.exe	Code function: 41_2_00007FF657D4EAB4	41_2_00007FF657D4EAB4
Source: C:\Users\user\AppData\Local\VgY\mstsc.exe	Code function: 41_2_00007FF657DC1690	41_2_00007FF657DC1690
Source: C:\Users\user\AppData\Local\VgY\mstsc.exe	Code function: 41_2_00007FF657D3DA8C	41_2_00007FF657D3DA8C
Source: C:\Users\user\AppData\Local\VgY\mstsc.exe	Code function: 41_2_00007FF657D4CE08	41_2_00007FF657D4CE08
Source: C:\Users\user\AppData\Local\VgY\mstsc.exe	Code function: 41_2_00007FF657D435EC	41_2_00007FF657D435EC
Source: C:\Users\user\AppData\Local\VgY\mstsc.exe	Code function: 41_2_00007FF657D48DF0	41_2_00007FF657D48DF0
Source: C:\Users\user\AppData\Local\VgY\mstsc.exe	Code function: 41_2_00007FF657D439A0	41_2_00007FF657D439A0

Found potential string decryption / allocating functions

Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe	Code function: String function: 00007FF7BC81CA8C appears 41 times
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe	Code function: String function: 00007FF7BC7DE9C4 appears 36 times
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe	Code function: String function: 00007FF7BC80D0A8 appears 57 times
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe	Code function: String function: 00007FF7BC7D3D44 appears 916 times
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe	Code function: String function: 00007FF7BC7D3B08 appears 48 times

Contains functionality to call native functions

Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_0000000140046C90 NtClose,	0_2_0000000140046C90
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_000000014006A4B0 NtQuerySystemInformation,	0_2_000000014006A4B0
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe	Code function: 24_2_00007FF7BC7DFFE8 GetFileAttributesW,SetFileAttributesW,CreateFileW,GetFileInformationByHandle,GetModuleHandleW,GetProcAddress,GetProcAddress,memset,GetFullPathNameW,HeapAlloc,RtlFreeHeap,_wcsicmp,FindClose,GetProcessHeap,HeapFree,GetLastError,GetLastError,NtSetInformationFile,RtlNtStatusToDosError,CloseHandle,SetFileAttributesW,GetProcessHeap,HeapFree,GetLastError,GetLastError,GetProcessHeap,HeapFree,SetLastError,	24_2_00007FF7BC7DFFE8
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe	Code function: 24_2_00007FF7BC81A090 CreateFileW,GetLastError,GetProcessHeap,HeapAlloc,NtQueryInformationFile,NtOpenProcess,NtQueryInformationProcess,GetProcessHeap,HeapAlloc,NtQueryInformationProcess,NtClose,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,CloseHandle,GetProcessHeap,HeapFree,	24_2_00007FF7BC81A090
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe	Code function: 24_2_00007FF7BC81A9C8 memset,CreateFileW,NtClose,	24_2_00007FF7BC81A9C8
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe	Code function: 24_2_00007FF7BC81B964 memset,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapAlloc,FindFirstFileW,GetLastError,GetLastError,_wcsicmp,_wcsicmp,GetLastError,GetCurrentThread,NtQueryInformationThread,FindNextFileW,GetLastError,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,FindClose,SetLastError,	24_2_00007FF7BC81B964
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe	Code function: 24_2_00007FF7BC81A984 NtReadFile,	24_2_00007FF7BC81A984
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe	Code function: 24_2_00007FF7BC81AAFC GetLastError,GetLastError,GetLastError,GetLastError,GetProcessHeap,HeapFree,GetLastError,GetLastError,RtlImageNtHeader,GetLastError,GetLastError,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetLastError,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,CreateFileW,GetLastError,GetLastError,GetLastError,GetLastError,GetLastError,GetLastError,GetProcessHeap,HeapAlloc,memset,WriteFile,GetLastError,GetProcessHeap,HeapFree,NtClose,GetLastError,GetLastError,GetLastError,GetLastError,GetLastError,SetLastError,GetLastError,GetLastError,GetLastError,GetLastError,GetLastError,GetLastError,GetLastError,GetLastError,FlushFileBuffers,GetLastError,CloseHandle,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,SetLastError,	24_2_00007FF7BC81AAFC
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe	Code function: 24_2_00007FF7BC819B58 memset,NtWriteFile,NtReadFile,NtWriteFile,NtWriteFile,NtWriteFile,	24_2_00007FF7BC819B58
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe	Code function: 24_2_00007FF7BC855C64 NtShutdownSystem,InitiateSystemShutdownExW,GetLastError,	24_2_00007FF7BC855C64
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe	Code function: 24_2_00007FF7BC81C56C NtQuerySystemInformation,	24_2_00007FF7BC81C56C
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe	Code function: 24_2_00007FF7BC7D273C memset,memset,GetFileAttributesW,GetProcessHeap,HeapFree,GetFileAttributesW,memset,GetSystemWindowsDirectoryW,GetLastError,GetProcessHeap,HeapFree,GetFileAttributesW,GetFileAttributesW,GetProcessHeap,HeapFree,GetFileAttributesW,GetProcessHeap,HeapFree,GetFileAttributesW,GetFileAttributesW,GetProcessHeap,HeapFree,GetFileAttributesW,memset,GetSystemWindowsDirectoryW,GetLastError,GetProcessHeap,HeapAlloc,GetFileAttributesW,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,SetEvent,NtPowerInformation,PowerCreateRequest,PowerSetRequest,PowerSetRequest,SetThreadExecutionState,memset,GetSystemWindowsDirectoryW,GetLastError,SetThreadExecutionState,PowerClearRequest,CloseHandle,SetEvent,GetProcessHeap,HeapFree,	24_2_00007FF7BC7D273C
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe	Code function: 24_2_00007FF7BC84E3E0 memset,RtlGetVersion,GetCurrentProcess,SetPriorityClass,GetLastError,NtSetInformationProcess,NtSetInformationThread,NtSetInformationProcess,NtSetInformationThread,	24_2_00007FF7BC84E3E0
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe	Code function: 24_2_00007FF7BC812350 memset,memset,NtQuerySystemInformation,GetProcessHeap,HeapFree,GetLastError,SetLastError,memset,CoTaskMemFree,CoTaskMemFree,CoTaskMemFree,CoTaskMemFree,CoTaskMemFree,memset,CoTaskMemFree,CoTaskMemFree,CoTaskMemFree,CoTaskMemFree,CoTaskMemFree,memset,UuidCreate,CoTaskMemFree,CoTaskMemFree,CoTaskMemFree,CoTaskMemFree,CoTaskMemFree,CoTaskMemFree,CoTaskMemFree,	24_2_00007FF7BC812350
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe	Code function: 24_2_00007FF7BC81A38C GetCurrentThread,NtQueryInformationThread,GetCurrentThread,NtSetInformationThread,	24_2_00007FF7BC81A38C

Contains functionality to communicate with device drivers

Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe

Code function: 24_2_00007FF7BC80FE20: SetLastError,GetProcessHeap,HeapAlloc,DeviceIoControl,GetLastError,GetProcessHeap,HeapFree,SetLastError,

24_2_00007FF7BC80FE20

PE file contains strange resources

Source: RecoveryDrive.exe.4.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: RecoveryDrive.exe.4.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: RecoveryDrive.exe.4.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: SndVol.exe.4.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: SndVol.exe.4.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: SndVol.exe.4.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: SndVol.exe.4.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: SndVol.exe.4.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: SndVol.exe.4.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: SndVol.exe.4.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: SndVol.exe.4.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: SndVol.exe.4.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: EhStorAuthn.exe.4.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: EhStorAuthn.exe.4.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: EhStorAuthn.exe.4.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: EhStorAuthn.exe.4.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: EhStorAuthn.exe.4.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: mstsc.exe.4.dr	Static PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
Source: mstsc.exe.4.dr	Static PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
Source: mstsc.exe.4.dr	Static PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
Source: mstsc.exe.4.dr	Static PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
Source: mstsc.exe.4.dr	Static PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
Source: mstsc.exe.4.dr	Static PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
Source: mstsc.exe.4.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: mstsc.exe.4.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: mstsc.exe.4.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: mstsc.exe.4.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: mstsc.exe.4.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: mstsc.exe.4.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: mstsc.exe.4.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: mstsc.exe.4.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: mstsc.exe.4.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: mstsc.exe.4.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: mstsc.exe.4.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: Magnify.exe.4.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: Magnify.exe.4.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: Magnify.exe.4.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST

Tries to load missing DLLs

Source: C:\Windows\explorer.exe

Section loaded: windows.globalization.dll

Jump to behavior

PE file contains more sections than normal

Source: A2qAaSVuU2.dll	Static PE information: Number of sections : 58 > 10
Source: DUI70.dll.4.dr	Static PE information: Number of sections : 59 > 10
Source: UxTheme.dll0.4.dr	Static PE information: Number of sections : 59 > 10
Source: Secur32.dll.4.dr	Static PE information: Number of sections : 59 > 10
Source: ReAgent.dll.4.dr	Static PE information: Number of sections : 59 > 10
Source: WINSTA.dll.4.dr	Static PE information: Number of sections : 59 > 10
Source: XmlLite.dll.4.dr	Static PE information: Number of sections : 59 > 10
Source: OLEACC.dll.4.dr	Static PE information: Number of sections : 59 > 10
Source: UxTheme.dll.4.dr	Static PE information: Number of sections : 59 > 10

Source: A2qAaSVuU2.dll	Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: DUI70.dll.4.dr	Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: ReAgent.dll.4.dr	Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: XmlLite.dll.4.dr	Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: UxTheme.dll.4.dr	Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: UxTheme.dll0.4.dr	Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: Secur32.dll.4.dr	Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: WINSTA.dll.4.dr	Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: OLEACC.dll.4.dr	Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: A2qAaSVuU2.dll	Virustotal: Detection: 64%
Source: A2qAaSVuU2.dll	Metadefender: Detection: 62%
Source: A2qAaSVuU2.dll	ReversingLabs: Detection: 84%

Source: A2qAaSVuU2.dll

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Windows\System32\loaddll64.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Windows\System32\loaddll64.exe loaddll64.exe 'C:\Users\user\Desktop\A2qAaSVuU2.dll'
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\cmd.exe cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\A2qAaSVuU2.dll',#1
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\A2qAaSVuU2.dll,DpxFreeMemory
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\A2qAaSVuU2.dll',#1
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\A2qAaSVuU2.dll,DpxNewJob
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\A2qAaSVuU2.dll,DpxNewJobEx
Source: C:\Windows\explorer.exe	Process created: C:\Windows\System32\SysResetErr.exe C:\Windows\system32\SysResetErr.exe
Source: C:\Windows\explorer.exe	Process created: C:\Users\user\AppData\Local\AxQmthi0\SysResetErr.exe C:\Users\user\AppData\Local\AxQmthi0\SysResetErr.exe
Source: C:\Windows\explorer.exe	Process created: C:\Windows\System32\RecoveryDrive.exe C:\Windows\system32\RecoveryDrive.exe
Source: C:\Windows\explorer.exe	Process created: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe
Source: C:\Windows\explorer.exe	Process created: C:\Windows\System32\MusNotificationUx.exe C:\Windows\system32\MusNotificationUx.exe
Source: C:\Windows\explorer.exe	Process created: C:\Users\user\AppData\Local\FQTqHJ\MusNotificationUx.exe C:\Users\user\AppData\Local\FQTqHJ\MusNotificationUx.exe
Source: C:\Windows\explorer.exe	Process created: C:\Windows\System32\SndVol.exe C:\Windows\system32\SndVol.exe
Source: C:\Windows\explorer.exe	Process created: C:\Users\user\AppData\Local\QiP6c\SndVol.exe C:\Users\user\AppData\Local\QiP6c\SndVol.exe
Source: C:\Windows\explorer.exe	Process created: C:\Windows\System32\EhStorAuthn.exe C:\Windows\system32\EhStorAuthn.exe
Source: C:\Windows\explorer.exe	Process created: C:\Users\user\AppData\Local\r1aQ\EhStorAuthn.exe C:\Users\user\AppData\Local\r1aQ\EhStorAuthn.exe
Source: C:\Windows\explorer.exe	Process created: C:\Windows\System32\mstsc.exe C:\Windows\system32\mstsc.exe
Source: C:\Windows\explorer.exe	Process created: C:\Users\user\AppData\Local\VgY\mstsc.exe C:\Users\user\AppData\Local\VgY\mstsc.exe
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\cmd.exe cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\A2qAaSVuU2.dll',#1	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\A2qAaSVuU2.dll,DpxFreeMemory	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\A2qAaSVuU2.dll,DpxNewJob	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\A2qAaSVuU2.dll,DpxNewJobEx	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\A2qAaSVuU2.dll',#1	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: C:\Windows\System32\SysResetErr.exe C:\Windows\system32\SysResetErr.exe	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: C:\Users\user\AppData\Local\AxQmthi0\SysResetErr.exe C:\Users\user\AppData\Local\AxQmthi0\SysResetErr.exe	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: C:\Windows\System32\RecoveryDrive.exe C:\Windows\system32\RecoveryDrive.exe	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: C:\Windows\System32\MusNotificationUx.exe C:\Windows\system32\MusNotificationUx.exe	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: C:\Users\user\AppData\Local\FQTqHJ\MusNotificationUx.exe C:\Users\user\AppData\Local\FQTqHJ\MusNotificationUx.exe	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: C:\Windows\System32\SndVol.exe C:\Windows\system32\SndVol.exe	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: C:\Users\user\AppData\Local\QiP6c\SndVol.exe C:\Users\user\AppData\Local\QiP6c\SndVol.exe	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: C:\Windows\System32\EhStorAuthn.exe C:\Windows\system32\EhStorAuthn.exe	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: C:\Users\user\AppData\Local\r1aQ\EhStorAuthn.exe C:\Users\user\AppData\Local\r1aQ\EhStorAuthn.exe	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: C:\Windows\System32\mstsc.exe C:\Windows\system32\mstsc.exe	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: C:\Users\user\AppData\Local\VgY\mstsc.exe C:\Users\user\AppData\Local\VgY\mstsc.exe	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: unknown unknown	Jump to behavior

Source: C:\Windows\explorer.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32

Jump to behavior

Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe	Code function: 24_2_00007FF7BC81CBF0 GetCurrentThread,OpenThreadToken,GetLastError,GetProcessHeap,HeapAlloc,AdjustTokenPrivileges,GetLastError,GetProcessHeap,HeapFree,GetProcessHeap,HeapAlloc,AdjustTokenPrivileges,GetLastError,CloseHandle,GetProcessHeap,HeapFree,SetLastError,	24_2_00007FF7BC81CBF0
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe	Code function: 24_2_00007FF7BC816644 GetCurrentThread,OpenThreadToken,GetLastError,GetCurrentProcess,OpenProcessToken,GetLastError,DuplicateTokenEx,GetLastError,AdjustTokenPrivileges,SetThreadToken,CloseHandle,CloseHandle,	24_2_00007FF7BC816644
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe	Code function: 24_2_00007FF7BC811900 AdjustTokenPrivileges,GetLastError,CloseHandle,	24_2_00007FF7BC811900
Source: C:\Users\user\AppData\Local\FQTqHJ\MusNotificationUx.exe	Code function: 29_2_00007FF618B16588 GetCurrentProcess,OpenProcessToken,AdjustTokenPrivileges,GetLastError,CloseHandle,	29_2_00007FF618B16588

Source: C:\Windows\explorer.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Crypto

Jump to behavior

Source: classification engine

Classification label: mal100.troj.evad.winDLL@40/17@1/0

Source: C:\Users\user\AppData\Local\AxQmthi0\SysResetErr.exe

Code function: 21_2_00007FF727F81424 GetCommandLineW,CommandLineToArgvW,_wcsicmp,_wcsicmp,CoInitialize,CoCreateInstance,memset,RegGetValueW,_wcsicmp,GetModuleHandleW,GetModuleHandleW,LoadStringW,?Create@DUIXmlParser@DirectUI@@SAJPEAPEAV12@P6APEAVValue@2@PEBGPEAX@Z2P6AX11H2@Z2@Z,?SetXMLFromResource@DUIXmlParser@DirectUI@@QEAAJIPEAUHINSTANCE__@@0@Z,?CreateElement@DUIXmlParser@DirectUI@@QEAAJPEBGPEAVElement@2@1PEAKPEAPEAV32@@Z,new,free,GetMessageW,TranslateMessage,DispatchMessageW,GetMessageW,?Destroy@Element@DirectUI@@QEAAJ_N@Z,

21_2_00007FF727F81424

Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe

Code function: 24_2_00007FF7BC855070 FormatMessageW,GetLastError,LocalFree,SysFreeString,LeaveCriticalSection,

24_2_00007FF7BC855070

Source: C:\Windows\System32\loaddll64.exe

Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\A2qAaSVuU2.dll,DpxFreeMemory

Source: C:\Users\user\AppData\Local\VgY\mstsc.exe	Mutant created: \Sessions\1\BaseNamedObjects\{79834223-9b8b-fb74-ddfa-b0860ef73558}
Source: C:\Users\user\AppData\Local\VgY\mstsc.exe	Mutant created: \Sessions\1\BaseNamedObjects\{e1b7b966-7536-5d87-307b-f7b104c280aa}

Source: C:\Users\user\AppData\Local\AxQmthi0\SysResetErr.exe

Code function: 21_2_00007FF727F82128 LoadResource,LockResource,SizeofResource,

21_2_00007FF727F82128

Source: A2qAaSVuU2.dll

Static PE information: Image base 0x140000000 > 0x60000000

Source: A2qAaSVuU2.dll

Static file information: File size 2232320 > 1048576

Source: A2qAaSVuU2.dll

Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA

Source:	Binary string: SndVol.pdbGCTL source: SndVol.exe, 00000022.00000002.478682807.00007FF74A7C2000.00000002.00020000.sdmp
Source:	Binary string: RecoveryDrive.pdbGCTL source: RecoveryDrive.exe, 00000018.00000000.393437519.00007FF7BC85C000.00000002.00020000.sdmp
Source:	Binary string: EhStorAuthn.pdbGCTL source: EhStorAuthn.exe, 00000024.00000000.479708302.00007FF6F232B000.00000002.00020000.sdmp
Source:	Binary string: MusNotificationUx.pdb source: MusNotificationUx.exe, 0000001D.00000000.420648066.00007FF618B1E000.00000002.00020000.sdmp
Source:	Binary string: SysResetErr.pdb source: SysResetErr.exe, 00000015.00000000.365066669.00007FF727F86000.00000002.00020000.sdmp
Source:	Binary string: MusNotificationUx.pdbGCTL source: MusNotificationUx.exe, 0000001D.00000000.420648066.00007FF618B1E000.00000002.00020000.sdmp
Source:	Binary string: EhStorAuthn.pdb source: EhStorAuthn.exe, 00000024.00000000.479708302.00007FF6F232B000.00000002.00020000.sdmp
Source:	Binary string: RecoveryDrive.pdb source: RecoveryDrive.exe, 00000018.00000000.393437519.00007FF7BC85C000.00000002.00020000.sdmp
Source:	Binary string: SndVol.pdb source: SndVol.exe, 00000022.00000002.478682807.00007FF74A7C2000.00000002.00020000.sdmp
Source:	Binary string: SysResetErr.pdbGCTL source: SysResetErr.exe, 00000015.00000000.365066669.00007FF727F86000.00000002.00020000.sdmp

Data Obfuscation:

Uses code obfuscation techniques (call, push, ret)

Source: C:\Windows\System32\loaddll64.exe

Code function: 0_2_0000000140056A4D push rdi; ret

0_2_0000000140056A4E

PE file contains sections with non-standard names

Source: A2qAaSVuU2.dll	Static PE information: section name: .qkm
Source: A2qAaSVuU2.dll	Static PE information: section name: .cvjb
Source: A2qAaSVuU2.dll	Static PE information: section name: .tlmkv
Source: A2qAaSVuU2.dll	Static PE information: section name: .wucsxe
Source: A2qAaSVuU2.dll	Static PE information: section name: .fltwtj
Source: A2qAaSVuU2.dll	Static PE information: section name: .sfplio
Source: A2qAaSVuU2.dll	Static PE information: section name: .rpg
Source: A2qAaSVuU2.dll	Static PE information: section name: .bewzc
Source: A2qAaSVuU2.dll	Static PE information: section name: .vksvaw
Source: A2qAaSVuU2.dll	Static PE information: section name: .wmhg
Source: A2qAaSVuU2.dll	Static PE information: section name: .kswemc
Source: A2qAaSVuU2.dll	Static PE information: section name: .kaxfk
Source: A2qAaSVuU2.dll	Static PE information: section name: .wualk
Source: A2qAaSVuU2.dll	Static PE information: section name: .qdxz
Source: A2qAaSVuU2.dll	Static PE information: section name: .rkyg
Source: A2qAaSVuU2.dll	Static PE information: section name: .psul
Source: A2qAaSVuU2.dll	Static PE information: section name: .pyjm
Source: A2qAaSVuU2.dll	Static PE information: section name: .eoadme
Source: A2qAaSVuU2.dll	Static PE information: section name: .fnz
Source: A2qAaSVuU2.dll	Static PE information: section name: .gwheg
Source: A2qAaSVuU2.dll	Static PE information: section name: .fcd
Source: A2qAaSVuU2.dll	Static PE information: section name: .dwk
Source: A2qAaSVuU2.dll	Static PE information: section name: .hgy
Source: A2qAaSVuU2.dll	Static PE information: section name: .nfm
Source: A2qAaSVuU2.dll	Static PE information: section name: .qmfqd
Source: A2qAaSVuU2.dll	Static PE information: section name: .buzyfh
Source: A2qAaSVuU2.dll	Static PE information: section name: .towo
Source: A2qAaSVuU2.dll	Static PE information: section name: .omwdbg
Source: A2qAaSVuU2.dll	Static PE information: section name: .virw
Source: A2qAaSVuU2.dll	Static PE information: section name: .bck
Source: A2qAaSVuU2.dll	Static PE information: section name: .mbhfb
Source: A2qAaSVuU2.dll	Static PE information: section name: .kix
Source: A2qAaSVuU2.dll	Static PE information: section name: .gurzs
Source: A2qAaSVuU2.dll	Static PE information: section name: .dzdoj
Source: A2qAaSVuU2.dll	Static PE information: section name: .egret
Source: A2qAaSVuU2.dll	Static PE information: section name: .ftpyc
Source: A2qAaSVuU2.dll	Static PE information: section name: .qrc
Source: A2qAaSVuU2.dll	Static PE information: section name: .tnnx
Source: A2qAaSVuU2.dll	Static PE information: section name: .vsjhk
Source: A2qAaSVuU2.dll	Static PE information: section name: .fmswwe
Source: A2qAaSVuU2.dll	Static PE information: section name: .zfhn
Source: A2qAaSVuU2.dll	Static PE information: section name: .ejdgrp
Source: A2qAaSVuU2.dll	Static PE information: section name: .soyat
Source: A2qAaSVuU2.dll	Static PE information: section name: .jlil
Source: A2qAaSVuU2.dll	Static PE information: section name: .bojgf
Source: A2qAaSVuU2.dll	Static PE information: section name: .gvsnik
Source: A2qAaSVuU2.dll	Static PE information: section name: .lsc
Source: A2qAaSVuU2.dll	Static PE information: section name: .uepvem
Source: A2qAaSVuU2.dll	Static PE information: section name: .don
Source: A2qAaSVuU2.dll	Static PE information: section name: .dqju
Source: A2qAaSVuU2.dll	Static PE information: section name: .qmgrql
Source: A2qAaSVuU2.dll	Static PE information: section name: .cjrd
Source: SysResetErr.exe.4.dr	Static PE information: section name: .imrsiv
Source: MusNotificationUx.exe.4.dr	Static PE information: section name: .imrsiv
Source: MusNotificationUx.exe.4.dr	Static PE information: section name: .didat
Source: SndVol.exe.4.dr	Static PE information: section name: .imrsiv
Source: SndVol.exe.4.dr	Static PE information: section name: .didat
Source: mstsc.exe.4.dr	Static PE information: section name: .didat
Source: DisplaySwitch.exe.4.dr	Static PE information: section name: .imrsiv
Source: DUI70.dll.4.dr	Static PE information: section name: .qkm
Source: DUI70.dll.4.dr	Static PE information: section name: .cvjb
Source: DUI70.dll.4.dr	Static PE information: section name: .tlmkv
Source: DUI70.dll.4.dr	Static PE information: section name: .wucsxe
Source: DUI70.dll.4.dr	Static PE information: section name: .fltwtj
Source: DUI70.dll.4.dr	Static PE information: section name: .sfplio
Source: DUI70.dll.4.dr	Static PE information: section name: .rpg
Source: DUI70.dll.4.dr	Static PE information: section name: .bewzc
Source: DUI70.dll.4.dr	Static PE information: section name: .vksvaw
Source: DUI70.dll.4.dr	Static PE information: section name: .wmhg
Source: DUI70.dll.4.dr	Static PE information: section name: .kswemc
Source: DUI70.dll.4.dr	Static PE information: section name: .kaxfk
Source: DUI70.dll.4.dr	Static PE information: section name: .wualk
Source: DUI70.dll.4.dr	Static PE information: section name: .qdxz
Source: DUI70.dll.4.dr	Static PE information: section name: .rkyg
Source: DUI70.dll.4.dr	Static PE information: section name: .psul
Source: DUI70.dll.4.dr	Static PE information: section name: .pyjm
Source: DUI70.dll.4.dr	Static PE information: section name: .eoadme
Source: DUI70.dll.4.dr	Static PE information: section name: .fnz
Source: DUI70.dll.4.dr	Static PE information: section name: .gwheg
Source: DUI70.dll.4.dr	Static PE information: section name: .fcd
Source: DUI70.dll.4.dr	Static PE information: section name: .dwk
Source: DUI70.dll.4.dr	Static PE information: section name: .hgy
Source: DUI70.dll.4.dr	Static PE information: section name: .nfm
Source: DUI70.dll.4.dr	Static PE information: section name: .qmfqd
Source: DUI70.dll.4.dr	Static PE information: section name: .buzyfh
Source: DUI70.dll.4.dr	Static PE information: section name: .towo
Source: DUI70.dll.4.dr	Static PE information: section name: .omwdbg
Source: DUI70.dll.4.dr	Static PE information: section name: .virw
Source: DUI70.dll.4.dr	Static PE information: section name: .bck
Source: DUI70.dll.4.dr	Static PE information: section name: .mbhfb
Source: DUI70.dll.4.dr	Static PE information: section name: .kix
Source: DUI70.dll.4.dr	Static PE information: section name: .gurzs
Source: DUI70.dll.4.dr	Static PE information: section name: .dzdoj
Source: DUI70.dll.4.dr	Static PE information: section name: .egret
Source: DUI70.dll.4.dr	Static PE information: section name: .ftpyc
Source: DUI70.dll.4.dr	Static PE information: section name: .qrc
Source: DUI70.dll.4.dr	Static PE information: section name: .tnnx
Source: DUI70.dll.4.dr	Static PE information: section name: .vsjhk
Source: DUI70.dll.4.dr	Static PE information: section name: .fmswwe
Source: DUI70.dll.4.dr	Static PE information: section name: .zfhn
Source: DUI70.dll.4.dr	Static PE information: section name: .ejdgrp
Source: DUI70.dll.4.dr	Static PE information: section name: .soyat
Source: DUI70.dll.4.dr	Static PE information: section name: .jlil
Source: DUI70.dll.4.dr	Static PE information: section name: .bojgf
Source: DUI70.dll.4.dr	Static PE information: section name: .gvsnik
Source: DUI70.dll.4.dr	Static PE information: section name: .lsc
Source: DUI70.dll.4.dr	Static PE information: section name: .uepvem
Source: DUI70.dll.4.dr	Static PE information: section name: .don
Source: DUI70.dll.4.dr	Static PE information: section name: .dqju
Source: DUI70.dll.4.dr	Static PE information: section name: .qmgrql
Source: DUI70.dll.4.dr	Static PE information: section name: .cjrd
Source: DUI70.dll.4.dr	Static PE information: section name: .qnro
Source: ReAgent.dll.4.dr	Static PE information: section name: .qkm
Source: ReAgent.dll.4.dr	Static PE information: section name: .cvjb
Source: ReAgent.dll.4.dr	Static PE information: section name: .tlmkv
Source: ReAgent.dll.4.dr	Static PE information: section name: .wucsxe
Source: ReAgent.dll.4.dr	Static PE information: section name: .fltwtj
Source: ReAgent.dll.4.dr	Static PE information: section name: .sfplio
Source: ReAgent.dll.4.dr	Static PE information: section name: .rpg
Source: ReAgent.dll.4.dr	Static PE information: section name: .bewzc
Source: ReAgent.dll.4.dr	Static PE information: section name: .vksvaw
Source: ReAgent.dll.4.dr	Static PE information: section name: .wmhg
Source: ReAgent.dll.4.dr	Static PE information: section name: .kswemc
Source: ReAgent.dll.4.dr	Static PE information: section name: .kaxfk
Source: ReAgent.dll.4.dr	Static PE information: section name: .wualk
Source: ReAgent.dll.4.dr	Static PE information: section name: .qdxz
Source: ReAgent.dll.4.dr	Static PE information: section name: .rkyg
Source: ReAgent.dll.4.dr	Static PE information: section name: .psul
Source: ReAgent.dll.4.dr	Static PE information: section name: .pyjm
Source: ReAgent.dll.4.dr	Static PE information: section name: .eoadme
Source: ReAgent.dll.4.dr	Static PE information: section name: .fnz
Source: ReAgent.dll.4.dr	Static PE information: section name: .gwheg
Source: ReAgent.dll.4.dr	Static PE information: section name: .fcd
Source: ReAgent.dll.4.dr	Static PE information: section name: .dwk
Source: ReAgent.dll.4.dr	Static PE information: section name: .hgy
Source: ReAgent.dll.4.dr	Static PE information: section name: .nfm
Source: ReAgent.dll.4.dr	Static PE information: section name: .qmfqd
Source: ReAgent.dll.4.dr	Static PE information: section name: .buzyfh
Source: ReAgent.dll.4.dr	Static PE information: section name: .towo
Source: ReAgent.dll.4.dr	Static PE information: section name: .omwdbg
Source: ReAgent.dll.4.dr	Static PE information: section name: .virw
Source: ReAgent.dll.4.dr	Static PE information: section name: .bck
Source: ReAgent.dll.4.dr	Static PE information: section name: .mbhfb
Source: ReAgent.dll.4.dr	Static PE information: section name: .kix
Source: ReAgent.dll.4.dr	Static PE information: section name: .gurzs
Source: ReAgent.dll.4.dr	Static PE information: section name: .dzdoj
Source: ReAgent.dll.4.dr	Static PE information: section name: .egret
Source: ReAgent.dll.4.dr	Static PE information: section name: .ftpyc
Source: ReAgent.dll.4.dr	Static PE information: section name: .qrc
Source: ReAgent.dll.4.dr	Static PE information: section name: .tnnx
Source: ReAgent.dll.4.dr	Static PE information: section name: .vsjhk
Source: ReAgent.dll.4.dr	Static PE information: section name: .fmswwe
Source: ReAgent.dll.4.dr	Static PE information: section name: .zfhn
Source: ReAgent.dll.4.dr	Static PE information: section name: .ejdgrp
Source: ReAgent.dll.4.dr	Static PE information: section name: .soyat
Source: ReAgent.dll.4.dr	Static PE information: section name: .jlil
Source: ReAgent.dll.4.dr	Static PE information: section name: .bojgf
Source: ReAgent.dll.4.dr	Static PE information: section name: .gvsnik
Source: ReAgent.dll.4.dr	Static PE information: section name: .lsc
Source: ReAgent.dll.4.dr	Static PE information: section name: .uepvem
Source: ReAgent.dll.4.dr	Static PE information: section name: .don
Source: ReAgent.dll.4.dr	Static PE information: section name: .dqju
Source: ReAgent.dll.4.dr	Static PE information: section name: .qmgrql
Source: ReAgent.dll.4.dr	Static PE information: section name: .cjrd
Source: ReAgent.dll.4.dr	Static PE information: section name: .lkgno
Source: XmlLite.dll.4.dr	Static PE information: section name: .qkm
Source: XmlLite.dll.4.dr	Static PE information: section name: .cvjb
Source: XmlLite.dll.4.dr	Static PE information: section name: .tlmkv
Source: XmlLite.dll.4.dr	Static PE information: section name: .wucsxe
Source: XmlLite.dll.4.dr	Static PE information: section name: .fltwtj
Source: XmlLite.dll.4.dr	Static PE information: section name: .sfplio
Source: XmlLite.dll.4.dr	Static PE information: section name: .rpg
Source: XmlLite.dll.4.dr	Static PE information: section name: .bewzc
Source: XmlLite.dll.4.dr	Static PE information: section name: .vksvaw
Source: XmlLite.dll.4.dr	Static PE information: section name: .wmhg
Source: XmlLite.dll.4.dr	Static PE information: section name: .kswemc
Source: XmlLite.dll.4.dr	Static PE information: section name: .kaxfk
Source: XmlLite.dll.4.dr	Static PE information: section name: .wualk
Source: XmlLite.dll.4.dr	Static PE information: section name: .qdxz
Source: XmlLite.dll.4.dr	Static PE information: section name: .rkyg
Source: XmlLite.dll.4.dr	Static PE information: section name: .psul
Source: XmlLite.dll.4.dr	Static PE information: section name: .pyjm
Source: XmlLite.dll.4.dr	Static PE information: section name: .eoadme
Source: XmlLite.dll.4.dr	Static PE information: section name: .fnz
Source: XmlLite.dll.4.dr	Static PE information: section name: .gwheg
Source: XmlLite.dll.4.dr	Static PE information: section name: .fcd
Source: XmlLite.dll.4.dr	Static PE information: section name: .dwk
Source: XmlLite.dll.4.dr	Static PE information: section name: .hgy
Source: XmlLite.dll.4.dr	Static PE information: section name: .nfm
Source: XmlLite.dll.4.dr	Static PE information: section name: .qmfqd
Source: XmlLite.dll.4.dr	Static PE information: section name: .buzyfh
Source: XmlLite.dll.4.dr	Static PE information: section name: .towo
Source: XmlLite.dll.4.dr	Static PE information: section name: .omwdbg
Source: XmlLite.dll.4.dr	Static PE information: section name: .virw
Source: XmlLite.dll.4.dr	Static PE information: section name: .bck
Source: XmlLite.dll.4.dr	Static PE information: section name: .mbhfb
Source: XmlLite.dll.4.dr	Static PE information: section name: .kix
Source: XmlLite.dll.4.dr	Static PE information: section name: .gurzs
Source: XmlLite.dll.4.dr	Static PE information: section name: .dzdoj
Source: XmlLite.dll.4.dr	Static PE information: section name: .egret
Source: XmlLite.dll.4.dr	Static PE information: section name: .ftpyc
Source: XmlLite.dll.4.dr	Static PE information: section name: .qrc
Source: XmlLite.dll.4.dr	Static PE information: section name: .tnnx
Source: XmlLite.dll.4.dr	Static PE information: section name: .vsjhk
Source: XmlLite.dll.4.dr	Static PE information: section name: .fmswwe
Source: XmlLite.dll.4.dr	Static PE information: section name: .zfhn
Source: XmlLite.dll.4.dr	Static PE information: section name: .ejdgrp
Source: XmlLite.dll.4.dr	Static PE information: section name: .soyat
Source: XmlLite.dll.4.dr	Static PE information: section name: .jlil
Source: XmlLite.dll.4.dr	Static PE information: section name: .bojgf
Source: XmlLite.dll.4.dr	Static PE information: section name: .gvsnik
Source: XmlLite.dll.4.dr	Static PE information: section name: .lsc
Source: XmlLite.dll.4.dr	Static PE information: section name: .uepvem
Source: XmlLite.dll.4.dr	Static PE information: section name: .don
Source: XmlLite.dll.4.dr	Static PE information: section name: .dqju
Source: XmlLite.dll.4.dr	Static PE information: section name: .qmgrql
Source: XmlLite.dll.4.dr	Static PE information: section name: .cjrd
Source: XmlLite.dll.4.dr	Static PE information: section name: .rntf
Source: UxTheme.dll.4.dr	Static PE information: section name: .qkm
Source: UxTheme.dll.4.dr	Static PE information: section name: .cvjb
Source: UxTheme.dll.4.dr	Static PE information: section name: .tlmkv
Source: UxTheme.dll.4.dr	Static PE information: section name: .wucsxe
Source: UxTheme.dll.4.dr	Static PE information: section name: .fltwtj
Source: UxTheme.dll.4.dr	Static PE information: section name: .sfplio
Source: UxTheme.dll.4.dr	Static PE information: section name: .rpg
Source: UxTheme.dll.4.dr	Static PE information: section name: .bewzc
Source: UxTheme.dll.4.dr	Static PE information: section name: .vksvaw
Source: UxTheme.dll.4.dr	Static PE information: section name: .wmhg
Source: UxTheme.dll.4.dr	Static PE information: section name: .kswemc
Source: UxTheme.dll.4.dr	Static PE information: section name: .kaxfk
Source: UxTheme.dll.4.dr	Static PE information: section name: .wualk
Source: UxTheme.dll.4.dr	Static PE information: section name: .qdxz
Source: UxTheme.dll.4.dr	Static PE information: section name: .rkyg
Source: UxTheme.dll.4.dr	Static PE information: section name: .psul
Source: UxTheme.dll.4.dr	Static PE information: section name: .pyjm
Source: UxTheme.dll.4.dr	Static PE information: section name: .eoadme
Source: UxTheme.dll.4.dr	Static PE information: section name: .fnz
Source: UxTheme.dll.4.dr	Static PE information: section name: .gwheg
Source: UxTheme.dll.4.dr	Static PE information: section name: .fcd
Source: UxTheme.dll.4.dr	Static PE information: section name: .dwk
Source: UxTheme.dll.4.dr	Static PE information: section name: .hgy
Source: UxTheme.dll.4.dr	Static PE information: section name: .nfm
Source: UxTheme.dll.4.dr	Static PE information: section name: .qmfqd
Source: UxTheme.dll.4.dr	Static PE information: section name: .buzyfh
Source: UxTheme.dll.4.dr	Static PE information: section name: .towo
Source: UxTheme.dll.4.dr	Static PE information: section name: .omwdbg
Source: UxTheme.dll.4.dr	Static PE information: section name: .virw
Source: UxTheme.dll.4.dr	Static PE information: section name: .bck
Source: UxTheme.dll.4.dr	Static PE information: section name: .mbhfb
Source: UxTheme.dll.4.dr	Static PE information: section name: .kix
Source: UxTheme.dll.4.dr	Static PE information: section name: .gurzs
Source: UxTheme.dll.4.dr	Static PE information: section name: .dzdoj
Source: UxTheme.dll.4.dr	Static PE information: section name: .egret
Source: UxTheme.dll.4.dr	Static PE information: section name: .ftpyc
Source: UxTheme.dll.4.dr	Static PE information: section name: .qrc
Source: UxTheme.dll.4.dr	Static PE information: section name: .tnnx
Source: UxTheme.dll.4.dr	Static PE information: section name: .vsjhk
Source: UxTheme.dll.4.dr	Static PE information: section name: .fmswwe
Source: UxTheme.dll.4.dr	Static PE information: section name: .zfhn
Source: UxTheme.dll.4.dr	Static PE information: section name: .ejdgrp
Source: UxTheme.dll.4.dr	Static PE information: section name: .soyat
Source: UxTheme.dll.4.dr	Static PE information: section name: .jlil
Source: UxTheme.dll.4.dr	Static PE information: section name: .bojgf
Source: UxTheme.dll.4.dr	Static PE information: section name: .gvsnik
Source: UxTheme.dll.4.dr	Static PE information: section name: .lsc
Source: UxTheme.dll.4.dr	Static PE information: section name: .uepvem
Source: UxTheme.dll.4.dr	Static PE information: section name: .don
Source: UxTheme.dll.4.dr	Static PE information: section name: .dqju
Source: UxTheme.dll.4.dr	Static PE information: section name: .qmgrql
Source: UxTheme.dll.4.dr	Static PE information: section name: .cjrd
Source: UxTheme.dll.4.dr	Static PE information: section name: .voxunw
Source: UxTheme.dll0.4.dr	Static PE information: section name: .qkm
Source: UxTheme.dll0.4.dr	Static PE information: section name: .cvjb
Source: UxTheme.dll0.4.dr	Static PE information: section name: .tlmkv
Source: UxTheme.dll0.4.dr	Static PE information: section name: .wucsxe
Source: UxTheme.dll0.4.dr	Static PE information: section name: .fltwtj
Source: UxTheme.dll0.4.dr	Static PE information: section name: .sfplio
Source: UxTheme.dll0.4.dr	Static PE information: section name: .rpg
Source: UxTheme.dll0.4.dr	Static PE information: section name: .bewzc
Source: UxTheme.dll0.4.dr	Static PE information: section name: .vksvaw
Source: UxTheme.dll0.4.dr	Static PE information: section name: .wmhg
Source: UxTheme.dll0.4.dr	Static PE information: section name: .kswemc
Source: UxTheme.dll0.4.dr	Static PE information: section name: .kaxfk
Source: UxTheme.dll0.4.dr	Static PE information: section name: .wualk
Source: UxTheme.dll0.4.dr	Static PE information: section name: .qdxz
Source: UxTheme.dll0.4.dr	Static PE information: section name: .rkyg
Source: UxTheme.dll0.4.dr	Static PE information: section name: .psul
Source: UxTheme.dll0.4.dr	Static PE information: section name: .pyjm
Source: UxTheme.dll0.4.dr	Static PE information: section name: .eoadme
Source: UxTheme.dll0.4.dr	Static PE information: section name: .fnz
Source: UxTheme.dll0.4.dr	Static PE information: section name: .gwheg
Source: UxTheme.dll0.4.dr	Static PE information: section name: .fcd
Source: UxTheme.dll0.4.dr	Static PE information: section name: .dwk
Source: UxTheme.dll0.4.dr	Static PE information: section name: .hgy
Source: UxTheme.dll0.4.dr	Static PE information: section name: .nfm
Source: UxTheme.dll0.4.dr	Static PE information: section name: .qmfqd
Source: UxTheme.dll0.4.dr	Static PE information: section name: .buzyfh
Source: UxTheme.dll0.4.dr	Static PE information: section name: .towo
Source: UxTheme.dll0.4.dr	Static PE information: section name: .omwdbg
Source: UxTheme.dll0.4.dr	Static PE information: section name: .virw
Source: UxTheme.dll0.4.dr	Static PE information: section name: .bck
Source: UxTheme.dll0.4.dr	Static PE information: section name: .mbhfb
Source: UxTheme.dll0.4.dr	Static PE information: section name: .kix
Source: UxTheme.dll0.4.dr	Static PE information: section name: .gurzs
Source: UxTheme.dll0.4.dr	Static PE information: section name: .dzdoj
Source: UxTheme.dll0.4.dr	Static PE information: section name: .egret
Source: UxTheme.dll0.4.dr	Static PE information: section name: .ftpyc
Source: UxTheme.dll0.4.dr	Static PE information: section name: .qrc
Source: UxTheme.dll0.4.dr	Static PE information: section name: .tnnx
Source: UxTheme.dll0.4.dr	Static PE information: section name: .vsjhk
Source: UxTheme.dll0.4.dr	Static PE information: section name: .fmswwe
Source: UxTheme.dll0.4.dr	Static PE information: section name: .zfhn
Source: UxTheme.dll0.4.dr	Static PE information: section name: .ejdgrp
Source: UxTheme.dll0.4.dr	Static PE information: section name: .soyat
Source: UxTheme.dll0.4.dr	Static PE information: section name: .jlil
Source: UxTheme.dll0.4.dr	Static PE information: section name: .bojgf
Source: UxTheme.dll0.4.dr	Static PE information: section name: .gvsnik
Source: UxTheme.dll0.4.dr	Static PE information: section name: .lsc
Source: UxTheme.dll0.4.dr	Static PE information: section name: .uepvem
Source: UxTheme.dll0.4.dr	Static PE information: section name: .don
Source: UxTheme.dll0.4.dr	Static PE information: section name: .dqju
Source: UxTheme.dll0.4.dr	Static PE information: section name: .qmgrql
Source: UxTheme.dll0.4.dr	Static PE information: section name: .cjrd
Source: UxTheme.dll0.4.dr	Static PE information: section name: .alzpqi
Source: Secur32.dll.4.dr	Static PE information: section name: .qkm
Source: Secur32.dll.4.dr	Static PE information: section name: .cvjb
Source: Secur32.dll.4.dr	Static PE information: section name: .tlmkv
Source: Secur32.dll.4.dr	Static PE information: section name: .wucsxe
Source: Secur32.dll.4.dr	Static PE information: section name: .fltwtj
Source: Secur32.dll.4.dr	Static PE information: section name: .sfplio
Source: Secur32.dll.4.dr	Static PE information: section name: .rpg
Source: Secur32.dll.4.dr	Static PE information: section name: .bewzc
Source: Secur32.dll.4.dr	Static PE information: section name: .vksvaw
Source: Secur32.dll.4.dr	Static PE information: section name: .wmhg
Source: Secur32.dll.4.dr	Static PE information: section name: .kswemc
Source: Secur32.dll.4.dr	Static PE information: section name: .kaxfk
Source: Secur32.dll.4.dr	Static PE information: section name: .wualk
Source: Secur32.dll.4.dr	Static PE information: section name: .qdxz
Source: Secur32.dll.4.dr	Static PE information: section name: .rkyg
Source: Secur32.dll.4.dr	Static PE information: section name: .psul
Source: Secur32.dll.4.dr	Static PE information: section name: .pyjm
Source: Secur32.dll.4.dr	Static PE information: section name: .eoadme
Source: Secur32.dll.4.dr	Static PE information: section name: .fnz
Source: Secur32.dll.4.dr	Static PE information: section name: .gwheg
Source: Secur32.dll.4.dr	Static PE information: section name: .fcd
Source: Secur32.dll.4.dr	Static PE information: section name: .dwk
Source: Secur32.dll.4.dr	Static PE information: section name: .hgy
Source: Secur32.dll.4.dr	Static PE information: section name: .nfm
Source: Secur32.dll.4.dr	Static PE information: section name: .qmfqd
Source: Secur32.dll.4.dr	Static PE information: section name: .buzyfh
Source: Secur32.dll.4.dr	Static PE information: section name: .towo
Source: Secur32.dll.4.dr	Static PE information: section name: .omwdbg
Source: Secur32.dll.4.dr	Static PE information: section name: .virw
Source: Secur32.dll.4.dr	Static PE information: section name: .bck
Source: Secur32.dll.4.dr	Static PE information: section name: .mbhfb
Source: Secur32.dll.4.dr	Static PE information: section name: .kix
Source: Secur32.dll.4.dr	Static PE information: section name: .gurzs
Source: Secur32.dll.4.dr	Static PE information: section name: .dzdoj
Source: Secur32.dll.4.dr	Static PE information: section name: .egret
Source: Secur32.dll.4.dr	Static PE information: section name: .ftpyc
Source: Secur32.dll.4.dr	Static PE information: section name: .qrc
Source: Secur32.dll.4.dr	Static PE information: section name: .tnnx
Source: Secur32.dll.4.dr	Static PE information: section name: .vsjhk
Source: Secur32.dll.4.dr	Static PE information: section name: .fmswwe
Source: Secur32.dll.4.dr	Static PE information: section name: .zfhn
Source: Secur32.dll.4.dr	Static PE information: section name: .ejdgrp
Source: Secur32.dll.4.dr	Static PE information: section name: .soyat
Source: Secur32.dll.4.dr	Static PE information: section name: .jlil
Source: Secur32.dll.4.dr	Static PE information: section name: .bojgf
Source: Secur32.dll.4.dr	Static PE information: section name: .gvsnik
Source: Secur32.dll.4.dr	Static PE information: section name: .lsc
Source: Secur32.dll.4.dr	Static PE information: section name: .uepvem
Source: Secur32.dll.4.dr	Static PE information: section name: .don
Source: Secur32.dll.4.dr	Static PE information: section name: .dqju
Source: Secur32.dll.4.dr	Static PE information: section name: .qmgrql
Source: Secur32.dll.4.dr	Static PE information: section name: .cjrd
Source: Secur32.dll.4.dr	Static PE information: section name: .gfkt
Source: WINSTA.dll.4.dr	Static PE information: section name: .qkm
Source: WINSTA.dll.4.dr	Static PE information: section name: .cvjb
Source: WINSTA.dll.4.dr	Static PE information: section name: .tlmkv
Source: WINSTA.dll.4.dr	Static PE information: section name: .wucsxe
Source: WINSTA.dll.4.dr	Static PE information: section name: .fltwtj
Source: WINSTA.dll.4.dr	Static PE information: section name: .sfplio
Source: WINSTA.dll.4.dr	Static PE information: section name: .rpg
Source: WINSTA.dll.4.dr	Static PE information: section name: .bewzc
Source: WINSTA.dll.4.dr	Static PE information: section name: .vksvaw
Source: WINSTA.dll.4.dr	Static PE information: section name: .wmhg
Source: WINSTA.dll.4.dr	Static PE information: section name: .kswemc
Source: WINSTA.dll.4.dr	Static PE information: section name: .kaxfk
Source: WINSTA.dll.4.dr	Static PE information: section name: .wualk
Source: WINSTA.dll.4.dr	Static PE information: section name: .qdxz
Source: WINSTA.dll.4.dr	Static PE information: section name: .rkyg
Source: WINSTA.dll.4.dr	Static PE information: section name: .psul
Source: WINSTA.dll.4.dr	Static PE information: section name: .pyjm
Source: WINSTA.dll.4.dr	Static PE information: section name: .eoadme
Source: WINSTA.dll.4.dr	Static PE information: section name: .fnz
Source: WINSTA.dll.4.dr	Static PE information: section name: .gwheg
Source: WINSTA.dll.4.dr	Static PE information: section name: .fcd
Source: WINSTA.dll.4.dr	Static PE information: section name: .dwk
Source: WINSTA.dll.4.dr	Static PE information: section name: .hgy
Source: WINSTA.dll.4.dr	Static PE information: section name: .nfm
Source: WINSTA.dll.4.dr	Static PE information: section name: .qmfqd
Source: WINSTA.dll.4.dr	Static PE information: section name: .buzyfh
Source: WINSTA.dll.4.dr	Static PE information: section name: .towo
Source: WINSTA.dll.4.dr	Static PE information: section name: .omwdbg
Source: WINSTA.dll.4.dr	Static PE information: section name: .virw
Source: WINSTA.dll.4.dr	Static PE information: section name: .bck
Source: WINSTA.dll.4.dr	Static PE information: section name: .mbhfb
Source: WINSTA.dll.4.dr	Static PE information: section name: .kix
Source: WINSTA.dll.4.dr	Static PE information: section name: .gurzs
Source: WINSTA.dll.4.dr	Static PE information: section name: .dzdoj
Source: WINSTA.dll.4.dr	Static PE information: section name: .egret
Source: WINSTA.dll.4.dr	Static PE information: section name: .ftpyc
Source: WINSTA.dll.4.dr	Static PE information: section name: .qrc
Source: WINSTA.dll.4.dr	Static PE information: section name: .tnnx
Source: WINSTA.dll.4.dr	Static PE information: section name: .vsjhk
Source: WINSTA.dll.4.dr	Static PE information: section name: .fmswwe
Source: WINSTA.dll.4.dr	Static PE information: section name: .zfhn
Source: WINSTA.dll.4.dr	Static PE information: section name: .ejdgrp
Source: WINSTA.dll.4.dr	Static PE information: section name: .soyat
Source: WINSTA.dll.4.dr	Static PE information: section name: .jlil
Source: WINSTA.dll.4.dr	Static PE information: section name: .bojgf
Source: WINSTA.dll.4.dr	Static PE information: section name: .gvsnik
Source: WINSTA.dll.4.dr	Static PE information: section name: .lsc
Source: WINSTA.dll.4.dr	Static PE information: section name: .uepvem
Source: WINSTA.dll.4.dr	Static PE information: section name: .don
Source: WINSTA.dll.4.dr	Static PE information: section name: .dqju
Source: WINSTA.dll.4.dr	Static PE information: section name: .qmgrql
Source: WINSTA.dll.4.dr	Static PE information: section name: .cjrd
Source: WINSTA.dll.4.dr	Static PE information: section name: .tfmzf
Source: OLEACC.dll.4.dr	Static PE information: section name: .qkm
Source: OLEACC.dll.4.dr	Static PE information: section name: .cvjb
Source: OLEACC.dll.4.dr	Static PE information: section name: .tlmkv
Source: OLEACC.dll.4.dr	Static PE information: section name: .wucsxe
Source: OLEACC.dll.4.dr	Static PE information: section name: .fltwtj
Source: OLEACC.dll.4.dr	Static PE information: section name: .sfplio
Source: OLEACC.dll.4.dr	Static PE information: section name: .rpg
Source: OLEACC.dll.4.dr	Static PE information: section name: .bewzc
Source: OLEACC.dll.4.dr	Static PE information: section name: .vksvaw
Source: OLEACC.dll.4.dr	Static PE information: section name: .wmhg
Source: OLEACC.dll.4.dr	Static PE information: section name: .kswemc
Source: OLEACC.dll.4.dr	Static PE information: section name: .kaxfk
Source: OLEACC.dll.4.dr	Static PE information: section name: .wualk
Source: OLEACC.dll.4.dr	Static PE information: section name: .qdxz
Source: OLEACC.dll.4.dr	Static PE information: section name: .rkyg
Source: OLEACC.dll.4.dr	Static PE information: section name: .psul
Source: OLEACC.dll.4.dr	Static PE information: section name: .pyjm
Source: OLEACC.dll.4.dr	Static PE information: section name: .eoadme
Source: OLEACC.dll.4.dr	Static PE information: section name: .fnz
Source: OLEACC.dll.4.dr	Static PE information: section name: .gwheg
Source: OLEACC.dll.4.dr	Static PE information: section name: .fcd
Source: OLEACC.dll.4.dr	Static PE information: section name: .dwk
Source: OLEACC.dll.4.dr	Static PE information: section name: .hgy
Source: OLEACC.dll.4.dr	Static PE information: section name: .nfm
Source: OLEACC.dll.4.dr	Static PE information: section name: .qmfqd
Source: OLEACC.dll.4.dr	Static PE information: section name: .buzyfh
Source: OLEACC.dll.4.dr	Static PE information: section name: .towo
Source: OLEACC.dll.4.dr	Static PE information: section name: .omwdbg
Source: OLEACC.dll.4.dr	Static PE information: section name: .virw
Source: OLEACC.dll.4.dr	Static PE information: section name: .bck
Source: OLEACC.dll.4.dr	Static PE information: section name: .mbhfb
Source: OLEACC.dll.4.dr	Static PE information: section name: .kix
Source: OLEACC.dll.4.dr	Static PE information: section name: .gurzs
Source: OLEACC.dll.4.dr	Static PE information: section name: .dzdoj
Source: OLEACC.dll.4.dr	Static PE information: section name: .egret
Source: OLEACC.dll.4.dr	Static PE information: section name: .ftpyc
Source: OLEACC.dll.4.dr	Static PE information: section name: .qrc
Source: OLEACC.dll.4.dr	Static PE information: section name: .tnnx
Source: OLEACC.dll.4.dr	Static PE information: section name: .vsjhk
Source: OLEACC.dll.4.dr	Static PE information: section name: .fmswwe
Source: OLEACC.dll.4.dr	Static PE information: section name: .zfhn
Source: OLEACC.dll.4.dr	Static PE information: section name: .ejdgrp
Source: OLEACC.dll.4.dr	Static PE information: section name: .soyat
Source: OLEACC.dll.4.dr	Static PE information: section name: .jlil
Source: OLEACC.dll.4.dr	Static PE information: section name: .bojgf
Source: OLEACC.dll.4.dr	Static PE information: section name: .gvsnik
Source: OLEACC.dll.4.dr	Static PE information: section name: .lsc
Source: OLEACC.dll.4.dr	Static PE information: section name: .uepvem
Source: OLEACC.dll.4.dr	Static PE information: section name: .don
Source: OLEACC.dll.4.dr	Static PE information: section name: .dqju
Source: OLEACC.dll.4.dr	Static PE information: section name: .qmgrql
Source: OLEACC.dll.4.dr	Static PE information: section name: .cjrd
Source: OLEACC.dll.4.dr	Static PE information: section name: .pfd

Contains functionality to dynamically determine API calls

Source: C:\Users\user\AppData\Local\VgY\mstsc.exe

Code function: 41_2_00007FF657DAE0FC LoadLibraryW,GetProcAddress,GetLastError,FreeLibrary,LoadLibraryW,GetProcAddress,GetLastError,FreeLibrary,

41_2_00007FF657DAE0FC

PE file contains an invalid checksum

Source: A2qAaSVuU2.dll	Static PE information: real checksum: 0x7d786c40 should be: 0x223a17
Source: DUI70.dll.4.dr	Static PE information: real checksum: 0x7d786c40 should be: 0x271ee0
Source: UxTheme.dll0.4.dr	Static PE information: real checksum: 0x7d786c40 should be: 0x228f66
Source: Secur32.dll.4.dr	Static PE information: real checksum: 0x7d786c40 should be: 0x2279c4
Source: ReAgent.dll.4.dr	Static PE information: real checksum: 0x7d786c40 should be: 0x22a27a
Source: WINSTA.dll.4.dr	Static PE information: real checksum: 0x7d786c40 should be: 0x22fc17
Source: XmlLite.dll.4.dr	Static PE information: real checksum: 0x7d786c40 should be: 0x2290e6
Source: OLEACC.dll.4.dr	Static PE information: real checksum: 0x7d786c40 should be: 0x22356c
Source: UxTheme.dll.4.dr	Static PE information: real checksum: 0x7d786c40 should be: 0x2261cf

Binary contains a suspicious time stamp

Source: MusNotificationUx.exe.4.dr

Static PE information: 0x6655844F [Tue May 28 07:14:23 2024 UTC]

Source: initial sample	Static PE information: section name: .text entropy: 7.73364605679
Source: initial sample	Static PE information: section name: .text entropy: 7.73364605679
Source: initial sample	Static PE information: section name: .text entropy: 7.73364605679
Source: initial sample	Static PE information: section name: .text entropy: 7.73364605679
Source: initial sample	Static PE information: section name: .text entropy: 7.73364605679
Source: initial sample	Static PE information: section name: .text entropy: 7.73364605679
Source: initial sample	Static PE information: section name: .text entropy: 7.73364605679
Source: initial sample	Static PE information: section name: .text entropy: 7.73364605679
Source: initial sample	Static PE information: section name: .text entropy: 7.73364605679

Persistence and Installation Behavior:

Drops PE files

Source: C:\Windows\explorer.exe	File created: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe	Jump to dropped file
Source: C:\Windows\explorer.exe	File created: C:\Users\user\AppData\Local\QiP6c\SndVol.exe	Jump to dropped file
Source: C:\Windows\explorer.exe	File created: C:\Users\user\AppData\Local\NNd0CnGJ\Magnify.exe	Jump to dropped file
Source: C:\Windows\explorer.exe	File created: C:\Users\user\AppData\Local\VgY\Secur32.dll	Jump to dropped file
Source: C:\Windows\explorer.exe	File created: C:\Users\user\AppData\Local\FQTqHJ\XmlLite.dll	Jump to dropped file
Source: C:\Windows\explorer.exe	File created: C:\Users\user\AppData\Local\QiP6c\UxTheme.dll	Jump to dropped file
Source: C:\Windows\explorer.exe	File created: C:\Users\user\AppData\Local\NNd0CnGJ\OLEACC.dll	Jump to dropped file
Source: C:\Windows\explorer.exe	File created: C:\Users\user\AppData\Local\wsL8xMlEF\WINSTA.dll	Jump to dropped file
Source: C:\Windows\explorer.exe	File created: C:\Users\user\AppData\Local\r1aQ\EhStorAuthn.exe	Jump to dropped file
Source: C:\Windows\explorer.exe	File created: C:\Users\user\AppData\Local\VgY\mstsc.exe	Jump to dropped file
Source: C:\Windows\explorer.exe	File created: C:\Users\user\AppData\Local\FQTqHJ\MusNotificationUx.exe	Jump to dropped file
Source: C:\Windows\explorer.exe	File created: C:\Users\user\AppData\Local\r1aQ\UxTheme.dll	Jump to dropped file
Source: C:\Windows\explorer.exe	File created: C:\Users\user\AppData\Local\AxQmthi0\DUI70.dll	Jump to dropped file
Source: C:\Windows\explorer.exe	File created: C:\Users\user\AppData\Local\wsL8xMlEF\DisplaySwitch.exe	Jump to dropped file
Source: C:\Windows\explorer.exe	File created: C:\Users\user\AppData\Local\A1gpxNou\ReAgent.dll	Jump to dropped file
Source: C:\Windows\explorer.exe	File created: C:\Users\user\AppData\Local\AxQmthi0\SysResetErr.exe	Jump to dropped file

Hooking and other Techniques for Hiding and Protection:

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Source: C:\Users\user\AppData\Local\VgY\mstsc.exe	Code function: 41_2_00007FF657D404F8 IsZoomed,IsIconic,EnableMenuItem,EnableMenuItem,EnableMenuItem,EnableMenuItem,EnableMenuItem,EnableMenuItem,	41_2_00007FF657D404F8
Source: C:\Users\user\AppData\Local\VgY\mstsc.exe	Code function: 41_2_00007FF657D42884 GetWindowRect,GetWindowLongW,GetWindowLongW,memset,CopyRect,IntersectRect,MoveWindow,IsIconic,memset,GetWindowPlacement,	41_2_00007FF657D42884
Source: C:\Users\user\AppData\Local\VgY\mstsc.exe	Code function: 41_2_00007FF657D42F5C IsWindowVisible,IsIconic,	41_2_00007FF657D42F5C
Source: C:\Users\user\AppData\Local\VgY\mstsc.exe	Code function: 41_2_00007FF657D41B44 lstrcmpW,LockWindowUpdate,IsIconic,GetWindowPlacement,GetWindowLongW,SetWindowLongW,SetWindowLongW,VariantInit,VariantClear,GetRgnBox,OffsetRgn,VariantClear,ShowWindow,SetWindowPos,SetWindowPos,SetWindowRgn,LockWindowUpdate,	41_2_00007FF657D41B44
Source: C:\Users\user\AppData\Local\VgY\mstsc.exe	Code function: 41_2_00007FF657D3CF28 IsIconic,GetWindowPlacement,GetLastError,IsZoomed,SetWindowPlacement,GetLastError,SetWindowPos,SetWindowPos,GetClientRect,MoveWindow,	41_2_00007FF657D3CF28
Source: C:\Users\user\AppData\Local\VgY\mstsc.exe	Code function: 41_2_00007FF657D39A6C IsIconic,GetWindowPlacement,GetWindowRect,	41_2_00007FF657D39A6C
Source: C:\Users\user\AppData\Local\VgY\mstsc.exe	Code function: 41_2_00007FF657D3CE48 IsIconic,GetWindowPlacement,GetLastError,	41_2_00007FF657D3CE48
Source: C:\Users\user\AppData\Local\VgY\mstsc.exe	Code function: 41_2_00007FF657D439A0 SetFocus,LoadCursorW,SetCursor,DefWindowProcW,GetClientRect,IsIconic,memset,GetTitleBarInfo,GetCursorPos,SendMessageW,	41_2_00007FF657D439A0
Source: C:\Users\user\AppData\Local\VgY\mstsc.exe	Code function: 41_2_00007FF657D3F5A4 DefWindowProcW,IsIconic,GetClientRect,GetLastError,VariantClear,DefWindowProcW,	41_2_00007FF657D3F5A4
Source: C:\Users\user\AppData\Local\VgY\mstsc.exe	Code function: 41_2_00007FF657DBC560 GetWindowRect,IsWindow,IsIconic,GetSystemMetrics,GetSystemMetrics,GetWindowRect,PtInRect,PtInRect,SystemParametersInfoW,CopyRect,SetWindowPos,	41_2_00007FF657DBC560

Extensive use of GetProcAddress (often used to hide API calls)

Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe

Code function: 24_2_00007FF7BC81613C memset,memset,GetSystemDirectoryW,GetLastError,LoadLibraryExW,GetProcAddress,GetProcAddress,GetLastError,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,FreeLibrary,

24_2_00007FF7BC81613C

Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion:

May sleep (evasive loops) to hinder dynamic analysis

Source: C:\Windows\explorer.exe TID: 1392

Thread sleep count: 33 > 30

Jump to behavior

Found dropped PE file which has not been started or loaded

Source: C:\Windows\explorer.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\NNd0CnGJ\Magnify.exe	Jump to dropped file
Source: C:\Windows\explorer.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\NNd0CnGJ\OLEACC.dll	Jump to dropped file
Source: C:\Windows\explorer.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\wsL8xMlEF\WINSTA.dll	Jump to dropped file
Source: C:\Windows\explorer.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\wsL8xMlEF\DisplaySwitch.exe	Jump to dropped file

Uses the system / local time for branch decision (may execute only at specific dates)

Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe	Code function: 24_2_00007FF7BC8351F4 GetSystemTimeAsFileTime followed by cmp: cmp r9d, 01h and CTI: je 00007FF7BC835362h	24_2_00007FF7BC8351F4
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe	Code function: 24_2_00007FF7BC7D7410 GetSystemTimeAsFileTime followed by cmp: cmp dword ptr [rsp+20h], 03h and CTI: jne 00007FF7BC7D762Ch	24_2_00007FF7BC7D7410
Source: C:\Users\user\AppData\Local\FQTqHJ\MusNotificationUx.exe	Code function: 29_2_00007FF618AFF360 GetLocalTime followed by cmp: cmp r14d, 02h and CTI: jne 00007FF618AFF436h	29_2_00007FF618AFF360

Contains functionality to read device registry values (via SetupAPI)

Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe

Code function: 24_2_00007FF7BC80B77C SetErrorMode,SetupDiGetClassDevsW,GetLastError,memset,SetupDiEnumDeviceInterfaces,SetupDiGetDeviceInterfaceDetailW,GetLastError,memset,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapFree,SetupDiGetDeviceInterfaceDetailW,memset,SetupDiEnumDeviceInterfaces,GetLastError,SetErrorMode,GetProcessHeap,HeapFree,SetupDiGetDeviceRegistryPropertyW,GetLastError,GetLastError,

24_2_00007FF7BC80B77C

Source: C:\Windows\System32\loaddll64.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Windows\System32\loaddll64.exe

Code function: 0_2_000000014005C340 GetSystemInfo,

0_2_000000014005C340

Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_000000014005D290 FindFirstFileExW,	0_2_000000014005D290
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe	Code function: 24_2_00007FF7BC7F4E28 GetFileAttributesW,GetLastError,memset,FindFirstFileW,GetLastError,FindClose,GetProcessHeap,CompareStringW,CompareStringW,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,FindNextFileW,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,CreateFileW,GetLastError,CloseHandle,GetFileSizeEx,GetLastError,CloseHandle,CloseHandle,GetProcessHeap,HeapFree,CloseHandle,GetProcessHeap,CloseHandle,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,	24_2_00007FF7BC7F4E28
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe	Code function: 24_2_00007FF7BC80E958 free,memset,FindFirstFileW,GetLastError,GetLastError,FindNextFileW,GetLastError,GetLastError,GetLastError,GetLastError,GetLastError,FindClose,	24_2_00007FF7BC80E958
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe	Code function: 24_2_00007FF7BC81B964 memset,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapAlloc,FindFirstFileW,GetLastError,GetLastError,_wcsicmp,_wcsicmp,GetLastError,GetCurrentThread,NtQueryInformationThread,FindNextFileW,GetLastError,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,FindClose,SetLastError,	24_2_00007FF7BC81B964
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe	Code function: 24_2_00007FF7BC810638 memset,SetLastError,SetLastError,HeapAlloc,GetLastError,FindFirstFileW,memset,memset,wcsrchr,SetLastError,CompareStringW,CompareStringW,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,memset,FindNextFileW,GetLastError,GetLastError,GetLastError,FindClose,GetLastError,RtlFreeHeap,GetLastError,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,SetLastError,SetLastError,	24_2_00007FF7BC810638
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe	Code function: 24_2_00007FF7BC7F57FC memset,GetSystemWindowsDirectoryW,GetLastError,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetFileAttributesW,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetFileAttributesW,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetVolumeInformationW,memset,FindFirstFileW,GetLastError,CompareStringW,CompareStringW,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,FindNextFileW,GetLastError,GetLastError,GetProcessHeap,HeapFree,GetFileAttributesW,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetFileAttributesW,GetProcessHeap,HeapFree,FindClose,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,	24_2_00007FF7BC7F57FC
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe	Code function: 24_2_00007FF7BC7F6718 WIMCreateFile,GetLastError,FindClose,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,WIMCloseHandle,WIMCloseHandle,memset,WIMGetAttributes,GetLastError,memset,GetFullPathNameW,GetLastError,memset,FindFirstFileW,GetLastError,GetProcessHeap,HeapFree,WIMCreateFile,WIMCloseHandle,memset,WIMGetAttributes,FindNextFileW,GetLastError,GetLastError,GetLastError,	24_2_00007FF7BC7F6718
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe	Code function: 24_2_00007FF7BC7E21CC GetProcessHeap,HeapFree,GetFileAttributesW,GetLastError,GetProcessHeap,HeapFree,_wcsicmp,GetProcessHeap,HeapFree,FindClose,FindFirstFileW,FindClose,GetLastError,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,FindNextFileW,memmove,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,FindClose,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,	24_2_00007FF7BC7E21CC
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe	Code function: 24_2_00007FF7BC815458 memset,memset,memset,memset,FindFirstFileW,CompareStringW,CompareStringW,memset,FindNextFileW,FindClose,CoTaskMemFree,GetProcessHeap,HeapFree,	24_2_00007FF7BC815458
Source: C:\Users\user\AppData\Local\FQTqHJ\MusNotificationUx.exe	Code function: 29_2_00007FF618B1A104 ?_Swap_all@_Container_base0@std@@QEAAXAEAU12@@Z,FindFirstFileW,FindNextFileW,FindClose,?_Swap_all@_Container_base0@std@@QEAAXAEAU12@@Z,?_Swap_all@_Container_base0@std@@QEAAXAEAU12@@Z,	29_2_00007FF618B1A104

Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe

24_2_00007FF7BC7DB29C

Source: explorer.exe, 00000004.00000000.266212445.000000000891C000.00000004.00000001.sdmp	Binary or memory string: VMware SATA CD00dRom0
Source: explorer.exe, 00000004.00000000.302594165.0000000003710000.00000004.00000001.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000004.00000000.279443286.00000000089B5000.00000004.00000001.sdmp	Binary or memory string: _VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Vir""
Source: explorer.exe, 00000004.00000000.272328344.00000000011B3000.00000004.00000020.sdmp	Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000tft\0
Source: explorer.exe, 00000004.00000000.279443286.00000000089B5000.00000004.00000001.sdmp	Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000%
Source: explorer.exe, 00000004.00000000.303493974.00000000053C4000.00000004.00000001.sdmp	Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}>'R\"
Source: explorer.exe, 00000004.00000000.279443286.00000000089B5000.00000004.00000001.sdmp	Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&0000002

Anti Debugging:

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe

Code function: 24_2_00007FF7BC7D4028 IsDebuggerPresent,GetCurrentThreadId,GetCurrentThreadId,OutputDebugStringW,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,

24_2_00007FF7BC7D4028

Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)

Source: C:\Users\user\AppData\Local\AxQmthi0\SysResetErr.exe

Code function: 21_2_00007FF727F82940 _cwprintf_s_l,OutputDebugStringW,GetLastError,CurrentIP,WdsSetupLogMessageW,

21_2_00007FF727F82940

Contains functionality to dynamically determine API calls

Source: C:\Users\user\AppData\Local\VgY\mstsc.exe

Code function: 41_2_00007FF657DAE0FC LoadLibraryW,GetProcAddress,GetLastError,FreeLibrary,LoadLibraryW,GetProcAddress,GetLastError,FreeLibrary,

41_2_00007FF657DAE0FC

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Source: C:\Users\user\AppData\Local\AxQmthi0\SysResetErr.exe

Code function: 21_2_00007FF727F81090 GetProcessHeap,

21_2_00007FF727F81090

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Source: C:\Windows\System32\loaddll64.exe

Code function: 0_2_0000000140048AC0 LdrLoadDll,FindClose,

0_2_0000000140048AC0

Source: C:\Users\user\AppData\Local\AxQmthi0\SysResetErr.exe	Code function: 21_2_00007FF727F83C80 SetUnhandledExceptionFilter,	21_2_00007FF727F83C80
Source: C:\Users\user\AppData\Local\AxQmthi0\SysResetErr.exe	Code function: 21_2_00007FF727F83F04 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	21_2_00007FF727F83F04
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe	Code function: 24_2_00007FF7BC85864C SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	24_2_00007FF7BC85864C
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe	Code function: 24_2_00007FF7BC8583E0 SetUnhandledExceptionFilter,	24_2_00007FF7BC8583E0
Source: C:\Users\user\AppData\Local\FQTqHJ\MusNotificationUx.exe	Code function: 29_2_00007FF618B14AC0 SetUnhandledExceptionFilter,	29_2_00007FF618B14AC0
Source: C:\Users\user\AppData\Local\FQTqHJ\MusNotificationUx.exe	Code function: 29_2_00007FF618B14768 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	29_2_00007FF618B14768
Source: C:\Users\user\AppData\Local\QiP6c\SndVol.exe	Code function: 34_2_00007FF74A7BF2E0 SetUnhandledExceptionFilter,	34_2_00007FF74A7BF2E0
Source: C:\Users\user\AppData\Local\QiP6c\SndVol.exe	Code function: 34_2_00007FF74A7BEE40 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	34_2_00007FF74A7BEE40
Source: C:\Users\user\AppData\Local\r1aQ\EhStorAuthn.exe	Code function: 36_2_00007FF6F232A2B0 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	36_2_00007FF6F232A2B0
Source: C:\Users\user\AppData\Local\r1aQ\EhStorAuthn.exe	Code function: 36_2_00007FF6F232A4B0 SetUnhandledExceptionFilter,	36_2_00007FF6F232A4B0
Source: C:\Users\user\AppData\Local\VgY\mstsc.exe	Code function: 41_2_00007FF657E52264 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	41_2_00007FF657E52264

HIPS / PFW / Operating System Protection Evasion:

Benign windows process drops PE files

Source: C:\Windows\explorer.exe

File created: DUI70.dll.4.dr

Jump to dropped file

Changes memory attributes in foreign processes to executable or writable

Source: C:\Windows\System32\rundll32.exe	Memory protected: C:\Windows\explorer.exe base: 7FFA9B8EEFE0 protect: page execute and read and write	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Memory protected: C:\Windows\explorer.exe base: 7FFA9B8EE000 protect: page execute read	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Memory protected: C:\Windows\explorer.exe base: 7FFA9B312A20 protect: page execute and read and write	Jump to behavior

Queues an APC in another process (thread injection)

Source: C:\Windows\System32\rundll32.exe

Thread APC queued: target process: C:\Windows\explorer.exe

Jump to behavior

Contains functionality to automate explorer (e.g. start an application)

Source: C:\Users\user\AppData\Local\QiP6c\SndVol.exe	Code function: 34_2_00007FF74A7AA5C8 GetDC,GetDeviceCaps,ReleaseDC,LoadIconW,SendMessageW,GetWindowBand,FindWindowW,GetWindowBand,FindWindowW,SendMessageTimeoutW,GetWindowLongW,SetWindowLongW,SetForegroundWindow,IsThemeActive,DwmIsCompositionEnabled,GetWindowRect,GetClientRect,EnterCriticalSection,GetWindowRect,LeaveCriticalSection,SetWindowPos,LeaveCriticalSection,memset,Shell_NotifyIconGetRect,GetWindowRect,DwmIsCompositionEnabled,Shell_NotifyIconGetRect,InflateRect,CalculatePopupWindowPosition,SetWindowPos,InvalidateRect,GetClientRect,EnterCriticalSection,SetWindowPos,GetDlgItem,SetFocus,ShowWindow,LeaveCriticalSection,SetTimer,NotifyWinEvent,		34_2_00007FF74A7AA5C8
Source: C:\Users\user\AppData\Local\QiP6c\SndVol.exe	Code function: 34_2_00007FF74A7AA5C8 GetDC,GetDeviceCaps,ReleaseDC,LoadIconW,SendMessageW,GetWindowBand,FindWindowW,GetWindowBand,FindWindowW,SendMessageTimeoutW,GetWindowLongW,SetWindowLongW,SetForegroundWindow,IsThemeActive,DwmIsCompositionEnabled,GetWindowRect,GetClientRect,EnterCriticalSection,GetWindowRect,LeaveCriticalSection,SetWindowPos,LeaveCriticalSection,memset,Shell_NotifyIconGetRect,GetWindowRect,DwmIsCompositionEnabled,Shell_NotifyIconGetRect,InflateRect,CalculatePopupWindowPosition,SetWindowPos,InvalidateRect,GetClientRect,EnterCriticalSection,SetWindowPos,GetDlgItem,SetFocus,ShowWindow,LeaveCriticalSection,SetTimer,NotifyWinEvent,		34_2_00007FF74A7AA5C8

Uses Atom Bombing / ProGate to inject into other processes

Source: C:\Windows\System32\rundll32.exe

Atom created: 405553565741544156488D6C24D14881EC98 0x00000000 inc eax 0x00000001 push ebp 0x00000002 push ebx 0x00000003 push esi 0x00000004 push edi 0x00000005 inc ecx 0x00000006 push esp 0x00000007 inc ecx 0x00000008 push esi 0x00000009 dec eax 0x0000000a lea ebp, dword ptr [esp-2Fh] 0x0000000e dec eax 0x0000000f sub esp, 00000098h

Jump to behavior

Contains functionality to launch a program with higher privileges

Source: C:\Users\user\AppData\Local\r1aQ\EhStorAuthn.exe

Code function: 36_2_00007FF6F2326264 memset,memset,#345,DialogBoxParamW,DialogBoxParamW,Sleep,memset,ShellExecuteExW,WaitForSingleObject,CloseHandle,LoadStringW,LoadStringW,LoadStringW,#344,

36_2_00007FF6F2326264

Creates a process in suspended mode (likely to inject code)

Source: C:\Windows\System32\cmd.exe

Process created: C:\Windows\System32\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\A2qAaSVuU2.dll',#1

Jump to behavior

Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe

Code function: 24_2_00007FF7BC855D8C AllocateAndInitializeSid,GetLastError,GetLengthSid,GetLengthSid,GetProcessHeap,HeapAlloc,InitializeAcl,AddAccessAllowedAce,AddAccessAllowedAce,CreateFileW,SetSecurityInfo,CloseHandle,GetProcessHeap,HeapFree,FreeSid,GetProcessHeap,HeapFree,

24_2_00007FF7BC855D8C

Source: explorer.exe, 00000004.00000000.300976529.0000000001640000.00000002.00020000.sdmp, SndVol.exe	Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000004.00000000.300976529.0000000001640000.00000002.00020000.sdmp	Binary or memory string: Progman
Source: explorer.exe, 00000004.00000000.300976529.0000000001640000.00000002.00020000.sdmp	Binary or memory string: SProgram Managerl
Source: explorer.exe, 00000004.00000000.300560024.0000000001128000.00000004.00000020.sdmp	Binary or memory string: ProgmanOMEa
Source: SndVol.exe, 00000022.00000002.478682807.00007FF74A7C2000.00000002.00020000.sdmp	Binary or memory string: Software\Microsoft\Multimedia\Audio\SndVolSndVolPreferencesMaskSndVolSelectedDevicesShell_TrayWnd
Source: explorer.exe, 00000004.00000000.300976529.0000000001640000.00000002.00020000.sdmp	Binary or memory string: Shell_TrayWnd,
Source: explorer.exe, 00000004.00000000.300976529.0000000001640000.00000002.00020000.sdmp	Binary or memory string: Progmanlock

Language, Device and Operating System Detection:

Queries the volume information (name, serial number etc) of a device

Source: C:\Windows\System32\loaddll64.exe	Queries volume information: unknown VolumeInformation	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Queries volume information: unknown VolumeInformation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Queries volume information: unknown VolumeInformation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Queries volume information: unknown VolumeInformation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Queries volume information: unknown VolumeInformation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Queries volume information: unknown VolumeInformation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Queries volume information: unknown VolumeInformation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Queries volume information: unknown VolumeInformation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Queries volume information: unknown VolumeInformation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Queries volume information: unknown VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\AxQmthi0\SysResetErr.exe	Queries volume information: unknown VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\AxQmthi0\SysResetErr.exe	Queries volume information: unknown VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe	Queries volume information: unknown VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe	Queries volume information: unknown VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\FQTqHJ\MusNotificationUx.exe	Queries volume information: unknown VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\FQTqHJ\MusNotificationUx.exe	Queries volume information: unknown VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\QiP6c\SndVol.exe	Queries volume information: unknown VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\QiP6c\SndVol.exe	Queries volume information: unknown VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\r1aQ\EhStorAuthn.exe	Queries volume information: unknown VolumeInformation
Source: C:\Users\user\AppData\Local\r1aQ\EhStorAuthn.exe	Queries volume information: unknown VolumeInformation
Source: C:\Users\user\AppData\Local\VgY\mstsc.exe	Queries volume information: unknown VolumeInformation
Source: C:\Users\user\AppData\Local\VgY\mstsc.exe	Queries volume information: unknown VolumeInformation

Contains functionality to query locales information (e.g. system language)

Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe	Code function: memset,memset,GetLocaleInfoW,GetLastError,wcstoul,GetLocaleInfoW,GetLastError,GetNumberFormatW,GetLastError,GetProcessHeap,HeapAlloc,GetNumberFormatW,GetLastError,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,		24_2_00007FF7BC7DCA0C
Source: C:\Users\user\AppData\Local\QiP6c\SndVol.exe	Code function: GetUserPreferredUILanguages,malloc,GetUserPreferredUILanguages,GetLocaleInfoEx,free,		34_2_00007FF74A7B9EF4

Queries device information via Setup API

Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe

24_2_00007FF7BC80B77C

Queries the installation date of Windows

Source: C:\Windows\System32\loaddll64.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion InstallDate

Jump to behavior

Source: C:\Windows\System32\loaddll64.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: C:\Users\user\AppData\Local\AxQmthi0\SysResetErr.exe

Code function: 21_2_00007FF727F83E10 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,GetTickCount,QueryPerformanceCounter,

21_2_00007FF727F83E10

Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe

Code function: 24_2_00007FF7BC7D4344 GetTimeZoneInformation,GetLastError,GetSystemTime,SystemTimeToTzSpecificLocalTime,

24_2_00007FF7BC7D4344

Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe

Code function: 24_2_00007FF7BC80BB70 memset,RtlGetVersion,SetErrorMode,SetupDiGetClassDevsW,GetLastError,memset,SetupDiEnumDeviceInterfaces,SetupDiGetDeviceInterfaceDetailW,GetLastError,memset,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapFree,SetupDiGetDeviceInterfaceDetailW,memset,SetupDiGetDeviceInterfacePropertyW,GetLastError,CreateFileW,GetLastError,DeviceIoControl,GetProcessHeap,HeapAlloc,DeviceIoControl,GetLastError,GetLastError,SetErrorMode,GetProcessHeap,HeapFree,CloseHandle,GetProcessHeap,HeapFree,

24_2_00007FF7BC80BB70

Screenshots

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Network Map

No contacted IP infos

Contacted Domains

Name	IP	Active
clientconfig.passport.net	unknown	unknown

AV Detection:

Multi AV Scanner detection for submitted file

Source: A2qAaSVuU2.dll	Virustotal: Detection: 64%	Perma Link
Source: A2qAaSVuU2.dll	Metadefender: Detection: 62%	Perma Link
Source: A2qAaSVuU2.dll	ReversingLabs: Detection: 84%

Antivirus / Scanner detection for submitted sample

Source: A2qAaSVuU2.dll

Avira: detected

Antivirus detection for dropped file

Source: C:\Users\user\AppData\Local\A1gpxNou\ReAgent.dll	Avira: detection malicious, Label: HEUR/AGEN.1114452
Source: C:\Users\user\AppData\Local\QiP6c\UxTheme.dll	Avira: detection malicious, Label: TR/Crypt.ZPACK.Gen
Source: C:\Users\user\AppData\Local\FQTqHJ\XmlLite.dll	Avira: detection malicious, Label: HEUR/AGEN.1114452
Source: C:\Users\user\AppData\Local\AxQmthi0\DUI70.dll	Avira: detection malicious, Label: HEUR/AGEN.1114452
Source: C:\Users\user\AppData\Local\wsL8xMlEF\WINSTA.dll	Avira: detection malicious, Label: TR/Crypt.ZPACK.Gen
Source: C:\Users\user\AppData\Local\QiP6c\UxTheme.dll	Avira: detection malicious, Label: TR/Crypt.ZPACK.Gen
Source: C:\Users\user\AppData\Local\NNd0CnGJ\OLEACC.dll	Avira: detection malicious, Label: TR/Crypt.ZPACK.Gen
Source: C:\Users\user\AppData\Local\VgY\Secur32.dll	Avira: detection malicious, Label: TR/Crypt.ZPACK.Gen

Machine Learning detection for sample

Source: A2qAaSVuU2.dll

Joe Sandbox ML: detected

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Local\A1gpxNou\ReAgent.dll	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\QiP6c\UxTheme.dll	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\FQTqHJ\XmlLite.dll	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\AxQmthi0\DUI70.dll	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\wsL8xMlEF\WINSTA.dll	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\QiP6c\UxTheme.dll	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\NNd0CnGJ\OLEACC.dll	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\VgY\Secur32.dll	Joe Sandbox ML: detected

Cryptography:

Uses Microsoft's Enhanced Cryptographic Provider

Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe	Code function: 24_2_00007FF7BC80A0C4 CryptReleaseContext,CryptAcquireContextW,GetLastError,GetProcessHeap,HeapFree,	24_2_00007FF7BC80A0C4
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe	Code function: 24_2_00007FF7BC804064 GetProcessHeap,HeapAlloc,memmove,CryptImportKey,GetLastError,CryptImportKey,GetLastError,CryptImportKey,GetLastError,GetProcessHeap,HeapFree,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,CryptDestroyKey,CryptDestroyKey,	24_2_00007FF7BC804064
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe	Code function: 24_2_00007FF7BC80998C GetProcessHeap,HeapFree,CryptReleaseContext,GetProcessHeap,HeapFree,	24_2_00007FF7BC80998C
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe	Code function: 24_2_00007FF7BC809A24 CryptExportKey,GetLastError,GetProcessHeap,HeapAlloc,CryptExportKey,GetProcessHeap,HeapFree,CryptDestroyKey,	24_2_00007FF7BC809A24
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe	Code function: 24_2_00007FF7BC80AC28 CryptGetUserKey,GetLastError,CryptDestroyKey,	24_2_00007FF7BC80AC28
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe	Code function: 24_2_00007FF7BC8087EC UuidCreate,UuidToStringW,CryptAcquireContextW,GetLastError,GetProcessHeap,HeapFree,RpcStringFreeW,	24_2_00007FF7BC8087EC
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe	Code function: 24_2_00007FF7BC80A198 CryptExportKey,GetLastError,GetProcessHeap,HeapAlloc,CryptExportKey,GetProcessHeap,HeapFree,CryptDestroyKey,	24_2_00007FF7BC80A198
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe	Code function: 24_2_00007FF7BC8082F0 CryptGenKey,GetLastError,CryptDestroyKey,GetProcessHeap,HeapAlloc,CryptDestroyKey,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,	24_2_00007FF7BC8082F0
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe	Code function: 24_2_00007FF7BC8043E0 CryptImportKey,CryptSetKeyParam,CryptSetKeyParam,CryptGetKeyParam,CryptEncrypt,CryptDecrypt,GetLastError,CryptDestroyKey,GetProcessHeap,HeapFree,	24_2_00007FF7BC8043E0
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe	Code function: 24_2_00007FF7BC8084E4 CryptImportKey,GetLastError,CryptImportKey,CryptExportKey,GetProcessHeap,HeapAlloc,CryptExportKey,GetProcessHeap,HeapAlloc,memmove,GetProcessHeap,HeapFree,CryptDestroyKey,CryptDestroyKey,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,CryptReleaseContext,	24_2_00007FF7BC8084E4
Source: C:\Users\user\AppData\Local\FQTqHJ\MusNotificationUx.exe	Code function: 29_2_00007FF618B18290 RtlNtStatusToDosError,BCryptGetProperty,RtlNtStatusToDosError,RtlNtStatusToDosError,	29_2_00007FF618B18290
Source: C:\Users\user\AppData\Local\r1aQ\EhStorAuthn.exe	Code function: 36_2_00007FF6F2325B64 CryptProtectData,RegCreateKeyExW,RegCloseKey,RegCreateKeyExW,RegSetValueExW,RegCloseKey,LocalFree,	36_2_00007FF6F2325B64
Source: C:\Users\user\AppData\Local\r1aQ\EhStorAuthn.exe	Code function: 36_2_00007FF6F2325DD8 memset,RegOpenKeyW,RegQueryValueExW,LocalAlloc,RegQueryValueExW,RegCloseKey,LocalFree,CryptUnprotectData,LocalFree,LocalFree,	36_2_00007FF6F2325DD8
Source: C:\Users\user\AppData\Local\VgY\mstsc.exe	Code function: 41_2_00007FF657DAF52C CryptProtectData,LocalAlloc,LocalFree,	41_2_00007FF657DAF52C
Source: C:\Users\user\AppData\Local\VgY\mstsc.exe	Code function: 41_2_00007FF657DAF8FC CryptBinaryToStringW,LocalAlloc,CryptBinaryToStringW,LocalFree,	41_2_00007FF657DAF8FC

Source: A2qAaSVuU2.dll

Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA

Source:	Binary string: SndVol.pdbGCTL source: SndVol.exe, 00000022.00000002.478682807.00007FF74A7C2000.00000002.00020000.sdmp
Source:	Binary string: RecoveryDrive.pdbGCTL source: RecoveryDrive.exe, 00000018.00000000.393437519.00007FF7BC85C000.00000002.00020000.sdmp
Source:	Binary string: EhStorAuthn.pdbGCTL source: EhStorAuthn.exe, 00000024.00000000.479708302.00007FF6F232B000.00000002.00020000.sdmp
Source:	Binary string: MusNotificationUx.pdb source: MusNotificationUx.exe, 0000001D.00000000.420648066.00007FF618B1E000.00000002.00020000.sdmp
Source:	Binary string: SysResetErr.pdb source: SysResetErr.exe, 00000015.00000000.365066669.00007FF727F86000.00000002.00020000.sdmp
Source:	Binary string: MusNotificationUx.pdbGCTL source: MusNotificationUx.exe, 0000001D.00000000.420648066.00007FF618B1E000.00000002.00020000.sdmp
Source:	Binary string: EhStorAuthn.pdb source: EhStorAuthn.exe, 00000024.00000000.479708302.00007FF6F232B000.00000002.00020000.sdmp
Source:	Binary string: RecoveryDrive.pdb source: RecoveryDrive.exe, 00000018.00000000.393437519.00007FF7BC85C000.00000002.00020000.sdmp
Source:	Binary string: SndVol.pdb source: SndVol.exe, 00000022.00000002.478682807.00007FF74A7C2000.00000002.00020000.sdmp
Source:	Binary string: SysResetErr.pdbGCTL source: SysResetErr.exe, 00000015.00000000.365066669.00007FF727F86000.00000002.00020000.sdmp

Spreading:

Contains functionality to get notified if a device is plugged in / out

Source: C:\Users\user\AppData\Local\r1aQ\EhStorAuthn.exe

36_2_00007FF6F23211E0

Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_000000014005D290 FindFirstFileExW,	0_2_000000014005D290
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe	Code function: 24_2_00007FF7BC7F4E28 GetFileAttributesW,GetLastError,memset,FindFirstFileW,GetLastError,FindClose,GetProcessHeap,CompareStringW,CompareStringW,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,FindNextFileW,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,CreateFileW,GetLastError,CloseHandle,GetFileSizeEx,GetLastError,CloseHandle,CloseHandle,GetProcessHeap,HeapFree,CloseHandle,GetProcessHeap,CloseHandle,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,	24_2_00007FF7BC7F4E28
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe	Code function: 24_2_00007FF7BC80E958 free,memset,FindFirstFileW,GetLastError,GetLastError,FindNextFileW,GetLastError,GetLastError,GetLastError,GetLastError,GetLastError,FindClose,	24_2_00007FF7BC80E958
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe	Code function: 24_2_00007FF7BC81B964 memset,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapAlloc,FindFirstFileW,GetLastError,GetLastError,_wcsicmp,_wcsicmp,GetLastError,GetCurrentThread,NtQueryInformationThread,FindNextFileW,GetLastError,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,FindClose,SetLastError,	24_2_00007FF7BC81B964
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe	Code function: 24_2_00007FF7BC810638 memset,SetLastError,SetLastError,HeapAlloc,GetLastError,FindFirstFileW,memset,memset,wcsrchr,SetLastError,CompareStringW,CompareStringW,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,memset,FindNextFileW,GetLastError,GetLastError,GetLastError,FindClose,GetLastError,RtlFreeHeap,GetLastError,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,SetLastError,SetLastError,	24_2_00007FF7BC810638
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe	Code function: 24_2_00007FF7BC7F57FC memset,GetSystemWindowsDirectoryW,GetLastError,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetFileAttributesW,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetFileAttributesW,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetVolumeInformationW,memset,FindFirstFileW,GetLastError,CompareStringW,CompareStringW,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,FindNextFileW,GetLastError,GetLastError,GetProcessHeap,HeapFree,GetFileAttributesW,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetFileAttributesW,GetProcessHeap,HeapFree,FindClose,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,	24_2_00007FF7BC7F57FC
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe	Code function: 24_2_00007FF7BC7F6718 WIMCreateFile,GetLastError,FindClose,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,WIMCloseHandle,WIMCloseHandle,memset,WIMGetAttributes,GetLastError,memset,GetFullPathNameW,GetLastError,memset,FindFirstFileW,GetLastError,GetProcessHeap,HeapFree,WIMCreateFile,WIMCloseHandle,memset,WIMGetAttributes,FindNextFileW,GetLastError,GetLastError,GetLastError,	24_2_00007FF7BC7F6718
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe	Code function: 24_2_00007FF7BC7E21CC GetProcessHeap,HeapFree,GetFileAttributesW,GetLastError,GetProcessHeap,HeapFree,_wcsicmp,GetProcessHeap,HeapFree,FindClose,FindFirstFileW,FindClose,GetLastError,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,FindNextFileW,memmove,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,FindClose,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,	24_2_00007FF7BC7E21CC
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe	Code function: 24_2_00007FF7BC815458 memset,memset,memset,memset,FindFirstFileW,CompareStringW,CompareStringW,memset,FindNextFileW,FindClose,CoTaskMemFree,GetProcessHeap,HeapFree,	24_2_00007FF7BC815458
Source: C:\Users\user\AppData\Local\FQTqHJ\MusNotificationUx.exe	Code function: 29_2_00007FF618B1A104 ?_Swap_all@_Container_base0@std@@QEAAXAEAU12@@Z,FindFirstFileW,FindNextFileW,FindClose,?_Swap_all@_Container_base0@std@@QEAAXAEAU12@@Z,?_Swap_all@_Container_base0@std@@QEAAXAEAU12@@Z,	29_2_00007FF618B1A104

Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe

24_2_00007FF7BC7DB29C

Source: SndVol.exe, 00000020.00000002.447751833.000002C464AA0000.00000002.00020000.sdmp

String found in binary or memory: http://schemas.micro

Source: unknown

DNS traffic detected: queries for: clientconfig.passport.net

E-Banking Fraud:

Yara detected Dridex unpacked file

Source: Yara match	File source: 00000015.00000002.387213363.0000000140001000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000029.00000002.529730818.0000000140001000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.339300443.0000000140001000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.274418377.0000000140001000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000022.00000002.470825407.0000000140001000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000002.415547508.0000000140001000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.279916623.0000000140001000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.257940331.0000000140001000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000024.00000002.501617051.0000000140001000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.263722595.0000000140001000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001D.00000002.442655730.0000000140001000.00000020.00020000.sdmp, type: MEMORY

Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe	Code function: 24_2_00007FF7BC804064 GetProcessHeap,HeapAlloc,memmove,CryptImportKey,GetLastError,CryptImportKey,GetLastError,CryptImportKey,GetLastError,GetProcessHeap,HeapFree,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,CryptDestroyKey,CryptDestroyKey,	24_2_00007FF7BC804064
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe	Code function: 24_2_00007FF7BC8043E0 CryptImportKey,CryptSetKeyParam,CryptSetKeyParam,CryptGetKeyParam,CryptEncrypt,CryptDecrypt,GetLastError,CryptDestroyKey,GetProcessHeap,HeapFree,	24_2_00007FF7BC8043E0
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe	Code function: 24_2_00007FF7BC8084E4 CryptImportKey,GetLastError,CryptImportKey,CryptExportKey,GetProcessHeap,HeapAlloc,CryptExportKey,GetProcessHeap,HeapAlloc,memmove,GetProcessHeap,HeapFree,CryptDestroyKey,CryptDestroyKey,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,CryptReleaseContext,	24_2_00007FF7BC8084E4

System Summary:

Contains functionality to shutdown / reboot the system

Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe

Code function: 24_2_00007FF7BC855C64 NtShutdownSystem,InitiateSystemShutdownExW,GetLastError,

24_2_00007FF7BC855C64

Detected potential crypto function

Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_0000000140034870	0_2_0000000140034870
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_0000000140035270	0_2_0000000140035270
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_0000000140048AC0	0_2_0000000140048AC0
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_000000014005C340	0_2_000000014005C340
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_0000000140065B80	0_2_0000000140065B80
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_000000014006A4B0	0_2_000000014006A4B0
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00000001400524B0	0_2_00000001400524B0
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_0000000140026CC0	0_2_0000000140026CC0
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_000000014004BD40	0_2_000000014004BD40
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00000001400495B0	0_2_00000001400495B0
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_0000000140036F30	0_2_0000000140036F30
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_0000000140069010	0_2_0000000140069010
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_0000000140001010	0_2_0000000140001010
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_0000000140066020	0_2_0000000140066020
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_000000014002F840	0_2_000000014002F840
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_000000014005D850	0_2_000000014005D850
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_0000000140064080	0_2_0000000140064080
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_0000000140010880	0_2_0000000140010880
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00000001400688A0	0_2_00000001400688A0
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_000000014002D0D0	0_2_000000014002D0D0
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00000001400018D0	0_2_00000001400018D0
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_0000000140016100	0_2_0000000140016100
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_000000014001D100	0_2_000000014001D100
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_000000014002A110	0_2_000000014002A110
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_000000014001D910	0_2_000000014001D910
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_0000000140015120	0_2_0000000140015120
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_000000014000B120	0_2_000000014000B120
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_000000014004F940	0_2_000000014004F940
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_0000000140039140	0_2_0000000140039140
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_0000000140023140	0_2_0000000140023140
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_0000000140057950	0_2_0000000140057950
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_000000014001E170	0_2_000000014001E170
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_0000000140002980	0_2_0000000140002980
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00000001400611A0	0_2_00000001400611A0
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00000001400389A0	0_2_00000001400389A0
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00000001400381A0	0_2_00000001400381A0
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_000000014002E1B0	0_2_000000014002E1B0
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00000001400139D0	0_2_00000001400139D0
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00000001400319F0	0_2_00000001400319F0
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_000000014002EA00	0_2_000000014002EA00
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_0000000140022A00	0_2_0000000140022A00
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_000000014003B220	0_2_000000014003B220
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_0000000140067A40	0_2_0000000140067A40
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_0000000140069A50	0_2_0000000140069A50
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_0000000140007A60	0_2_0000000140007A60
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_000000014003AAC0	0_2_000000014003AAC0
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_000000014003A2E0	0_2_000000014003A2E0
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_0000000140062B00	0_2_0000000140062B00
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_0000000140018300	0_2_0000000140018300
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_000000014002FB20	0_2_000000014002FB20
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_0000000140031340	0_2_0000000140031340
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_0000000140022340	0_2_0000000140022340
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_0000000140017B40	0_2_0000000140017B40
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_000000014000BB40	0_2_000000014000BB40
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_000000014004EB60	0_2_000000014004EB60
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_0000000140005370	0_2_0000000140005370
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_000000014002CB80	0_2_000000014002CB80
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_000000014006B390	0_2_000000014006B390
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_0000000140054BA0	0_2_0000000140054BA0
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_0000000140033BB0	0_2_0000000140033BB0
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00000001400263C0	0_2_00000001400263C0
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00000001400123C0	0_2_00000001400123C0
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_0000000140063BD0	0_2_0000000140063BD0
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00000001400663F0	0_2_00000001400663F0
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_0000000140023BF0	0_2_0000000140023BF0
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_000000014006B41B	0_2_000000014006B41B
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_000000014006B424	0_2_000000014006B424
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_000000014006B42D	0_2_000000014006B42D
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_000000014006B436	0_2_000000014006B436
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_000000014006B43D	0_2_000000014006B43D
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_0000000140024440	0_2_0000000140024440
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_0000000140005C40	0_2_0000000140005C40
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_000000014006B446	0_2_000000014006B446
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_000000014005F490	0_2_000000014005F490
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_0000000140022D00	0_2_0000000140022D00
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_0000000140035520	0_2_0000000140035520
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_0000000140019D20	0_2_0000000140019D20
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_0000000140030530	0_2_0000000140030530
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_0000000140023530	0_2_0000000140023530
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_0000000140031540	0_2_0000000140031540
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_0000000140033540	0_2_0000000140033540
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_000000014007BD50	0_2_000000014007BD50
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_0000000140078570	0_2_0000000140078570
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_0000000140019580	0_2_0000000140019580
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00000001400205A0	0_2_00000001400205A0
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_0000000140025DB0	0_2_0000000140025DB0
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_0000000140071DC0	0_2_0000000140071DC0
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_000000014000C5C0	0_2_000000014000C5C0
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_000000014002DDE0	0_2_000000014002DDE0
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_0000000140031DF0	0_2_0000000140031DF0
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_000000014000DDF0	0_2_000000014000DDF0
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_0000000140001620	0_2_0000000140001620
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_0000000140018630	0_2_0000000140018630
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_0000000140032650	0_2_0000000140032650
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_0000000140064E80	0_2_0000000140064E80
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_0000000140016E80	0_2_0000000140016E80
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_0000000140007EA0	0_2_0000000140007EA0
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00000001400286B0	0_2_00000001400286B0
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_0000000140006EB0	0_2_0000000140006EB0
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00000001400276C0	0_2_00000001400276C0
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_000000014002FEC0	0_2_000000014002FEC0
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_000000014002EED0	0_2_000000014002EED0
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_000000014002B6E0	0_2_000000014002B6E0
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_0000000140053F20	0_2_0000000140053F20
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_0000000140022730	0_2_0000000140022730
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_0000000140029780	0_2_0000000140029780
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_0000000140018F80	0_2_0000000140018F80
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_000000014003EFB0	0_2_000000014003EFB0
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00000001400067B0	0_2_00000001400067B0
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00000001400667D0	0_2_00000001400667D0
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_0000000140060FE0	0_2_0000000140060FE0
Source: C:\Users\user\AppData\Local\AxQmthi0\SysResetErr.exe	Code function: 21_2_00007FF727F81424	21_2_00007FF727F81424
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe	Code function: 24_2_00007FF7BC821DAC	24_2_00007FF7BC821DAC
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe	Code function: 24_2_00007FF7BC7D8D98	24_2_00007FF7BC7D8D98
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe	Code function: 24_2_00007FF7BC7D7DE0	24_2_00007FF7BC7D7DE0
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe	Code function: 24_2_00007FF7BC832DE0	24_2_00007FF7BC832DE0
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe	Code function: 24_2_00007FF7BC846D24	24_2_00007FF7BC846D24
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe	Code function: 24_2_00007FF7BC7EBD70	24_2_00007FF7BC7EBD70
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe	Code function: 24_2_00007FF7BC842EA8	24_2_00007FF7BC842EA8
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe	Code function: 24_2_00007FF7BC845EB0	24_2_00007FF7BC845EB0
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe	Code function: 24_2_00007FF7BC7EAEEC	24_2_00007FF7BC7EAEEC
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe	Code function: 24_2_00007FF7BC7F4E28	24_2_00007FF7BC7F4E28
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe	Code function: 24_2_00007FF7BC7D1E50	24_2_00007FF7BC7D1E50
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe	Code function: 24_2_00007FF7BC81BE40	24_2_00007FF7BC81BE40
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe	Code function: 24_2_00007FF7BC816E74	24_2_00007FF7BC816E74
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe	Code function: 24_2_00007FF7BC7F6FC4	24_2_00007FF7BC7F6FC4
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe	Code function: 24_2_00007FF7BC807FD4	24_2_00007FF7BC807FD4
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe	Code function: 24_2_00007FF7BC82DFF0	24_2_00007FF7BC82DFF0
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe	Code function: 24_2_00007FF7BC7DFFE8	24_2_00007FF7BC7DFFE8
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe	Code function: 24_2_00007FF7BC7F2FE8	24_2_00007FF7BC7F2FE8
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe	Code function: 24_2_00007FF7BC7D6000	24_2_00007FF7BC7D6000
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe	Code function: 24_2_00007FF7BC7D8010	24_2_00007FF7BC7D8010
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe	Code function: 24_2_00007FF7BC819000	24_2_00007FF7BC819000
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe	Code function: 24_2_00007FF7BC83EF24	24_2_00007FF7BC83EF24
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe	Code function: 24_2_00007FF7BC82EF40	24_2_00007FF7BC82EF40
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe	Code function: 24_2_00007FF7BC830F40	24_2_00007FF7BC830F40
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe	Code function: 24_2_00007FF7BC7E0F74	24_2_00007FF7BC7E0F74
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe	Code function: 24_2_00007FF7BC7FC0A0	24_2_00007FF7BC7FC0A0
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe	Code function: 24_2_00007FF7BC7EE0A0	24_2_00007FF7BC7EE0A0
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe	Code function: 24_2_00007FF7BC83D0C0	24_2_00007FF7BC83D0C0
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe	Code function: 24_2_00007FF7BC7EF0F0	24_2_00007FF7BC7EF0F0
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe	Code function: 24_2_00007FF7BC8260E0	24_2_00007FF7BC8260E0
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe	Code function: 24_2_00007FF7BC83E104	24_2_00007FF7BC83E104
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe	Code function: 24_2_00007FF7BC84F020	24_2_00007FF7BC84F020
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe	Code function: 24_2_00007FF7BC804064	24_2_00007FF7BC804064
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe	Code function: 24_2_00007FF7BC7D7058	24_2_00007FF7BC7D7058
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe	Code function: 24_2_00007FF7BC802074	24_2_00007FF7BC802074
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe	Code function: 24_2_00007FF7BC84A080	24_2_00007FF7BC84A080
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe	Code function: 24_2_00007FF7BC7E19A0	24_2_00007FF7BC7E19A0
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe	Code function: 24_2_00007FF7BC8409B0	24_2_00007FF7BC8409B0
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe	Code function: 24_2_00007FF7BC8009C4	24_2_00007FF7BC8009C4
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe	Code function: 24_2_00007FF7BC7FF9F0	24_2_00007FF7BC7FF9F0
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe	Code function: 24_2_00007FF7BC7E89F0	24_2_00007FF7BC7E89F0
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe	Code function: 24_2_00007FF7BC7D7A00	24_2_00007FF7BC7D7A00
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe	Code function: 24_2_00007FF7BC7FE9FC	24_2_00007FF7BC7FE9FC
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe	Code function: 24_2_00007FF7BC7DCA0C	24_2_00007FF7BC7DCA0C
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe	Code function: 24_2_00007FF7BC827A00	24_2_00007FF7BC827A00
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe	Code function: 24_2_00007FF7BC81B964	24_2_00007FF7BC81B964
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe	Code function: 24_2_00007FF7BC7F8980	24_2_00007FF7BC7F8980
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe	Code function: 24_2_00007FF7BC823980	24_2_00007FF7BC823980
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe	Code function: 24_2_00007FF7BC7D9AB4	24_2_00007FF7BC7D9AB4
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe	Code function: 24_2_00007FF7BC84FA9C	24_2_00007FF7BC84FA9C
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe	Code function: 24_2_00007FF7BC7E9AE0	24_2_00007FF7BC7E9AE0
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe	Code function: 24_2_00007FF7BC7ECAF0	24_2_00007FF7BC7ECAF0
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe	Code function: 24_2_00007FF7BC837B10	24_2_00007FF7BC837B10
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe	Code function: 24_2_00007FF7BC831B10	24_2_00007FF7BC831B10
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe	Code function: 24_2_00007FF7BC834B14	24_2_00007FF7BC834B14
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe	Code function: 24_2_00007FF7BC81AAFC	24_2_00007FF7BC81AAFC
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe	Code function: 24_2_00007FF7BC813A30	24_2_00007FF7BC813A30
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe	Code function: 24_2_00007FF7BC7F3A1C	24_2_00007FF7BC7F3A1C
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe	Code function: 24_2_00007FF7BC82DA40	24_2_00007FF7BC82DA40
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe	Code function: 24_2_00007FF7BC838A90	24_2_00007FF7BC838A90
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe	Code function: 24_2_00007FF7BC84DBA0	24_2_00007FF7BC84DBA0
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe	Code function: 24_2_00007FF7BC7D6BDC	24_2_00007FF7BC7D6BDC
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe	Code function: 24_2_00007FF7BC833C08	24_2_00007FF7BC833C08
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe	Code function: 24_2_00007FF7BC7F9B24	24_2_00007FF7BC7F9B24
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe	Code function: 24_2_00007FF7BC80FB18	24_2_00007FF7BC80FB18
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe	Code function: 24_2_00007FF7BC80BB70	24_2_00007FF7BC80BB70
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe	Code function: 24_2_00007FF7BC819B58	24_2_00007FF7BC819B58
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe	Code function: 24_2_00007FF7BC7E1CAC	24_2_00007FF7BC7E1CAC
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe	Code function: 24_2_00007FF7BC7DBCE0	24_2_00007FF7BC7DBCE0
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe	Code function: 24_2_00007FF7BC7FFCF0	24_2_00007FF7BC7FFCF0
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe	Code function: 24_2_00007FF7BC7EFC40	24_2_00007FF7BC7EFC40
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe	Code function: 24_2_00007FF7BC829C70	24_2_00007FF7BC829C70
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe	Code function: 24_2_00007FF7BC7FBC58	24_2_00007FF7BC7FBC58
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe	Code function: 24_2_00007FF7BC830C90	24_2_00007FF7BC830C90
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe	Code function: 24_2_00007FF7BC808C80	24_2_00007FF7BC808C80
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe	Code function: 24_2_00007FF7BC7E85EC	24_2_00007FF7BC7E85EC
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe	Code function: 24_2_00007FF7BC831608	24_2_00007FF7BC831608
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe	Code function: 24_2_00007FF7BC814610	24_2_00007FF7BC814610
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe	Code function: 24_2_00007FF7BC7E3530	24_2_00007FF7BC7E3530
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe	Code function: 24_2_00007FF7BC832590	24_2_00007FF7BC832590
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe	Code function: 24_2_00007FF7BC841578	24_2_00007FF7BC841578
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe	Code function: 24_2_00007FF7BC7D8590	24_2_00007FF7BC7D8590
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe	Code function: 24_2_00007FF7BC7FA6F4	24_2_00007FF7BC7FA6F4
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe	Code function: 24_2_00007FF7BC810638	24_2_00007FF7BC810638
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe	Code function: 24_2_00007FF7BC83566C	24_2_00007FF7BC83566C
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe	Code function: 24_2_00007FF7BC7F7684	24_2_00007FF7BC7F7684
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe	Code function: 24_2_00007FF7BC7D568C	24_2_00007FF7BC7D568C
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe	Code function: 24_2_00007FF7BC8227A0	24_2_00007FF7BC8227A0
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe	Code function: 24_2_00007FF7BC7DA7C0	24_2_00007FF7BC7DA7C0
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe	Code function: 24_2_00007FF7BC847808	24_2_00007FF7BC847808
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe	Code function: 24_2_00007FF7BC7F57FC	24_2_00007FF7BC7F57FC
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe	Code function: 24_2_00007FF7BC84A810	24_2_00007FF7BC84A810
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe	Code function: 24_2_00007FF7BC7F6718	24_2_00007FF7BC7F6718
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe	Code function: 24_2_00007FF7BC82474C	24_2_00007FF7BC82474C
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe	Code function: 24_2_00007FF7BC801740	24_2_00007FF7BC801740
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe	Code function: 24_2_00007FF7BC7D273C	24_2_00007FF7BC7D273C
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe	Code function: 24_2_00007FF7BC7FB76C	24_2_00007FF7BC7FB76C
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe	Code function: 24_2_00007FF7BC82F790	24_2_00007FF7BC82F790
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe	Code function: 24_2_00007FF7BC7D8790	24_2_00007FF7BC7D8790
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe	Code function: 24_2_00007FF7BC80B77C	24_2_00007FF7BC80B77C
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe	Code function: 24_2_00007FF7BC83F780	24_2_00007FF7BC83F780
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe	Code function: 24_2_00007FF7BC84F780	24_2_00007FF7BC84F780
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe	Code function: 24_2_00007FF7BC82089C	24_2_00007FF7BC82089C
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe	Code function: 24_2_00007FF7BC8398E0	24_2_00007FF7BC8398E0
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe	Code function: 24_2_00007FF7BC8491D0	24_2_00007FF7BC8491D0
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe	Code function: 24_2_00007FF7BC7E21CC	24_2_00007FF7BC7E21CC
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe	Code function: 24_2_00007FF7BC80E1D8	24_2_00007FF7BC80E1D8
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe	Code function: 24_2_00007FF7BC7E720C	24_2_00007FF7BC7E720C
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe	Code function: 24_2_00007FF7BC836200	24_2_00007FF7BC836200
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe	Code function: 24_2_00007FF7BC81012C	24_2_00007FF7BC81012C
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe	Code function: 24_2_00007FF7BC7E1130	24_2_00007FF7BC7E1130
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe	Code function: 24_2_00007FF7BC839170	24_2_00007FF7BC839170
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe	Code function: 24_2_00007FF7BC857160	24_2_00007FF7BC857160
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe	Code function: 24_2_00007FF7BC84517C	24_2_00007FF7BC84517C
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe	Code function: 24_2_00007FF7BC7DB29C	24_2_00007FF7BC7DB29C
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe	Code function: 24_2_00007FF7BC834298	24_2_00007FF7BC834298
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe	Code function: 24_2_00007FF7BC7D52AC	24_2_00007FF7BC7D52AC
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe	Code function: 24_2_00007FF7BC8442D4	24_2_00007FF7BC8442D4
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe	Code function: 24_2_00007FF7BC7DD2E0	24_2_00007FF7BC7DD2E0
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe	Code function: 24_2_00007FF7BC8282F0	24_2_00007FF7BC8282F0
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe	Code function: 24_2_00007FF7BC8012EC	24_2_00007FF7BC8012EC
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe	Code function: 24_2_00007FF7BC7F224C	24_2_00007FF7BC7F224C
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe	Code function: 24_2_00007FF7BC813270	24_2_00007FF7BC813270
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe	Code function: 24_2_00007FF7BC809264	24_2_00007FF7BC809264
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe	Code function: 24_2_00007FF7BC7ED290	24_2_00007FF7BC7ED290
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe	Code function: 24_2_00007FF7BC84E3E0	24_2_00007FF7BC84E3E0
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe	Code function: 24_2_00007FF7BC84340C	24_2_00007FF7BC84340C
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe	Code function: 24_2_00007FF7BC821320	24_2_00007FF7BC821320
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe	Code function: 24_2_00007FF7BC812350	24_2_00007FF7BC812350
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe	Code function: 24_2_00007FF7BC7DF378	24_2_00007FF7BC7DF378
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe	Code function: 24_2_00007FF7BC8384A4	24_2_00007FF7BC8384A4
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe	Code function: 24_2_00007FF7BC82A4E0	24_2_00007FF7BC82A4E0
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe	Code function: 24_2_00007FF7BC82E4E0	24_2_00007FF7BC82E4E0
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe	Code function: 24_2_00007FF7BC8084E4	24_2_00007FF7BC8084E4
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe	Code function: 24_2_00007FF7BC83B510	24_2_00007FF7BC83B510
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe	Code function: 24_2_00007FF7BC7DC430	24_2_00007FF7BC7DC430
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe	Code function: 24_2_00007FF7BC80343C	24_2_00007FF7BC80343C
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe	Code function: 24_2_00007FF7BC7F4454	24_2_00007FF7BC7F4454
Source: C:\Users\user\AppData\Local\FQTqHJ\MusNotificationUx.exe	Code function: 29_2_00007FF618B019F0	29_2_00007FF618B019F0
Source: C:\Users\user\AppData\Local\FQTqHJ\MusNotificationUx.exe	Code function: 29_2_00007FF618AFA9EC	29_2_00007FF618AFA9EC
Source: C:\Users\user\AppData\Local\FQTqHJ\MusNotificationUx.exe	Code function: 29_2_00007FF618AFD9E4	29_2_00007FF618AFD9E4
Source: C:\Users\user\AppData\Local\FQTqHJ\MusNotificationUx.exe	Code function: 29_2_00007FF618AF71D8	29_2_00007FF618AF71D8
Source: C:\Users\user\AppData\Local\FQTqHJ\MusNotificationUx.exe	Code function: 29_2_00007FF618AFB5C0	29_2_00007FF618AFB5C0
Source: C:\Users\user\AppData\Local\FQTqHJ\MusNotificationUx.exe	Code function: 29_2_00007FF618AFC5B8	29_2_00007FF618AFC5B8
Source: C:\Users\user\AppData\Local\FQTqHJ\MusNotificationUx.exe	Code function: 29_2_00007FF618AFCE18	29_2_00007FF618AFCE18
Source: C:\Users\user\AppData\Local\FQTqHJ\MusNotificationUx.exe	Code function: 29_2_00007FF618B0E5DC	29_2_00007FF618B0E5DC
Source: C:\Users\user\AppData\Local\FQTqHJ\MusNotificationUx.exe	Code function: 29_2_00007FF618B04208	29_2_00007FF618B04208
Source: C:\Users\user\AppData\Local\FQTqHJ\MusNotificationUx.exe	Code function: 29_2_00007FF618B109E8	29_2_00007FF618B109E8
Source: C:\Users\user\AppData\Local\FQTqHJ\MusNotificationUx.exe	Code function: 29_2_00007FF618AF61FC	29_2_00007FF618AF61FC
Source: C:\Users\user\AppData\Local\FQTqHJ\MusNotificationUx.exe	Code function: 29_2_00007FF618B03570	29_2_00007FF618B03570
Source: C:\Users\user\AppData\Local\FQTqHJ\MusNotificationUx.exe	Code function: 29_2_00007FF618B0ED88	29_2_00007FF618B0ED88
Source: C:\Users\user\AppData\Local\FQTqHJ\MusNotificationUx.exe	Code function: 29_2_00007FF618B169A8	29_2_00007FF618B169A8
Source: C:\Users\user\AppData\Local\FQTqHJ\MusNotificationUx.exe	Code function: 29_2_00007FF618B0CDA8	29_2_00007FF618B0CDA8
Source: C:\Users\user\AppData\Local\FQTqHJ\MusNotificationUx.exe	Code function: 29_2_00007FF618B0A16C	29_2_00007FF618B0A16C
Source: C:\Users\user\AppData\Local\FQTqHJ\MusNotificationUx.exe	Code function: 29_2_00007FF618B0C570	29_2_00007FF618B0C570
Source: C:\Users\user\AppData\Local\FQTqHJ\MusNotificationUx.exe	Code function: 29_2_00007FF618AFD6E4	29_2_00007FF618AFD6E4
Source: C:\Users\user\AppData\Local\FQTqHJ\MusNotificationUx.exe	Code function: 29_2_00007FF618B07EE0	29_2_00007FF618B07EE0
Source: C:\Users\user\AppData\Local\FQTqHJ\MusNotificationUx.exe	Code function: 29_2_00007FF618B0C318	29_2_00007FF618B0C318
Source: C:\Users\user\AppData\Local\FQTqHJ\MusNotificationUx.exe	Code function: 29_2_00007FF618AFBEC4	29_2_00007FF618AFBEC4
Source: C:\Users\user\AppData\Local\FQTqHJ\MusNotificationUx.exe	Code function: 29_2_00007FF618B0BEB8	29_2_00007FF618B0BEB8
Source: C:\Users\user\AppData\Local\FQTqHJ\MusNotificationUx.exe	Code function: 29_2_00007FF618B0A6C8	29_2_00007FF618B0A6C8
Source: C:\Users\user\AppData\Local\FQTqHJ\MusNotificationUx.exe	Code function: 29_2_00007FF618B02720	29_2_00007FF618B02720
Source: C:\Users\user\AppData\Local\FQTqHJ\MusNotificationUx.exe	Code function: 29_2_00007FF618B07720	29_2_00007FF618B07720
Source: C:\Users\user\AppData\Local\FQTqHJ\MusNotificationUx.exe	Code function: 29_2_00007FF618B186D8	29_2_00007FF618B186D8
Source: C:\Users\user\AppData\Local\FQTqHJ\MusNotificationUx.exe	Code function: 29_2_00007FF618AFA26C	29_2_00007FF618AFA26C
Source: C:\Users\user\AppData\Local\FQTqHJ\MusNotificationUx.exe	Code function: 29_2_00007FF618B11688	29_2_00007FF618B11688
Source: C:\Users\user\AppData\Local\FQTqHJ\MusNotificationUx.exe	Code function: 29_2_00007FF618AFC25C	29_2_00007FF618AFC25C
Source: C:\Users\user\AppData\Local\FQTqHJ\MusNotificationUx.exe	Code function: 29_2_00007FF618AF67F4	29_2_00007FF618AF67F4
Source: C:\Users\user\AppData\Local\FQTqHJ\MusNotificationUx.exe	Code function: 29_2_00007FF618AFD3E8	29_2_00007FF618AFD3E8
Source: C:\Users\user\AppData\Local\FQTqHJ\MusNotificationUx.exe	Code function: 29_2_00007FF618AF9FE8	29_2_00007FF618AF9FE8
Source: C:\Users\user\AppData\Local\FQTqHJ\MusNotificationUx.exe	Code function: 29_2_00007FF618AFCBE4	29_2_00007FF618AFCBE4
Source: C:\Users\user\AppData\Local\FQTqHJ\MusNotificationUx.exe	Code function: 29_2_00007FF618B0AC0C	29_2_00007FF618B0AC0C
Source: C:\Users\user\AppData\Local\FQTqHJ\MusNotificationUx.exe	Code function: 29_2_00007FF618B007D8	29_2_00007FF618B007D8
Source: C:\Users\user\AppData\Local\FQTqHJ\MusNotificationUx.exe	Code function: 29_2_00007FF618B05C2C	29_2_00007FF618B05C2C
Source: C:\Users\user\AppData\Local\FQTqHJ\MusNotificationUx.exe	Code function: 29_2_00007FF618B08BCC	29_2_00007FF618B08BCC
Source: C:\Users\user\AppData\Local\FQTqHJ\MusNotificationUx.exe	Code function: 29_2_00007FF618AFB80C	29_2_00007FF618AFB80C
Source: C:\Users\user\AppData\Local\FQTqHJ\MusNotificationUx.exe	Code function: 29_2_00007FF618B083E0	29_2_00007FF618B083E0
Source: C:\Users\user\AppData\Local\FQTqHJ\MusNotificationUx.exe	Code function: 29_2_00007FF618AFBB68	29_2_00007FF618AFBB68
Source: C:\Users\user\AppData\Local\FQTqHJ\MusNotificationUx.exe	Code function: 29_2_00007FF618AF4760	29_2_00007FF618AF4760
Source: C:\Users\user\AppData\Local\FQTqHJ\MusNotificationUx.exe	Code function: 29_2_00007FF618AFF360	29_2_00007FF618AFF360
Source: C:\Users\user\AppData\Local\FQTqHJ\MusNotificationUx.exe	Code function: 29_2_00007FF618B06754	29_2_00007FF618B06754
Source: C:\Users\user\AppData\Local\FQTqHJ\MusNotificationUx.exe	Code function: 29_2_00007FF618B0BBAC	29_2_00007FF618B0BBAC
Source: C:\Users\user\AppData\Local\FQTqHJ\MusNotificationUx.exe	Code function: 29_2_00007FF618B1C3B4	29_2_00007FF618B1C3B4
Source: C:\Users\user\AppData\Local\FQTqHJ\MusNotificationUx.exe	Code function: 29_2_00007FF618B0F33C	29_2_00007FF618B0F33C
Source: C:\Users\user\AppData\Local\FQTqHJ\MusNotificationUx.exe	Code function: 29_2_00007FF618B047A8	29_2_00007FF618B047A8
Source: C:\Users\user\AppData\Local\FQTqHJ\MusNotificationUx.exe	Code function: 29_2_00007FF618AFB38C	29_2_00007FF618AFB38C
Source: C:\Users\user\AppData\Local\FQTqHJ\MusNotificationUx.exe	Code function: 29_2_00007FF618AFE38C	29_2_00007FF618AFE38C
Source: C:\Users\user\AppData\Local\FQTqHJ\MusNotificationUx.exe	Code function: 29_2_00007FF618B06B7C	29_2_00007FF618B06B7C
Source: C:\Users\user\AppData\Local\FQTqHJ\MusNotificationUx.exe	Code function: 29_2_00007FF618AFECE8	29_2_00007FF618AFECE8
Source: C:\Users\user\AppData\Local\FQTqHJ\MusNotificationUx.exe	Code function: 29_2_00007FF618AFDCE4	29_2_00007FF618AFDCE4
Source: C:\Users\user\AppData\Local\FQTqHJ\MusNotificationUx.exe	Code function: 29_2_00007FF618B03CE0	29_2_00007FF618B03CE0
Source: C:\Users\user\AppData\Local\FQTqHJ\MusNotificationUx.exe	Code function: 29_2_00007FF618B044C4	29_2_00007FF618B044C4
Source: C:\Users\user\AppData\Local\FQTqHJ\MusNotificationUx.exe	Code function: 29_2_00007FF618B11130	29_2_00007FF618B11130
Source: C:\Users\user\AppData\Local\FQTqHJ\MusNotificationUx.exe	Code function: 29_2_00007FF618AF9D28	29_2_00007FF618AF9D28
Source: C:\Users\user\AppData\Local\FQTqHJ\MusNotificationUx.exe	Code function: 29_2_00007FF618B0F8CC	29_2_00007FF618B0F8CC
Source: C:\Users\user\AppData\Local\FQTqHJ\MusNotificationUx.exe	Code function: 29_2_00007FF618AFC908	29_2_00007FF618AFC908
Source: C:\Users\user\AppData\Local\FQTqHJ\MusNotificationUx.exe	Code function: 29_2_00007FF618B01100	29_2_00007FF618B01100
Source: C:\Users\user\AppData\Local\FQTqHJ\MusNotificationUx.exe	Code function: 29_2_00007FF618AFACFC	29_2_00007FF618AFACFC
Source: C:\Users\user\AppData\Local\FQTqHJ\MusNotificationUx.exe	Code function: 29_2_00007FF618B06048	29_2_00007FF618B06048
Source: C:\Users\user\AppData\Local\FQTqHJ\MusNotificationUx.exe	Code function: 29_2_00007FF618AFE040	29_2_00007FF618AFE040
Source: C:\Users\user\AppData\Local\FQTqHJ\MusNotificationUx.exe	Code function: 29_2_00007FF618AFB03C	29_2_00007FF618AFB03C
Source: C:\Users\user\AppData\Local\FQTqHJ\MusNotificationUx.exe	Code function: 29_2_00007FF618B11CB0	29_2_00007FF618B11CB0
Source: C:\Users\user\AppData\Local\FQTqHJ\MusNotificationUx.exe	Code function: 29_2_00007FF618B0944C	29_2_00007FF618B0944C
Source: C:\Users\user\AppData\Local\FQTqHJ\MusNotificationUx.exe	Code function: 29_2_00007FF618B1044C	29_2_00007FF618B1044C
Source: C:\Users\user\AppData\Local\FQTqHJ\MusNotificationUx.exe	Code function: 29_2_00007FF618B0D054	29_2_00007FF618B0D054
Source: C:\Users\user\AppData\Local\FQTqHJ\MusNotificationUx.exe	Code function: 29_2_00007FF618B04C80	29_2_00007FF618B04C80
Source: C:\Users\user\AppData\Local\FQTqHJ\MusNotificationUx.exe	Code function: 29_2_00007FF618B0A070	29_2_00007FF618B0A070
Source: C:\Users\user\AppData\Local\QiP6c\SndVol.exe	Code function: 34_2_00007FF74A7B03A0	34_2_00007FF74A7B03A0
Source: C:\Users\user\AppData\Local\QiP6c\SndVol.exe	Code function: 34_2_00007FF74A7B2BD8	34_2_00007FF74A7B2BD8
Source: C:\Users\user\AppData\Local\QiP6c\SndVol.exe	Code function: 34_2_00007FF74A7B3718	34_2_00007FF74A7B3718
Source: C:\Users\user\AppData\Local\QiP6c\SndVol.exe	Code function: 34_2_00007FF74A7B0CA8	34_2_00007FF74A7B0CA8
Source: C:\Users\user\AppData\Local\QiP6c\SndVol.exe	Code function: 34_2_00007FF74A7BC4D0	34_2_00007FF74A7BC4D0
Source: C:\Users\user\AppData\Local\QiP6c\SndVol.exe	Code function: 34_2_00007FF74A7A44E8	34_2_00007FF74A7A44E8
Source: C:\Users\user\AppData\Local\QiP6c\SndVol.exe	Code function: 34_2_00007FF74A7A3514	34_2_00007FF74A7A3514
Source: C:\Users\user\AppData\Local\QiP6c\SndVol.exe	Code function: 34_2_00007FF74A7A3080	34_2_00007FF74A7A3080
Source: C:\Users\user\AppData\Local\QiP6c\SndVol.exe	Code function: 34_2_00007FF74A7BB088	34_2_00007FF74A7BB088
Source: C:\Users\user\AppData\Local\QiP6c\SndVol.exe	Code function: 34_2_00007FF74A7AA1A0	34_2_00007FF74A7AA1A0
Source: C:\Users\user\AppData\Local\QiP6c\SndVol.exe	Code function: 34_2_00007FF74A7AA5C8	34_2_00007FF74A7AA5C8
Source: C:\Users\user\AppData\Local\QiP6c\SndVol.exe	Code function: 34_2_00007FF74A7A8310	34_2_00007FF74A7A8310
Source: C:\Users\user\AppData\Local\QiP6c\SndVol.exe	Code function: 34_2_00007FF74A7B4F10	34_2_00007FF74A7B4F10
Source: C:\Users\user\AppData\Local\QiP6c\SndVol.exe	Code function: 34_2_00007FF74A7A6218	34_2_00007FF74A7A6218
Source: C:\Users\user\AppData\Local\r1aQ\EhStorAuthn.exe	Code function: 36_2_00007FF6F2321B80	36_2_00007FF6F2321B80
Source: C:\Users\user\AppData\Local\r1aQ\EhStorAuthn.exe	Code function: 36_2_00007FF6F2324600	36_2_00007FF6F2324600
Source: C:\Users\user\AppData\Local\r1aQ\EhStorAuthn.exe	Code function: 36_2_00007FF6F2328BC8	36_2_00007FF6F2328BC8
Source: C:\Users\user\AppData\Local\r1aQ\EhStorAuthn.exe	Code function: 36_2_00007FF6F2322CD0	36_2_00007FF6F2322CD0
Source: C:\Users\user\AppData\Local\r1aQ\EhStorAuthn.exe	Code function: 36_2_00007FF6F23241D8	36_2_00007FF6F23241D8
Source: C:\Users\user\AppData\Local\r1aQ\EhStorAuthn.exe	Code function: 36_2_00007FF6F23211E0	36_2_00007FF6F23211E0
Source: C:\Users\user\AppData\Local\VgY\mstsc.exe	Code function: 41_2_00007FF657D464DC	41_2_00007FF657D464DC
Source: C:\Users\user\AppData\Local\VgY\mstsc.exe	Code function: 41_2_00007FF657D484C0	41_2_00007FF657D484C0
Source: C:\Users\user\AppData\Local\VgY\mstsc.exe	Code function: 41_2_00007FF657D4A858	41_2_00007FF657D4A858
Source: C:\Users\user\AppData\Local\VgY\mstsc.exe	Code function: 41_2_00007FF657D48060	41_2_00007FF657D48060
Source: C:\Users\user\AppData\Local\VgY\mstsc.exe	Code function: 41_2_00007FF657D35410	41_2_00007FF657D35410
Source: C:\Users\user\AppData\Local\VgY\mstsc.exe	Code function: 41_2_00007FF657D477C0	41_2_00007FF657D477C0
Source: C:\Users\user\AppData\Local\VgY\mstsc.exe	Code function: 41_2_00007FF657D36B94	41_2_00007FF657D36B94
Source: C:\Users\user\AppData\Local\VgY\mstsc.exe	Code function: 41_2_00007FF657D74320	41_2_00007FF657D74320
Source: C:\Users\user\AppData\Local\VgY\mstsc.exe	Code function: 41_2_00007FF657D512E0	41_2_00007FF657D512E0
Source: C:\Users\user\AppData\Local\VgY\mstsc.exe	Code function: 41_2_00007FF657D34EC4	41_2_00007FF657D34EC4
Source: C:\Users\user\AppData\Local\VgY\mstsc.exe	Code function: 41_2_00007FF657D4EAB4	41_2_00007FF657D4EAB4
Source: C:\Users\user\AppData\Local\VgY\mstsc.exe	Code function: 41_2_00007FF657DC1690	41_2_00007FF657DC1690
Source: C:\Users\user\AppData\Local\VgY\mstsc.exe	Code function: 41_2_00007FF657D3DA8C	41_2_00007FF657D3DA8C
Source: C:\Users\user\AppData\Local\VgY\mstsc.exe	Code function: 41_2_00007FF657D4CE08	41_2_00007FF657D4CE08
Source: C:\Users\user\AppData\Local\VgY\mstsc.exe	Code function: 41_2_00007FF657D435EC	41_2_00007FF657D435EC
Source: C:\Users\user\AppData\Local\VgY\mstsc.exe	Code function: 41_2_00007FF657D48DF0	41_2_00007FF657D48DF0
Source: C:\Users\user\AppData\Local\VgY\mstsc.exe	Code function: 41_2_00007FF657D439A0	41_2_00007FF657D439A0

Found potential string decryption / allocating functions

Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe	Code function: String function: 00007FF7BC81CA8C appears 41 times
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe	Code function: String function: 00007FF7BC7DE9C4 appears 36 times
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe	Code function: String function: 00007FF7BC80D0A8 appears 57 times
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe	Code function: String function: 00007FF7BC7D3D44 appears 916 times
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe	Code function: String function: 00007FF7BC7D3B08 appears 48 times

Contains functionality to call native functions

Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_0000000140046C90 NtClose,	0_2_0000000140046C90
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_000000014006A4B0 NtQuerySystemInformation,	0_2_000000014006A4B0
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe	Code function: 24_2_00007FF7BC7DFFE8 GetFileAttributesW,SetFileAttributesW,CreateFileW,GetFileInformationByHandle,GetModuleHandleW,GetProcAddress,GetProcAddress,memset,GetFullPathNameW,HeapAlloc,RtlFreeHeap,_wcsicmp,FindClose,GetProcessHeap,HeapFree,GetLastError,GetLastError,NtSetInformationFile,RtlNtStatusToDosError,CloseHandle,SetFileAttributesW,GetProcessHeap,HeapFree,GetLastError,GetLastError,GetProcessHeap,HeapFree,SetLastError,	24_2_00007FF7BC7DFFE8
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe	Code function: 24_2_00007FF7BC81A090 CreateFileW,GetLastError,GetProcessHeap,HeapAlloc,NtQueryInformationFile,NtOpenProcess,NtQueryInformationProcess,GetProcessHeap,HeapAlloc,NtQueryInformationProcess,NtClose,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,CloseHandle,GetProcessHeap,HeapFree,	24_2_00007FF7BC81A090
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe	Code function: 24_2_00007FF7BC81A9C8 memset,CreateFileW,NtClose,	24_2_00007FF7BC81A9C8
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe	Code function: 24_2_00007FF7BC81B964 memset,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapAlloc,FindFirstFileW,GetLastError,GetLastError,_wcsicmp,_wcsicmp,GetLastError,GetCurrentThread,NtQueryInformationThread,FindNextFileW,GetLastError,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,FindClose,SetLastError,	24_2_00007FF7BC81B964
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe	Code function: 24_2_00007FF7BC81A984 NtReadFile,	24_2_00007FF7BC81A984
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe	Code function: 24_2_00007FF7BC81AAFC GetLastError,GetLastError,GetLastError,GetLastError,GetProcessHeap,HeapFree,GetLastError,GetLastError,RtlImageNtHeader,GetLastError,GetLastError,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetLastError,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,CreateFileW,GetLastError,GetLastError,GetLastError,GetLastError,GetLastError,GetLastError,GetProcessHeap,HeapAlloc,memset,WriteFile,GetLastError,GetProcessHeap,HeapFree,NtClose,GetLastError,GetLastError,GetLastError,GetLastError,GetLastError,SetLastError,GetLastError,GetLastError,GetLastError,GetLastError,GetLastError,GetLastError,GetLastError,GetLastError,FlushFileBuffers,GetLastError,CloseHandle,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,SetLastError,	24_2_00007FF7BC81AAFC
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe	Code function: 24_2_00007FF7BC819B58 memset,NtWriteFile,NtReadFile,NtWriteFile,NtWriteFile,NtWriteFile,	24_2_00007FF7BC819B58
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe	Code function: 24_2_00007FF7BC855C64 NtShutdownSystem,InitiateSystemShutdownExW,GetLastError,	24_2_00007FF7BC855C64
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe	Code function: 24_2_00007FF7BC81C56C NtQuerySystemInformation,	24_2_00007FF7BC81C56C
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe	Code function: 24_2_00007FF7BC7D273C memset,memset,GetFileAttributesW,GetProcessHeap,HeapFree,GetFileAttributesW,memset,GetSystemWindowsDirectoryW,GetLastError,GetProcessHeap,HeapFree,GetFileAttributesW,GetFileAttributesW,GetProcessHeap,HeapFree,GetFileAttributesW,GetProcessHeap,HeapFree,GetFileAttributesW,GetFileAttributesW,GetProcessHeap,HeapFree,GetFileAttributesW,memset,GetSystemWindowsDirectoryW,GetLastError,GetProcessHeap,HeapAlloc,GetFileAttributesW,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,SetEvent,NtPowerInformation,PowerCreateRequest,PowerSetRequest,PowerSetRequest,SetThreadExecutionState,memset,GetSystemWindowsDirectoryW,GetLastError,SetThreadExecutionState,PowerClearRequest,CloseHandle,SetEvent,GetProcessHeap,HeapFree,	24_2_00007FF7BC7D273C
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe	Code function: 24_2_00007FF7BC84E3E0 memset,RtlGetVersion,GetCurrentProcess,SetPriorityClass,GetLastError,NtSetInformationProcess,NtSetInformationThread,NtSetInformationProcess,NtSetInformationThread,	24_2_00007FF7BC84E3E0
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe	Code function: 24_2_00007FF7BC812350 memset,memset,NtQuerySystemInformation,GetProcessHeap,HeapFree,GetLastError,SetLastError,memset,CoTaskMemFree,CoTaskMemFree,CoTaskMemFree,CoTaskMemFree,CoTaskMemFree,memset,CoTaskMemFree,CoTaskMemFree,CoTaskMemFree,CoTaskMemFree,CoTaskMemFree,memset,UuidCreate,CoTaskMemFree,CoTaskMemFree,CoTaskMemFree,CoTaskMemFree,CoTaskMemFree,CoTaskMemFree,CoTaskMemFree,	24_2_00007FF7BC812350
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe	Code function: 24_2_00007FF7BC81A38C GetCurrentThread,NtQueryInformationThread,GetCurrentThread,NtSetInformationThread,	24_2_00007FF7BC81A38C

Contains functionality to communicate with device drivers

Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe

Code function: 24_2_00007FF7BC80FE20: SetLastError,GetProcessHeap,HeapAlloc,DeviceIoControl,GetLastError,GetProcessHeap,HeapFree,SetLastError,

24_2_00007FF7BC80FE20

PE file contains strange resources

Source: RecoveryDrive.exe.4.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: RecoveryDrive.exe.4.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: RecoveryDrive.exe.4.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: SndVol.exe.4.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: SndVol.exe.4.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: SndVol.exe.4.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: SndVol.exe.4.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: SndVol.exe.4.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: SndVol.exe.4.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: SndVol.exe.4.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: SndVol.exe.4.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: SndVol.exe.4.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: EhStorAuthn.exe.4.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: EhStorAuthn.exe.4.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: EhStorAuthn.exe.4.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: EhStorAuthn.exe.4.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: EhStorAuthn.exe.4.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: mstsc.exe.4.dr	Static PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
Source: mstsc.exe.4.dr	Static PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
Source: mstsc.exe.4.dr	Static PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
Source: mstsc.exe.4.dr	Static PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
Source: mstsc.exe.4.dr	Static PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
Source: mstsc.exe.4.dr	Static PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
Source: mstsc.exe.4.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: mstsc.exe.4.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: mstsc.exe.4.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: mstsc.exe.4.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: mstsc.exe.4.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: mstsc.exe.4.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: mstsc.exe.4.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: mstsc.exe.4.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: mstsc.exe.4.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: mstsc.exe.4.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: mstsc.exe.4.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: Magnify.exe.4.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: Magnify.exe.4.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: Magnify.exe.4.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST

Tries to load missing DLLs

Source: C:\Windows\explorer.exe

Section loaded: windows.globalization.dll

Jump to behavior

PE file contains more sections than normal

Source: A2qAaSVuU2.dll	Static PE information: Number of sections : 58 > 10
Source: DUI70.dll.4.dr	Static PE information: Number of sections : 59 > 10
Source: UxTheme.dll0.4.dr	Static PE information: Number of sections : 59 > 10
Source: Secur32.dll.4.dr	Static PE information: Number of sections : 59 > 10
Source: ReAgent.dll.4.dr	Static PE information: Number of sections : 59 > 10
Source: WINSTA.dll.4.dr	Static PE information: Number of sections : 59 > 10
Source: XmlLite.dll.4.dr	Static PE information: Number of sections : 59 > 10
Source: OLEACC.dll.4.dr	Static PE information: Number of sections : 59 > 10
Source: UxTheme.dll.4.dr	Static PE information: Number of sections : 59 > 10

Source: A2qAaSVuU2.dll	Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: DUI70.dll.4.dr	Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: ReAgent.dll.4.dr	Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: XmlLite.dll.4.dr	Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: UxTheme.dll.4.dr	Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: UxTheme.dll0.4.dr	Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: Secur32.dll.4.dr	Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: WINSTA.dll.4.dr	Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: OLEACC.dll.4.dr	Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: A2qAaSVuU2.dll	Virustotal: Detection: 64%
Source: A2qAaSVuU2.dll	Metadefender: Detection: 62%
Source: A2qAaSVuU2.dll	ReversingLabs: Detection: 84%

Source: A2qAaSVuU2.dll

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Windows\System32\loaddll64.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Windows\System32\loaddll64.exe loaddll64.exe 'C:\Users\user\Desktop\A2qAaSVuU2.dll'
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\cmd.exe cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\A2qAaSVuU2.dll',#1
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\A2qAaSVuU2.dll,DpxFreeMemory
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\A2qAaSVuU2.dll',#1
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\A2qAaSVuU2.dll,DpxNewJob
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\A2qAaSVuU2.dll,DpxNewJobEx
Source: C:\Windows\explorer.exe	Process created: C:\Windows\System32\SysResetErr.exe C:\Windows\system32\SysResetErr.exe
Source: C:\Windows\explorer.exe	Process created: C:\Users\user\AppData\Local\AxQmthi0\SysResetErr.exe C:\Users\user\AppData\Local\AxQmthi0\SysResetErr.exe
Source: C:\Windows\explorer.exe	Process created: C:\Windows\System32\RecoveryDrive.exe C:\Windows\system32\RecoveryDrive.exe
Source: C:\Windows\explorer.exe	Process created: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe
Source: C:\Windows\explorer.exe	Process created: C:\Windows\System32\MusNotificationUx.exe C:\Windows\system32\MusNotificationUx.exe
Source: C:\Windows\explorer.exe	Process created: C:\Users\user\AppData\Local\FQTqHJ\MusNotificationUx.exe C:\Users\user\AppData\Local\FQTqHJ\MusNotificationUx.exe
Source: C:\Windows\explorer.exe	Process created: C:\Windows\System32\SndVol.exe C:\Windows\system32\SndVol.exe
Source: C:\Windows\explorer.exe	Process created: C:\Users\user\AppData\Local\QiP6c\SndVol.exe C:\Users\user\AppData\Local\QiP6c\SndVol.exe
Source: C:\Windows\explorer.exe	Process created: C:\Windows\System32\EhStorAuthn.exe C:\Windows\system32\EhStorAuthn.exe
Source: C:\Windows\explorer.exe	Process created: C:\Users\user\AppData\Local\r1aQ\EhStorAuthn.exe C:\Users\user\AppData\Local\r1aQ\EhStorAuthn.exe
Source: C:\Windows\explorer.exe	Process created: C:\Windows\System32\mstsc.exe C:\Windows\system32\mstsc.exe
Source: C:\Windows\explorer.exe	Process created: C:\Users\user\AppData\Local\VgY\mstsc.exe C:\Users\user\AppData\Local\VgY\mstsc.exe
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\cmd.exe cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\A2qAaSVuU2.dll',#1	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\A2qAaSVuU2.dll,DpxFreeMemory	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\A2qAaSVuU2.dll,DpxNewJob	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\A2qAaSVuU2.dll,DpxNewJobEx	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\A2qAaSVuU2.dll',#1	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: C:\Windows\System32\SysResetErr.exe C:\Windows\system32\SysResetErr.exe	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: C:\Users\user\AppData\Local\AxQmthi0\SysResetErr.exe C:\Users\user\AppData\Local\AxQmthi0\SysResetErr.exe	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: C:\Windows\System32\RecoveryDrive.exe C:\Windows\system32\RecoveryDrive.exe	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: C:\Windows\System32\MusNotificationUx.exe C:\Windows\system32\MusNotificationUx.exe	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: C:\Users\user\AppData\Local\FQTqHJ\MusNotificationUx.exe C:\Users\user\AppData\Local\FQTqHJ\MusNotificationUx.exe	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: C:\Windows\System32\SndVol.exe C:\Windows\system32\SndVol.exe	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: C:\Users\user\AppData\Local\QiP6c\SndVol.exe C:\Users\user\AppData\Local\QiP6c\SndVol.exe	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: C:\Windows\System32\EhStorAuthn.exe C:\Windows\system32\EhStorAuthn.exe	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: C:\Users\user\AppData\Local\r1aQ\EhStorAuthn.exe C:\Users\user\AppData\Local\r1aQ\EhStorAuthn.exe	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: C:\Windows\System32\mstsc.exe C:\Windows\system32\mstsc.exe	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: C:\Users\user\AppData\Local\VgY\mstsc.exe C:\Users\user\AppData\Local\VgY\mstsc.exe	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: unknown unknown	Jump to behavior

Source: C:\Windows\explorer.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32

Jump to behavior

Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe	Code function: 24_2_00007FF7BC81CBF0 GetCurrentThread,OpenThreadToken,GetLastError,GetProcessHeap,HeapAlloc,AdjustTokenPrivileges,GetLastError,GetProcessHeap,HeapFree,GetProcessHeap,HeapAlloc,AdjustTokenPrivileges,GetLastError,CloseHandle,GetProcessHeap,HeapFree,SetLastError,	24_2_00007FF7BC81CBF0
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe	Code function: 24_2_00007FF7BC816644 GetCurrentThread,OpenThreadToken,GetLastError,GetCurrentProcess,OpenProcessToken,GetLastError,DuplicateTokenEx,GetLastError,AdjustTokenPrivileges,SetThreadToken,CloseHandle,CloseHandle,	24_2_00007FF7BC816644
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe	Code function: 24_2_00007FF7BC811900 AdjustTokenPrivileges,GetLastError,CloseHandle,	24_2_00007FF7BC811900
Source: C:\Users\user\AppData\Local\FQTqHJ\MusNotificationUx.exe	Code function: 29_2_00007FF618B16588 GetCurrentProcess,OpenProcessToken,AdjustTokenPrivileges,GetLastError,CloseHandle,	29_2_00007FF618B16588

Source: C:\Windows\explorer.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Crypto

Jump to behavior

Source: classification engine

Classification label: mal100.troj.evad.winDLL@40/17@1/0

Source: C:\Users\user\AppData\Local\AxQmthi0\SysResetErr.exe

21_2_00007FF727F81424

Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe

Code function: 24_2_00007FF7BC855070 FormatMessageW,GetLastError,LocalFree,SysFreeString,LeaveCriticalSection,

24_2_00007FF7BC855070

Source: C:\Windows\System32\loaddll64.exe

Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\A2qAaSVuU2.dll,DpxFreeMemory

Source: C:\Users\user\AppData\Local\VgY\mstsc.exe	Mutant created: \Sessions\1\BaseNamedObjects\{79834223-9b8b-fb74-ddfa-b0860ef73558}
Source: C:\Users\user\AppData\Local\VgY\mstsc.exe	Mutant created: \Sessions\1\BaseNamedObjects\{e1b7b966-7536-5d87-307b-f7b104c280aa}

Source: C:\Users\user\AppData\Local\AxQmthi0\SysResetErr.exe

Code function: 21_2_00007FF727F82128 LoadResource,LockResource,SizeofResource,

21_2_00007FF727F82128

Source: A2qAaSVuU2.dll

Static PE information: Image base 0x140000000 > 0x60000000

Source: A2qAaSVuU2.dll

Static file information: File size 2232320 > 1048576

Source: A2qAaSVuU2.dll

Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA

Source:	Binary string: SndVol.pdbGCTL source: SndVol.exe, 00000022.00000002.478682807.00007FF74A7C2000.00000002.00020000.sdmp
Source:	Binary string: RecoveryDrive.pdbGCTL source: RecoveryDrive.exe, 00000018.00000000.393437519.00007FF7BC85C000.00000002.00020000.sdmp
Source:	Binary string: EhStorAuthn.pdbGCTL source: EhStorAuthn.exe, 00000024.00000000.479708302.00007FF6F232B000.00000002.00020000.sdmp
Source:	Binary string: MusNotificationUx.pdb source: MusNotificationUx.exe, 0000001D.00000000.420648066.00007FF618B1E000.00000002.00020000.sdmp
Source:	Binary string: SysResetErr.pdb source: SysResetErr.exe, 00000015.00000000.365066669.00007FF727F86000.00000002.00020000.sdmp
Source:	Binary string: MusNotificationUx.pdbGCTL source: MusNotificationUx.exe, 0000001D.00000000.420648066.00007FF618B1E000.00000002.00020000.sdmp
Source:	Binary string: EhStorAuthn.pdb source: EhStorAuthn.exe, 00000024.00000000.479708302.00007FF6F232B000.00000002.00020000.sdmp
Source:	Binary string: RecoveryDrive.pdb source: RecoveryDrive.exe, 00000018.00000000.393437519.00007FF7BC85C000.00000002.00020000.sdmp
Source:	Binary string: SndVol.pdb source: SndVol.exe, 00000022.00000002.478682807.00007FF74A7C2000.00000002.00020000.sdmp
Source:	Binary string: SysResetErr.pdbGCTL source: SysResetErr.exe, 00000015.00000000.365066669.00007FF727F86000.00000002.00020000.sdmp

Data Obfuscation:

Uses code obfuscation techniques (call, push, ret)

Source: C:\Windows\System32\loaddll64.exe

Code function: 0_2_0000000140056A4D push rdi; ret

0_2_0000000140056A4E

PE file contains sections with non-standard names

Source: A2qAaSVuU2.dll	Static PE information: section name: .qkm
Source: A2qAaSVuU2.dll	Static PE information: section name: .cvjb
Source: A2qAaSVuU2.dll	Static PE information: section name: .tlmkv
Source: A2qAaSVuU2.dll	Static PE information: section name: .wucsxe
Source: A2qAaSVuU2.dll	Static PE information: section name: .fltwtj
Source: A2qAaSVuU2.dll	Static PE information: section name: .sfplio
Source: A2qAaSVuU2.dll	Static PE information: section name: .rpg
Source: A2qAaSVuU2.dll	Static PE information: section name: .bewzc
Source: A2qAaSVuU2.dll	Static PE information: section name: .vksvaw
Source: A2qAaSVuU2.dll	Static PE information: section name: .wmhg
Source: A2qAaSVuU2.dll	Static PE information: section name: .kswemc
Source: A2qAaSVuU2.dll	Static PE information: section name: .kaxfk
Source: A2qAaSVuU2.dll	Static PE information: section name: .wualk
Source: A2qAaSVuU2.dll	Static PE information: section name: .qdxz
Source: A2qAaSVuU2.dll	Static PE information: section name: .rkyg
Source: A2qAaSVuU2.dll	Static PE information: section name: .psul
Source: A2qAaSVuU2.dll	Static PE information: section name: .pyjm
Source: A2qAaSVuU2.dll	Static PE information: section name: .eoadme
Source: A2qAaSVuU2.dll	Static PE information: section name: .fnz
Source: A2qAaSVuU2.dll	Static PE information: section name: .gwheg
Source: A2qAaSVuU2.dll	Static PE information: section name: .fcd
Source: A2qAaSVuU2.dll	Static PE information: section name: .dwk
Source: A2qAaSVuU2.dll	Static PE information: section name: .hgy
Source: A2qAaSVuU2.dll	Static PE information: section name: .nfm
Source: A2qAaSVuU2.dll	Static PE information: section name: .qmfqd
Source: A2qAaSVuU2.dll	Static PE information: section name: .buzyfh
Source: A2qAaSVuU2.dll	Static PE information: section name: .towo
Source: A2qAaSVuU2.dll	Static PE information: section name: .omwdbg
Source: A2qAaSVuU2.dll	Static PE information: section name: .virw
Source: A2qAaSVuU2.dll	Static PE information: section name: .bck
Source: A2qAaSVuU2.dll	Static PE information: section name: .mbhfb
Source: A2qAaSVuU2.dll	Static PE information: section name: .kix
Source: A2qAaSVuU2.dll	Static PE information: section name: .gurzs
Source: A2qAaSVuU2.dll	Static PE information: section name: .dzdoj
Source: A2qAaSVuU2.dll	Static PE information: section name: .egret
Source: A2qAaSVuU2.dll	Static PE information: section name: .ftpyc
Source: A2qAaSVuU2.dll	Static PE information: section name: .qrc
Source: A2qAaSVuU2.dll	Static PE information: section name: .tnnx
Source: A2qAaSVuU2.dll	Static PE information: section name: .vsjhk
Source: A2qAaSVuU2.dll	Static PE information: section name: .fmswwe
Source: A2qAaSVuU2.dll	Static PE information: section name: .zfhn
Source: A2qAaSVuU2.dll	Static PE information: section name: .ejdgrp
Source: A2qAaSVuU2.dll	Static PE information: section name: .soyat
Source: A2qAaSVuU2.dll	Static PE information: section name: .jlil
Source: A2qAaSVuU2.dll	Static PE information: section name: .bojgf
Source: A2qAaSVuU2.dll	Static PE information: section name: .gvsnik
Source: A2qAaSVuU2.dll	Static PE information: section name: .lsc
Source: A2qAaSVuU2.dll	Static PE information: section name: .uepvem
Source: A2qAaSVuU2.dll	Static PE information: section name: .don
Source: A2qAaSVuU2.dll	Static PE information: section name: .dqju
Source: A2qAaSVuU2.dll	Static PE information: section name: .qmgrql
Source: A2qAaSVuU2.dll	Static PE information: section name: .cjrd
Source: SysResetErr.exe.4.dr	Static PE information: section name: .imrsiv
Source: MusNotificationUx.exe.4.dr	Static PE information: section name: .imrsiv
Source: MusNotificationUx.exe.4.dr	Static PE information: section name: .didat
Source: SndVol.exe.4.dr	Static PE information: section name: .imrsiv
Source: SndVol.exe.4.dr	Static PE information: section name: .didat
Source: mstsc.exe.4.dr	Static PE information: section name: .didat
Source: DisplaySwitch.exe.4.dr	Static PE information: section name: .imrsiv
Source: DUI70.dll.4.dr	Static PE information: section name: .qkm
Source: DUI70.dll.4.dr	Static PE information: section name: .cvjb
Source: DUI70.dll.4.dr	Static PE information: section name: .tlmkv
Source: DUI70.dll.4.dr	Static PE information: section name: .wucsxe
Source: DUI70.dll.4.dr	Static PE information: section name: .fltwtj
Source: DUI70.dll.4.dr	Static PE information: section name: .sfplio
Source: DUI70.dll.4.dr	Static PE information: section name: .rpg
Source: DUI70.dll.4.dr	Static PE information: section name: .bewzc
Source: DUI70.dll.4.dr	Static PE information: section name: .vksvaw
Source: DUI70.dll.4.dr	Static PE information: section name: .wmhg
Source: DUI70.dll.4.dr	Static PE information: section name: .kswemc
Source: DUI70.dll.4.dr	Static PE information: section name: .kaxfk
Source: DUI70.dll.4.dr	Static PE information: section name: .wualk
Source: DUI70.dll.4.dr	Static PE information: section name: .qdxz
Source: DUI70.dll.4.dr	Static PE information: section name: .rkyg
Source: DUI70.dll.4.dr	Static PE information: section name: .psul
Source: DUI70.dll.4.dr	Static PE information: section name: .pyjm
Source: DUI70.dll.4.dr	Static PE information: section name: .eoadme
Source: DUI70.dll.4.dr	Static PE information: section name: .fnz
Source: DUI70.dll.4.dr	Static PE information: section name: .gwheg
Source: DUI70.dll.4.dr	Static PE information: section name: .fcd
Source: DUI70.dll.4.dr	Static PE information: section name: .dwk
Source: DUI70.dll.4.dr	Static PE information: section name: .hgy
Source: DUI70.dll.4.dr	Static PE information: section name: .nfm
Source: DUI70.dll.4.dr	Static PE information: section name: .qmfqd
Source: DUI70.dll.4.dr	Static PE information: section name: .buzyfh
Source: DUI70.dll.4.dr	Static PE information: section name: .towo
Source: DUI70.dll.4.dr	Static PE information: section name: .omwdbg
Source: DUI70.dll.4.dr	Static PE information: section name: .virw
Source: DUI70.dll.4.dr	Static PE information: section name: .bck
Source: DUI70.dll.4.dr	Static PE information: section name: .mbhfb
Source: DUI70.dll.4.dr	Static PE information: section name: .kix
Source: DUI70.dll.4.dr	Static PE information: section name: .gurzs
Source: DUI70.dll.4.dr	Static PE information: section name: .dzdoj
Source: DUI70.dll.4.dr	Static PE information: section name: .egret
Source: DUI70.dll.4.dr	Static PE information: section name: .ftpyc
Source: DUI70.dll.4.dr	Static PE information: section name: .qrc
Source: DUI70.dll.4.dr	Static PE information: section name: .tnnx
Source: DUI70.dll.4.dr	Static PE information: section name: .vsjhk
Source: DUI70.dll.4.dr	Static PE information: section name: .fmswwe
Source: DUI70.dll.4.dr	Static PE information: section name: .zfhn
Source: DUI70.dll.4.dr	Static PE information: section name: .ejdgrp
Source: DUI70.dll.4.dr	Static PE information: section name: .soyat
Source: DUI70.dll.4.dr	Static PE information: section name: .jlil
Source: DUI70.dll.4.dr	Static PE information: section name: .bojgf
Source: DUI70.dll.4.dr	Static PE information: section name: .gvsnik
Source: DUI70.dll.4.dr	Static PE information: section name: .lsc
Source: DUI70.dll.4.dr	Static PE information: section name: .uepvem
Source: DUI70.dll.4.dr	Static PE information: section name: .don
Source: DUI70.dll.4.dr	Static PE information: section name: .dqju
Source: DUI70.dll.4.dr	Static PE information: section name: .qmgrql
Source: DUI70.dll.4.dr	Static PE information: section name: .cjrd
Source: DUI70.dll.4.dr	Static PE information: section name: .qnro
Source: ReAgent.dll.4.dr	Static PE information: section name: .qkm
Source: ReAgent.dll.4.dr	Static PE information: section name: .cvjb
Source: ReAgent.dll.4.dr	Static PE information: section name: .tlmkv
Source: ReAgent.dll.4.dr	Static PE information: section name: .wucsxe
Source: ReAgent.dll.4.dr	Static PE information: section name: .fltwtj
Source: ReAgent.dll.4.dr	Static PE information: section name: .sfplio
Source: ReAgent.dll.4.dr	Static PE information: section name: .rpg
Source: ReAgent.dll.4.dr	Static PE information: section name: .bewzc
Source: ReAgent.dll.4.dr	Static PE information: section name: .vksvaw
Source: ReAgent.dll.4.dr	Static PE information: section name: .wmhg
Source: ReAgent.dll.4.dr	Static PE information: section name: .kswemc
Source: ReAgent.dll.4.dr	Static PE information: section name: .kaxfk
Source: ReAgent.dll.4.dr	Static PE information: section name: .wualk
Source: ReAgent.dll.4.dr	Static PE information: section name: .qdxz
Source: ReAgent.dll.4.dr	Static PE information: section name: .rkyg
Source: ReAgent.dll.4.dr	Static PE information: section name: .psul
Source: ReAgent.dll.4.dr	Static PE information: section name: .pyjm
Source: ReAgent.dll.4.dr	Static PE information: section name: .eoadme
Source: ReAgent.dll.4.dr	Static PE information: section name: .fnz
Source: ReAgent.dll.4.dr	Static PE information: section name: .gwheg
Source: ReAgent.dll.4.dr	Static PE information: section name: .fcd
Source: ReAgent.dll.4.dr	Static PE information: section name: .dwk
Source: ReAgent.dll.4.dr	Static PE information: section name: .hgy
Source: ReAgent.dll.4.dr	Static PE information: section name: .nfm
Source: ReAgent.dll.4.dr	Static PE information: section name: .qmfqd
Source: ReAgent.dll.4.dr	Static PE information: section name: .buzyfh
Source: ReAgent.dll.4.dr	Static PE information: section name: .towo
Source: ReAgent.dll.4.dr	Static PE information: section name: .omwdbg
Source: ReAgent.dll.4.dr	Static PE information: section name: .virw
Source: ReAgent.dll.4.dr	Static PE information: section name: .bck
Source: ReAgent.dll.4.dr	Static PE information: section name: .mbhfb
Source: ReAgent.dll.4.dr	Static PE information: section name: .kix
Source: ReAgent.dll.4.dr	Static PE information: section name: .gurzs
Source: ReAgent.dll.4.dr	Static PE information: section name: .dzdoj
Source: ReAgent.dll.4.dr	Static PE information: section name: .egret
Source: ReAgent.dll.4.dr	Static PE information: section name: .ftpyc
Source: ReAgent.dll.4.dr	Static PE information: section name: .qrc
Source: ReAgent.dll.4.dr	Static PE information: section name: .tnnx
Source: ReAgent.dll.4.dr	Static PE information: section name: .vsjhk
Source: ReAgent.dll.4.dr	Static PE information: section name: .fmswwe
Source: ReAgent.dll.4.dr	Static PE information: section name: .zfhn
Source: ReAgent.dll.4.dr	Static PE information: section name: .ejdgrp
Source: ReAgent.dll.4.dr	Static PE information: section name: .soyat
Source: ReAgent.dll.4.dr	Static PE information: section name: .jlil
Source: ReAgent.dll.4.dr	Static PE information: section name: .bojgf
Source: ReAgent.dll.4.dr	Static PE information: section name: .gvsnik
Source: ReAgent.dll.4.dr	Static PE information: section name: .lsc
Source: ReAgent.dll.4.dr	Static PE information: section name: .uepvem
Source: ReAgent.dll.4.dr	Static PE information: section name: .don
Source: ReAgent.dll.4.dr	Static PE information: section name: .dqju
Source: ReAgent.dll.4.dr	Static PE information: section name: .qmgrql
Source: ReAgent.dll.4.dr	Static PE information: section name: .cjrd
Source: ReAgent.dll.4.dr	Static PE information: section name: .lkgno
Source: XmlLite.dll.4.dr	Static PE information: section name: .qkm
Source: XmlLite.dll.4.dr	Static PE information: section name: .cvjb
Source: XmlLite.dll.4.dr	Static PE information: section name: .tlmkv
Source: XmlLite.dll.4.dr	Static PE information: section name: .wucsxe
Source: XmlLite.dll.4.dr	Static PE information: section name: .fltwtj
Source: XmlLite.dll.4.dr	Static PE information: section name: .sfplio
Source: XmlLite.dll.4.dr	Static PE information: section name: .rpg
Source: XmlLite.dll.4.dr	Static PE information: section name: .bewzc
Source: XmlLite.dll.4.dr	Static PE information: section name: .vksvaw
Source: XmlLite.dll.4.dr	Static PE information: section name: .wmhg
Source: XmlLite.dll.4.dr	Static PE information: section name: .kswemc
Source: XmlLite.dll.4.dr	Static PE information: section name: .kaxfk
Source: XmlLite.dll.4.dr	Static PE information: section name: .wualk
Source: XmlLite.dll.4.dr	Static PE information: section name: .qdxz
Source: XmlLite.dll.4.dr	Static PE information: section name: .rkyg
Source: XmlLite.dll.4.dr	Static PE information: section name: .psul
Source: XmlLite.dll.4.dr	Static PE information: section name: .pyjm
Source: XmlLite.dll.4.dr	Static PE information: section name: .eoadme
Source: XmlLite.dll.4.dr	Static PE information: section name: .fnz
Source: XmlLite.dll.4.dr	Static PE information: section name: .gwheg
Source: XmlLite.dll.4.dr	Static PE information: section name: .fcd
Source: XmlLite.dll.4.dr	Static PE information: section name: .dwk
Source: XmlLite.dll.4.dr	Static PE information: section name: .hgy
Source: XmlLite.dll.4.dr	Static PE information: section name: .nfm
Source: XmlLite.dll.4.dr	Static PE information: section name: .qmfqd
Source: XmlLite.dll.4.dr	Static PE information: section name: .buzyfh
Source: XmlLite.dll.4.dr	Static PE information: section name: .towo
Source: XmlLite.dll.4.dr	Static PE information: section name: .omwdbg
Source: XmlLite.dll.4.dr	Static PE information: section name: .virw
Source: XmlLite.dll.4.dr	Static PE information: section name: .bck
Source: XmlLite.dll.4.dr	Static PE information: section name: .mbhfb
Source: XmlLite.dll.4.dr	Static PE information: section name: .kix
Source: XmlLite.dll.4.dr	Static PE information: section name: .gurzs
Source: XmlLite.dll.4.dr	Static PE information: section name: .dzdoj
Source: XmlLite.dll.4.dr	Static PE information: section name: .egret
Source: XmlLite.dll.4.dr	Static PE information: section name: .ftpyc
Source: XmlLite.dll.4.dr	Static PE information: section name: .qrc
Source: XmlLite.dll.4.dr	Static PE information: section name: .tnnx
Source: XmlLite.dll.4.dr	Static PE information: section name: .vsjhk
Source: XmlLite.dll.4.dr	Static PE information: section name: .fmswwe
Source: XmlLite.dll.4.dr	Static PE information: section name: .zfhn
Source: XmlLite.dll.4.dr	Static PE information: section name: .ejdgrp
Source: XmlLite.dll.4.dr	Static PE information: section name: .soyat
Source: XmlLite.dll.4.dr	Static PE information: section name: .jlil
Source: XmlLite.dll.4.dr	Static PE information: section name: .bojgf
Source: XmlLite.dll.4.dr	Static PE information: section name: .gvsnik
Source: XmlLite.dll.4.dr	Static PE information: section name: .lsc
Source: XmlLite.dll.4.dr	Static PE information: section name: .uepvem
Source: XmlLite.dll.4.dr	Static PE information: section name: .don
Source: XmlLite.dll.4.dr	Static PE information: section name: .dqju
Source: XmlLite.dll.4.dr	Static PE information: section name: .qmgrql
Source: XmlLite.dll.4.dr	Static PE information: section name: .cjrd
Source: XmlLite.dll.4.dr	Static PE information: section name: .rntf
Source: UxTheme.dll.4.dr	Static PE information: section name: .qkm
Source: UxTheme.dll.4.dr	Static PE information: section name: .cvjb
Source: UxTheme.dll.4.dr	Static PE information: section name: .tlmkv
Source: UxTheme.dll.4.dr	Static PE information: section name: .wucsxe
Source: UxTheme.dll.4.dr	Static PE information: section name: .fltwtj
Source: UxTheme.dll.4.dr	Static PE information: section name: .sfplio
Source: UxTheme.dll.4.dr	Static PE information: section name: .rpg
Source: UxTheme.dll.4.dr	Static PE information: section name: .bewzc
Source: UxTheme.dll.4.dr	Static PE information: section name: .vksvaw
Source: UxTheme.dll.4.dr	Static PE information: section name: .wmhg
Source: UxTheme.dll.4.dr	Static PE information: section name: .kswemc
Source: UxTheme.dll.4.dr	Static PE information: section name: .kaxfk
Source: UxTheme.dll.4.dr	Static PE information: section name: .wualk
Source: UxTheme.dll.4.dr	Static PE information: section name: .qdxz
Source: UxTheme.dll.4.dr	Static PE information: section name: .rkyg
Source: UxTheme.dll.4.dr	Static PE information: section name: .psul
Source: UxTheme.dll.4.dr	Static PE information: section name: .pyjm
Source: UxTheme.dll.4.dr	Static PE information: section name: .eoadme
Source: UxTheme.dll.4.dr	Static PE information: section name: .fnz
Source: UxTheme.dll.4.dr	Static PE information: section name: .gwheg
Source: UxTheme.dll.4.dr	Static PE information: section name: .fcd
Source: UxTheme.dll.4.dr	Static PE information: section name: .dwk
Source: UxTheme.dll.4.dr	Static PE information: section name: .hgy
Source: UxTheme.dll.4.dr	Static PE information: section name: .nfm
Source: UxTheme.dll.4.dr	Static PE information: section name: .qmfqd
Source: UxTheme.dll.4.dr	Static PE information: section name: .buzyfh
Source: UxTheme.dll.4.dr	Static PE information: section name: .towo
Source: UxTheme.dll.4.dr	Static PE information: section name: .omwdbg
Source: UxTheme.dll.4.dr	Static PE information: section name: .virw
Source: UxTheme.dll.4.dr	Static PE information: section name: .bck
Source: UxTheme.dll.4.dr	Static PE information: section name: .mbhfb
Source: UxTheme.dll.4.dr	Static PE information: section name: .kix
Source: UxTheme.dll.4.dr	Static PE information: section name: .gurzs
Source: UxTheme.dll.4.dr	Static PE information: section name: .dzdoj
Source: UxTheme.dll.4.dr	Static PE information: section name: .egret
Source: UxTheme.dll.4.dr	Static PE information: section name: .ftpyc
Source: UxTheme.dll.4.dr	Static PE information: section name: .qrc
Source: UxTheme.dll.4.dr	Static PE information: section name: .tnnx
Source: UxTheme.dll.4.dr	Static PE information: section name: .vsjhk
Source: UxTheme.dll.4.dr	Static PE information: section name: .fmswwe
Source: UxTheme.dll.4.dr	Static PE information: section name: .zfhn
Source: UxTheme.dll.4.dr	Static PE information: section name: .ejdgrp
Source: UxTheme.dll.4.dr	Static PE information: section name: .soyat
Source: UxTheme.dll.4.dr	Static PE information: section name: .jlil
Source: UxTheme.dll.4.dr	Static PE information: section name: .bojgf
Source: UxTheme.dll.4.dr	Static PE information: section name: .gvsnik
Source: UxTheme.dll.4.dr	Static PE information: section name: .lsc
Source: UxTheme.dll.4.dr	Static PE information: section name: .uepvem
Source: UxTheme.dll.4.dr	Static PE information: section name: .don
Source: UxTheme.dll.4.dr	Static PE information: section name: .dqju
Source: UxTheme.dll.4.dr	Static PE information: section name: .qmgrql
Source: UxTheme.dll.4.dr	Static PE information: section name: .cjrd
Source: UxTheme.dll.4.dr	Static PE information: section name: .voxunw
Source: UxTheme.dll0.4.dr	Static PE information: section name: .qkm
Source: UxTheme.dll0.4.dr	Static PE information: section name: .cvjb
Source: UxTheme.dll0.4.dr	Static PE information: section name: .tlmkv
Source: UxTheme.dll0.4.dr	Static PE information: section name: .wucsxe
Source: UxTheme.dll0.4.dr	Static PE information: section name: .fltwtj
Source: UxTheme.dll0.4.dr	Static PE information: section name: .sfplio
Source: UxTheme.dll0.4.dr	Static PE information: section name: .rpg
Source: UxTheme.dll0.4.dr	Static PE information: section name: .bewzc
Source: UxTheme.dll0.4.dr	Static PE information: section name: .vksvaw
Source: UxTheme.dll0.4.dr	Static PE information: section name: .wmhg
Source: UxTheme.dll0.4.dr	Static PE information: section name: .kswemc
Source: UxTheme.dll0.4.dr	Static PE information: section name: .kaxfk
Source: UxTheme.dll0.4.dr	Static PE information: section name: .wualk
Source: UxTheme.dll0.4.dr	Static PE information: section name: .qdxz
Source: UxTheme.dll0.4.dr	Static PE information: section name: .rkyg
Source: UxTheme.dll0.4.dr	Static PE information: section name: .psul
Source: UxTheme.dll0.4.dr	Static PE information: section name: .pyjm
Source: UxTheme.dll0.4.dr	Static PE information: section name: .eoadme
Source: UxTheme.dll0.4.dr	Static PE information: section name: .fnz
Source: UxTheme.dll0.4.dr	Static PE information: section name: .gwheg
Source: UxTheme.dll0.4.dr	Static PE information: section name: .fcd
Source: UxTheme.dll0.4.dr	Static PE information: section name: .dwk
Source: UxTheme.dll0.4.dr	Static PE information: section name: .hgy
Source: UxTheme.dll0.4.dr	Static PE information: section name: .nfm
Source: UxTheme.dll0.4.dr	Static PE information: section name: .qmfqd
Source: UxTheme.dll0.4.dr	Static PE information: section name: .buzyfh
Source: UxTheme.dll0.4.dr	Static PE information: section name: .towo
Source: UxTheme.dll0.4.dr	Static PE information: section name: .omwdbg
Source: UxTheme.dll0.4.dr	Static PE information: section name: .virw
Source: UxTheme.dll0.4.dr	Static PE information: section name: .bck
Source: UxTheme.dll0.4.dr	Static PE information: section name: .mbhfb
Source: UxTheme.dll0.4.dr	Static PE information: section name: .kix
Source: UxTheme.dll0.4.dr	Static PE information: section name: .gurzs
Source: UxTheme.dll0.4.dr	Static PE information: section name: .dzdoj
Source: UxTheme.dll0.4.dr	Static PE information: section name: .egret
Source: UxTheme.dll0.4.dr	Static PE information: section name: .ftpyc
Source: UxTheme.dll0.4.dr	Static PE information: section name: .qrc
Source: UxTheme.dll0.4.dr	Static PE information: section name: .tnnx
Source: UxTheme.dll0.4.dr	Static PE information: section name: .vsjhk
Source: UxTheme.dll0.4.dr	Static PE information: section name: .fmswwe
Source: UxTheme.dll0.4.dr	Static PE information: section name: .zfhn
Source: UxTheme.dll0.4.dr	Static PE information: section name: .ejdgrp
Source: UxTheme.dll0.4.dr	Static PE information: section name: .soyat
Source: UxTheme.dll0.4.dr	Static PE information: section name: .jlil
Source: UxTheme.dll0.4.dr	Static PE information: section name: .bojgf
Source: UxTheme.dll0.4.dr	Static PE information: section name: .gvsnik
Source: UxTheme.dll0.4.dr	Static PE information: section name: .lsc
Source: UxTheme.dll0.4.dr	Static PE information: section name: .uepvem
Source: UxTheme.dll0.4.dr	Static PE information: section name: .don
Source: UxTheme.dll0.4.dr	Static PE information: section name: .dqju
Source: UxTheme.dll0.4.dr	Static PE information: section name: .qmgrql
Source: UxTheme.dll0.4.dr	Static PE information: section name: .cjrd
Source: UxTheme.dll0.4.dr	Static PE information: section name: .alzpqi
Source: Secur32.dll.4.dr	Static PE information: section name: .qkm
Source: Secur32.dll.4.dr	Static PE information: section name: .cvjb
Source: Secur32.dll.4.dr	Static PE information: section name: .tlmkv
Source: Secur32.dll.4.dr	Static PE information: section name: .wucsxe
Source: Secur32.dll.4.dr	Static PE information: section name: .fltwtj
Source: Secur32.dll.4.dr	Static PE information: section name: .sfplio
Source: Secur32.dll.4.dr	Static PE information: section name: .rpg
Source: Secur32.dll.4.dr	Static PE information: section name: .bewzc
Source: Secur32.dll.4.dr	Static PE information: section name: .vksvaw
Source: Secur32.dll.4.dr	Static PE information: section name: .wmhg
Source: Secur32.dll.4.dr	Static PE information: section name: .kswemc
Source: Secur32.dll.4.dr	Static PE information: section name: .kaxfk
Source: Secur32.dll.4.dr	Static PE information: section name: .wualk
Source: Secur32.dll.4.dr	Static PE information: section name: .qdxz
Source: Secur32.dll.4.dr	Static PE information: section name: .rkyg
Source: Secur32.dll.4.dr	Static PE information: section name: .psul
Source: Secur32.dll.4.dr	Static PE information: section name: .pyjm
Source: Secur32.dll.4.dr	Static PE information: section name: .eoadme
Source: Secur32.dll.4.dr	Static PE information: section name: .fnz
Source: Secur32.dll.4.dr	Static PE information: section name: .gwheg
Source: Secur32.dll.4.dr	Static PE information: section name: .fcd
Source: Secur32.dll.4.dr	Static PE information: section name: .dwk
Source: Secur32.dll.4.dr	Static PE information: section name: .hgy
Source: Secur32.dll.4.dr	Static PE information: section name: .nfm
Source: Secur32.dll.4.dr	Static PE information: section name: .qmfqd
Source: Secur32.dll.4.dr	Static PE information: section name: .buzyfh
Source: Secur32.dll.4.dr	Static PE information: section name: .towo
Source: Secur32.dll.4.dr	Static PE information: section name: .omwdbg
Source: Secur32.dll.4.dr	Static PE information: section name: .virw
Source: Secur32.dll.4.dr	Static PE information: section name: .bck
Source: Secur32.dll.4.dr	Static PE information: section name: .mbhfb
Source: Secur32.dll.4.dr	Static PE information: section name: .kix
Source: Secur32.dll.4.dr	Static PE information: section name: .gurzs
Source: Secur32.dll.4.dr	Static PE information: section name: .dzdoj
Source: Secur32.dll.4.dr	Static PE information: section name: .egret
Source: Secur32.dll.4.dr	Static PE information: section name: .ftpyc
Source: Secur32.dll.4.dr	Static PE information: section name: .qrc
Source: Secur32.dll.4.dr	Static PE information: section name: .tnnx
Source: Secur32.dll.4.dr	Static PE information: section name: .vsjhk
Source: Secur32.dll.4.dr	Static PE information: section name: .fmswwe
Source: Secur32.dll.4.dr	Static PE information: section name: .zfhn
Source: Secur32.dll.4.dr	Static PE information: section name: .ejdgrp
Source: Secur32.dll.4.dr	Static PE information: section name: .soyat
Source: Secur32.dll.4.dr	Static PE information: section name: .jlil
Source: Secur32.dll.4.dr	Static PE information: section name: .bojgf
Source: Secur32.dll.4.dr	Static PE information: section name: .gvsnik
Source: Secur32.dll.4.dr	Static PE information: section name: .lsc
Source: Secur32.dll.4.dr	Static PE information: section name: .uepvem
Source: Secur32.dll.4.dr	Static PE information: section name: .don
Source: Secur32.dll.4.dr	Static PE information: section name: .dqju
Source: Secur32.dll.4.dr	Static PE information: section name: .qmgrql
Source: Secur32.dll.4.dr	Static PE information: section name: .cjrd
Source: Secur32.dll.4.dr	Static PE information: section name: .gfkt
Source: WINSTA.dll.4.dr	Static PE information: section name: .qkm
Source: WINSTA.dll.4.dr	Static PE information: section name: .cvjb
Source: WINSTA.dll.4.dr	Static PE information: section name: .tlmkv
Source: WINSTA.dll.4.dr	Static PE information: section name: .wucsxe
Source: WINSTA.dll.4.dr	Static PE information: section name: .fltwtj
Source: WINSTA.dll.4.dr	Static PE information: section name: .sfplio
Source: WINSTA.dll.4.dr	Static PE information: section name: .rpg
Source: WINSTA.dll.4.dr	Static PE information: section name: .bewzc
Source: WINSTA.dll.4.dr	Static PE information: section name: .vksvaw
Source: WINSTA.dll.4.dr	Static PE information: section name: .wmhg
Source: WINSTA.dll.4.dr	Static PE information: section name: .kswemc
Source: WINSTA.dll.4.dr	Static PE information: section name: .kaxfk
Source: WINSTA.dll.4.dr	Static PE information: section name: .wualk
Source: WINSTA.dll.4.dr	Static PE information: section name: .qdxz
Source: WINSTA.dll.4.dr	Static PE information: section name: .rkyg
Source: WINSTA.dll.4.dr	Static PE information: section name: .psul
Source: WINSTA.dll.4.dr	Static PE information: section name: .pyjm
Source: WINSTA.dll.4.dr	Static PE information: section name: .eoadme
Source: WINSTA.dll.4.dr	Static PE information: section name: .fnz
Source: WINSTA.dll.4.dr	Static PE information: section name: .gwheg
Source: WINSTA.dll.4.dr	Static PE information: section name: .fcd
Source: WINSTA.dll.4.dr	Static PE information: section name: .dwk
Source: WINSTA.dll.4.dr	Static PE information: section name: .hgy
Source: WINSTA.dll.4.dr	Static PE information: section name: .nfm
Source: WINSTA.dll.4.dr	Static PE information: section name: .qmfqd
Source: WINSTA.dll.4.dr	Static PE information: section name: .buzyfh
Source: WINSTA.dll.4.dr	Static PE information: section name: .towo
Source: WINSTA.dll.4.dr	Static PE information: section name: .omwdbg
Source: WINSTA.dll.4.dr	Static PE information: section name: .virw
Source: WINSTA.dll.4.dr	Static PE information: section name: .bck
Source: WINSTA.dll.4.dr	Static PE information: section name: .mbhfb
Source: WINSTA.dll.4.dr	Static PE information: section name: .kix
Source: WINSTA.dll.4.dr	Static PE information: section name: .gurzs
Source: WINSTA.dll.4.dr	Static PE information: section name: .dzdoj
Source: WINSTA.dll.4.dr	Static PE information: section name: .egret
Source: WINSTA.dll.4.dr	Static PE information: section name: .ftpyc
Source: WINSTA.dll.4.dr	Static PE information: section name: .qrc
Source: WINSTA.dll.4.dr	Static PE information: section name: .tnnx
Source: WINSTA.dll.4.dr	Static PE information: section name: .vsjhk
Source: WINSTA.dll.4.dr	Static PE information: section name: .fmswwe
Source: WINSTA.dll.4.dr	Static PE information: section name: .zfhn
Source: WINSTA.dll.4.dr	Static PE information: section name: .ejdgrp
Source: WINSTA.dll.4.dr	Static PE information: section name: .soyat
Source: WINSTA.dll.4.dr	Static PE information: section name: .jlil
Source: WINSTA.dll.4.dr	Static PE information: section name: .bojgf
Source: WINSTA.dll.4.dr	Static PE information: section name: .gvsnik
Source: WINSTA.dll.4.dr	Static PE information: section name: .lsc
Source: WINSTA.dll.4.dr	Static PE information: section name: .uepvem
Source: WINSTA.dll.4.dr	Static PE information: section name: .don
Source: WINSTA.dll.4.dr	Static PE information: section name: .dqju
Source: WINSTA.dll.4.dr	Static PE information: section name: .qmgrql
Source: WINSTA.dll.4.dr	Static PE information: section name: .cjrd
Source: WINSTA.dll.4.dr	Static PE information: section name: .tfmzf
Source: OLEACC.dll.4.dr	Static PE information: section name: .qkm
Source: OLEACC.dll.4.dr	Static PE information: section name: .cvjb
Source: OLEACC.dll.4.dr	Static PE information: section name: .tlmkv
Source: OLEACC.dll.4.dr	Static PE information: section name: .wucsxe
Source: OLEACC.dll.4.dr	Static PE information: section name: .fltwtj
Source: OLEACC.dll.4.dr	Static PE information: section name: .sfplio
Source: OLEACC.dll.4.dr	Static PE information: section name: .rpg
Source: OLEACC.dll.4.dr	Static PE information: section name: .bewzc
Source: OLEACC.dll.4.dr	Static PE information: section name: .vksvaw
Source: OLEACC.dll.4.dr	Static PE information: section name: .wmhg
Source: OLEACC.dll.4.dr	Static PE information: section name: .kswemc
Source: OLEACC.dll.4.dr	Static PE information: section name: .kaxfk
Source: OLEACC.dll.4.dr	Static PE information: section name: .wualk
Source: OLEACC.dll.4.dr	Static PE information: section name: .qdxz
Source: OLEACC.dll.4.dr	Static PE information: section name: .rkyg
Source: OLEACC.dll.4.dr	Static PE information: section name: .psul
Source: OLEACC.dll.4.dr	Static PE information: section name: .pyjm
Source: OLEACC.dll.4.dr	Static PE information: section name: .eoadme
Source: OLEACC.dll.4.dr	Static PE information: section name: .fnz
Source: OLEACC.dll.4.dr	Static PE information: section name: .gwheg
Source: OLEACC.dll.4.dr	Static PE information: section name: .fcd
Source: OLEACC.dll.4.dr	Static PE information: section name: .dwk
Source: OLEACC.dll.4.dr	Static PE information: section name: .hgy
Source: OLEACC.dll.4.dr	Static PE information: section name: .nfm
Source: OLEACC.dll.4.dr	Static PE information: section name: .qmfqd
Source: OLEACC.dll.4.dr	Static PE information: section name: .buzyfh
Source: OLEACC.dll.4.dr	Static PE information: section name: .towo
Source: OLEACC.dll.4.dr	Static PE information: section name: .omwdbg
Source: OLEACC.dll.4.dr	Static PE information: section name: .virw
Source: OLEACC.dll.4.dr	Static PE information: section name: .bck
Source: OLEACC.dll.4.dr	Static PE information: section name: .mbhfb
Source: OLEACC.dll.4.dr	Static PE information: section name: .kix
Source: OLEACC.dll.4.dr	Static PE information: section name: .gurzs
Source: OLEACC.dll.4.dr	Static PE information: section name: .dzdoj
Source: OLEACC.dll.4.dr	Static PE information: section name: .egret
Source: OLEACC.dll.4.dr	Static PE information: section name: .ftpyc
Source: OLEACC.dll.4.dr	Static PE information: section name: .qrc
Source: OLEACC.dll.4.dr	Static PE information: section name: .tnnx
Source: OLEACC.dll.4.dr	Static PE information: section name: .vsjhk
Source: OLEACC.dll.4.dr	Static PE information: section name: .fmswwe
Source: OLEACC.dll.4.dr	Static PE information: section name: .zfhn
Source: OLEACC.dll.4.dr	Static PE information: section name: .ejdgrp
Source: OLEACC.dll.4.dr	Static PE information: section name: .soyat
Source: OLEACC.dll.4.dr	Static PE information: section name: .jlil
Source: OLEACC.dll.4.dr	Static PE information: section name: .bojgf
Source: OLEACC.dll.4.dr	Static PE information: section name: .gvsnik
Source: OLEACC.dll.4.dr	Static PE information: section name: .lsc
Source: OLEACC.dll.4.dr	Static PE information: section name: .uepvem
Source: OLEACC.dll.4.dr	Static PE information: section name: .don
Source: OLEACC.dll.4.dr	Static PE information: section name: .dqju
Source: OLEACC.dll.4.dr	Static PE information: section name: .qmgrql
Source: OLEACC.dll.4.dr	Static PE information: section name: .cjrd
Source: OLEACC.dll.4.dr	Static PE information: section name: .pfd

Contains functionality to dynamically determine API calls

Source: C:\Users\user\AppData\Local\VgY\mstsc.exe

Code function: 41_2_00007FF657DAE0FC LoadLibraryW,GetProcAddress,GetLastError,FreeLibrary,LoadLibraryW,GetProcAddress,GetLastError,FreeLibrary,

41_2_00007FF657DAE0FC

PE file contains an invalid checksum

Source: A2qAaSVuU2.dll	Static PE information: real checksum: 0x7d786c40 should be: 0x223a17
Source: DUI70.dll.4.dr	Static PE information: real checksum: 0x7d786c40 should be: 0x271ee0
Source: UxTheme.dll0.4.dr	Static PE information: real checksum: 0x7d786c40 should be: 0x228f66
Source: Secur32.dll.4.dr	Static PE information: real checksum: 0x7d786c40 should be: 0x2279c4
Source: ReAgent.dll.4.dr	Static PE information: real checksum: 0x7d786c40 should be: 0x22a27a
Source: WINSTA.dll.4.dr	Static PE information: real checksum: 0x7d786c40 should be: 0x22fc17
Source: XmlLite.dll.4.dr	Static PE information: real checksum: 0x7d786c40 should be: 0x2290e6
Source: OLEACC.dll.4.dr	Static PE information: real checksum: 0x7d786c40 should be: 0x22356c
Source: UxTheme.dll.4.dr	Static PE information: real checksum: 0x7d786c40 should be: 0x2261cf

Binary contains a suspicious time stamp

Source: MusNotificationUx.exe.4.dr

Static PE information: 0x6655844F [Tue May 28 07:14:23 2024 UTC]

Source: initial sample	Static PE information: section name: .text entropy: 7.73364605679
Source: initial sample	Static PE information: section name: .text entropy: 7.73364605679
Source: initial sample	Static PE information: section name: .text entropy: 7.73364605679
Source: initial sample	Static PE information: section name: .text entropy: 7.73364605679
Source: initial sample	Static PE information: section name: .text entropy: 7.73364605679
Source: initial sample	Static PE information: section name: .text entropy: 7.73364605679
Source: initial sample	Static PE information: section name: .text entropy: 7.73364605679
Source: initial sample	Static PE information: section name: .text entropy: 7.73364605679
Source: initial sample	Static PE information: section name: .text entropy: 7.73364605679

Persistence and Installation Behavior:

Drops PE files

Source: C:\Windows\explorer.exe	File created: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe	Jump to dropped file
Source: C:\Windows\explorer.exe	File created: C:\Users\user\AppData\Local\QiP6c\SndVol.exe	Jump to dropped file
Source: C:\Windows\explorer.exe	File created: C:\Users\user\AppData\Local\NNd0CnGJ\Magnify.exe	Jump to dropped file
Source: C:\Windows\explorer.exe	File created: C:\Users\user\AppData\Local\VgY\Secur32.dll	Jump to dropped file
Source: C:\Windows\explorer.exe	File created: C:\Users\user\AppData\Local\FQTqHJ\XmlLite.dll	Jump to dropped file
Source: C:\Windows\explorer.exe	File created: C:\Users\user\AppData\Local\QiP6c\UxTheme.dll	Jump to dropped file
Source: C:\Windows\explorer.exe	File created: C:\Users\user\AppData\Local\NNd0CnGJ\OLEACC.dll	Jump to dropped file
Source: C:\Windows\explorer.exe	File created: C:\Users\user\AppData\Local\wsL8xMlEF\WINSTA.dll	Jump to dropped file
Source: C:\Windows\explorer.exe	File created: C:\Users\user\AppData\Local\r1aQ\EhStorAuthn.exe	Jump to dropped file
Source: C:\Windows\explorer.exe	File created: C:\Users\user\AppData\Local\VgY\mstsc.exe	Jump to dropped file
Source: C:\Windows\explorer.exe	File created: C:\Users\user\AppData\Local\FQTqHJ\MusNotificationUx.exe	Jump to dropped file
Source: C:\Windows\explorer.exe	File created: C:\Users\user\AppData\Local\r1aQ\UxTheme.dll	Jump to dropped file
Source: C:\Windows\explorer.exe	File created: C:\Users\user\AppData\Local\AxQmthi0\DUI70.dll	Jump to dropped file
Source: C:\Windows\explorer.exe	File created: C:\Users\user\AppData\Local\wsL8xMlEF\DisplaySwitch.exe	Jump to dropped file
Source: C:\Windows\explorer.exe	File created: C:\Users\user\AppData\Local\A1gpxNou\ReAgent.dll	Jump to dropped file
Source: C:\Windows\explorer.exe	File created: C:\Users\user\AppData\Local\AxQmthi0\SysResetErr.exe	Jump to dropped file

Hooking and other Techniques for Hiding and Protection:

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Source: C:\Users\user\AppData\Local\VgY\mstsc.exe	Code function: 41_2_00007FF657D404F8 IsZoomed,IsIconic,EnableMenuItem,EnableMenuItem,EnableMenuItem,EnableMenuItem,EnableMenuItem,EnableMenuItem,	41_2_00007FF657D404F8
Source: C:\Users\user\AppData\Local\VgY\mstsc.exe	Code function: 41_2_00007FF657D42884 GetWindowRect,GetWindowLongW,GetWindowLongW,memset,CopyRect,IntersectRect,MoveWindow,IsIconic,memset,GetWindowPlacement,	41_2_00007FF657D42884
Source: C:\Users\user\AppData\Local\VgY\mstsc.exe	Code function: 41_2_00007FF657D42F5C IsWindowVisible,IsIconic,	41_2_00007FF657D42F5C
Source: C:\Users\user\AppData\Local\VgY\mstsc.exe	Code function: 41_2_00007FF657D41B44 lstrcmpW,LockWindowUpdate,IsIconic,GetWindowPlacement,GetWindowLongW,SetWindowLongW,SetWindowLongW,VariantInit,VariantClear,GetRgnBox,OffsetRgn,VariantClear,ShowWindow,SetWindowPos,SetWindowPos,SetWindowRgn,LockWindowUpdate,	41_2_00007FF657D41B44
Source: C:\Users\user\AppData\Local\VgY\mstsc.exe	Code function: 41_2_00007FF657D3CF28 IsIconic,GetWindowPlacement,GetLastError,IsZoomed,SetWindowPlacement,GetLastError,SetWindowPos,SetWindowPos,GetClientRect,MoveWindow,	41_2_00007FF657D3CF28
Source: C:\Users\user\AppData\Local\VgY\mstsc.exe	Code function: 41_2_00007FF657D39A6C IsIconic,GetWindowPlacement,GetWindowRect,	41_2_00007FF657D39A6C
Source: C:\Users\user\AppData\Local\VgY\mstsc.exe	Code function: 41_2_00007FF657D3CE48 IsIconic,GetWindowPlacement,GetLastError,	41_2_00007FF657D3CE48
Source: C:\Users\user\AppData\Local\VgY\mstsc.exe	Code function: 41_2_00007FF657D439A0 SetFocus,LoadCursorW,SetCursor,DefWindowProcW,GetClientRect,IsIconic,memset,GetTitleBarInfo,GetCursorPos,SendMessageW,	41_2_00007FF657D439A0
Source: C:\Users\user\AppData\Local\VgY\mstsc.exe	Code function: 41_2_00007FF657D3F5A4 DefWindowProcW,IsIconic,GetClientRect,GetLastError,VariantClear,DefWindowProcW,	41_2_00007FF657D3F5A4
Source: C:\Users\user\AppData\Local\VgY\mstsc.exe	Code function: 41_2_00007FF657DBC560 GetWindowRect,IsWindow,IsIconic,GetSystemMetrics,GetSystemMetrics,GetWindowRect,PtInRect,PtInRect,SystemParametersInfoW,CopyRect,SetWindowPos,	41_2_00007FF657DBC560

Extensive use of GetProcAddress (often used to hide API calls)

Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe

24_2_00007FF7BC81613C

Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion:

May sleep (evasive loops) to hinder dynamic analysis

Source: C:\Windows\explorer.exe TID: 1392

Thread sleep count: 33 > 30

Jump to behavior

Found dropped PE file which has not been started or loaded

Source: C:\Windows\explorer.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\NNd0CnGJ\Magnify.exe	Jump to dropped file
Source: C:\Windows\explorer.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\NNd0CnGJ\OLEACC.dll	Jump to dropped file
Source: C:\Windows\explorer.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\wsL8xMlEF\WINSTA.dll	Jump to dropped file
Source: C:\Windows\explorer.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\wsL8xMlEF\DisplaySwitch.exe	Jump to dropped file

Uses the system / local time for branch decision (may execute only at specific dates)

Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe	Code function: 24_2_00007FF7BC8351F4 GetSystemTimeAsFileTime followed by cmp: cmp r9d, 01h and CTI: je 00007FF7BC835362h	24_2_00007FF7BC8351F4
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe	Code function: 24_2_00007FF7BC7D7410 GetSystemTimeAsFileTime followed by cmp: cmp dword ptr [rsp+20h], 03h and CTI: jne 00007FF7BC7D762Ch	24_2_00007FF7BC7D7410
Source: C:\Users\user\AppData\Local\FQTqHJ\MusNotificationUx.exe	Code function: 29_2_00007FF618AFF360 GetLocalTime followed by cmp: cmp r14d, 02h and CTI: jne 00007FF618AFF436h	29_2_00007FF618AFF360

Contains functionality to read device registry values (via SetupAPI)

Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe

24_2_00007FF7BC80B77C

Source: C:\Windows\System32\loaddll64.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Windows\System32\loaddll64.exe

Code function: 0_2_000000014005C340 GetSystemInfo,

0_2_000000014005C340

Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_000000014005D290 FindFirstFileExW,	0_2_000000014005D290
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe	Code function: 24_2_00007FF7BC7F4E28 GetFileAttributesW,GetLastError,memset,FindFirstFileW,GetLastError,FindClose,GetProcessHeap,CompareStringW,CompareStringW,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,FindNextFileW,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,CreateFileW,GetLastError,CloseHandle,GetFileSizeEx,GetLastError,CloseHandle,CloseHandle,GetProcessHeap,HeapFree,CloseHandle,GetProcessHeap,CloseHandle,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,	24_2_00007FF7BC7F4E28
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe	Code function: 24_2_00007FF7BC80E958 free,memset,FindFirstFileW,GetLastError,GetLastError,FindNextFileW,GetLastError,GetLastError,GetLastError,GetLastError,GetLastError,FindClose,	24_2_00007FF7BC80E958
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe	Code function: 24_2_00007FF7BC81B964 memset,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapAlloc,FindFirstFileW,GetLastError,GetLastError,_wcsicmp,_wcsicmp,GetLastError,GetCurrentThread,NtQueryInformationThread,FindNextFileW,GetLastError,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,FindClose,SetLastError,	24_2_00007FF7BC81B964
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe	Code function: 24_2_00007FF7BC810638 memset,SetLastError,SetLastError,HeapAlloc,GetLastError,FindFirstFileW,memset,memset,wcsrchr,SetLastError,CompareStringW,CompareStringW,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,memset,FindNextFileW,GetLastError,GetLastError,GetLastError,FindClose,GetLastError,RtlFreeHeap,GetLastError,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,SetLastError,SetLastError,	24_2_00007FF7BC810638
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe	Code function: 24_2_00007FF7BC7F57FC memset,GetSystemWindowsDirectoryW,GetLastError,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetFileAttributesW,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetFileAttributesW,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetVolumeInformationW,memset,FindFirstFileW,GetLastError,CompareStringW,CompareStringW,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,FindNextFileW,GetLastError,GetLastError,GetProcessHeap,HeapFree,GetFileAttributesW,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetFileAttributesW,GetProcessHeap,HeapFree,FindClose,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,	24_2_00007FF7BC7F57FC
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe	Code function: 24_2_00007FF7BC7F6718 WIMCreateFile,GetLastError,FindClose,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,WIMCloseHandle,WIMCloseHandle,memset,WIMGetAttributes,GetLastError,memset,GetFullPathNameW,GetLastError,memset,FindFirstFileW,GetLastError,GetProcessHeap,HeapFree,WIMCreateFile,WIMCloseHandle,memset,WIMGetAttributes,FindNextFileW,GetLastError,GetLastError,GetLastError,	24_2_00007FF7BC7F6718
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe	Code function: 24_2_00007FF7BC7E21CC GetProcessHeap,HeapFree,GetFileAttributesW,GetLastError,GetProcessHeap,HeapFree,_wcsicmp,GetProcessHeap,HeapFree,FindClose,FindFirstFileW,FindClose,GetLastError,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,FindNextFileW,memmove,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,FindClose,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,	24_2_00007FF7BC7E21CC
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe	Code function: 24_2_00007FF7BC815458 memset,memset,memset,memset,FindFirstFileW,CompareStringW,CompareStringW,memset,FindNextFileW,FindClose,CoTaskMemFree,GetProcessHeap,HeapFree,	24_2_00007FF7BC815458
Source: C:\Users\user\AppData\Local\FQTqHJ\MusNotificationUx.exe	Code function: 29_2_00007FF618B1A104 ?_Swap_all@_Container_base0@std@@QEAAXAEAU12@@Z,FindFirstFileW,FindNextFileW,FindClose,?_Swap_all@_Container_base0@std@@QEAAXAEAU12@@Z,?_Swap_all@_Container_base0@std@@QEAAXAEAU12@@Z,	29_2_00007FF618B1A104

Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe

24_2_00007FF7BC7DB29C

Source: explorer.exe, 00000004.00000000.266212445.000000000891C000.00000004.00000001.sdmp	Binary or memory string: VMware SATA CD00dRom0
Source: explorer.exe, 00000004.00000000.302594165.0000000003710000.00000004.00000001.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000004.00000000.279443286.00000000089B5000.00000004.00000001.sdmp	Binary or memory string: _VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Vir""
Source: explorer.exe, 00000004.00000000.272328344.00000000011B3000.00000004.00000020.sdmp	Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000tft\0
Source: explorer.exe, 00000004.00000000.279443286.00000000089B5000.00000004.00000001.sdmp	Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000%
Source: explorer.exe, 00000004.00000000.303493974.00000000053C4000.00000004.00000001.sdmp	Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}>'R\"
Source: explorer.exe, 00000004.00000000.279443286.00000000089B5000.00000004.00000001.sdmp	Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&0000002

Anti Debugging:

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe

Code function: 24_2_00007FF7BC7D4028 IsDebuggerPresent,GetCurrentThreadId,GetCurrentThreadId,OutputDebugStringW,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,

24_2_00007FF7BC7D4028

Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)

Source: C:\Users\user\AppData\Local\AxQmthi0\SysResetErr.exe

Code function: 21_2_00007FF727F82940 _cwprintf_s_l,OutputDebugStringW,GetLastError,CurrentIP,WdsSetupLogMessageW,

21_2_00007FF727F82940

Contains functionality to dynamically determine API calls

Source: C:\Users\user\AppData\Local\VgY\mstsc.exe

Code function: 41_2_00007FF657DAE0FC LoadLibraryW,GetProcAddress,GetLastError,FreeLibrary,LoadLibraryW,GetProcAddress,GetLastError,FreeLibrary,

41_2_00007FF657DAE0FC

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Source: C:\Users\user\AppData\Local\AxQmthi0\SysResetErr.exe

Code function: 21_2_00007FF727F81090 GetProcessHeap,

21_2_00007FF727F81090

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Source: C:\Windows\System32\loaddll64.exe

Code function: 0_2_0000000140048AC0 LdrLoadDll,FindClose,

0_2_0000000140048AC0

Source: C:\Users\user\AppData\Local\AxQmthi0\SysResetErr.exe	Code function: 21_2_00007FF727F83C80 SetUnhandledExceptionFilter,	21_2_00007FF727F83C80
Source: C:\Users\user\AppData\Local\AxQmthi0\SysResetErr.exe	Code function: 21_2_00007FF727F83F04 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	21_2_00007FF727F83F04
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe	Code function: 24_2_00007FF7BC85864C SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	24_2_00007FF7BC85864C
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe	Code function: 24_2_00007FF7BC8583E0 SetUnhandledExceptionFilter,	24_2_00007FF7BC8583E0
Source: C:\Users\user\AppData\Local\FQTqHJ\MusNotificationUx.exe	Code function: 29_2_00007FF618B14AC0 SetUnhandledExceptionFilter,	29_2_00007FF618B14AC0
Source: C:\Users\user\AppData\Local\FQTqHJ\MusNotificationUx.exe	Code function: 29_2_00007FF618B14768 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	29_2_00007FF618B14768
Source: C:\Users\user\AppData\Local\QiP6c\SndVol.exe	Code function: 34_2_00007FF74A7BF2E0 SetUnhandledExceptionFilter,	34_2_00007FF74A7BF2E0
Source: C:\Users\user\AppData\Local\QiP6c\SndVol.exe	Code function: 34_2_00007FF74A7BEE40 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	34_2_00007FF74A7BEE40
Source: C:\Users\user\AppData\Local\r1aQ\EhStorAuthn.exe	Code function: 36_2_00007FF6F232A2B0 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	36_2_00007FF6F232A2B0
Source: C:\Users\user\AppData\Local\r1aQ\EhStorAuthn.exe	Code function: 36_2_00007FF6F232A4B0 SetUnhandledExceptionFilter,	36_2_00007FF6F232A4B0
Source: C:\Users\user\AppData\Local\VgY\mstsc.exe	Code function: 41_2_00007FF657E52264 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	41_2_00007FF657E52264

HIPS / PFW / Operating System Protection Evasion:

Benign windows process drops PE files

Source: C:\Windows\explorer.exe

File created: DUI70.dll.4.dr

Jump to dropped file

Changes memory attributes in foreign processes to executable or writable

Source: C:\Windows\System32\rundll32.exe	Memory protected: C:\Windows\explorer.exe base: 7FFA9B8EEFE0 protect: page execute and read and write	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Memory protected: C:\Windows\explorer.exe base: 7FFA9B8EE000 protect: page execute read	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Memory protected: C:\Windows\explorer.exe base: 7FFA9B312A20 protect: page execute and read and write	Jump to behavior

Queues an APC in another process (thread injection)

Source: C:\Windows\System32\rundll32.exe

Thread APC queued: target process: C:\Windows\explorer.exe

Jump to behavior

Contains functionality to automate explorer (e.g. start an application)

Source: C:\Users\user\AppData\Local\QiP6c\SndVol.exe	Code function: 34_2_00007FF74A7AA5C8 GetDC,GetDeviceCaps,ReleaseDC,LoadIconW,SendMessageW,GetWindowBand,FindWindowW,GetWindowBand,FindWindowW,SendMessageTimeoutW,GetWindowLongW,SetWindowLongW,SetForegroundWindow,IsThemeActive,DwmIsCompositionEnabled,GetWindowRect,GetClientRect,EnterCriticalSection,GetWindowRect,LeaveCriticalSection,SetWindowPos,LeaveCriticalSection,memset,Shell_NotifyIconGetRect,GetWindowRect,DwmIsCompositionEnabled,Shell_NotifyIconGetRect,InflateRect,CalculatePopupWindowPosition,SetWindowPos,InvalidateRect,GetClientRect,EnterCriticalSection,SetWindowPos,GetDlgItem,SetFocus,ShowWindow,LeaveCriticalSection,SetTimer,NotifyWinEvent,		34_2_00007FF74A7AA5C8
Source: C:\Users\user\AppData\Local\QiP6c\SndVol.exe	Code function: 34_2_00007FF74A7AA5C8 GetDC,GetDeviceCaps,ReleaseDC,LoadIconW,SendMessageW,GetWindowBand,FindWindowW,GetWindowBand,FindWindowW,SendMessageTimeoutW,GetWindowLongW,SetWindowLongW,SetForegroundWindow,IsThemeActive,DwmIsCompositionEnabled,GetWindowRect,GetClientRect,EnterCriticalSection,GetWindowRect,LeaveCriticalSection,SetWindowPos,LeaveCriticalSection,memset,Shell_NotifyIconGetRect,GetWindowRect,DwmIsCompositionEnabled,Shell_NotifyIconGetRect,InflateRect,CalculatePopupWindowPosition,SetWindowPos,InvalidateRect,GetClientRect,EnterCriticalSection,SetWindowPos,GetDlgItem,SetFocus,ShowWindow,LeaveCriticalSection,SetTimer,NotifyWinEvent,		34_2_00007FF74A7AA5C8

Uses Atom Bombing / ProGate to inject into other processes

Source: C:\Windows\System32\rundll32.exe

Jump to behavior

Contains functionality to launch a program with higher privileges

Source: C:\Users\user\AppData\Local\r1aQ\EhStorAuthn.exe

Code function: 36_2_00007FF6F2326264 memset,memset,#345,DialogBoxParamW,DialogBoxParamW,Sleep,memset,ShellExecuteExW,WaitForSingleObject,CloseHandle,LoadStringW,LoadStringW,LoadStringW,#344,

36_2_00007FF6F2326264

Creates a process in suspended mode (likely to inject code)

Source: C:\Windows\System32\cmd.exe

Process created: C:\Windows\System32\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\A2qAaSVuU2.dll',#1

Jump to behavior

Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe

24_2_00007FF7BC855D8C

Source: explorer.exe, 00000004.00000000.300976529.0000000001640000.00000002.00020000.sdmp, SndVol.exe	Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000004.00000000.300976529.0000000001640000.00000002.00020000.sdmp	Binary or memory string: Progman
Source: explorer.exe, 00000004.00000000.300976529.0000000001640000.00000002.00020000.sdmp	Binary or memory string: SProgram Managerl
Source: explorer.exe, 00000004.00000000.300560024.0000000001128000.00000004.00000020.sdmp	Binary or memory string: ProgmanOMEa
Source: SndVol.exe, 00000022.00000002.478682807.00007FF74A7C2000.00000002.00020000.sdmp	Binary or memory string: Software\Microsoft\Multimedia\Audio\SndVolSndVolPreferencesMaskSndVolSelectedDevicesShell_TrayWnd
Source: explorer.exe, 00000004.00000000.300976529.0000000001640000.00000002.00020000.sdmp	Binary or memory string: Shell_TrayWnd,
Source: explorer.exe, 00000004.00000000.300976529.0000000001640000.00000002.00020000.sdmp	Binary or memory string: Progmanlock

Language, Device and Operating System Detection:

Queries the volume information (name, serial number etc) of a device

Source: C:\Windows\System32\loaddll64.exe	Queries volume information: unknown VolumeInformation	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Queries volume information: unknown VolumeInformation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Queries volume information: unknown VolumeInformation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Queries volume information: unknown VolumeInformation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Queries volume information: unknown VolumeInformation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Queries volume information: unknown VolumeInformation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Queries volume information: unknown VolumeInformation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Queries volume information: unknown VolumeInformation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Queries volume information: unknown VolumeInformation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Queries volume information: unknown VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\AxQmthi0\SysResetErr.exe	Queries volume information: unknown VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\AxQmthi0\SysResetErr.exe	Queries volume information: unknown VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe	Queries volume information: unknown VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe	Queries volume information: unknown VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\FQTqHJ\MusNotificationUx.exe	Queries volume information: unknown VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\FQTqHJ\MusNotificationUx.exe	Queries volume information: unknown VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\QiP6c\SndVol.exe	Queries volume information: unknown VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\QiP6c\SndVol.exe	Queries volume information: unknown VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\r1aQ\EhStorAuthn.exe	Queries volume information: unknown VolumeInformation
Source: C:\Users\user\AppData\Local\r1aQ\EhStorAuthn.exe	Queries volume information: unknown VolumeInformation
Source: C:\Users\user\AppData\Local\VgY\mstsc.exe	Queries volume information: unknown VolumeInformation
Source: C:\Users\user\AppData\Local\VgY\mstsc.exe	Queries volume information: unknown VolumeInformation

Contains functionality to query locales information (e.g. system language)

Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe	Code function: memset,memset,GetLocaleInfoW,GetLastError,wcstoul,GetLocaleInfoW,GetLastError,GetNumberFormatW,GetLastError,GetProcessHeap,HeapAlloc,GetNumberFormatW,GetLastError,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,		24_2_00007FF7BC7DCA0C
Source: C:\Users\user\AppData\Local\QiP6c\SndVol.exe	Code function: GetUserPreferredUILanguages,malloc,GetUserPreferredUILanguages,GetLocaleInfoEx,free,		34_2_00007FF74A7B9EF4

Queries device information via Setup API

Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe

24_2_00007FF7BC80B77C

Queries the installation date of Windows

Source: C:\Windows\System32\loaddll64.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion InstallDate

Jump to behavior

Source: C:\Windows\System32\loaddll64.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: C:\Users\user\AppData\Local\AxQmthi0\SysResetErr.exe

Code function: 21_2_00007FF727F83E10 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,GetTickCount,QueryPerformanceCounter,

21_2_00007FF727F83E10

Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe

Code function: 24_2_00007FF7BC7D4344 GetTimeZoneInformation,GetLastError,GetSystemTime,SystemTimeToTzSpecificLocalTime,

24_2_00007FF7BC7D4344

Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe

24_2_00007FF7BC80BB70

ID:	492853
Product:	CloudBasic
Start time:	03:36:37
Start date:	29.09.2021
Sample:	A2qAaSVuU2
Cookbook:	default.jbs
System description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Architecture:	WINDOWS
MD5:	f8295446e335b679641637334c99242d
SHA1:	18b9a40791f1a52c70507b29d0b631510f2e33c6
SHA256:	96705595655fd817156073e3d3efde3338e24c3afaef13e517153ae4b5218fc9
Filetype:	Win64 Dynamic Link Library (generic) (102004/3) 86.43%

Name	Type	MD5	SHA1	SHA256
C:\Users\user\AppData\Local\A1gpxNou\ReAgent.dll	PE32+ executable (DLL) (console) x86-64, for MS Windows	FC9474302D7FD9538FC834CE63E1FD5C	290D8D20C7815ABC8918D60E44A9BF9BE063FDE1	D7F76A8DB8CD5CBD47B91536221521A44BF8DD57E72EDF8C9239EB32F6165CCB
C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe	PE32+ executable (GUI) x86-64, for MS Windows	2228E677678848E2FC693199947715E7	7AA34AC0938585EEFA9E0ABC80CCBD4E17651173	9041F1AF7FD9A065B6C69D6CDF95F6FF939BF224C040816A0646540E145B73FF
C:\Users\user\AppData\Local\AxQmthi0\DUI70.dll	PE32+ executable (DLL) (console) x86-64, for MS Windows	298E377EADD0706C1D73ADDEB77B8178	525213210DE858C13235C917106BB95C540F79F0	70104ECBFB1142438426E2A5A0A4D7F3A50F65205F546CCF887A148065DB3CD4
C:\Users\user\AppData\Local\AxQmthi0\SysResetErr.exe	PE32+ executable (GUI) x86-64, for MS Windows	6A3F2F3C36FE45A87E3BFA80B6D92E07	8C211767AD8393F9F184FC926FE3B8913F414289	069608FF0FF5918681A80CF7603275DC6CD7D416A73D033D19962B0F0F1E1EAC
C:\Users\user\AppData\Local\FQTqHJ\MusNotificationUx.exe	PE32+ executable (GUI) x86-64, for MS Windows	114A55D75AC7447F012B6D8EC8B1F7FC	37D5636D940D0A948000B94C84AD6C41162E593F	E188143729B044955881302631BE577381B05B67E9899E09DB3573156719C70E
C:\Users\user\AppData\Local\FQTqHJ\XmlLite.dll	PE32+ executable (DLL) (console) x86-64, for MS Windows	CB757D9BD0E289A106808C0230A026A6	1F11AE588A68B3A2A29668CBD5A0A8A445E4938F	450A946EC012C1311B599992FD920623C478F9B69FE246296AD6F8E9B57D0581
C:\Users\user\AppData\Local\NNd0CnGJ\Magnify.exe	PE32+ executable (GUI) x86-64, for MS Windows	F97BE20B374457236666607EE4BA7F7F	378D5ADAB450032CBD086A419C07DF8278FF4F32	72A31AEB7655343C7112085DFD49A2D5F1A6F1191D8F91A96BC446DE932724EA
C:\Users\user\AppData\Local\NNd0CnGJ\OLEACC.dll	PE32+ executable (DLL) (console) x86-64, for MS Windows	0CA5F4D66EBB41C5D3F7E5A6D341F77F	3894DC22432580634AD98F990355CF0C15F10DD8	31FA6F8CCF9DD4024AF161774599C6196118660437B4149DCDE28026B7A2478E
C:\Users\user\AppData\Local\QiP6c\SndVol.exe	PE32+ executable (GUI) x86-64, for MS Windows	CDD7C7DF2D0859AC3F4088423D11BD08	128789A2EA904F684B5DF2384BA6EEF4EB60FB8E	D98DB8339EB1B93A7345EECAC2B7290FA7156E3E12B7632D876BD0FD1F31EC66
C:\Users\user\AppData\Local\QiP6c\UxTheme.dll	PE32+ executable (DLL) (console) x86-64, for MS Windows	7F591E3E13727BC65D9343A0424DC251	FB577F41F44AC64FFCAA911A382786B19BAC6DD5	9C68174FA05C42FD588281AD3ED149DF3673A2932849410AC2E902772752871F
C:\Users\user\AppData\Local\VgY\Secur32.dll	PE32+ executable (DLL) (console) x86-64, for MS Windows	DB5938B2BCF055E28A918103006CBCAA	87EFF0B3AE617315DDE7EBA2261EA88B7AF02061	45561012881BCEB066C2F5A47ACA5F80D6463D025DE36DC19F54DB2A6D0DC216
C:\Users\user\AppData\Local\VgY\mstsc.exe	PE32+ executable (GUI) x86-64, for MS Windows	3FBB5CD8829E9533D0FF5819DB0444C0	A4A6E4E50421E57EA4745BA44568B107A9369447	043870DBAB955C1851E1710D941495357383A08F3F30DD3E3A1945583A85E0CA
C:\Users\user\AppData\Local\r1aQ\EhStorAuthn.exe	PE32+ executable (GUI) x86-64, for MS Windows	5B9BB7B6DD9A81D42F057BA252DC3B63	EC0699019DF4B9BC7D12C4B3CAFC4963210B5C7A	4348A9C263028C665AA486B08DDD22BC7F3879B0A89765DA5A0F4AECD0A1224C
C:\Users\user\AppData\Local\r1aQ\UxTheme.dll	PE32+ executable (DLL) (console) x86-64, for MS Windows	4D29023178FD2D10CB3ACE4885820458	140E9C96A2D4A8BAC949B02FB928E0FF76754B6E	FEA11ED22EBAA8A456516620C8B73281104BE7E328AD6FE82C9E013216E3EF7A
C:\Users\user\AppData\Local\wsL8xMlEF\DisplaySwitch.exe	PE32+ executable (GUI) x86-64, for MS Windows	97411B8A84E5980E509E500C3209E5C0	23398F8DA469DEAF10C32773062A6A62B7B004B4	2C968556FCAD7EBB9A866B21A9F3F3DFCD0CA490CAF8F6B2ECDB423B9D24D3EF
C:\Users\user\AppData\Local\wsL8xMlEF\WINSTA.dll	PE32+ executable (DLL) (console) x86-64, for MS Windows	447058F8460FC604A0852CCD62462C97	E2B5CE7A28224F839FA0B4A153F6B01A8C70586E	B0BBEEB74A6BAE9B3AAB49327F807FEE63018C92342E4CBFA3B2666F2AFAB0F0
C:\Users\user\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-3853321935-2125563209-4053062332-1002\89dad5d484a9f889a3a8dfca823edc3e_d06ed635-68f6-4e9a-955c-4899f5f57b9a	data	F4F1FA09A467998A8BCD1E6EA05488A7	CB33AC91E6108330488B353C5BBE786087F35AD3	D639226D41D26952376E2C91BFD87D04BF284E895A4D9446FEE48F53F37519C9

Windows Analysis Report A2qAaSVuU2

Overview

General Information

Detection

Signatures

Classification

Signatures

AV Detection:

Cryptography:

Compliance:

Spreading:

Networking:

E-Banking Fraud:

Spam, unwanted Advertisements and Ransom Demands:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Screenshots

Behavior Graph

Network Map

Contacted Domains