
Windows Analysis Report A2qAaSVuU2

Overview

General Information

Sample Name: A2qAaSVuU2 (renamed file extension from none to dll)
Analysis ID: 492853
MD5: f8295446e335b679641637334c99242d
SHA1: 18b9a40791f1a52c70507b29d0b631510f2e33c6
SHA256: 96705595655fd817156073e3d3efde3338e24c3afaef13e517153ae4b5218fc9
Tags: Dridex, exe

Detection

Dridex
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Yara detected Dridex unpacked file
Multi AV Scanner detection for submitted file
Benign windows process drops PE files
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Changes memory attributes in foreign processes to executable or writable
Machine Learning detection for sample
Queues an APC in another process (thread injection)
Machine Learning detection for dropped file
Contains functionality to automate explorer (e.g. start an application)
Uses Atom Bombing / ProGate to inject into other processes
Queries the volume information (name, serial number etc) of a device
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query locales information (e.g. system language)
May sleep (evasive loops) to hinder dynamic analysis
Contains functionality to shutdown / reboot the system
Uses code obfuscation techniques (call, push, ret)
PE file contains sections with non-standard names
Queries device information via Setup API
Queries the installation date of Windows
Detected potential crypto function
Found potential string decryption / allocating functions
Contains functionality to get notified if a device is plugged in / out
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to call native functions
Contains functionality to communicate with device drivers
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to dynamically determine API calls
Found dropped PE file which has not been started or loaded
Uses the system / local time for branch decision (may execute only at specific dates)
Contains functionality which may be used to detect a debugger (GetProcessHeap)
PE file contains an invalid checksum
Extensive use of GetProcAddress (often used to hide API calls)
PE file contains strange resources
Drops PE files
Tries to load missing DLLs
Contains functionality to launch a program with higher privileges
Binary contains a suspicious time stamp
Contains functionality to read device registry values (via SetupAPI)
PE file contains more sections than normal
Uses Microsoft's Enhanced Cryptographic Provider
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Process Tree

  • System is w10x64
  • loaddll64.exe (PID: 3104 cmdline: loaddll64.exe 'C:\Users\user\Desktop\A2qAaSVuU2.dll' MD5: E0CC9D126C39A9D2FA1CAD5027EBBD18)
    • cmd.exe (PID: 5772 cmdline: cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\A2qAaSVuU2.dll',#1 MD5: 4E2ACF4F8A396486AB4268C94A6A245F)
      • rundll32.exe (PID: 3332 cmdline: rundll32.exe 'C:\Users\user\Desktop\A2qAaSVuU2.dll',#1 MD5: 73C519F050C20580F8A62C849D49215A)
    • rundll32.exe (PID: 2588 cmdline: rundll32.exe C:\Users\user\Desktop\A2qAaSVuU2.dll,DpxFreeMemory MD5: 73C519F050C20580F8A62C849D49215A)
      • explorer.exe (PID: 3472 cmdline: C:\Windows\Explorer.EXE MD5: AD5296B280E8F522A8A897C96BAB0E1D)
        • SysResetErr.exe (PID: 2876 cmdline: C:\Windows\system32\SysResetErr.exe MD5: 6A3F2F3C36FE45A87E3BFA80B6D92E07)
        • SysResetErr.exe (PID: 484 cmdline: C:\Users\user\AppData\Local\AxQmthi0\SysResetErr.exe MD5: 6A3F2F3C36FE45A87E3BFA80B6D92E07)
        • RecoveryDrive.exe (PID: 5932 cmdline: C:\Windows\system32\RecoveryDrive.exe MD5: 2228E677678848E2FC693199947715E7)
        • RecoveryDrive.exe (PID: 6092 cmdline: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe MD5: 2228E677678848E2FC693199947715E7)
        • MusNotificationUx.exe (PID: 4756 cmdline: C:\Windows\system32\MusNotificationUx.exe MD5: 114A55D75AC7447F012B6D8EC8B1F7FC)
        • MusNotificationUx.exe (PID: 3940 cmdline: C:\Users\user\AppData\Local\FQTqHJ\MusNotificationUx.exe MD5: 114A55D75AC7447F012B6D8EC8B1F7FC)
        • SndVol.exe (PID: 3532 cmdline: C:\Windows\system32\SndVol.exe MD5: CDD7C7DF2D0859AC3F4088423D11BD08)
        • SndVol.exe (PID: 1208 cmdline: C:\Users\user\AppData\Local\QiP6c\SndVol.exe MD5: CDD7C7DF2D0859AC3F4088423D11BD08)
        • EhStorAuthn.exe (PID: 3016 cmdline: C:\Windows\system32\EhStorAuthn.exe MD5: 5B9BB7B6DD9A81D42F057BA252DC3B63)
        • EhStorAuthn.exe (PID: 2424 cmdline: C:\Users\user\AppData\Local\r1aQ\EhStorAuthn.exe MD5: 5B9BB7B6DD9A81D42F057BA252DC3B63)
        • mstsc.exe (PID: 5972 cmdline: C:\Windows\system32\mstsc.exe MD5: 3FBB5CD8829E9533D0FF5819DB0444C0)
        • mstsc.exe (PID: 5668 cmdline: C:\Users\user\AppData\Local\VgY\mstsc.exe MD5: 3FBB5CD8829E9533D0FF5819DB0444C0)
    • rundll32.exe (PID: 2436 cmdline: rundll32.exe C:\Users\user\Desktop\A2qAaSVuU2.dll,DpxNewJob MD5: 73C519F050C20580F8A62C849D49215A)
    • rundll32.exe (PID: 800 cmdline: rundll32.exe C:\Users\user\Desktop\A2qAaSVuU2.dll,DpxNewJobEx MD5: 73C519F050C20580F8A62C849D49215A)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source | Rule | Description | Author
00000015.00000002.387213363.0000000140001000.00000020.00020000.sdmp | JoeSecurity_Dridex_2 | Yara detected Dridex unpacked file | Joe Security
00000029.00000002.529730818.0000000140001000.00000020.00020000.sdmp | JoeSecurity_Dridex_2 | Yara detected Dridex unpacked file | Joe Security
00000002.00000002.339300443.0000000140001000.00000020.00020000.sdmp | JoeSecurity_Dridex_2 | Yara detected Dridex unpacked file | Joe Security
00000007.00000002.274418377.0000000140001000.00000020.00020000.sdmp | JoeSecurity_Dridex_2 | Yara detected Dridex unpacked file | Joe Security
00000022.00000002.470825407.0000000140001000.00000020.00020000.sdmp | JoeSecurity_Dridex_2 | Yara detected Dridex unpacked file | Joe Security
(6 further entries not shown here; all 11 matching dumps are listed under E-Banking Fraud below)

Sigma Overview

No Sigma rule has matched

Jbx Signature Overview

AV Detection:

Multi AV Scanner detection for submitted file
Source: A2qAaSVuU2.dll | Virustotal: Detection: 64%
Source: A2qAaSVuU2.dll | Metadefender: Detection: 62%
Source: A2qAaSVuU2.dll | ReversingLabs: Detection: 84%
Antivirus / Scanner detection for submitted sample
Source: A2qAaSVuU2.dll | Avira: detected
Antivirus detection for dropped file
Source: C:\Users\user\AppData\Local\A1gpxNou\ReAgent.dll | Avira: detection malicious, Label: HEUR/AGEN.1114452
Source: C:\Users\user\AppData\Local\QiP6c\UxTheme.dll | Avira: detection malicious, Label: TR/Crypt.ZPACK.Gen
Source: C:\Users\user\AppData\Local\FQTqHJ\XmlLite.dll | Avira: detection malicious, Label: HEUR/AGEN.1114452
Source: C:\Users\user\AppData\Local\AxQmthi0\DUI70.dll | Avira: detection malicious, Label: HEUR/AGEN.1114452
Source: C:\Users\user\AppData\Local\wsL8xMlEF\WINSTA.dll | Avira: detection malicious, Label: TR/Crypt.ZPACK.Gen
Source: C:\Users\user\AppData\Local\NNd0CnGJ\OLEACC.dll | Avira: detection malicious, Label: TR/Crypt.ZPACK.Gen
Source: C:\Users\user\AppData\Local\VgY\Secur32.dll | Avira: detection malicious, Label: TR/Crypt.ZPACK.Gen
Machine Learning detection for sample
Source: A2qAaSVuU2.dll | Joe Sandbox ML: detected
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Local\A1gpxNou\ReAgent.dll | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\QiP6c\UxTheme.dll | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\FQTqHJ\XmlLite.dll | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\AxQmthi0\DUI70.dll | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\wsL8xMlEF\WINSTA.dll | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\NNd0CnGJ\OLEACC.dll | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\VgY\Secur32.dll | Joe Sandbox ML: detected
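The process tree and the dropped-file detections above describe one technique from two angles. SysResetErr.exe, RecoveryDrive.exe, MusNotificationUx.exe, SndVol.exe, EhStorAuthn.exe and mstsc.exe each run twice with an identical MD5, once from C:\Windows\system32 and once from a freshly created folder under %LOCALAPPDATA%, and those folders are the same ones that receive the flagged DLLs (ReAgent.dll, DUI70.dll, XmlLite.dll, UxTheme.dll, Secur32.dll). That is DLL side-loading: the genuine signed host is copied next to a planted DLL whose name shadows one of its imports, so the loader resolves the import from the same directory. A caveat for reading the "Code function" evidence further down: because the relocated hosts are byte-identical to the Windows originals (and still carry their own .pdb names), the CryptImportKey, WIMCreateFile and NtShutdownSystem chains attributed to RecoveryDrive.exe are the host's own code, not the Dridex payload. The script below is an added example, not part of this report or of Joe Sandbox, that correlates the two lists to recover the host/DLL pairs; its input lines are transcribed from this report, and the "runs from under C:\Windows" test is an assumption standing in for a proper Authenticode or known-good-hash check.

```python
import re
from pathlib import PureWindowsPath

# Process-tree rows transcribed from the report (two non-host rows included to
# show they are ignored).
PROCESS_TREE = r"""
rundll32.exe (PID: 2588 cmdline: rundll32.exe C:\Users\user\Desktop\A2qAaSVuU2.dll,DpxFreeMemory MD5: 73C519F050C20580F8A62C849D49215A)
explorer.exe (PID: 3472 cmdline: C:\Windows\Explorer.EXE MD5: AD5296B280E8F522A8A897C96BAB0E1D)
SysResetErr.exe (PID: 2876 cmdline: C:\Windows\system32\SysResetErr.exe MD5: 6A3F2F3C36FE45A87E3BFA80B6D92E07)
SysResetErr.exe (PID: 484 cmdline: C:\Users\user\AppData\Local\AxQmthi0\SysResetErr.exe MD5: 6A3F2F3C36FE45A87E3BFA80B6D92E07)
RecoveryDrive.exe (PID: 5932 cmdline: C:\Windows\system32\RecoveryDrive.exe MD5: 2228E677678848E2FC693199947715E7)
RecoveryDrive.exe (PID: 6092 cmdline: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe MD5: 2228E677678848E2FC693199947715E7)
MusNotificationUx.exe (PID: 4756 cmdline: C:\Windows\system32\MusNotificationUx.exe MD5: 114A55D75AC7447F012B6D8EC8B1F7FC)
MusNotificationUx.exe (PID: 3940 cmdline: C:\Users\user\AppData\Local\FQTqHJ\MusNotificationUx.exe MD5: 114A55D75AC7447F012B6D8EC8B1F7FC)
SndVol.exe (PID: 3532 cmdline: C:\Windows\system32\SndVol.exe MD5: CDD7C7DF2D0859AC3F4088423D11BD08)
SndVol.exe (PID: 1208 cmdline: C:\Users\user\AppData\Local\QiP6c\SndVol.exe MD5: CDD7C7DF2D0859AC3F4088423D11BD08)
EhStorAuthn.exe (PID: 3016 cmdline: C:\Windows\system32\EhStorAuthn.exe MD5: 5B9BB7B6DD9A81D42F057BA252DC3B63)
EhStorAuthn.exe (PID: 2424 cmdline: C:\Users\user\AppData\Local\r1aQ\EhStorAuthn.exe MD5: 5B9BB7B6DD9A81D42F057BA252DC3B63)
mstsc.exe (PID: 5972 cmdline: C:\Windows\system32\mstsc.exe MD5: 3FBB5CD8829E9533D0FF5819DB0444C0)
mstsc.exe (PID: 5668 cmdline: C:\Users\user\AppData\Local\VgY\mstsc.exe MD5: 3FBB5CD8829E9533D0FF5819DB0444C0)
"""

# Dropped files flagged by Avira / Joe Sandbox ML, transcribed from the report.
DROPPED_FILES = r"""
C:\Users\user\AppData\Local\A1gpxNou\ReAgent.dll
C:\Users\user\AppData\Local\QiP6c\UxTheme.dll
C:\Users\user\AppData\Local\FQTqHJ\XmlLite.dll
C:\Users\user\AppData\Local\AxQmthi0\DUI70.dll
C:\Users\user\AppData\Local\wsL8xMlEF\WINSTA.dll
C:\Users\user\AppData\Local\NNd0CnGJ\OLEACC.dll
C:\Users\user\AppData\Local\VgY\Secur32.dll
""".split()

PROC_RE = re.compile(r"\(PID: (\d+) cmdline: (.+?) MD5: ([0-9A-Fa-f]{32})\)")


def parse_process_tree(text):
    """Return (pid, image path, md5) per process row. The image is the first
    token of the command line; none of these rows quote a path with spaces."""
    rows = []
    for line in text.splitlines():
        m = PROC_RE.search(line)
        if m:
            pid, cmdline, md5 = m.groups()
            rows.append((int(pid), PureWindowsPath(cmdline.split()[0]), md5.upper()))
    return rows


def is_system_path(p):
    # Assumption: in the sandbox, anything executed from under C:\Windows is the
    # genuine Microsoft binary. A real hunt would verify the Authenticode chain.
    return str(p).lower().startswith("c:\\windows\\")


def find_sideloading(tree_text, dropped_paths):
    procs = parse_process_tree(tree_text)
    # Hashes of binaries that ran from their legitimate location.
    known_good = {md5 for _, img, md5 in procs if is_system_path(img)}
    # Same hash, executed from a non-system directory: a relocated host.
    relocated = {}  # lowercase dir -> (dir as written, exe name)
    for _, img, md5 in procs:
        if md5 in known_good and not is_system_path(img) and img.parent != PureWindowsPath("."):
            relocated[str(img.parent).lower()] = (str(img.parent), img.name)
    dropped = {}  # lowercase dir -> (dir as written, {dll names})
    for p in map(PureWindowsPath, dropped_paths):
        if p.suffix.lower() == ".dll":
            dropped.setdefault(str(p.parent).lower(), (str(p.parent), set()))[1].add(p.name)
    # Host and DLL in the same directory: the side-loading pair.
    pairs = [(d, exe, dll) for k, (d, exe) in sorted(relocated.items())
             for dll in sorted(dropped.get(k, ("", set()))[1])]
    # Partial evidence is reported, not discarded.
    exe_only = [(d, exe) for k, (d, exe) in sorted(relocated.items()) if k not in dropped]
    dll_only = [(d, dll) for k, (d, names) in sorted(dropped.items())
                if k not in relocated for dll in sorted(names)]
    return {"pairs": pairs, "exe_without_dll": exe_only, "dll_without_exe": dll_only}


if __name__ == "__main__":
    for key, rows in find_sideloading(PROCESS_TREE, DROPPED_FILES).items():
        print(key)
        for row in rows:
            print("  ", *row)
```

On a live host the same logic is a hunt: look under %LOCALAPPDATA% for an executable whose hash matches a file in System32, then list the DLLs beside it. With this report's evidence the EhStorAuthn.exe copy in r1aQ has no flagged DLL, and the WINSTA.dll and OLEACC.dll drops have no host in the tree; the function lists both cases separately so an analyst can decide whether the DLL was simply not detected or the host never launched.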
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe | Code function: 24_2_00007FF7BC80A0C4 CryptReleaseContext,CryptAcquireContextW,GetLastError,GetProcessHeap,HeapFree,
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe | Code function: 24_2_00007FF7BC804064 GetProcessHeap,HeapAlloc,memmove,CryptImportKey,GetLastError,CryptImportKey,GetLastError,CryptImportKey,GetLastError,GetProcessHeap,HeapFree,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,CryptDestroyKey,CryptDestroyKey,
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe | Code function: 24_2_00007FF7BC80998C GetProcessHeap,HeapFree,CryptReleaseContext,GetProcessHeap,HeapFree,
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe | Code function: 24_2_00007FF7BC809A24 CryptExportKey,GetLastError,GetProcessHeap,HeapAlloc,CryptExportKey,GetProcessHeap,HeapFree,CryptDestroyKey,
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe | Code function: 24_2_00007FF7BC80AC28 CryptGetUserKey,GetLastError,CryptDestroyKey,
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe | Code function: 24_2_00007FF7BC8087EC UuidCreate,UuidToStringW,CryptAcquireContextW,GetLastError,GetProcessHeap,HeapFree,RpcStringFreeW,
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe | Code function: 24_2_00007FF7BC80A198 CryptExportKey,GetLastError,GetProcessHeap,HeapAlloc,CryptExportKey,GetProcessHeap,HeapFree,CryptDestroyKey,
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe | Code function: 24_2_00007FF7BC8082F0 CryptGenKey,GetLastError,CryptDestroyKey,GetProcessHeap,HeapAlloc,CryptDestroyKey,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe | Code function: 24_2_00007FF7BC8043E0 CryptImportKey,CryptSetKeyParam,CryptSetKeyParam,CryptGetKeyParam,CryptEncrypt,CryptDecrypt,GetLastError,CryptDestroyKey,GetProcessHeap,HeapFree,
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe | Code function: 24_2_00007FF7BC8084E4 CryptImportKey,GetLastError,CryptImportKey,CryptExportKey,GetProcessHeap,HeapAlloc,CryptExportKey,GetProcessHeap,HeapAlloc,memmove,GetProcessHeap,HeapFree,CryptDestroyKey,CryptDestroyKey,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,CryptReleaseContext,
Source: C:\Users\user\AppData\Local\FQTqHJ\MusNotificationUx.exe | Code function: 29_2_00007FF618B18290 RtlNtStatusToDosError,BCryptGetProperty,RtlNtStatusToDosError,RtlNtStatusToDosError,
Source: C:\Users\user\AppData\Local\r1aQ\EhStorAuthn.exe | Code function: 36_2_00007FF6F2325B64 CryptProtectData,RegCreateKeyExW,RegCloseKey,RegCreateKeyExW,RegSetValueExW,RegCloseKey,LocalFree,
Source: C:\Users\user\AppData\Local\r1aQ\EhStorAuthn.exe | Code function: 36_2_00007FF6F2325DD8 memset,RegOpenKeyW,RegQueryValueExW,LocalAlloc,RegQueryValueExW,RegCloseKey,LocalFree,CryptUnprotectData,LocalFree,LocalFree,
Source: C:\Users\user\AppData\Local\VgY\mstsc.exe | Code function: 41_2_00007FF657DAF52C CryptProtectData,LocalAlloc,LocalFree,
Source: C:\Users\user\AppData\Local\VgY\mstsc.exe | Code function: 41_2_00007FF657DAF8FC CryptBinaryToStringW,LocalAlloc,CryptBinaryToStringW,LocalFree,
Source: A2qAaSVuU2.dll | Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA
Source: Binary string: SndVol.pdbGCTL | source: SndVol.exe, 00000022.00000002.478682807.00007FF74A7C2000.00000002.00020000.sdmp
Source: Binary string: RecoveryDrive.pdbGCTL | source: RecoveryDrive.exe, 00000018.00000000.393437519.00007FF7BC85C000.00000002.00020000.sdmp
Source: Binary string: EhStorAuthn.pdbGCTL | source: EhStorAuthn.exe, 00000024.00000000.479708302.00007FF6F232B000.00000002.00020000.sdmp
Source: Binary string: MusNotificationUx.pdb | source: MusNotificationUx.exe, 0000001D.00000000.420648066.00007FF618B1E000.00000002.00020000.sdmp
Source: Binary string: SysResetErr.pdb | source: SysResetErr.exe, 00000015.00000000.365066669.00007FF727F86000.00000002.00020000.sdmp
Source: Binary string: MusNotificationUx.pdbGCTL | source: MusNotificationUx.exe, 0000001D.00000000.420648066.00007FF618B1E000.00000002.00020000.sdmp
Source: Binary string: EhStorAuthn.pdb | source: EhStorAuthn.exe, 00000024.00000000.479708302.00007FF6F232B000.00000002.00020000.sdmp
Source: Binary string: RecoveryDrive.pdb | source: RecoveryDrive.exe, 00000018.00000000.393437519.00007FF7BC85C000.00000002.00020000.sdmp
Source: Binary string: SndVol.pdb | source: SndVol.exe, 00000022.00000002.478682807.00007FF74A7C2000.00000002.00020000.sdmp
Source: Binary string: SysResetErr.pdbGCTL | source: SysResetErr.exe, 00000015.00000000.365066669.00007FF727F86000.00000002.00020000.sdmp
Source: C:\Users\user\AppData\Local\r1aQ\EhStorAuthn.exe | Code function: 36_2_00007FF6F23211E0 RegisterTraceGuidsW,CommandLineToArgvW,_wcsicmp,_wcsicmp,_wcsicmp,_wcsicmp,_wcsicmp,LocalAlloc,LocalFree,UnregisterClassW,LocalFree,UnregisterDeviceNotification,GetLastError,FindWindowW,SendMessageW,memset,RegisterClassExW,CreateWindowExW,GetLastError,ShowWindow,memset,RegisterDeviceNotificationW,GetLastError,TranslateMessage,DispatchMessageW,GetMessageW,GetLastError,UnregisterTraceGuids,
Source: C:\Windows\System32\loaddll64.exe | Code function: 0_2_000000014005D290 FindFirstFileExW,
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe | Code function: 24_2_00007FF7BC7F4E28 GetFileAttributesW,GetLastError,memset,FindFirstFileW,GetLastError,FindClose,GetProcessHeap,CompareStringW,CompareStringW,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,FindNextFileW,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,CreateFileW,GetLastError,CloseHandle,GetFileSizeEx,GetLastError,CloseHandle,CloseHandle,GetProcessHeap,HeapFree,CloseHandle,GetProcessHeap,CloseHandle,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe | Code function: 24_2_00007FF7BC80E958 free,memset,FindFirstFileW,GetLastError,GetLastError,FindNextFileW,GetLastError,GetLastError,GetLastError,GetLastError,GetLastError,FindClose,
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe | Code function: 24_2_00007FF7BC81B964 memset,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapAlloc,FindFirstFileW,GetLastError,GetLastError,_wcsicmp,_wcsicmp,GetLastError,GetCurrentThread,NtQueryInformationThread,FindNextFileW,GetLastError,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,FindClose,SetLastError,
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe | Code function: 24_2_00007FF7BC810638 memset,SetLastError,SetLastError,HeapAlloc,GetLastError,FindFirstFileW,memset,memset,wcsrchr,SetLastError,CompareStringW,CompareStringW,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,memset,FindNextFileW,GetLastError,GetLastError,GetLastError,FindClose,GetLastError,RtlFreeHeap,GetLastError,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,SetLastError,SetLastError,
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe | Code function: 24_2_00007FF7BC7F57FC memset,GetSystemWindowsDirectoryW,GetLastError,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetFileAttributesW,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetFileAttributesW,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetVolumeInformationW,memset,FindFirstFileW,GetLastError,CompareStringW,CompareStringW,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,FindNextFileW,GetLastError,GetLastError,GetProcessHeap,HeapFree,GetFileAttributesW,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetFileAttributesW,GetProcessHeap,HeapFree,FindClose,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe | Code function: 24_2_00007FF7BC7F6718 WIMCreateFile,GetLastError,FindClose,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,WIMCloseHandle,WIMCloseHandle,memset,WIMGetAttributes,GetLastError,memset,GetFullPathNameW,GetLastError,memset,FindFirstFileW,GetLastError,GetProcessHeap,HeapFree,WIMCreateFile,WIMCloseHandle,memset,WIMGetAttributes,FindNextFileW,GetLastError,GetLastError,GetLastError,
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe | Code function: 24_2_00007FF7BC7E21CC GetProcessHeap,HeapFree,GetFileAttributesW,GetLastError,GetProcessHeap,HeapFree,_wcsicmp,GetProcessHeap,HeapFree,FindClose,FindFirstFileW,FindClose,GetLastError,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,FindNextFileW,memmove,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,FindClose,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe | Code function: 24_2_00007FF7BC815458 memset,memset,memset,memset,FindFirstFileW,CompareStringW,CompareStringW,memset,FindNextFileW,FindClose,CoTaskMemFree,GetProcessHeap,HeapFree,
Source: C:\Users\user\AppData\Local\FQTqHJ\MusNotificationUx.exe | Code function: 29_2_00007FF618B1A104 ?_Swap_all@_Container_base0@std@@QEAAXAEAU12@@Z,FindFirstFileW,FindNextFileW,FindClose,?_Swap_all@_Container_base0@std@@QEAAXAEAU12@@Z,?_Swap_all@_Container_base0@std@@QEAAXAEAU12@@Z,
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe | Code function: 24_2_00007FF7BC7DB29C memset,GetSystemWindowsDirectoryW,GetLastError,memset,GetLogicalDriveStringsW,GetLastError,GetProcessHeap,HeapFree,memset,GetVolumeInformationW,LoadStringW,GetProcessHeap,HeapFree,
Source: SndVol.exe, 00000020.00000002.447751833.000002C464AA0000.00000002.00020000.sdmp | String found in binary or memory: http://schemas.micro
Source: unknown | DNS traffic detected: queries for: clientconfig.passport.net

E-Banking Fraud:

Yara detected Dridex unpacked file
Source: Yara match | File source: 00000015.00000002.387213363.0000000140001000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000029.00000002.529730818.0000000140001000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.339300443.0000000140001000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.274418377.0000000140001000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000022.00000002.470825407.0000000140001000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000018.00000002.415547508.0000000140001000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.279916623.0000000140001000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.257940331.0000000140001000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000024.00000002.501617051.0000000140001000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.263722595.0000000140001000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 0000001D.00000002.442655730.0000000140001000.00000020.00020000.sdmp, type: MEMORY
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe | Code function: 24_2_00007FF7BC804064 GetProcessHeap,HeapAlloc,memmove,CryptImportKey,GetLastError,CryptImportKey,GetLastError,CryptImportKey,GetLastError,GetProcessHeap,HeapFree,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,CryptDestroyKey,CryptDestroyKey,
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe | Code function: 24_2_00007FF7BC8043E0 CryptImportKey,CryptSetKeyParam,CryptSetKeyParam,CryptGetKeyParam,CryptEncrypt,CryptDecrypt,GetLastError,CryptDestroyKey,GetProcessHeap,HeapFree,
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe | Code function: 24_2_00007FF7BC8084E4 CryptImportKey,GetLastError,CryptImportKey,CryptExportKey,GetProcessHeap,HeapAlloc,CryptExportKey,GetProcessHeap,HeapAlloc,memmove,GetProcessHeap,HeapFree,CryptDestroyKey,CryptDestroyKey,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,CryptReleaseContext,
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe | Code function: 24_2_00007FF7BC855C64 NtShutdownSystem,InitiateSystemShutdownExW,GetLastError,
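The dump names in the Yara lists (here and in the Yara Overview above) encode where each detection fired. The script below is an added example, not Joe Sandbox code, that decodes them under a field layout assumed from this report: process index in hex (0x15 = 21, the SysResetErr.exe instance whose code functions are prefixed 21_2_, and so on for 0x18 = 24, 0x1D = 29, 0x22 = 34, 0x24 = 36, 0x29 = 41), snapshot phase, dump id, base address, page protection as a Windows PAGE_* value, and a trailing field that is left uninterpreted. Every one of the 11 hits is a PAGE_EXECUTE_READ region at 0x140001000, the MSVC default x64 image base plus one page, while the dumps that carry each host's own .pdb string sit at 0x7FF6.../0x7FF7...: the unpacked Dridex image is a second executable mapping, far from the host's ASLR-placed image, in every process the loader touched. The process-name table and the image-dump bases are transcribed from the report; indexes 2, 3, 6 and 7 are not named anywhere on the page and are reported as numbers.

```python
import re
from dataclasses import dataclass

# Yara "Dridex unpacked file" hits, transcribed from the report.
YARA_HITS = """
00000015.00000002.387213363.0000000140001000.00000020.00020000.sdmp
00000029.00000002.529730818.0000000140001000.00000020.00020000.sdmp
00000002.00000002.339300443.0000000140001000.00000020.00020000.sdmp
00000007.00000002.274418377.0000000140001000.00000020.00020000.sdmp
00000022.00000002.470825407.0000000140001000.00000020.00020000.sdmp
00000018.00000002.415547508.0000000140001000.00000020.00020000.sdmp
00000000.00000002.279916623.0000000140001000.00000020.00020000.sdmp
00000003.00000002.257940331.0000000140001000.00000020.00020000.sdmp
00000024.00000002.501617051.0000000140001000.00000020.00020000.sdmp
00000006.00000002.263722595.0000000140001000.00000020.00020000.sdmp
0000001D.00000002.442655730.0000000140001000.00000020.00020000.sdmp
""".split()

# Process index -> image name, read off the "N_2_<addr>" code-function prefixes
# and the "Binary string ... source:" lines of the report (indexes are hex).
PROCESS_NAMES = {
    0x00: "loaddll64.exe", 0x15: "SysResetErr.exe", 0x18: "RecoveryDrive.exe",
    0x1D: "MusNotificationUx.exe", 0x22: "SndVol.exe", 0x24: "EhStorAuthn.exe",
    0x29: "mstsc.exe",
}

# Base of the dump that carried each host's own .pdb string, i.e. a region inside
# the legitimate image, which ASLR placed at 0x7FF6.../0x7FF7... (from the report).
IMAGE_DUMP_BASE = {
    0x15: 0x7FF727F86000, 0x18: 0x7FF7BC85C000, 0x1D: 0x7FF618B1E000,
    0x22: 0x7FF74A7C2000, 0x24: 0x7FF6F232B000,
}

PAGE_PROTECT = {
    0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
    0x08: "PAGE_WRITECOPY", 0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
    0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY",
}

# Assumed layout: index.phase.dumpid.base.protect.type.sdmp
DUMP_RE = re.compile(
    r"^([0-9A-F]{8})\.([0-9A-F]{8})\.(\d+)\.([0-9A-F]{16})\.([0-9A-F]{8})\.([0-9A-F]{8})\.sdmp$",
    re.IGNORECASE,
)


@dataclass(frozen=True)
class Region:
    proc_index: int   # sandbox process index (hex in the name)
    phase: int        # snapshot phase; 2 for every hit in this report
    dump_id: int
    base: int
    protect: int      # Windows PAGE_* constant
    region_type: int  # trailing field, not interpreted here


def parse_dump_name(name: str) -> Region:
    m = DUMP_RE.match(name.strip())
    if not m:
        raise ValueError(f"not a Joe Sandbox dump name: {name!r}")
    idx, phase, dump_id, base, prot, rtype = m.groups()
    return Region(int(idx, 16), int(phase, 16), int(dump_id),
                  int(base, 16), int(prot, 16), int(rtype, 16))


def is_executable(r: Region) -> bool:
    return bool(r.protect & 0xF0)  # PAGE_EXECUTE* are 0x10, 0x20, 0x40, 0x80


def process_name(r: Region) -> str:
    return PROCESS_NAMES.get(r.proc_index, f"process #{r.proc_index}")


def describe(r: Region) -> dict:
    return {
        "process": process_name(r),
        "base": f"0x{r.base:X}",
        "protect": PAGE_PROTECT.get(r.protect & 0xFF, f"0x{r.protect:X}"),
        "executable": is_executable(r),
    }


def payload_bases(regions):
    """Distinct (base, protection) pairs across the hits; a single entry means
    the same payload image was mapped at the same address in every process."""
    return sorted({(r.base, r.protect) for r in regions})


def payload_outside_image(regions, slack=0x10000000):
    """Hosts whose executable hit lies more than `slack` bytes from the region
    that held their own .pdb string: a heuristic for a second, manually mapped
    image, not a claim about the dump format's semantics."""
    names = set()
    for r in regions:
        img = IMAGE_DUMP_BASE.get(r.proc_index)
        if img is not None and is_executable(r) and abs(r.base - img) > slack:
            names.add(process_name(r))
    return sorted(names)


if __name__ == "__main__":
    regions = [parse_dump_name(n) for n in YARA_HITS]
    for r in regions:
        print(describe(r))
    print("payload (base, protect) combinations:", payload_bases(regions))
    print("payload mapped away from the host image in:", payload_outside_image(regions))
```

The check that matters for triage is the last one: for the five hosts whose own image location is known from the .pdb dumps, the Yara hit is an executable region nowhere near that image, which is what a manually mapped payload looks like and what the "Changes memory attributes in foreign processes" and "Queues an APC in another process" signatures in the overview predict. The four unnamed indexes are most likely the cmd.exe and rundll32.exe instances from the process tree, but the page does not say so, and the code leaves them as numbers.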
            Source: C:\Windows\System32\loaddll64.exeCode function: 0_2_0000000140034870
            Source: C:\Windows\System32\loaddll64.exeCode function: 0_2_0000000140035270
            Source: C:\Windows\System32\loaddll64.exeCode function: 0_2_0000000140048AC0
            Source: C:\Windows\System32\loaddll64.exeCode function: 0_2_000000014005C340
            Source: C:\Windows\System32\loaddll64.exeCode function: 0_2_0000000140065B80
            Source: C:\Windows\System32\loaddll64.exeCode function: 0_2_000000014006A4B0
            Source: C:\Windows\System32\loaddll64.exeCode function: 0_2_00000001400524B0
            Source: C:\Windows\System32\loaddll64.exeCode function: 0_2_0000000140026CC0
            Source: C:\Windows\System32\loaddll64.exeCode function: 0_2_000000014004BD40
            Source: C:\Windows\System32\loaddll64.exeCode function: 0_2_00000001400495B0
            Source: C:\Windows\System32\loaddll64.exeCode function: 0_2_0000000140036F30
            Source: C:\Windows\System32\loaddll64.exeCode function: 0_2_0000000140069010
            Source: C:\Windows\System32\loaddll64.exeCode function: 0_2_0000000140001010
            Source: C:\Windows\System32\loaddll64.exeCode function: 0_2_0000000140066020
            Source: C:\Windows\System32\loaddll64.exeCode function: 0_2_000000014002F840
            Source: C:\Windows\System32\loaddll64.exeCode function: 0_2_000000014005D850
            Source: C:\Windows\System32\loaddll64.exeCode function: 0_2_0000000140064080
            Source: C:\Windows\System32\loaddll64.exeCode function: 0_2_0000000140010880
            Source: C:\Windows\System32\loaddll64.exeCode function: 0_2_00000001400688A0
            Source: C:\Windows\System32\loaddll64.exeCode function: 0_2_000000014002D0D0
            Source: C:\Windows\System32\loaddll64.exeCode function: 0_2_00000001400018D0
            Source: C:\Windows\System32\loaddll64.exeCode function: 0_2_0000000140016100
            Source: C:\Windows\System32\loaddll64.exeCode function: 0_2_000000014001D100
            Source: C:\Windows\System32\loaddll64.exeCode function: 0_2_000000014002A110
            Source: C:\Windows\System32\loaddll64.exeCode function: 0_2_000000014001D910
            Source: C:\Windows\System32\loaddll64.exeCode function: 0_2_0000000140015120
            Source: C:\Windows\System32\loaddll64.exeCode function: 0_2_000000014000B120
            Source: C:\Windows\System32\loaddll64.exeCode function: 0_2_000000014004F940
            Source: C:\Windows\System32\loaddll64.exeCode function: 0_2_0000000140039140
            Source: C:\Windows\System32\loaddll64.exeCode function: 0_2_0000000140023140
            Source: C:\Windows\System32\loaddll64.exeCode function: 0_2_0000000140057950
            Source: C:\Windows\System32\loaddll64.exeCode function: 0_2_000000014001E170
            Source: C:\Windows\System32\loaddll64.exeCode function: 0_2_0000000140002980
            Source: C:\Windows\System32\loaddll64.exeCode function: 0_2_00000001400611A0
            Source: C:\Windows\System32\loaddll64.exeCode function: 0_2_00000001400389A0
            Source: C:\Windows\System32\loaddll64.exeCode function: 0_2_00000001400381A0
            Source: C:\Windows\System32\loaddll64.exeCode function: 0_2_000000014002E1B0
            Source: C:\Windows\System32\loaddll64.exeCode function: 0_2_00000001400139D0
            Source: C:\Windows\System32\loaddll64.exeCode function: 0_2_00000001400319F0
            Source: C:\Windows\System32\loaddll64.exeCode function: 0_2_000000014002EA00
            Source: C:\Windows\System32\loaddll64.exeCode function: 0_2_0000000140022A00
            Source: C:\Windows\System32\loaddll64.exeCode function: 0_2_000000014003B220
            Source: C:\Windows\System32\loaddll64.exeCode function: 0_2_0000000140067A40
            Source: C:\Windows\System32\loaddll64.exeCode function: 0_2_0000000140069A50
            Source: C:\Windows\System32\loaddll64.exeCode function: 0_2_0000000140007A60
            Source: C:\Windows\System32\loaddll64.exeCode function: 0_2_000000014003AAC0
            Source: C:\Windows\System32\loaddll64.exeCode function: 0_2_000000014003A2E0
            Source: C:\Windows\System32\loaddll64.exeCode function: 0_2_0000000140062B00
            Source: C:\Windows\System32\loaddll64.exeCode function: 0_2_0000000140018300
            Source: C:\Windows\System32\loaddll64.exeCode function: 0_2_000000014002FB20
            Source: C:\Windows\System32\loaddll64.exeCode function: 0_2_0000000140031340
            Source: C:\Windows\System32\loaddll64.exeCode function: 0_2_0000000140022340
            Source: C:\Windows\System32\loaddll64.exeCode function: 0_2_0000000140017B40
            Source: C:\Windows\System32\loaddll64.exeCode function: 0_2_000000014000BB40
            Source: C:\Windows\System32\loaddll64.exeCode function: 0_2_000000014004EB60
            Source: C:\Windows\System32\loaddll64.exeCode function: 0_2_0000000140005370
            Source: C:\Windows\System32\loaddll64.exeCode function: 0_2_000000014002CB80
            Source: C:\Windows\System32\loaddll64.exeCode function: 0_2_000000014006B390
            Source: C:\Windows\System32\loaddll64.exeCode function: 0_2_0000000140054BA0
            Source: C:\Windows\System32\loaddll64.exeCode function: 0_2_0000000140033BB0
            Source: C:\Windows\System32\loaddll64.exeCode function: 0_2_00000001400263C0
            Source: C:\Windows\System32\loaddll64.exeCode function: 0_2_00000001400123C0
            Source: C:\Windows\System32\loaddll64.exeCode function: 0_2_0000000140063BD0
            Source: C:\Windows\System32\loaddll64.exeCode function: 0_2_00000001400663F0
            Source: C:\Windows\System32\loaddll64.exeCode function: 0_2_0000000140023BF0
            Source: C:\Windows\System32\loaddll64.exeCode function: 0_2_000000014006B41B
            Source: C:\Windows\System32\loaddll64.exeCode function: 0_2_000000014006B424
            Source: C:\Windows\System32\loaddll64.exeCode function: 0_2_000000014006B42D
            Source: C:\Windows\System32\loaddll64.exeCode function: 0_2_000000014006B436
            Source: C:\Windows\System32\loaddll64.exeCode function: 0_2_000000014006B43D
            Source: C:\Windows\System32\loaddll64.exeCode function: 0_2_0000000140024440
            Source: C:\Windows\System32\loaddll64.exeCode function: 0_2_0000000140005C40
            Source: C:\Windows\System32\loaddll64.exeCode function: 0_2_000000014006B446
            Source: C:\Windows\System32\loaddll64.exeCode function: 0_2_000000014005F490
            Source: C:\Windows\System32\loaddll64.exeCode function: 0_2_0000000140022D00
            Source: C:\Windows\System32\loaddll64.exeCode function: 0_2_0000000140035520
            Source: C:\Windows\System32\loaddll64.exeCode function: 0_2_0000000140019D20
            Source: C:\Windows\System32\loaddll64.exeCode function: 0_2_0000000140030530
            Source: C:\Windows\System32\loaddll64.exeCode function: 0_2_0000000140023530
            Source: C:\Windows\System32\loaddll64.exeCode function: 0_2_0000000140031540
            Source: C:\Windows\System32\loaddll64.exeCode function: 0_2_0000000140033540
            Source: C:\Windows\System32\loaddll64.exeCode function: 0_2_000000014007BD50
            Source: C:\Windows\System32\loaddll64.exeCode function: 0_2_0000000140078570
            Source: C:\Windows\System32\loaddll64.exeCode function: 0_2_0000000140019580
            Source: C:\Windows\System32\loaddll64.exeCode function: 0_2_00000001400205A0
            Source: C:\Windows\System32\loaddll64.exeCode function: 0_2_0000000140025DB0
            Source: C:\Windows\System32\loaddll64.exeCode function: 0_2_0000000140071DC0
            Source: C:\Windows\System32\loaddll64.exeCode function: 0_2_000000014000C5C0
            Source: C:\Windows\System32\loaddll64.exeCode function: 0_2_000000014002DDE0
            Source: C:\Windows\System32\loaddll64.exeCode function: 0_2_0000000140031DF0
            Source: C:\Windows\System32\loaddll64.exeCode function: 0_2_000000014000DDF0
            Source: C:\Windows\System32\loaddll64.exeCode function: 0_2_0000000140001620
            Source: C:\Windows\System32\loaddll64.exeCode function: 0_2_0000000140018630
            Source: C:\Windows\System32\loaddll64.exeCode function: 0_2_0000000140032650
            Source: C:\Windows\System32\loaddll64.exeCode function: 0_2_0000000140064E80
            Source: C:\Windows\System32\loaddll64.exeCode function: 0_2_0000000140016E80
            Source: C:\Windows\System32\loaddll64.exeCode function: 0_2_0000000140007EA0
            Source: C:\Windows\System32\loaddll64.exeCode function: 0_2_00000001400286B0
            Source: C:\Windows\System32\loaddll64.exeCode function: 0_2_0000000140006EB0
            Source: C:\Windows\System32\loaddll64.exeCode function: 0_2_00000001400276C0
            Source: C:\Windows\System32\loaddll64.exeCode function: 0_2_000000014002FEC0
            Source: C:\Windows\System32\loaddll64.exeCode function: 0_2_000000014002EED0
            Source: C:\Windows\System32\loaddll64.exeCode function: 0_2_000000014002B6E0
            Source: C:\Windows\System32\loaddll64.exeCode function: 0_2_0000000140053F20
            Source: C:\Windows\System32\loaddll64.exeCode function: 0_2_0000000140022730
            Source: C:\Windows\System32\loaddll64.exeCode function: 0_2_0000000140029780
            Source: C:\Windows\System32\loaddll64.exeCode function: 0_2_0000000140018F80
            Source: C:\Windows\System32\loaddll64.exeCode function: 0_2_000000014003EFB0
            Source: C:\Windows\System32\loaddll64.exeCode function: 0_2_00000001400067B0
            Source: C:\Windows\System32\loaddll64.exeCode function: 0_2_00000001400667D0
            Source: C:\Windows\System32\loaddll64.exeCode function: 0_2_0000000140060FE0
Source: C:\Users\user\AppData\Local\AxQmthi0\SysResetErr.exe Code function: 21_2_00007FF727F81424
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe Code function: 24_2_00007FF7BC821DAC
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe Code function: 24_2_00007FF7BC7D8D98
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe Code function: 24_2_00007FF7BC7D7DE0
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe Code function: 24_2_00007FF7BC832DE0
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe Code function: 24_2_00007FF7BC846D24
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe Code function: 24_2_00007FF7BC7EBD70
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe Code function: 24_2_00007FF7BC842EA8
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe Code function: 24_2_00007FF7BC845EB0
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe Code function: 24_2_00007FF7BC7EAEEC
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe Code function: 24_2_00007FF7BC7F4E28
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe Code function: 24_2_00007FF7BC7D1E50
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe Code function: 24_2_00007FF7BC81BE40
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe Code function: 24_2_00007FF7BC816E74
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe Code function: 24_2_00007FF7BC7F6FC4
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe Code function: 24_2_00007FF7BC807FD4
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe Code function: 24_2_00007FF7BC82DFF0
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe Code function: 24_2_00007FF7BC7DFFE8
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe Code function: 24_2_00007FF7BC7F2FE8
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe Code function: 24_2_00007FF7BC7D6000
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe Code function: 24_2_00007FF7BC7D8010
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe Code function: 24_2_00007FF7BC819000
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe Code function: 24_2_00007FF7BC83EF24
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe Code function: 24_2_00007FF7BC82EF40
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe Code function: 24_2_00007FF7BC830F40
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe Code function: 24_2_00007FF7BC7E0F74
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe Code function: 24_2_00007FF7BC7FC0A0
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe Code function: 24_2_00007FF7BC7EE0A0
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe Code function: 24_2_00007FF7BC83D0C0
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe Code function: 24_2_00007FF7BC7EF0F0
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe Code function: 24_2_00007FF7BC8260E0
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe Code function: 24_2_00007FF7BC83E104
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe Code function: 24_2_00007FF7BC84F020
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe Code function: 24_2_00007FF7BC804064
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe Code function: 24_2_00007FF7BC7D7058
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe Code function: 24_2_00007FF7BC802074
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe Code function: 24_2_00007FF7BC84A080
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe Code function: 24_2_00007FF7BC7E19A0
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe Code function: 24_2_00007FF7BC8409B0
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe Code function: 24_2_00007FF7BC8009C4
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe Code function: 24_2_00007FF7BC7FF9F0
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe Code function: 24_2_00007FF7BC7E89F0
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe Code function: 24_2_00007FF7BC7D7A00
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe Code function: 24_2_00007FF7BC7FE9FC
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe Code function: 24_2_00007FF7BC7DCA0C
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe Code function: 24_2_00007FF7BC827A00
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe Code function: 24_2_00007FF7BC81B964
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe Code function: 24_2_00007FF7BC7F8980
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe Code function: 24_2_00007FF7BC823980
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe Code function: 24_2_00007FF7BC7D9AB4
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe Code function: 24_2_00007FF7BC84FA9C
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe Code function: 24_2_00007FF7BC7E9AE0
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe Code function: 24_2_00007FF7BC7ECAF0
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe Code function: 24_2_00007FF7BC837B10
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe Code function: 24_2_00007FF7BC831B10
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe Code function: 24_2_00007FF7BC834B14
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe Code function: 24_2_00007FF7BC81AAFC
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe Code function: 24_2_00007FF7BC813A30
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe Code function: 24_2_00007FF7BC7F3A1C
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe Code function: 24_2_00007FF7BC82DA40
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe Code function: 24_2_00007FF7BC838A90
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe Code function: 24_2_00007FF7BC84DBA0
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe Code function: 24_2_00007FF7BC7D6BDC
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe Code function: 24_2_00007FF7BC833C08
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe Code function: 24_2_00007FF7BC7F9B24
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe Code function: 24_2_00007FF7BC80FB18
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe Code function: 24_2_00007FF7BC80BB70
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe Code function: 24_2_00007FF7BC819B58
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe Code function: 24_2_00007FF7BC7E1CAC
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe Code function: 24_2_00007FF7BC7DBCE0
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe Code function: 24_2_00007FF7BC7FFCF0
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe Code function: 24_2_00007FF7BC7EFC40
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe Code function: 24_2_00007FF7BC829C70
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe Code function: 24_2_00007FF7BC7FBC58
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe Code function: 24_2_00007FF7BC830C90
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe Code function: 24_2_00007FF7BC808C80
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe Code function: 24_2_00007FF7BC7E85EC
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe Code function: 24_2_00007FF7BC831608
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe Code function: 24_2_00007FF7BC814610
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe Code function: 24_2_00007FF7BC7E3530
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe Code function: 24_2_00007FF7BC832590
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe Code function: 24_2_00007FF7BC841578
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe Code function: 24_2_00007FF7BC7D8590
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe Code function: 24_2_00007FF7BC7FA6F4
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe Code function: 24_2_00007FF7BC810638
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe Code function: 24_2_00007FF7BC83566C
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe Code function: 24_2_00007FF7BC7F7684
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe Code function: 24_2_00007FF7BC7D568C
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe Code function: 24_2_00007FF7BC8227A0
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe Code function: 24_2_00007FF7BC7DA7C0
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe Code function: 24_2_00007FF7BC847808
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe Code function: 24_2_00007FF7BC7F57FC
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe Code function: 24_2_00007FF7BC84A810
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe Code function: 24_2_00007FF7BC7F6718
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe Code function: 24_2_00007FF7BC82474C
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe Code function: 24_2_00007FF7BC801740
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe Code function: 24_2_00007FF7BC7D273C
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe Code function: 24_2_00007FF7BC7FB76C
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe Code function: 24_2_00007FF7BC82F790
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe Code function: 24_2_00007FF7BC7D8790
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe Code function: 24_2_00007FF7BC80B77C
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe Code function: 24_2_00007FF7BC83F780
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe Code function: 24_2_00007FF7BC84F780
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe Code function: 24_2_00007FF7BC82089C
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe Code function: 24_2_00007FF7BC8398E0
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe Code function: 24_2_00007FF7BC8491D0
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe Code function: 24_2_00007FF7BC7E21CC
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe Code function: 24_2_00007FF7BC80E1D8
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe Code function: 24_2_00007FF7BC7E720C
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe Code function: 24_2_00007FF7BC836200
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe Code function: 24_2_00007FF7BC81012C
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe Code function: 24_2_00007FF7BC7E1130
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe Code function: 24_2_00007FF7BC839170
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe Code function: 24_2_00007FF7BC857160
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe Code function: 24_2_00007FF7BC84517C
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe Code function: 24_2_00007FF7BC7DB29C
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe Code function: 24_2_00007FF7BC834298
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe Code function: 24_2_00007FF7BC7D52AC
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe Code function: 24_2_00007FF7BC8442D4
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe Code function: 24_2_00007FF7BC7DD2E0
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe Code function: 24_2_00007FF7BC8282F0
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe Code function: 24_2_00007FF7BC8012EC
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe Code function: 24_2_00007FF7BC7F224C
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe Code function: 24_2_00007FF7BC813270
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe Code function: 24_2_00007FF7BC809264
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe Code function: 24_2_00007FF7BC7ED290
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe Code function: 24_2_00007FF7BC84E3E0
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe Code function: 24_2_00007FF7BC84340C
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe Code function: 24_2_00007FF7BC821320
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe Code function: 24_2_00007FF7BC812350
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe Code function: 24_2_00007FF7BC7DF378
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe Code function: 24_2_00007FF7BC8384A4
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe Code function: 24_2_00007FF7BC82A4E0
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe Code function: 24_2_00007FF7BC82E4E0
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe Code function: 24_2_00007FF7BC8084E4
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe Code function: 24_2_00007FF7BC83B510
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe Code function: 24_2_00007FF7BC7DC430
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe Code function: 24_2_00007FF7BC80343C
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe Code function: 24_2_00007FF7BC7F4454
Source: C:\Users\user\AppData\Local\FQTqHJ\MusNotificationUx.exe Code function: 29_2_00007FF618B019F0
Source: C:\Users\user\AppData\Local\FQTqHJ\MusNotificationUx.exe Code function: 29_2_00007FF618AFA9EC
Source: C:\Users\user\AppData\Local\FQTqHJ\MusNotificationUx.exe Code function: 29_2_00007FF618AFD9E4
Source: C:\Users\user\AppData\Local\FQTqHJ\MusNotificationUx.exe Code function: 29_2_00007FF618AF71D8
Source: C:\Users\user\AppData\Local\FQTqHJ\MusNotificationUx.exe Code function: 29_2_00007FF618AFB5C0
Source: C:\Users\user\AppData\Local\FQTqHJ\MusNotificationUx.exe Code function: 29_2_00007FF618AFC5B8
Source: C:\Users\user\AppData\Local\FQTqHJ\MusNotificationUx.exe Code function: 29_2_00007FF618AFCE18
Source: C:\Users\user\AppData\Local\FQTqHJ\MusNotificationUx.exe Code function: 29_2_00007FF618B0E5DC
Source: C:\Users\user\AppData\Local\FQTqHJ\MusNotificationUx.exe Code function: 29_2_00007FF618B04208
Source: C:\Users\user\AppData\Local\FQTqHJ\MusNotificationUx.exe Code function: 29_2_00007FF618B109E8
Source: C:\Users\user\AppData\Local\FQTqHJ\MusNotificationUx.exe Code function: 29_2_00007FF618AF61FC
Source: C:\Users\user\AppData\Local\FQTqHJ\MusNotificationUx.exe Code function: 29_2_00007FF618B03570
Source: C:\Users\user\AppData\Local\FQTqHJ\MusNotificationUx.exe Code function: 29_2_00007FF618B0ED88
Source: C:\Users\user\AppData\Local\FQTqHJ\MusNotificationUx.exe Code function: 29_2_00007FF618B169A8
Source: C:\Users\user\AppData\Local\FQTqHJ\MusNotificationUx.exe Code function: 29_2_00007FF618B0CDA8
Source: C:\Users\user\AppData\Local\FQTqHJ\MusNotificationUx.exe Code function: 29_2_00007FF618B0A16C
Source: C:\Users\user\AppData\Local\FQTqHJ\MusNotificationUx.exe Code function: 29_2_00007FF618B0C570
Source: C:\Users\user\AppData\Local\FQTqHJ\MusNotificationUx.exe Code function: 29_2_00007FF618AFD6E4
Source: C:\Users\user\AppData\Local\FQTqHJ\MusNotificationUx.exe Code function: 29_2_00007FF618B07EE0
Source: C:\Users\user\AppData\Local\FQTqHJ\MusNotificationUx.exe Code function: 29_2_00007FF618B0C318
Source: C:\Users\user\AppData\Local\FQTqHJ\MusNotificationUx.exe Code function: 29_2_00007FF618AFBEC4
Source: C:\Users\user\AppData\Local\FQTqHJ\MusNotificationUx.exe Code function: 29_2_00007FF618B0BEB8
Source: C:\Users\user\AppData\Local\FQTqHJ\MusNotificationUx.exe Code function: 29_2_00007FF618B0A6C8
Source: C:\Users\user\AppData\Local\FQTqHJ\MusNotificationUx.exe Code function: 29_2_00007FF618B02720
Source: C:\Users\user\AppData\Local\FQTqHJ\MusNotificationUx.exe Code function: 29_2_00007FF618B07720
Source: C:\Users\user\AppData\Local\FQTqHJ\MusNotificationUx.exe Code function: 29_2_00007FF618B186D8
Source: C:\Users\user\AppData\Local\FQTqHJ\MusNotificationUx.exe Code function: 29_2_00007FF618AFA26C
Source: C:\Users\user\AppData\Local\FQTqHJ\MusNotificationUx.exe Code function: 29_2_00007FF618B11688
Source: C:\Users\user\AppData\Local\FQTqHJ\MusNotificationUx.exe Code function: 29_2_00007FF618AFC25C
Source: C:\Users\user\AppData\Local\FQTqHJ\MusNotificationUx.exe Code function: 29_2_00007FF618AF67F4
Source: C:\Users\user\AppData\Local\FQTqHJ\MusNotificationUx.exe Code function: 29_2_00007FF618AFD3E8
Source: C:\Users\user\AppData\Local\FQTqHJ\MusNotificationUx.exe Code function: 29_2_00007FF618AF9FE8
Source: C:\Users\user\AppData\Local\FQTqHJ\MusNotificationUx.exe Code function: 29_2_00007FF618AFCBE4
Source: C:\Users\user\AppData\Local\FQTqHJ\MusNotificationUx.exe Code function: 29_2_00007FF618B0AC0C
Source: C:\Users\user\AppData\Local\FQTqHJ\MusNotificationUx.exe Code function: 29_2_00007FF618B007D8
Source: C:\Users\user\AppData\Local\FQTqHJ\MusNotificationUx.exe Code function: 29_2_00007FF618B05C2C
Source: C:\Users\user\AppData\Local\FQTqHJ\MusNotificationUx.exe Code function: 29_2_00007FF618B08BCC
Source: C:\Users\user\AppData\Local\FQTqHJ\MusNotificationUx.exe Code function: 29_2_00007FF618AFB80C
Source: C:\Users\user\AppData\Local\FQTqHJ\MusNotificationUx.exe Code function: 29_2_00007FF618B083E0
Source: C:\Users\user\AppData\Local\FQTqHJ\MusNotificationUx.exe Code function: 29_2_00007FF618AFBB68
Source: C:\Users\user\AppData\Local\FQTqHJ\MusNotificationUx.exe Code function: 29_2_00007FF618AF4760
Source: C:\Users\user\AppData\Local\FQTqHJ\MusNotificationUx.exe Code function: 29_2_00007FF618AFF360
Source: C:\Users\user\AppData\Local\FQTqHJ\MusNotificationUx.exe Code function: 29_2_00007FF618B06754
Source: C:\Users\user\AppData\Local\FQTqHJ\MusNotificationUx.exe Code function: 29_2_00007FF618B0BBAC
Source: C:\Users\user\AppData\Local\FQTqHJ\MusNotificationUx.exe Code function: 29_2_00007FF618B1C3B4
Source: C:\Users\user\AppData\Local\FQTqHJ\MusNotificationUx.exe Code function: 29_2_00007FF618B0F33C
Source: C:\Users\user\AppData\Local\FQTqHJ\MusNotificationUx.exe Code function: 29_2_00007FF618B047A8
Source: C:\Users\user\AppData\Local\FQTqHJ\MusNotificationUx.exe Code function: 29_2_00007FF618AFB38C
Source: C:\Users\user\AppData\Local\FQTqHJ\MusNotificationUx.exe Code function: 29_2_00007FF618AFE38C
Source: C:\Users\user\AppData\Local\FQTqHJ\MusNotificationUx.exe Code function: 29_2_00007FF618B06B7C
Source: C:\Users\user\AppData\Local\FQTqHJ\MusNotificationUx.exe Code function: 29_2_00007FF618AFECE8
Source: C:\Users\user\AppData\Local\FQTqHJ\MusNotificationUx.exe Code function: 29_2_00007FF618AFDCE4
Source: C:\Users\user\AppData\Local\FQTqHJ\MusNotificationUx.exe Code function: 29_2_00007FF618B03CE0
Source: C:\Users\user\AppData\Local\FQTqHJ\MusNotificationUx.exe Code function: 29_2_00007FF618B044C4
Source: C:\Users\user\AppData\Local\FQTqHJ\MusNotificationUx.exe Code function: 29_2_00007FF618B11130
Source: C:\Users\user\AppData\Local\FQTqHJ\MusNotificationUx.exe Code function: 29_2_00007FF618AF9D28
Source: C:\Users\user\AppData\Local\FQTqHJ\MusNotificationUx.exe Code function: 29_2_00007FF618B0F8CC
Source: C:\Users\user\AppData\Local\FQTqHJ\MusNotificationUx.exe Code function: 29_2_00007FF618AFC908
Source: C:\Users\user\AppData\Local\FQTqHJ\MusNotificationUx.exe Code function: 29_2_00007FF618B01100
Source: C:\Users\user\AppData\Local\FQTqHJ\MusNotificationUx.exe Code function: 29_2_00007FF618AFACFC
Source: C:\Users\user\AppData\Local\FQTqHJ\MusNotificationUx.exe Code function: 29_2_00007FF618B06048
Source: C:\Users\user\AppData\Local\FQTqHJ\MusNotificationUx.exe Code function: 29_2_00007FF618AFE040
Source: C:\Users\user\AppData\Local\FQTqHJ\MusNotificationUx.exe Code function: 29_2_00007FF618AFB03C
Source: C:\Users\user\AppData\Local\FQTqHJ\MusNotificationUx.exe Code function: 29_2_00007FF618B11CB0
Source: C:\Users\user\AppData\Local\FQTqHJ\MusNotificationUx.exe Code function: 29_2_00007FF618B0944C
Source: C:\Users\user\AppData\Local\FQTqHJ\MusNotificationUx.exe Code function: 29_2_00007FF618B1044C
Source: C:\Users\user\AppData\Local\FQTqHJ\MusNotificationUx.exe Code function: 29_2_00007FF618B0D054
Source: C:\Users\user\AppData\Local\FQTqHJ\MusNotificationUx.exe Code function: 29_2_00007FF618B04C80
Source: C:\Users\user\AppData\Local\FQTqHJ\MusNotificationUx.exe Code function: 29_2_00007FF618B0A070
Source: C:\Users\user\AppData\Local\QiP6c\SndVol.exe Code function: 34_2_00007FF74A7B03A0
Source: C:\Users\user\AppData\Local\QiP6c\SndVol.exe Code function: 34_2_00007FF74A7B2BD8
Source: C:\Users\user\AppData\Local\QiP6c\SndVol.exe Code function: 34_2_00007FF74A7B3718
Source: C:\Users\user\AppData\Local\QiP6c\SndVol.exe Code function: 34_2_00007FF74A7B0CA8
Source: C:\Users\user\AppData\Local\QiP6c\SndVol.exe Code function: 34_2_00007FF74A7BC4D0
Source: C:\Users\user\AppData\Local\QiP6c\SndVol.exe Code function: 34_2_00007FF74A7A44E8
Source: C:\Users\user\AppData\Local\QiP6c\SndVol.exe Code function: 34_2_00007FF74A7A3514
Source: C:\Users\user\AppData\Local\QiP6c\SndVol.exe Code function: 34_2_00007FF74A7A3080
Source: C:\Users\user\AppData\Local\QiP6c\SndVol.exe Code function: 34_2_00007FF74A7BB088
Source: C:\Users\user\AppData\Local\QiP6c\SndVol.exe Code function: 34_2_00007FF74A7AA1A0
Source: C:\Users\user\AppData\Local\QiP6c\SndVol.exe Code function: 34_2_00007FF74A7AA5C8
Source: C:\Users\user\AppData\Local\QiP6c\SndVol.exe Code function: 34_2_00007FF74A7A8310
Source: C:\Users\user\AppData\Local\QiP6c\SndVol.exe Code function: 34_2_00007FF74A7B4F10
Source: C:\Users\user\AppData\Local\QiP6c\SndVol.exe Code function: 34_2_00007FF74A7A6218
Source: C:\Users\user\AppData\Local\r1aQ\EhStorAuthn.exe Code function: 36_2_00007FF6F2321B80
Source: C:\Users\user\AppData\Local\r1aQ\EhStorAuthn.exe Code function: 36_2_00007FF6F2324600
Source: C:\Users\user\AppData\Local\r1aQ\EhStorAuthn.exe Code function: 36_2_00007FF6F2328BC8
Source: C:\Users\user\AppData\Local\r1aQ\EhStorAuthn.exe Code function: 36_2_00007FF6F2322CD0
Source: C:\Users\user\AppData\Local\r1aQ\EhStorAuthn.exe Code function: 36_2_00007FF6F23241D8
Source: C:\Users\user\AppData\Local\r1aQ\EhStorAuthn.exe Code function: 36_2_00007FF6F23211E0
Source: C:\Users\user\AppData\Local\VgY\mstsc.exe Code function: 41_2_00007FF657D464DC
Source: C:\Users\user\AppData\Local\VgY\mstsc.exe Code function: 41_2_00007FF657D484C0
Source: C:\Users\user\AppData\Local\VgY\mstsc.exe Code function: 41_2_00007FF657D4A858
Source: C:\Users\user\AppData\Local\VgY\mstsc.exe Code function: 41_2_00007FF657D48060
Source: C:\Users\user\AppData\Local\VgY\mstsc.exe Code function: 41_2_00007FF657D35410
Source: C:\Users\user\AppData\Local\VgY\mstsc.exe Code function: 41_2_00007FF657D477C0
Source: C:\Users\user\AppData\Local\VgY\mstsc.exe Code function: 41_2_00007FF657D36B94
Source: C:\Users\user\AppData\Local\VgY\mstsc.exe Code function: 41_2_00007FF657D74320
Source: C:\Users\user\AppData\Local\VgY\mstsc.exe Code function: 41_2_00007FF657D512E0
Source: C:\Users\user\AppData\Local\VgY\mstsc.exe Code function: 41_2_00007FF657D34EC4
Source: C:\Users\user\AppData\Local\VgY\mstsc.exe Code function: 41_2_00007FF657D4EAB4
Source: C:\Users\user\AppData\Local\VgY\mstsc.exe Code function: 41_2_00007FF657DC1690
Source: C:\Users\user\AppData\Local\VgY\mstsc.exe Code function: 41_2_00007FF657D3DA8C
Source: C:\Users\user\AppData\Local\VgY\mstsc.exe Code function: 41_2_00007FF657D4CE08
Source: C:\Users\user\AppData\Local\VgY\mstsc.exe Code function: 41_2_00007FF657D435EC
Source: C:\Users\user\AppData\Local\VgY\mstsc.exe Code function: 41_2_00007FF657D48DF0
Source: C:\Users\user\AppData\Local\VgY\mstsc.exe Code function: 41_2_00007FF657D439A0
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe Code function: String function: 00007FF7BC81CA8C appears 41 times
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe Code function: String function: 00007FF7BC7DE9C4 appears 36 times
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe Code function: String function: 00007FF7BC80D0A8 appears 57 times
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe Code function: String function: 00007FF7BC7D3D44 appears 916 times
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe Code function: String function: 00007FF7BC7D3B08 appears 48 times
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_0000000140046C90 NtClose,
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_000000014006A4B0 NtQuerySystemInformation,
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe Code function: 24_2_00007FF7BC7DFFE8 GetFileAttributesW,SetFileAttributesW,CreateFileW,GetFileInformationByHandle,GetModuleHandleW,GetProcAddress,GetProcAddress,memset,GetFullPathNameW,HeapAlloc,RtlFreeHeap,_wcsicmp,FindClose,GetProcessHeap,HeapFree,GetLastError,GetLastError,NtSetInformationFile,RtlNtStatusToDosError,CloseHandle,SetFileAttributesW,GetProcessHeap,HeapFree,GetLastError,GetLastError,GetProcessHeap,HeapFree,SetLastError,
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe Code function: 24_2_00007FF7BC81A090 CreateFileW,GetLastError,GetProcessHeap,HeapAlloc,NtQueryInformationFile,NtOpenProcess,NtQueryInformationProcess,GetProcessHeap,HeapAlloc,NtQueryInformationProcess,NtClose,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,CloseHandle,GetProcessHeap,HeapFree,
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe Code function: 24_2_00007FF7BC81A9C8 memset,CreateFileW,NtClose,
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe Code function: 24_2_00007FF7BC81B964 memset,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapAlloc,FindFirstFileW,GetLastError,GetLastError,_wcsicmp,_wcsicmp,GetLastError,GetCurrentThread,NtQueryInformationThread,FindNextFileW,GetLastError,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,FindClose,SetLastError,
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe Code function: 24_2_00007FF7BC81A984 NtReadFile,
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe Code function: 24_2_00007FF7BC81AAFC GetLastError,GetLastError,GetLastError,GetLastError,GetProcessHeap,HeapFree,GetLastError,GetLastError,RtlImageNtHeader,GetLastError,GetLastError,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetLastError,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,CreateFileW,GetLastError,GetLastError,GetLastError,GetLastError,GetLastError,GetLastError,GetProcessHeap,HeapAlloc,memset,WriteFile,GetLastError,GetProcessHeap,HeapFree,NtClose,GetLastError,GetLastError,GetLastError,GetLastError,GetLastError,SetLastError,GetLastError,GetLastError,GetLastError,GetLastError,GetLastError,GetLastError,GetLastError,GetLastError,FlushFileBuffers,GetLastError,CloseHandle,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,SetLastError,
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe Code function: 24_2_00007FF7BC819B58 memset,NtWriteFile,NtReadFile,NtWriteFile,NtWriteFile,NtWriteFile,
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe Code function: 24_2_00007FF7BC855C64 NtShutdownSystem,InitiateSystemShutdownExW,GetLastError,
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe Code function: 24_2_00007FF7BC81C56C NtQuerySystemInformation,
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe Code function: 24_2_00007FF7BC7D273C memset,memset,GetFileAttributesW,GetProcessHeap,HeapFree,GetFileAttributesW,memset,GetSystemWindowsDirectoryW,GetLastError,GetProcessHeap,HeapFree,GetFileAttributesW,GetFileAttributesW,GetProcessHeap,HeapFree,GetFileAttributesW,GetProcessHeap,HeapFree,GetFileAttributesW,GetFileAttributesW,GetProcessHeap,HeapFree,GetFileAttributesW,memset,GetSystemWindowsDirectoryW,GetLastError,GetProcessHeap,HeapAlloc,GetFileAttributesW,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,SetEvent,NtPowerInformation,PowerCreateRequest,PowerSetRequest,PowerSetRequest,SetThreadExecutionState,memset,GetSystemWindowsDirectoryW,GetLastError,SetThreadExecutionState,PowerClearRequest,CloseHandle,SetEvent,GetProcessHeap,HeapFree,
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe Code function: 24_2_00007FF7BC84E3E0 memset,RtlGetVersion,GetCurrentProcess,SetPriorityClass,GetLastError,NtSetInformationProcess,NtSetInformationThread,NtSetInformationProcess,NtSetInformationThread,
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe Code function: 24_2_00007FF7BC812350 memset,memset,NtQuerySystemInformation,GetProcessHeap,HeapFree,GetLastError,SetLastError,memset,CoTaskMemFree,CoTaskMemFree,CoTaskMemFree,CoTaskMemFree,CoTaskMemFree,memset,CoTaskMemFree,CoTaskMemFree,CoTaskMemFree,CoTaskMemFree,CoTaskMemFree,memset,UuidCreate,CoTaskMemFree,CoTaskMemFree,CoTaskMemFree,CoTaskMemFree,CoTaskMemFree,CoTaskMemFree,CoTaskMemFree,
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe Code function: 24_2_00007FF7BC81A38C GetCurrentThread,NtQueryInformationThread,GetCurrentThread,NtSetInformationThread,
Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe Code function: 24_2_00007FF7BC80FE20 SetLastError,GetProcessHeap,HeapAlloc,DeviceIoControl,GetLastError,GetProcessHeap,HeapFree,SetLastError,
            Source: RecoveryDrive.exe.4.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
            Source: RecoveryDrive.exe.4.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
            Source: RecoveryDrive.exe.4.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
            Source: SndVol.exe.4.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
            Source: SndVol.exe.4.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
            Source: SndVol.exe.4.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
            Source: SndVol.exe.4.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
            Source: SndVol.exe.4.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
            Source: SndVol.exe.4.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
            Source: SndVol.exe.4.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
            Source: SndVol.exe.4.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
            Source: SndVol.exe.4.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
            Source: EhStorAuthn.exe.4.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
            Source: EhStorAuthn.exe.4.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
            Source: EhStorAuthn.exe.4.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
            Source: EhStorAuthn.exe.4.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
            Source: EhStorAuthn.exe.4.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
            Source: mstsc.exe.4.drStatic PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
            Source: mstsc.exe.4.drStatic PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
            Source: mstsc.exe.4.drStatic PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
            Source: mstsc.exe.4.drStatic PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
            Source: mstsc.exe.4.drStatic PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
            Source: mstsc.exe.4.drStatic PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
            Source: mstsc.exe.4.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
            Source: mstsc.exe.4.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
            Source: mstsc.exe.4.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
            Source: mstsc.exe.4.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
            Source: mstsc.exe.4.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
            Source: mstsc.exe.4.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
            Source: mstsc.exe.4.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
            Source: mstsc.exe.4.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
            Source: mstsc.exe.4.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
            Source: mstsc.exe.4.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
            Source: mstsc.exe.4.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
            Source: Magnify.exe.4.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
            Source: Magnify.exe.4.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
            Source: Magnify.exe.4.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
            Source: C:\Windows\explorer.exeSection loaded: windows.globalization.dll
            Source: A2qAaSVuU2.dllStatic PE information: Number of sections : 58 > 10
            Source: DUI70.dll.4.drStatic PE information: Number of sections : 59 > 10
            Source: UxTheme.dll0.4.drStatic PE information: Number of sections : 59 > 10
            Source: Secur32.dll.4.drStatic PE information: Number of sections : 59 > 10
            Source: ReAgent.dll.4.drStatic PE information: Number of sections : 59 > 10
            Source: WINSTA.dll.4.drStatic PE information: Number of sections : 59 > 10
            Source: XmlLite.dll.4.drStatic PE information: Number of sections : 59 > 10
            Source: OLEACC.dll.4.drStatic PE information: Number of sections : 59 > 10
            Source: UxTheme.dll.4.drStatic PE information: Number of sections : 59 > 10
            Source: A2qAaSVuU2.dllStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
            Source: DUI70.dll.4.drStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
            Source: ReAgent.dll.4.drStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
            Source: XmlLite.dll.4.drStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
            Source: UxTheme.dll.4.drStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
            Source: UxTheme.dll0.4.drStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
            Source: Secur32.dll.4.drStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
            Source: WINSTA.dll.4.drStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
            Source: OLEACC.dll.4.drStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
            Source: A2qAaSVuU2.dllVirustotal: Detection: 64%
            Source: A2qAaSVuU2.dllMetadefender: Detection: 62%
            Source: A2qAaSVuU2.dllReversingLabs: Detection: 84%
            Source: C:\Windows\System32\loaddll64.exeKey opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
            Source: unknownProcess created: C:\Windows\System32\loaddll64.exe loaddll64.exe 'C:\Users\user\Desktop\A2qAaSVuU2.dll'
            Source: C:\Windows\System32\loaddll64.exeProcess created: C:\Windows\System32\cmd.exe cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\A2qAaSVuU2.dll',#1
            Source: C:\Windows\System32\loaddll64.exeProcess created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\A2qAaSVuU2.dll,DpxFreeMemory
            Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\A2qAaSVuU2.dll',#1
            Source: C:\Windows\System32\loaddll64.exeProcess created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\A2qAaSVuU2.dll,DpxNewJob
            Source: C:\Windows\System32\loaddll64.exeProcess created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\A2qAaSVuU2.dll,DpxNewJobEx
            Source: C:\Windows\explorer.exeProcess created: C:\Windows\System32\SysResetErr.exe C:\Windows\system32\SysResetErr.exe
            Source: C:\Windows\explorer.exeProcess created: C:\Users\user\AppData\Local\AxQmthi0\SysResetErr.exe C:\Users\user\AppData\Local\AxQmthi0\SysResetErr.exe
            Source: C:\Windows\explorer.exeProcess created: C:\Windows\System32\RecoveryDrive.exe C:\Windows\system32\RecoveryDrive.exe
            Source: C:\Windows\explorer.exeProcess created: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe
            Source: C:\Windows\explorer.exeProcess created: C:\Windows\System32\MusNotificationUx.exe C:\Windows\system32\MusNotificationUx.exe
            Source: C:\Windows\explorer.exeProcess created: C:\Users\user\AppData\Local\FQTqHJ\MusNotificationUx.exe C:\Users\user\AppData\Local\FQTqHJ\MusNotificationUx.exe
            Source: C:\Windows\explorer.exeProcess created: C:\Windows\System32\SndVol.exe C:\Windows\system32\SndVol.exe
            Source: C:\Windows\explorer.exeProcess created: C:\Users\user\AppData\Local\QiP6c\SndVol.exe C:\Users\user\AppData\Local\QiP6c\SndVol.exe
            Source: C:\Windows\explorer.exeProcess created: C:\Windows\System32\EhStorAuthn.exe C:\Windows\system32\EhStorAuthn.exe
            Source: C:\Windows\explorer.exeProcess created: C:\Users\user\AppData\Local\r1aQ\EhStorAuthn.exe C:\Users\user\AppData\Local\r1aQ\EhStorAuthn.exe
            Source: C:\Windows\explorer.exeProcess created: C:\Windows\System32\mstsc.exe C:\Windows\system32\mstsc.exe
            Source: C:\Windows\explorer.exeProcess created: C:\Users\user\AppData\Local\VgY\mstsc.exe C:\Users\user\AppData\Local\VgY\mstsc.exe
            Source: C:\Windows\explorer.exeProcess created: unknown unknown
            Source: C:\Windows\explorer.exeProcess created: unknown unknown
            Source: C:\Windows\explorer.exeProcess created: unknown unknown
            Source: C:\Windows\explorer.exeProcess created: unknown unknown
            Source: C:\Windows\explorer.exeProcess created: unknown unknown
            Source: C:\Windows\explorer.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32
            Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exeCode function: 24_2_00007FF7BC81CBF0 GetCurrentThread,OpenThreadToken,GetLastError,GetProcessHeap,HeapAlloc,AdjustTokenPrivileges,GetLastError,GetProcessHeap,HeapFree,GetProcessHeap,HeapAlloc,AdjustTokenPrivileges,GetLastError,CloseHandle,GetProcessHeap,HeapFree,SetLastError,
            Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exeCode function: 24_2_00007FF7BC816644 GetCurrentThread,OpenThreadToken,GetLastError,GetCurrentProcess,OpenProcessToken,GetLastError,DuplicateTokenEx,GetLastError,AdjustTokenPrivileges,SetThreadToken,CloseHandle,CloseHandle,
            Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exeCode function: 24_2_00007FF7BC811900 AdjustTokenPrivileges,GetLastError,CloseHandle,
            Source: C:\Users\user\AppData\Local\FQTqHJ\MusNotificationUx.exeCode function: 29_2_00007FF618B16588 GetCurrentProcess,OpenProcessToken,AdjustTokenPrivileges,GetLastError,CloseHandle,
            Source: C:\Windows\explorer.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Crypto
            Source: classification engineClassification label: mal100.troj.evad.winDLL@40/17@1/0
            Source: C:\Users\user\AppData\Local\AxQmthi0\SysResetErr.exeCode function: 21_2_00007FF727F81424 GetCommandLineW,CommandLineToArgvW,_wcsicmp,_wcsicmp,CoInitialize,CoCreateInstance,memset,RegGetValueW,_wcsicmp,GetModuleHandleW,GetModuleHandleW,LoadStringW,?Create@DUIXmlParser@DirectUI@@SAJPEAPEAV12@P6APEAVValue@2@PEBGPEAX@Z2P6AX11H2@Z2@Z,?SetXMLFromResource@DUIXmlParser@DirectUI@@QEAAJIPEAUHINSTANCE__@@0@Z,?CreateElement@DUIXmlParser@DirectUI@@QEAAJPEBGPEAVElement@2@1PEAKPEAPEAV32@@Z,new,free,GetMessageW,TranslateMessage,DispatchMessageW,GetMessageW,?Destroy@Element@DirectUI@@QEAAJ_N@Z,
            Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exeCode function: 24_2_00007FF7BC855070 FormatMessageW,GetLastError,LocalFree,SysFreeString,LeaveCriticalSection,
            Source: C:\Users\user\AppData\Local\VgY\mstsc.exeMutant created: \Sessions\1\BaseNamedObjects\{79834223-9b8b-fb74-ddfa-b0860ef73558}
            Source: C:\Users\user\AppData\Local\VgY\mstsc.exeMutant created: \Sessions\1\BaseNamedObjects\{e1b7b966-7536-5d87-307b-f7b104c280aa}
            Source: C:\Users\user\AppData\Local\AxQmthi0\SysResetErr.exeCode function: 21_2_00007FF727F82128 LoadResource,LockResource,SizeofResource,
            Source: A2qAaSVuU2.dllStatic PE information: Image base 0x140000000 > 0x60000000
            Source: A2qAaSVuU2.dllStatic file information: File size 2232320 > 1048576
            Source: A2qAaSVuU2.dllStatic PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA
            Source: Binary string: SndVol.pdbGCTL source: SndVol.exe, 00000022.00000002.478682807.00007FF74A7C2000.00000002.00020000.sdmp
            Source: Binary string: RecoveryDrive.pdbGCTL source: RecoveryDrive.exe, 00000018.00000000.393437519.00007FF7BC85C000.00000002.00020000.sdmp
            Source: Binary string: EhStorAuthn.pdbGCTL source: EhStorAuthn.exe, 00000024.00000000.479708302.00007FF6F232B000.00000002.00020000.sdmp
            Source: Binary string: MusNotificationUx.pdb source: MusNotificationUx.exe, 0000001D.00000000.420648066.00007FF618B1E000.00000002.00020000.sdmp
            Source: Binary string: SysResetErr.pdb source: SysResetErr.exe, 00000015.00000000.365066669.00007FF727F86000.00000002.00020000.sdmp
            Source: Binary string: MusNotificationUx.pdbGCTL source: MusNotificationUx.exe, 0000001D.00000000.420648066.00007FF618B1E000.00000002.00020000.sdmp
            Source: Binary string: EhStorAuthn.pdb source: EhStorAuthn.exe, 00000024.00000000.479708302.00007FF6F232B000.00000002.00020000.sdmp
            Source: Binary string: RecoveryDrive.pdb source: RecoveryDrive.exe, 00000018.00000000.393437519.00007FF7BC85C000.00000002.00020000.sdmp
            Source: Binary string: SndVol.pdb source: SndVol.exe, 00000022.00000002.478682807.00007FF74A7C2000.00000002.00020000.sdmp
            Source: Binary string: SysResetErr.pdbGCTL source: SysResetErr.exe, 00000015.00000000.365066669.00007FF727F86000.00000002.00020000.sdmp
            Source: C:\Windows\System32\loaddll64.exeCode function: 0_2_0000000140056A4D push rdi; ret
            Source: A2qAaSVuU2.dllStatic PE information: section name: .qkm
            Source: A2qAaSVuU2.dllStatic PE information: section name: .cvjb
            Source: A2qAaSVuU2.dllStatic PE information: section name: .tlmkv
            Source: A2qAaSVuU2.dllStatic PE information: section name: .wucsxe
            Source: A2qAaSVuU2.dllStatic PE information: section name: .fltwtj
            Source: A2qAaSVuU2.dllStatic PE information: section name: .sfplio
            Source: A2qAaSVuU2.dllStatic PE information: section name: .rpg
            Source: A2qAaSVuU2.dllStatic PE information: section name: .bewzc
            Source: A2qAaSVuU2.dllStatic PE information: section name: .vksvaw
            Source: A2qAaSVuU2.dllStatic PE information: section name: .wmhg
            Source: A2qAaSVuU2.dllStatic PE information: section name: .kswemc
            Source: A2qAaSVuU2.dllStatic PE information: section name: .kaxfk
            Source: A2qAaSVuU2.dllStatic PE information: section name: .wualk
            Source: A2qAaSVuU2.dllStatic PE information: section name: .qdxz
            Source: A2qAaSVuU2.dllStatic PE information: section name: .rkyg
            Source: A2qAaSVuU2.dllStatic PE information: section name: .psul
            Source: A2qAaSVuU2.dllStatic PE information: section name: .pyjm
            Source: A2qAaSVuU2.dllStatic PE information: section name: .eoadme
            Source: A2qAaSVuU2.dllStatic PE information: section name: .fnz
            Source: A2qAaSVuU2.dllStatic PE information: section name: .gwheg
            Source: A2qAaSVuU2.dllStatic PE information: section name: .fcd
            Source: A2qAaSVuU2.dllStatic PE information: section name: .dwk
            Source: A2qAaSVuU2.dllStatic PE information: section name: .hgy
            Source: A2qAaSVuU2.dllStatic PE information: section name: .nfm
            Source: A2qAaSVuU2.dllStatic PE information: section name: .qmfqd
            Source: A2qAaSVuU2.dllStatic PE information: section name: .buzyfh
            Source: A2qAaSVuU2.dllStatic PE information: section name: .towo
            Source: A2qAaSVuU2.dllStatic PE information: section name: .omwdbg
            Source: A2qAaSVuU2.dllStatic PE information: section name: .virw
            Source: A2qAaSVuU2.dllStatic PE information: section name: .bck
            Source: A2qAaSVuU2.dllStatic PE information: section name: .mbhfb
            Source: A2qAaSVuU2.dllStatic PE information: section name: .kix
            Source: A2qAaSVuU2.dllStatic PE information: section name: .gurzs
            Source: A2qAaSVuU2.dllStatic PE information: section name: .dzdoj
            Source: A2qAaSVuU2.dllStatic PE information: section name: .egret
            Source: A2qAaSVuU2.dllStatic PE information: section name: .ftpyc
            Source: A2qAaSVuU2.dllStatic PE information: section name: .qrc
            Source: A2qAaSVuU2.dllStatic PE information: section name: .tnnx
            Source: A2qAaSVuU2.dllStatic PE information: section name: .vsjhk
            Source: A2qAaSVuU2.dllStatic PE information: section name: .fmswwe
            Source: A2qAaSVuU2.dllStatic PE information: section name: .zfhn
            Source: A2qAaSVuU2.dllStatic PE information: section name: .ejdgrp
            Source: A2qAaSVuU2.dllStatic PE information: section name: .soyat
            Source: A2qAaSVuU2.dllStatic PE information: section name: .jlil
            Source: A2qAaSVuU2.dllStatic PE information: section name: .bojgf
            Source: A2qAaSVuU2.dllStatic PE information: section name: .gvsnik
            Source: A2qAaSVuU2.dllStatic PE information: section name: .lsc
            Source: A2qAaSVuU2.dllStatic PE information: section name: .uepvem
            Source: A2qAaSVuU2.dllStatic PE information: section name: .don
            Source: A2qAaSVuU2.dllStatic PE information: section name: .dqju
            Source: A2qAaSVuU2.dllStatic PE information: section name: .qmgrql
            Source: A2qAaSVuU2.dllStatic PE information: section name: .cjrd
            Source: SysResetErr.exe.4.drStatic PE information: section name: .imrsiv
            Source: MusNotificationUx.exe.4.drStatic PE information: section name: .imrsiv
            Source: MusNotificationUx.exe.4.drStatic PE information: section name: .didat
            Source: SndVol.exe.4.drStatic PE information: section name: .imrsiv
            Source: SndVol.exe.4.drStatic PE information: section name: .didat
            Source: mstsc.exe.4.drStatic PE information: section name: .didat
            Source: DisplaySwitch.exe.4.drStatic PE information: section name: .imrsiv
            Source: DUI70.dll.4.drStatic PE information: section name: .qkm
            Source: DUI70.dll.4.drStatic PE information: section name: .cvjb
            Source: DUI70.dll.4.drStatic PE information: section name: .tlmkv
            Source: DUI70.dll.4.drStatic PE information: section name: .wucsxe
            Source: DUI70.dll.4.drStatic PE information: section name: .fltwtj
            Source: DUI70.dll.4.drStatic PE information: section name: .sfplio
            Source: DUI70.dll.4.drStatic PE information: section name: .rpg
            Source: DUI70.dll.4.drStatic PE information: section name: .bewzc
            Source: DUI70.dll.4.drStatic PE information: section name: .vksvaw
            Source: DUI70.dll.4.drStatic PE information: section name: .wmhg
            Source: DUI70.dll.4.drStatic PE information: section name: .kswemc
            Source: DUI70.dll.4.drStatic PE information: section name: .kaxfk
            Source: DUI70.dll.4.drStatic PE information: section name: .wualk
            Source: DUI70.dll.4.drStatic PE information: section name: .qdxz
            Source: DUI70.dll.4.drStatic PE information: section name: .rkyg
            Source: DUI70.dll.4.drStatic PE information: section name: .psul
            Source: DUI70.dll.4.drStatic PE information: section name: .pyjm
            Source: DUI70.dll.4.drStatic PE information: section name: .eoadme
            Source: DUI70.dll.4.drStatic PE information: section name: .fnz
            Source: DUI70.dll.4.drStatic PE information: section name: .gwheg
            Source: DUI70.dll.4.drStatic PE information: section name: .fcd
            Source: DUI70.dll.4.drStatic PE information: section name: .dwk
            Source: DUI70.dll.4.drStatic PE information: section name: .hgy
            Source: DUI70.dll.4.drStatic PE information: section name: .nfm
            Source: DUI70.dll.4.drStatic PE information: section name: .qmfqd
            Source: DUI70.dll.4.drStatic PE information: section name: .buzyfh
            Source: DUI70.dll.4.drStatic PE information: section name: .towo
            Source: DUI70.dll.4.drStatic PE information: section name: .omwdbg
            Source: DUI70.dll.4.drStatic PE information: section name: .virw
            Source: DUI70.dll.4.drStatic PE information: section name: .bck
            Source: DUI70.dll.4.drStatic PE information: section name: .mbhfb
            Source: DUI70.dll.4.drStatic PE information: section name: .kix
            Source: DUI70.dll.4.drStatic PE information: section name: .gurzs
            Source: DUI70.dll.4.drStatic PE information: section name: .dzdoj
            Source: DUI70.dll.4.drStatic PE information: section name: .egret
            Source: DUI70.dll.4.drStatic PE information: section name: .ftpyc
            Source: DUI70.dll.4.drStatic PE information: section name: .qrc
            Source: DUI70.dll.4.drStatic PE information: section name: .tnnx
            Source: DUI70.dll.4.drStatic PE information: section name: .vsjhk
            Source: DUI70.dll.4.drStatic PE information: section name: .fmswwe
            Source: DUI70.dll.4.drStatic PE information: section name: .zfhn
            Source: DUI70.dll.4.drStatic PE information: section name: .ejdgrp
            Source: DUI70.dll.4.drStatic PE information: section name: .soyat
            Source: DUI70.dll.4.drStatic PE information: section name: .jlil
            Source: DUI70.dll.4.drStatic PE information: section name: .bojgf
            Source: DUI70.dll.4.drStatic PE information: section name: .gvsnik
            Source: DUI70.dll.4.drStatic PE information: section name: .lsc
            Source: DUI70.dll.4.drStatic PE information: section name: .uepvem
            Source: DUI70.dll.4.drStatic PE information: section name: .don
            Source: DUI70.dll.4.drStatic PE information: section name: .dqju
            Source: DUI70.dll.4.drStatic PE information: section name: .qmgrql
            Source: DUI70.dll.4.drStatic PE information: section name: .cjrd
            Source: DUI70.dll.4.drStatic PE information: section name: .qnro
            Source: ReAgent.dll.4.drStatic PE information: section name: .qkm
            Source: ReAgent.dll.4.drStatic PE information: section name: .cvjb
            Source: ReAgent.dll.4.drStatic PE information: section name: .tlmkv
            Source: ReAgent.dll.4.drStatic PE information: section name: .wucsxe
            Source: ReAgent.dll.4.drStatic PE information: section name: .fltwtj
            Source: ReAgent.dll.4.drStatic PE information: section name: .sfplio
            Source: ReAgent.dll.4.drStatic PE information: section name: .rpg
            Source: ReAgent.dll.4.drStatic PE information: section name: .bewzc
            Source: ReAgent.dll.4.drStatic PE information: section name: .vksvaw
            Source: ReAgent.dll.4.drStatic PE information: section name: .wmhg
            Source: ReAgent.dll.4.drStatic PE information: section name: .kswemc
            Source: ReAgent.dll.4.drStatic PE information: section name: .kaxfk
            Source: ReAgent.dll.4.drStatic PE information: section name: .wualk
            Source: ReAgent.dll.4.drStatic PE information: section name: .qdxz
            Source: ReAgent.dll.4.drStatic PE information: section name: .rkyg
            Source: ReAgent.dll.4.drStatic PE information: section name: .psul
            Source: ReAgent.dll.4.drStatic PE information: section name: .pyjm
            Source: ReAgent.dll.4.drStatic PE information: section name: .eoadme
            Source: ReAgent.dll.4.drStatic PE information: section name: .fnz
            Source: ReAgent.dll.4.drStatic PE information: section name: .gwheg
            Source: ReAgent.dll.4.drStatic PE information: section name: .fcd
            Source: ReAgent.dll.4.drStatic PE information: section name: .dwk
            Source: ReAgent.dll.4.drStatic PE information: section name: .hgy
            Source: ReAgent.dll.4.drStatic PE information: section name: .nfm
            Source: ReAgent.dll.4.drStatic PE information: section name: .qmfqd
            Source: ReAgent.dll.4.drStatic PE information: section name: .buzyfh
            Source: ReAgent.dll.4.drStatic PE information: section name: .towo
            Source: ReAgent.dll.4.drStatic PE information: section name: .omwdbg
            Source: ReAgent.dll.4.drStatic PE information: section name: .virw
            Source: ReAgent.dll.4.drStatic PE information: section name: .bck
            Source: ReAgent.dll.4.drStatic PE information: section name: .mbhfb
            Source: ReAgent.dll.4.drStatic PE information: section name: .kix
            Source: ReAgent.dll.4.drStatic PE information: section name: .gurzs
            Source: ReAgent.dll.4.drStatic PE information: section name: .dzdoj
            Source: ReAgent.dll.4.drStatic PE information: section name: .egret
            Source: ReAgent.dll.4.drStatic PE information: section name: .ftpyc
            Source: ReAgent.dll.4.drStatic PE information: section name: .qrc
            Source: ReAgent.dll.4.drStatic PE information: section name: .tnnx
            Source: ReAgent.dll.4.drStatic PE information: section name: .vsjhk
            Source: ReAgent.dll.4.drStatic PE information: section name: .fmswwe
            Source: ReAgent.dll.4.drStatic PE information: section name: .zfhn
            Source: ReAgent.dll.4.drStatic PE information: section name: .ejdgrp
            Source: ReAgent.dll.4.drStatic PE information: section name: .soyat
            Source: ReAgent.dll.4.drStatic PE information: section name: .jlil
            Source: ReAgent.dll.4.drStatic PE information: section name: .bojgf
            Source: ReAgent.dll.4.drStatic PE information: section name: .gvsnik
            Source: ReAgent.dll.4.drStatic PE information: section name: .lsc
            Source: ReAgent.dll.4.drStatic PE information: section name: .uepvem
            Source: ReAgent.dll.4.drStatic PE information: section name: .don
            Source: ReAgent.dll.4.drStatic PE information: section name: .dqju
            Source: ReAgent.dll.4.dr | Static PE information: section name: .qmgrql
            Source: ReAgent.dll.4.dr | Static PE information: section name: .cjrd
            Source: ReAgent.dll.4.dr | Static PE information: section name: .lkgno
            Source: XmlLite.dll.4.dr | Static PE information: section name: .qkm
            Source: XmlLite.dll.4.dr | Static PE information: section name: .cvjb
            Source: XmlLite.dll.4.dr | Static PE information: section name: .tlmkv
            Source: XmlLite.dll.4.dr | Static PE information: section name: .wucsxe
            Source: XmlLite.dll.4.dr | Static PE information: section name: .fltwtj
            Source: XmlLite.dll.4.dr | Static PE information: section name: .sfplio
            Source: XmlLite.dll.4.dr | Static PE information: section name: .rpg
            Source: XmlLite.dll.4.dr | Static PE information: section name: .bewzc
            Source: XmlLite.dll.4.dr | Static PE information: section name: .vksvaw
            Source: XmlLite.dll.4.dr | Static PE information: section name: .wmhg
            Source: XmlLite.dll.4.dr | Static PE information: section name: .kswemc
            Source: XmlLite.dll.4.dr | Static PE information: section name: .kaxfk
            Source: XmlLite.dll.4.dr | Static PE information: section name: .wualk
            Source: XmlLite.dll.4.dr | Static PE information: section name: .qdxz
            Source: XmlLite.dll.4.dr | Static PE information: section name: .rkyg
            Source: XmlLite.dll.4.dr | Static PE information: section name: .psul
            Source: XmlLite.dll.4.dr | Static PE information: section name: .pyjm
            Source: XmlLite.dll.4.dr | Static PE information: section name: .eoadme
            Source: XmlLite.dll.4.dr | Static PE information: section name: .fnz
            Source: XmlLite.dll.4.dr | Static PE information: section name: .gwheg
            Source: XmlLite.dll.4.dr | Static PE information: section name: .fcd
            Source: XmlLite.dll.4.dr | Static PE information: section name: .dwk
            Source: XmlLite.dll.4.dr | Static PE information: section name: .hgy
            Source: XmlLite.dll.4.dr | Static PE information: section name: .nfm
            Source: XmlLite.dll.4.dr | Static PE information: section name: .qmfqd
            Source: XmlLite.dll.4.dr | Static PE information: section name: .buzyfh
            Source: XmlLite.dll.4.dr | Static PE information: section name: .towo
            Source: XmlLite.dll.4.dr | Static PE information: section name: .omwdbg
            Source: XmlLite.dll.4.dr | Static PE information: section name: .virw
            Source: XmlLite.dll.4.dr | Static PE information: section name: .bck
            Source: XmlLite.dll.4.dr | Static PE information: section name: .mbhfb
            Source: XmlLite.dll.4.dr | Static PE information: section name: .kix
            Source: XmlLite.dll.4.dr | Static PE information: section name: .gurzs
            Source: XmlLite.dll.4.dr | Static PE information: section name: .dzdoj
            Source: XmlLite.dll.4.dr | Static PE information: section name: .egret
            Source: XmlLite.dll.4.dr | Static PE information: section name: .ftpyc
            Source: XmlLite.dll.4.dr | Static PE information: section name: .qrc
            Source: XmlLite.dll.4.dr | Static PE information: section name: .tnnx
            Source: XmlLite.dll.4.dr | Static PE information: section name: .vsjhk
            Source: XmlLite.dll.4.dr | Static PE information: section name: .fmswwe
            Source: XmlLite.dll.4.dr | Static PE information: section name: .zfhn
            Source: XmlLite.dll.4.dr | Static PE information: section name: .ejdgrp
            Source: XmlLite.dll.4.dr | Static PE information: section name: .soyat
            Source: XmlLite.dll.4.dr | Static PE information: section name: .jlil
            Source: XmlLite.dll.4.dr | Static PE information: section name: .bojgf
            Source: XmlLite.dll.4.dr | Static PE information: section name: .gvsnik
            Source: XmlLite.dll.4.dr | Static PE information: section name: .lsc
            Source: XmlLite.dll.4.dr | Static PE information: section name: .uepvem
            Source: XmlLite.dll.4.dr | Static PE information: section name: .don
            Source: XmlLite.dll.4.dr | Static PE information: section name: .dqju
            Source: XmlLite.dll.4.dr | Static PE information: section name: .qmgrql
            Source: XmlLite.dll.4.dr | Static PE information: section name: .cjrd
            Source: XmlLite.dll.4.dr | Static PE information: section name: .rntf
            Source: UxTheme.dll.4.dr | Static PE information: section name: .qkm
            Source: UxTheme.dll.4.dr | Static PE information: section name: .cvjb
            Source: UxTheme.dll.4.dr | Static PE information: section name: .tlmkv
            Source: UxTheme.dll.4.dr | Static PE information: section name: .wucsxe
            Source: UxTheme.dll.4.dr | Static PE information: section name: .fltwtj
            Source: UxTheme.dll.4.dr | Static PE information: section name: .sfplio
            Source: UxTheme.dll.4.dr | Static PE information: section name: .rpg
            Source: UxTheme.dll.4.dr | Static PE information: section name: .bewzc
            Source: UxTheme.dll.4.dr | Static PE information: section name: .vksvaw
            Source: UxTheme.dll.4.dr | Static PE information: section name: .wmhg
            Source: UxTheme.dll.4.dr | Static PE information: section name: .kswemc
            Source: UxTheme.dll.4.dr | Static PE information: section name: .kaxfk
            Source: UxTheme.dll.4.dr | Static PE information: section name: .wualk
            Source: UxTheme.dll.4.dr | Static PE information: section name: .qdxz
            Source: UxTheme.dll.4.dr | Static PE information: section name: .rkyg
            Source: UxTheme.dll.4.dr | Static PE information: section name: .psul
            Source: UxTheme.dll.4.dr | Static PE information: section name: .pyjm
            Source: UxTheme.dll.4.dr | Static PE information: section name: .eoadme
            Source: UxTheme.dll.4.dr | Static PE information: section name: .fnz
            Source: UxTheme.dll.4.dr | Static PE information: section name: .gwheg
            Source: UxTheme.dll.4.dr | Static PE information: section name: .fcd
            Source: UxTheme.dll.4.dr | Static PE information: section name: .dwk
            Source: UxTheme.dll.4.dr | Static PE information: section name: .hgy
            Source: UxTheme.dll.4.dr | Static PE information: section name: .nfm
            Source: UxTheme.dll.4.dr | Static PE information: section name: .qmfqd
            Source: UxTheme.dll.4.dr | Static PE information: section name: .buzyfh
            Source: UxTheme.dll.4.dr | Static PE information: section name: .towo
            Source: UxTheme.dll.4.dr | Static PE information: section name: .omwdbg
            Source: UxTheme.dll.4.dr | Static PE information: section name: .virw
            Source: UxTheme.dll.4.dr | Static PE information: section name: .bck
            Source: UxTheme.dll.4.dr | Static PE information: section name: .mbhfb
            Source: UxTheme.dll.4.dr | Static PE information: section name: .kix
            Source: UxTheme.dll.4.dr | Static PE information: section name: .gurzs
            Source: UxTheme.dll.4.dr | Static PE information: section name: .dzdoj
            Source: UxTheme.dll.4.dr | Static PE information: section name: .egret
            Source: UxTheme.dll.4.dr | Static PE information: section name: .ftpyc
            Source: UxTheme.dll.4.dr | Static PE information: section name: .qrc
            Source: UxTheme.dll.4.dr | Static PE information: section name: .tnnx
            Source: UxTheme.dll.4.dr | Static PE information: section name: .vsjhk
            Source: UxTheme.dll.4.dr | Static PE information: section name: .fmswwe
            Source: UxTheme.dll.4.dr | Static PE information: section name: .zfhn
            Source: UxTheme.dll.4.dr | Static PE information: section name: .ejdgrp
            Source: UxTheme.dll.4.dr | Static PE information: section name: .soyat
            Source: UxTheme.dll.4.dr | Static PE information: section name: .jlil
            Source: UxTheme.dll.4.dr | Static PE information: section name: .bojgf
            Source: UxTheme.dll.4.dr | Static PE information: section name: .gvsnik
            Source: UxTheme.dll.4.dr | Static PE information: section name: .lsc
            Source: UxTheme.dll.4.dr | Static PE information: section name: .uepvem
            Source: UxTheme.dll.4.dr | Static PE information: section name: .don
            Source: UxTheme.dll.4.dr | Static PE information: section name: .dqju
            Source: UxTheme.dll.4.dr | Static PE information: section name: .qmgrql
            Source: UxTheme.dll.4.dr | Static PE information: section name: .cjrd
            Source: UxTheme.dll.4.dr | Static PE information: section name: .voxunw
            Source: UxTheme.dll0.4.dr | Static PE information: section name: .qkm
            Source: UxTheme.dll0.4.dr | Static PE information: section name: .cvjb
            Source: UxTheme.dll0.4.dr | Static PE information: section name: .tlmkv
            Source: UxTheme.dll0.4.dr | Static PE information: section name: .wucsxe
            Source: UxTheme.dll0.4.dr | Static PE information: section name: .fltwtj
            Source: UxTheme.dll0.4.dr | Static PE information: section name: .sfplio
            Source: UxTheme.dll0.4.dr | Static PE information: section name: .rpg
            Source: UxTheme.dll0.4.dr | Static PE information: section name: .bewzc
            Source: UxTheme.dll0.4.dr | Static PE information: section name: .vksvaw
            Source: UxTheme.dll0.4.dr | Static PE information: section name: .wmhg
            Source: UxTheme.dll0.4.dr | Static PE information: section name: .kswemc
            Source: UxTheme.dll0.4.dr | Static PE information: section name: .kaxfk
            Source: UxTheme.dll0.4.dr | Static PE information: section name: .wualk
            Source: UxTheme.dll0.4.dr | Static PE information: section name: .qdxz
            Source: UxTheme.dll0.4.dr | Static PE information: section name: .rkyg
            Source: UxTheme.dll0.4.dr | Static PE information: section name: .psul
            Source: UxTheme.dll0.4.dr | Static PE information: section name: .pyjm
            Source: UxTheme.dll0.4.dr | Static PE information: section name: .eoadme
            Source: UxTheme.dll0.4.dr | Static PE information: section name: .fnz
            Source: UxTheme.dll0.4.dr | Static PE information: section name: .gwheg
            Source: UxTheme.dll0.4.dr | Static PE information: section name: .fcd
            Source: UxTheme.dll0.4.dr | Static PE information: section name: .dwk
            Source: UxTheme.dll0.4.dr | Static PE information: section name: .hgy
            Source: UxTheme.dll0.4.dr | Static PE information: section name: .nfm
            Source: UxTheme.dll0.4.dr | Static PE information: section name: .qmfqd
            Source: UxTheme.dll0.4.dr | Static PE information: section name: .buzyfh
            Source: UxTheme.dll0.4.dr | Static PE information: section name: .towo
            Source: UxTheme.dll0.4.dr | Static PE information: section name: .omwdbg
            Source: UxTheme.dll0.4.dr | Static PE information: section name: .virw
            Source: UxTheme.dll0.4.dr | Static PE information: section name: .bck
            Source: UxTheme.dll0.4.dr | Static PE information: section name: .mbhfb
            Source: UxTheme.dll0.4.dr | Static PE information: section name: .kix
            Source: UxTheme.dll0.4.dr | Static PE information: section name: .gurzs
            Source: UxTheme.dll0.4.dr | Static PE information: section name: .dzdoj
            Source: UxTheme.dll0.4.dr | Static PE information: section name: .egret
            Source: UxTheme.dll0.4.dr | Static PE information: section name: .ftpyc
            Source: UxTheme.dll0.4.dr | Static PE information: section name: .qrc
            Source: UxTheme.dll0.4.dr | Static PE information: section name: .tnnx
            Source: UxTheme.dll0.4.dr | Static PE information: section name: .vsjhk
            Source: UxTheme.dll0.4.dr | Static PE information: section name: .fmswwe
            Source: UxTheme.dll0.4.dr | Static PE information: section name: .zfhn
            Source: UxTheme.dll0.4.dr | Static PE information: section name: .ejdgrp
            Source: UxTheme.dll0.4.dr | Static PE information: section name: .soyat
            Source: UxTheme.dll0.4.dr | Static PE information: section name: .jlil
            Source: UxTheme.dll0.4.dr | Static PE information: section name: .bojgf
            Source: UxTheme.dll0.4.dr | Static PE information: section name: .gvsnik
            Source: UxTheme.dll0.4.dr | Static PE information: section name: .lsc
            Source: UxTheme.dll0.4.dr | Static PE information: section name: .uepvem
            Source: UxTheme.dll0.4.dr | Static PE information: section name: .don
            Source: UxTheme.dll0.4.dr | Static PE information: section name: .dqju
            Source: UxTheme.dll0.4.dr | Static PE information: section name: .qmgrql
            Source: UxTheme.dll0.4.dr | Static PE information: section name: .cjrd
            Source: UxTheme.dll0.4.dr | Static PE information: section name: .alzpqi
            Source: Secur32.dll.4.dr | Static PE information: section name: .qkm
            Source: Secur32.dll.4.dr | Static PE information: section name: .cvjb
            Source: Secur32.dll.4.dr | Static PE information: section name: .tlmkv
            Source: Secur32.dll.4.dr | Static PE information: section name: .wucsxe
            Source: Secur32.dll.4.dr | Static PE information: section name: .fltwtj
            Source: Secur32.dll.4.dr | Static PE information: section name: .sfplio
            Source: Secur32.dll.4.dr | Static PE information: section name: .rpg
            Source: Secur32.dll.4.dr | Static PE information: section name: .bewzc
            Source: Secur32.dll.4.dr | Static PE information: section name: .vksvaw
            Source: Secur32.dll.4.dr | Static PE information: section name: .wmhg
            Source: Secur32.dll.4.dr | Static PE information: section name: .kswemc
            Source: Secur32.dll.4.dr | Static PE information: section name: .kaxfk
            Source: Secur32.dll.4.dr | Static PE information: section name: .wualk
            Source: Secur32.dll.4.dr | Static PE information: section name: .qdxz
            Source: Secur32.dll.4.dr | Static PE information: section name: .rkyg
            Source: Secur32.dll.4.dr | Static PE information: section name: .psul
            Source: Secur32.dll.4.dr | Static PE information: section name: .pyjm
            Source: Secur32.dll.4.dr | Static PE information: section name: .eoadme
            Source: Secur32.dll.4.dr | Static PE information: section name: .fnz
            Source: Secur32.dll.4.dr | Static PE information: section name: .gwheg
            Source: Secur32.dll.4.dr | Static PE information: section name: .fcd
            Source: Secur32.dll.4.dr | Static PE information: section name: .dwk
            Source: Secur32.dll.4.dr | Static PE information: section name: .hgy
            Source: Secur32.dll.4.dr | Static PE information: section name: .nfm
            Source: Secur32.dll.4.dr | Static PE information: section name: .qmfqd
            Source: Secur32.dll.4.dr | Static PE information: section name: .buzyfh
            Source: Secur32.dll.4.dr | Static PE information: section name: .towo
            Source: Secur32.dll.4.dr | Static PE information: section name: .omwdbg
            Source: Secur32.dll.4.dr | Static PE information: section name: .virw
            Source: Secur32.dll.4.dr | Static PE information: section name: .bck
            Source: Secur32.dll.4.dr | Static PE information: section name: .mbhfb
            Source: Secur32.dll.4.dr | Static PE information: section name: .kix
            Source: Secur32.dll.4.dr | Static PE information: section name: .gurzs
            Source: Secur32.dll.4.dr | Static PE information: section name: .dzdoj
            Source: Secur32.dll.4.dr | Static PE information: section name: .egret
            Source: Secur32.dll.4.dr | Static PE information: section name: .ftpyc
            Source: Secur32.dll.4.dr | Static PE information: section name: .qrc
            Source: Secur32.dll.4.dr | Static PE information: section name: .tnnx
            Source: Secur32.dll.4.dr | Static PE information: section name: .vsjhk
            Source: Secur32.dll.4.dr | Static PE information: section name: .fmswwe
            Source: Secur32.dll.4.dr | Static PE information: section name: .zfhn
            Source: Secur32.dll.4.dr | Static PE information: section name: .ejdgrp
            Source: Secur32.dll.4.dr | Static PE information: section name: .soyat
            Source: Secur32.dll.4.dr | Static PE information: section name: .jlil
            Source: Secur32.dll.4.dr | Static PE information: section name: .bojgf
            Source: Secur32.dll.4.dr | Static PE information: section name: .gvsnik
            Source: Secur32.dll.4.dr | Static PE information: section name: .lsc
            Source: Secur32.dll.4.dr | Static PE information: section name: .uepvem
            Source: Secur32.dll.4.dr | Static PE information: section name: .don
            Source: Secur32.dll.4.dr | Static PE information: section name: .dqju
            Source: Secur32.dll.4.dr | Static PE information: section name: .qmgrql
            Source: Secur32.dll.4.dr | Static PE information: section name: .cjrd
            Source: Secur32.dll.4.dr | Static PE information: section name: .gfkt
            Source: WINSTA.dll.4.dr | Static PE information: section name: .qkm
            Source: WINSTA.dll.4.dr | Static PE information: section name: .cvjb
            Source: WINSTA.dll.4.dr | Static PE information: section name: .tlmkv
            Source: WINSTA.dll.4.dr | Static PE information: section name: .wucsxe
            Source: WINSTA.dll.4.dr | Static PE information: section name: .fltwtj
            Source: WINSTA.dll.4.dr | Static PE information: section name: .sfplio
            Source: WINSTA.dll.4.dr | Static PE information: section name: .rpg
            Source: WINSTA.dll.4.dr | Static PE information: section name: .bewzc
            Source: WINSTA.dll.4.dr | Static PE information: section name: .vksvaw
            Source: WINSTA.dll.4.dr | Static PE information: section name: .wmhg
            Source: WINSTA.dll.4.dr | Static PE information: section name: .kswemc
            Source: WINSTA.dll.4.dr | Static PE information: section name: .kaxfk
            Source: WINSTA.dll.4.dr | Static PE information: section name: .wualk
            Source: WINSTA.dll.4.dr | Static PE information: section name: .qdxz
            Source: WINSTA.dll.4.dr | Static PE information: section name: .rkyg
            Source: WINSTA.dll.4.dr | Static PE information: section name: .psul
            Source: WINSTA.dll.4.dr | Static PE information: section name: .pyjm
            Source: WINSTA.dll.4.dr | Static PE information: section name: .eoadme
            Source: WINSTA.dll.4.dr | Static PE information: section name: .fnz
            Source: WINSTA.dll.4.dr | Static PE information: section name: .gwheg
            Source: WINSTA.dll.4.dr | Static PE information: section name: .fcd
            Source: WINSTA.dll.4.dr | Static PE information: section name: .dwk
            Source: WINSTA.dll.4.dr | Static PE information: section name: .hgy
            Source: WINSTA.dll.4.dr | Static PE information: section name: .nfm
            Source: WINSTA.dll.4.dr | Static PE information: section name: .qmfqd
            Source: WINSTA.dll.4.dr | Static PE information: section name: .buzyfh
            Source: WINSTA.dll.4.dr | Static PE information: section name: .towo
            Source: WINSTA.dll.4.dr | Static PE information: section name: .omwdbg
            Source: WINSTA.dll.4.dr | Static PE information: section name: .virw
            Source: WINSTA.dll.4.dr | Static PE information: section name: .bck
            Source: WINSTA.dll.4.dr | Static PE information: section name: .mbhfb
            Source: WINSTA.dll.4.dr | Static PE information: section name: .kix
            Source: WINSTA.dll.4.dr | Static PE information: section name: .gurzs
            Source: WINSTA.dll.4.dr | Static PE information: section name: .dzdoj
            Source: WINSTA.dll.4.dr | Static PE information: section name: .egret
            Source: WINSTA.dll.4.dr | Static PE information: section name: .ftpyc
            Source: WINSTA.dll.4.dr | Static PE information: section name: .qrc
            Source: WINSTA.dll.4.dr | Static PE information: section name: .tnnx
            Source: WINSTA.dll.4.dr | Static PE information: section name: .vsjhk
            Source: WINSTA.dll.4.dr | Static PE information: section name: .fmswwe
            Source: WINSTA.dll.4.dr | Static PE information: section name: .zfhn
            Source: WINSTA.dll.4.dr | Static PE information: section name: .ejdgrp
            Source: WINSTA.dll.4.dr | Static PE information: section name: .soyat
            Source: WINSTA.dll.4.dr | Static PE information: section name: .jlil
            Source: WINSTA.dll.4.dr | Static PE information: section name: .bojgf
            Source: WINSTA.dll.4.dr | Static PE information: section name: .gvsnik
            Source: WINSTA.dll.4.dr | Static PE information: section name: .lsc
            Source: WINSTA.dll.4.dr | Static PE information: section name: .uepvem
            Source: WINSTA.dll.4.dr | Static PE information: section name: .don
            Source: WINSTA.dll.4.dr | Static PE information: section name: .dqju
            Source: WINSTA.dll.4.dr | Static PE information: section name: .qmgrql
            Source: WINSTA.dll.4.dr | Static PE information: section name: .cjrd
            Source: WINSTA.dll.4.dr | Static PE information: section name: .tfmzf
            Source: OLEACC.dll.4.dr | Static PE information: section name: .qkm
            Source: OLEACC.dll.4.dr | Static PE information: section name: .cvjb
            Source: OLEACC.dll.4.dr | Static PE information: section name: .tlmkv
            Source: OLEACC.dll.4.dr | Static PE information: section name: .wucsxe
            Source: OLEACC.dll.4.dr | Static PE information: section name: .fltwtj
            Source: OLEACC.dll.4.dr | Static PE information: section name: .sfplio
            Source: OLEACC.dll.4.dr | Static PE information: section name: .rpg
            Source: OLEACC.dll.4.dr | Static PE information: section name: .bewzc
            Source: OLEACC.dll.4.dr | Static PE information: section name: .vksvaw
            Source: OLEACC.dll.4.dr | Static PE information: section name: .wmhg
            Source: OLEACC.dll.4.dr | Static PE information: section name: .kswemc
            Source: OLEACC.dll.4.dr | Static PE information: section name: .kaxfk
            Source: OLEACC.dll.4.dr | Static PE information: section name: .wualk
            Source: OLEACC.dll.4.dr | Static PE information: section name: .qdxz
            Source: OLEACC.dll.4.dr | Static PE information: section name: .rkyg
            Source: OLEACC.dll.4.dr | Static PE information: section name: .psul
            Source: OLEACC.dll.4.dr | Static PE information: section name: .pyjm
            Source: OLEACC.dll.4.dr | Static PE information: section name: .eoadme
            Source: OLEACC.dll.4.dr | Static PE information: section name: .fnz
            Source: OLEACC.dll.4.dr | Static PE information: section name: .gwheg
            Source: OLEACC.dll.4.dr | Static PE information: section name: .fcd
            Source: OLEACC.dll.4.dr | Static PE information: section name: .dwk
            Source: OLEACC.dll.4.dr | Static PE information: section name: .hgy
            Source: OLEACC.dll.4.dr | Static PE information: section name: .nfm
            Source: OLEACC.dll.4.dr | Static PE information: section name: .qmfqd
            Source: OLEACC.dll.4.dr | Static PE information: section name: .buzyfh
            Source: OLEACC.dll.4.dr | Static PE information: section name: .towo
            Source: OLEACC.dll.4.dr | Static PE information: section name: .omwdbg
            Source: OLEACC.dll.4.dr | Static PE information: section name: .virw
            Source: OLEACC.dll.4.dr | Static PE information: section name: .bck
            Source: OLEACC.dll.4.dr | Static PE information: section name: .mbhfb
            Source: OLEACC.dll.4.dr | Static PE information: section name: .kix
            Source: OLEACC.dll.4.dr | Static PE information: section name: .gurzs
            Source: OLEACC.dll.4.dr | Static PE information: section name: .dzdoj
            Source: OLEACC.dll.4.dr | Static PE information: section name: .egret
            Source: OLEACC.dll.4.dr | Static PE information: section name: .ftpyc
            Source: OLEACC.dll.4.dr | Static PE information: section name: .qrc
            Source: OLEACC.dll.4.dr | Static PE information: section name: .tnnx
            Source: OLEACC.dll.4.dr | Static PE information: section name: .vsjhk
            Source: OLEACC.dll.4.dr | Static PE information: section name: .fmswwe
            Source: OLEACC.dll.4.dr | Static PE information: section name: .zfhn
            Source: OLEACC.dll.4.dr | Static PE information: section name: .ejdgrp
            Source: OLEACC.dll.4.dr | Static PE information: section name: .soyat
            Source: OLEACC.dll.4.dr | Static PE information: section name: .jlil
            Source: OLEACC.dll.4.dr | Static PE information: section name: .bojgf
            Source: OLEACC.dll.4.dr | Static PE information: section name: .gvsnik
            Source: OLEACC.dll.4.dr | Static PE information: section name: .lsc
            Source: OLEACC.dll.4.dr | Static PE information: section name: .uepvem
            Source: OLEACC.dll.4.dr | Static PE information: section name: .don
            Source: OLEACC.dll.4.dr | Static PE information: section name: .dqju
            Source: OLEACC.dll.4.dr | Static PE information: section name: .qmgrql
            Source: OLEACC.dll.4.dr | Static PE information: section name: .cjrd
            Source: OLEACC.dll.4.dr | Static PE information: section name: .pfd
            Source: C:\Users\user\AppData\Local\VgY\mstsc.exe | Code function: 41_2_00007FF657DAE0FC LoadLibraryW,GetProcAddress,GetLastError,FreeLibrary,LoadLibraryW,GetProcAddress,GetLastError,FreeLibrary,
            Source: A2qAaSVuU2.dll | Static PE information: real checksum: 0x7d786c40 should be: 0x223a17
            Source: DUI70.dll.4.dr | Static PE information: real checksum: 0x7d786c40 should be: 0x271ee0
            Source: UxTheme.dll0.4.dr | Static PE information: real checksum: 0x7d786c40 should be: 0x228f66
            Source: Secur32.dll.4.dr | Static PE information: real checksum: 0x7d786c40 should be: 0x2279c4
            Source: ReAgent.dll.4.dr | Static PE information: real checksum: 0x7d786c40 should be: 0x22a27a
            Source: WINSTA.dll.4.dr | Static PE information: real checksum: 0x7d786c40 should be: 0x22fc17
            Source: XmlLite.dll.4.dr | Static PE information: real checksum: 0x7d786c40 should be: 0x2290e6
            Source: OLEACC.dll.4.dr | Static PE information: real checksum: 0x7d786c40 should be: 0x22356c
            Source: UxTheme.dll.4.dr | Static PE information: real checksum: 0x7d786c40 should be: 0x2261cf
            Source: MusNotificationUx.exe.4.dr | Static PE information: 0x6655844F [Tue May 28 07:14:23 2024 UTC]
            Source: initial sample | Static PE information: section name: .text entropy: 7.73364605679
            Source: C:\Windows\explorer.exe | File created: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe
            Source: C:\Windows\explorer.exe | File created: C:\Users\user\AppData\Local\QiP6c\SndVol.exe
            Source: C:\Windows\explorer.exe | File created: C:\Users\user\AppData\Local\NNd0CnGJ\Magnify.exe
            Source: C:\Windows\explorer.exe | File created: C:\Users\user\AppData\Local\VgY\Secur32.dll
            Source: C:\Windows\explorer.exe | File created: C:\Users\user\AppData\Local\FQTqHJ\XmlLite.dll
            Source: C:\Windows\explorer.exe | File created: C:\Users\user\AppData\Local\QiP6c\UxTheme.dll
            Source: C:\Windows\explorer.exe | File created: C:\Users\user\AppData\Local\NNd0CnGJ\OLEACC.dll
            Source: C:\Windows\explorer.exe | File created: C:\Users\user\AppData\Local\wsL8xMlEF\WINSTA.dll
            Source: C:\Windows\explorer.exe | File created: C:\Users\user\AppData\Local\r1aQ\EhStorAuthn.exe
            Source: C:\Windows\explorer.exe | File created: C:\Users\user\AppData\Local\VgY\mstsc.exe
            Source: C:\Windows\explorer.exe | File created: C:\Users\user\AppData\Local\FQTqHJ\MusNotificationUx.exe
            Source: C:\Windows\explorer.exe | File created: C:\Users\user\AppData\Local\r1aQ\UxTheme.dll
            Source: C:\Windows\explorer.exe | File created: C:\Users\user\AppData\Local\AxQmthi0\DUI70.dll
            Source: C:\Windows\explorer.exe | File created: C:\Users\user\AppData\Local\wsL8xMlEF\DisplaySwitch.exe
            Source: C:\Windows\explorer.exe | File created: C:\Users\user\AppData\Local\A1gpxNou\ReAgent.dll
            Source: C:\Windows\explorer.exe | File created: C:\Users\user\AppData\Local\AxQmthi0\SysResetErr.exe
            Source: C:\Users\user\AppData\Local\VgY\mstsc.exe | Code function: 41_2_00007FF657D404F8 IsZoomed,IsIconic,EnableMenuItem,EnableMenuItem,EnableMenuItem,EnableMenuItem,EnableMenuItem,EnableMenuItem,
            Source: C:\Users\user\AppData\Local\VgY\mstsc.exe | Code function: 41_2_00007FF657D42884 GetWindowRect,GetWindowLongW,GetWindowLongW,memset,CopyRect,IntersectRect,MoveWindow,IsIconic,memset,GetWindowPlacement,
            Source: C:\Users\user\AppData\Local\VgY\mstsc.exe | Code function: 41_2_00007FF657D42F5C IsWindowVisible,IsIconic,
            Source: C:\Users\user\AppData\Local\VgY\mstsc.exe | Code function: 41_2_00007FF657D41B44 lstrcmpW,LockWindowUpdate,IsIconic,GetWindowPlacement,GetWindowLongW,SetWindowLongW,SetWindowLongW,VariantInit,VariantClear,GetRgnBox,OffsetRgn,VariantClear,ShowWindow,SetWindowPos,SetWindowPos,SetWindowRgn,LockWindowUpdate,
            Source: C:\Users\user\AppData\Local\VgY\mstsc.exe | Code function: 41_2_00007FF657D3CF28 IsIconic,GetWindowPlacement,GetLastError,IsZoomed,SetWindowPlacement,GetLastError,SetWindowPos,SetWindowPos,GetClientRect,MoveWindow,
            Source: C:\Users\user\AppData\Local\VgY\mstsc.exe | Code function: 41_2_00007FF657D39A6C IsIconic,GetWindowPlacement,GetWindowRect,
            Source: C:\Users\user\AppData\Local\VgY\mstsc.exe | Code function: 41_2_00007FF657D3CE48 IsIconic,GetWindowPlacement,GetLastError,
            Source: C:\Users\user\AppData\Local\VgY\mstsc.exe | Code function: 41_2_00007FF657D439A0 SetFocus,LoadCursorW,SetCursor,DefWindowProcW,GetClientRect,IsIconic,memset,GetTitleBarInfo,GetCursorPos,SendMessageW,
            Source: C:\Users\user\AppData\Local\VgY\mstsc.exe | Code function: 41_2_00007FF657D3F5A4 DefWindowProcW,IsIconic,GetClientRect,GetLastError,VariantClear,DefWindowProcW,
            Source: C:\Users\user\AppData\Local\VgY\mstsc.exe | Code function: 41_2_00007FF657DBC560 GetWindowRect,IsWindow,IsIconic,GetSystemMetrics,GetSystemMetrics,GetWindowRect,PtInRect,PtInRect,SystemParametersInfoW,CopyRect,SetWindowPos,
            Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe | Code function: 24_2_00007FF7BC81613C memset,memset,GetSystemDirectoryW,GetLastError,LoadLibraryExW,GetProcAddress,GetProcAddress,GetLastError,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,FreeLibrary,
            Source: C:\Windows\System32\rundll32.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\explorer.exe TID: 1392Thread sleep count: 33 > 30
            Source: C:\Windows\explorer.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\NNd0CnGJ\Magnify.exeJump to dropped file
            Source: C:\Windows\explorer.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\NNd0CnGJ\OLEACC.dllJump to dropped file
            Source: C:\Windows\explorer.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\wsL8xMlEF\WINSTA.dllJump to dropped file
            Source: C:\Windows\explorer.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\wsL8xMlEF\DisplaySwitch.exeJump to dropped file
            Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe | Code function: 24_2_00007FF7BC8351F4 GetSystemTimeAsFileTime followed by cmp: cmp r9d, 01h and CTI: je 00007FF7BC835362h
            Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe | Code function: 24_2_00007FF7BC7D7410 GetSystemTimeAsFileTime followed by cmp: cmp dword ptr [rsp+20h], 03h and CTI: jne 00007FF7BC7D762Ch
            Source: C:\Users\user\AppData\Local\FQTqHJ\MusNotificationUx.exe | Code function: 29_2_00007FF618AFF360 GetLocalTime followed by cmp: cmp r14d, 02h and CTI: jne 00007FF618AFF436h
            Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe | Code function: 24_2_00007FF7BC80B77C SetErrorMode,SetupDiGetClassDevsW,GetLastError,memset,SetupDiEnumDeviceInterfaces,SetupDiGetDeviceInterfaceDetailW,GetLastError,memset,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapFree,SetupDiGetDeviceInterfaceDetailW,memset,SetupDiEnumDeviceInterfaces,GetLastError,SetErrorMode,GetProcessHeap,HeapFree,SetupDiGetDeviceRegistryPropertyW,GetLastError,GetLastError,
            Source: C:\Windows\System32\loaddll64.exe | Process information queried: ProcessInformation
            Source: C:\Windows\System32\loaddll64.exe | Code function: 0_2_000000014005C340 GetSystemInfo,
            Source: C:\Windows\System32\loaddll64.exe | Code function: 0_2_000000014005D290 FindFirstFileExW,
            Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe | Code function: 24_2_00007FF7BC7F4E28 GetFileAttributesW,GetLastError,memset,FindFirstFileW,GetLastError,FindClose,GetProcessHeap,CompareStringW,CompareStringW,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,FindNextFileW,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,CreateFileW,GetLastError,CloseHandle,GetFileSizeEx,GetLastError,CloseHandle,CloseHandle,GetProcessHeap,HeapFree,CloseHandle,GetProcessHeap,CloseHandle,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,
            Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe | Code function: 24_2_00007FF7BC80E958 free,memset,FindFirstFileW,GetLastError,GetLastError,FindNextFileW,GetLastError,GetLastError,GetLastError,GetLastError,GetLastError,FindClose,
            Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe | Code function: 24_2_00007FF7BC81B964 memset,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapAlloc,FindFirstFileW,GetLastError,GetLastError,_wcsicmp,_wcsicmp,GetLastError,GetCurrentThread,NtQueryInformationThread,FindNextFileW,GetLastError,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,FindClose,SetLastError,
            Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe | Code function: 24_2_00007FF7BC810638 memset,SetLastError,SetLastError,HeapAlloc,GetLastError,FindFirstFileW,memset,memset,wcsrchr,SetLastError,CompareStringW,CompareStringW,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,memset,FindNextFileW,GetLastError,GetLastError,GetLastError,FindClose,GetLastError,RtlFreeHeap,GetLastError,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,SetLastError,SetLastError,
            Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe | Code function: 24_2_00007FF7BC7F57FC memset,GetSystemWindowsDirectoryW,GetLastError,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetFileAttributesW,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetFileAttributesW,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetVolumeInformationW,memset,FindFirstFileW,GetLastError,CompareStringW,CompareStringW,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,FindNextFileW,GetLastError,GetLastError,GetProcessHeap,HeapFree,GetFileAttributesW,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetFileAttributesW,GetProcessHeap,HeapFree,FindClose,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,
            Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe | Code function: 24_2_00007FF7BC7F6718 WIMCreateFile,GetLastError,FindClose,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,WIMCloseHandle,WIMCloseHandle,memset,WIMGetAttributes,GetLastError,memset,GetFullPathNameW,GetLastError,memset,FindFirstFileW,GetLastError,GetProcessHeap,HeapFree,WIMCreateFile,WIMCloseHandle,memset,WIMGetAttributes,FindNextFileW,GetLastError,GetLastError,GetLastError,
            Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe | Code function: 24_2_00007FF7BC7E21CC GetProcessHeap,HeapFree,GetFileAttributesW,GetLastError,GetProcessHeap,HeapFree,_wcsicmp,GetProcessHeap,HeapFree,FindClose,FindFirstFileW,FindClose,GetLastError,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,FindNextFileW,memmove,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,FindClose,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,
            Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe | Code function: 24_2_00007FF7BC815458 memset,memset,memset,memset,FindFirstFileW,CompareStringW,CompareStringW,memset,FindNextFileW,FindClose,CoTaskMemFree,GetProcessHeap,HeapFree,
            Source: C:\Users\user\AppData\Local\FQTqHJ\MusNotificationUx.exe | Code function: 29_2_00007FF618B1A104 ?_Swap_all@_Container_base0@std@@QEAAXAEAU12@@Z,FindFirstFileW,FindNextFileW,FindClose,?_Swap_all@_Container_base0@std@@QEAAXAEAU12@@Z,?_Swap_all@_Container_base0@std@@QEAAXAEAU12@@Z,
            Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe | Code function: 24_2_00007FF7BC7DB29C memset,GetSystemWindowsDirectoryW,GetLastError,memset,GetLogicalDriveStringsW,GetLastError,GetProcessHeap,HeapFree,memset,GetVolumeInformationW,LoadStringW,GetProcessHeap,HeapFree,
            Source: explorer.exe, 00000004.00000000.266212445.000000000891C000.00000004.00000001.sdmp | Binary or memory string: VMware SATA CD00dRom0
            Source: explorer.exe, 00000004.00000000.302594165.0000000003710000.00000004.00000001.sdmp | Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
            Source: explorer.exe, 00000004.00000000.279443286.00000000089B5000.00000004.00000001.sdmp | Binary or memory string: _VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Vir""
            Source: explorer.exe, 00000004.00000000.272328344.00000000011B3000.00000004.00000020.sdmp | Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000tft\0
            Source: explorer.exe, 00000004.00000000.279443286.00000000089B5000.00000004.00000001.sdmp | Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000%
            Source: explorer.exe, 00000004.00000000.303493974.00000000053C4000.00000004.00000001.sdmp | Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}>'R\"
            Source: explorer.exe, 00000004.00000000.279443286.00000000089B5000.00000004.00000001.sdmp | Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&0000002
            Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe | Code function: 24_2_00007FF7BC7D4028 IsDebuggerPresent,GetCurrentThreadId,GetCurrentThreadId,OutputDebugStringW,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,
            Source: C:\Users\user\AppData\Local\AxQmthi0\SysResetErr.exe | Code function: 21_2_00007FF727F82940 _cwprintf_s_l,OutputDebugStringW,GetLastError,CurrentIP,WdsSetupLogMessageW,
            Source: C:\Users\user\AppData\Local\VgY\mstsc.exe | Code function: 41_2_00007FF657DAE0FC LoadLibraryW,GetProcAddress,GetLastError,FreeLibrary,LoadLibraryW,GetProcAddress,GetLastError,FreeLibrary,
            Source: C:\Users\user\AppData\Local\AxQmthi0\SysResetErr.exe | Code function: 21_2_00007FF727F81090 GetProcessHeap,
            Source: C:\Windows\System32\loaddll64.exe | Code function: 0_2_0000000140048AC0 LdrLoadDll,FindClose,
            Source: C:\Users\user\AppData\Local\AxQmthi0\SysResetErr.exe | Code function: 21_2_00007FF727F83C80 SetUnhandledExceptionFilter,
            Source: C:\Users\user\AppData\Local\AxQmthi0\SysResetErr.exe | Code function: 21_2_00007FF727F83F04 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
            Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe | Code function: 24_2_00007FF7BC85864C SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
            Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe | Code function: 24_2_00007FF7BC8583E0 SetUnhandledExceptionFilter,
            Source: C:\Users\user\AppData\Local\FQTqHJ\MusNotificationUx.exe | Code function: 29_2_00007FF618B14AC0 SetUnhandledExceptionFilter,
            Source: C:\Users\user\AppData\Local\FQTqHJ\MusNotificationUx.exe | Code function: 29_2_00007FF618B14768 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
            Source: C:\Users\user\AppData\Local\QiP6c\SndVol.exe | Code function: 34_2_00007FF74A7BF2E0 SetUnhandledExceptionFilter,
            Source: C:\Users\user\AppData\Local\QiP6c\SndVol.exe | Code function: 34_2_00007FF74A7BEE40 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
            Source: C:\Users\user\AppData\Local\r1aQ\EhStorAuthn.exe | Code function: 36_2_00007FF6F232A2B0 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
            Source: C:\Users\user\AppData\Local\r1aQ\EhStorAuthn.exe | Code function: 36_2_00007FF6F232A4B0 SetUnhandledExceptionFilter,
            Source: C:\Users\user\AppData\Local\VgY\mstsc.exe | Code function: 41_2_00007FF657E52264 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,

            HIPS / PFW / Operating System Protection Evasion:

            Benign windows process drops PE files
            Source: C:\Windows\explorer.exe | File created: DUI70.dll.4.dr
            Changes memory attributes in foreign processes to executable or writable
            Source: C:\Windows\System32\rundll32.exe | Memory protected: C:\Windows\explorer.exe base: 7FFA9B8EEFE0 protect: page execute and read and write
            Source: C:\Windows\System32\rundll32.exe | Memory protected: C:\Windows\explorer.exe base: 7FFA9B8EE000 protect: page execute read
            Source: C:\Windows\System32\rundll32.exe | Memory protected: C:\Windows\explorer.exe base: 7FFA9B312A20 protect: page execute and read and write
            Queues an APC in another process (thread injection)
            Source: C:\Windows\System32\rundll32.exe | Thread APC queued: target process: C:\Windows\explorer.exe
            Contains functionality to automate explorer (e.g. start an application)
            Source: C:\Users\user\AppData\Local\QiP6c\SndVol.exe | Code function: 34_2_00007FF74A7AA5C8 GetDC,GetDeviceCaps,ReleaseDC,LoadIconW,SendMessageW,GetWindowBand,FindWindowW,GetWindowBand,FindWindowW,SendMessageTimeoutW,GetWindowLongW,SetWindowLongW,SetForegroundWindow,IsThemeActive,DwmIsCompositionEnabled,GetWindowRect,GetClientRect,EnterCriticalSection,GetWindowRect,LeaveCriticalSection,SetWindowPos,LeaveCriticalSection,memset,Shell_NotifyIconGetRect,GetWindowRect,DwmIsCompositionEnabled,Shell_NotifyIconGetRect,InflateRect,CalculatePopupWindowPosition,SetWindowPos,InvalidateRect,GetClientRect,EnterCriticalSection,SetWindowPos,GetDlgItem,SetFocus,ShowWindow,LeaveCriticalSection,SetTimer,NotifyWinEvent,
            Caveat: the window-automation calls above (FindWindowW on the tray window, SetForegroundWindow, Shell_NotifyIconGetRect) are the normal behaviour of SndVol.exe, the Windows volume mixer, which explorer.exe copied into C:\Users\user\AppData\Local\QiP6c; the detected component is the UxTheme.dll dropped beside it (see the Dropped Files detections), not the executable.
            Uses Atom Bombing / ProGate to inject into other processes
            Source: C:\Windows\System32\rundll32.exe | Atom created: 405553565741544156488D6C24D14881EC98
            The report's listing decodes these bytes in 32-bit mode (inc eax; push ebp; push ebx; push esi; push edi; inc ecx; push esp; inc ecx; push esi; dec eax; lea ebp, dword ptr [esp-2Fh]; dec eax; sub esp, 00000098h), which is why stray inc/dec instructions appear. In the 64-bit target the 0x40, 0x41 and 0x48 bytes are REX prefixes and the atom holds an ordinary x64 function prologue: push rbp; push rbx; push rsi; push rdi; push r12; push r14; lea rbp, [rsp-2Fh]; sub rsp, imm32 (only the low byte 98h of the immediate was captured). Code in the global atom table is the hallmark of AtomBombing: the atom is staged from rundll32.exe and later read into the target process, here explorer.exe per the APC signature above, by the queued APC, after which the foreign memory is made executable as recorded under "Changes memory attributes".
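            The three signatures in this section (code bytes written to the atom table, an APC queued into explorer.exe, and explorer.exe memory made executable) are individually noisy but together describe one injection. The following script is an added example, not Joe Sandbox code: it runs a correlation rule over a constructed API trace built from the report's lines and raises one finding per (source process, target process) pair that shows all three steps. The event field names, the process IDs and the benign control event are assumed; the atom bytes are the ones the report records, and the x64 prologue byte patterns are a small illustrative set.

```python
"""Correlate AtomBombing-style injection from an API event trace.

Added example (not part of the Joe Sandbox report). Event fields, PIDs and
the benign control event are constructed; ATOM_HEX is the atom payload the
report records; X64_PROLOGUES is an illustrative, not exhaustive, pattern set.
"""
from __future__ import annotations

from dataclasses import dataclass

# Atom payload from the report, decoded as x64:
#   40 55           push rbp          53 push rbx   56 push rsi   57 push rdi
#   41 54 push r12  41 56 push r14    48 8D 6C 24 D1 lea rbp,[rsp-0x2f]
#   48 81 EC 98 .. sub rsp, imm32 (immediate truncated in the report)
ATOM_HEX = "405553565741544156488D6C24D14881EC98"

# Openings of ordinary MSVC x64 functions. Atom names normally hold text,
# so a prologue at the start of an atom is a strong indicator of staged code.
X64_PROLOGUES = (
    bytes.fromhex("4055"),      # REX; push rbp
    bytes.fromhex("4053"),      # REX; push rbx
    bytes.fromhex("4883EC"),    # sub rsp, imm8
    bytes.fromhex("4881EC"),    # sub rsp, imm32
    bytes.fromhex("48895C24"),  # mov [rsp+disp8], rbx
)

EXEC_PROTECTIONS = ("page execute read", "page execute and read and write",
                    "page execute write copy")


@dataclass(frozen=True)
class Event:
    pid: int           # source process (constructed values below)
    image: str
    api: str
    target: str | None  # image of the foreign process touched, if any
    detail: str


# Constructed trace mirroring the report's rundll32.exe -> explorer.exe lines.
TRACE = [
    Event(3120, "rundll32.exe", "GlobalAddAtomW", None, ATOM_HEX),
    Event(3120, "rundll32.exe", "NtQueueApcThread", "explorer.exe",
          "routine=GlobalGetAtomNameW"),  # the classic AtomBombing APC routine
    Event(3120, "rundll32.exe", "NtProtectVirtualMemory", "explorer.exe",
          "base=7FFA9B8EEFE0 protect=page execute and read and write"),
    # Benign control (constructed): a text atom, no APC, no foreign protect.
    Event(4412, "notepad.exe", "GlobalAddAtomW", None, "4d794174"),
]


def atom_looks_like_code(hexdata: str) -> bool:
    """True if the atom payload starts with a known x64 function prologue."""
    try:
        blob = bytes.fromhex(hexdata)
    except ValueError:
        return False
    return any(blob.startswith(p) for p in X64_PROLOGUES)


def detect_atom_bombing(trace: list[Event]) -> list[tuple[int, str]]:
    """Return (source pid, target image) pairs where the same source process
    wrote code bytes into the atom table, queued an APC into the target and
    changed memory in the target to an executable protection."""
    code_atoms = {e.pid for e in trace
                  if e.api in ("GlobalAddAtomW", "GlobalAddAtomA")
                  and atom_looks_like_code(e.detail)}
    apc = {(e.pid, e.target) for e in trace
           if e.api == "NtQueueApcThread" and e.target}
    exec_prot = {(e.pid, e.target) for e in trace
                 if e.api == "NtProtectVirtualMemory" and e.target
                 and any(p in e.detail.lower() for p in EXEC_PROTECTIONS)}
    return sorted(pair for pair in apc & exec_prot if pair[0] in code_atoms)


if __name__ == "__main__":
    for pid, target in detect_atom_bombing(TRACE):
        print(f"pid {pid}: AtomBombing-style injection into {target}")
```

            Requiring all three steps from one source against one target keeps the rule from firing on the many legitimate GlobalAddAtom callers and on debuggers that queue APCs; dropping any one step (the first assertion set in the test exercises this) makes the finding disappear.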
            Source: C:\Users\user\AppData\Local\r1aQ\EhStorAuthn.exe | Code function: 36_2_00007FF6F2326264 memset,memset,#345,DialogBoxParamW,DialogBoxParamW,Sleep,memset,ShellExecuteExW,WaitForSingleObject,CloseHandle,LoadStringW,LoadStringW,LoadStringW,#344,
            Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\A2qAaSVuU2.dll',#1
            Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe | Code function: 24_2_00007FF7BC855D8C AllocateAndInitializeSid,GetLastError,GetLengthSid,GetLengthSid,GetProcessHeap,HeapAlloc,InitializeAcl,AddAccessAllowedAce,AddAccessAllowedAce,CreateFileW,SetSecurityInfo,CloseHandle,GetProcessHeap,HeapFree,FreeSid,GetProcessHeap,HeapFree,
            Source: explorer.exe, 00000004.00000000.300976529.0000000001640000.00000002.00020000.sdmp, SndVol.exe | Binary or memory string: Shell_TrayWnd
            Source: explorer.exe, 00000004.00000000.300976529.0000000001640000.00000002.00020000.sdmp | Binary or memory string: Progman
            Source: explorer.exe, 00000004.00000000.300976529.0000000001640000.00000002.00020000.sdmp | Binary or memory string: SProgram Managerl
            Source: explorer.exe, 00000004.00000000.300560024.0000000001128000.00000004.00000020.sdmp | Binary or memory string: ProgmanOMEa
            Source: SndVol.exe, 00000022.00000002.478682807.00007FF74A7C2000.00000002.00020000.sdmp | Binary or memory string: Software\Microsoft\Multimedia\Audio\SndVolSndVolPreferencesMaskSndVolSelectedDevicesShell_TrayWnd
            Source: explorer.exe, 00000004.00000000.300976529.0000000001640000.00000002.00020000.sdmp | Binary or memory string: Shell_TrayWnd,
            Source: explorer.exe, 00000004.00000000.300976529.0000000001640000.00000002.00020000.sdmp | Binary or memory string: Progmanlock
            Source: C:\Windows\System32\loaddll64.exe | Queries volume information: unknown VolumeInformation
            Source: C:\Windows\System32\loaddll64.exe | Queries volume information: unknown VolumeInformation
            Source: C:\Windows\System32\rundll32.exe | Queries volume information: unknown VolumeInformation
            Source: C:\Windows\System32\rundll32.exe | Queries volume information: unknown VolumeInformation
            Source: C:\Windows\System32\rundll32.exe | Queries volume information: unknown VolumeInformation
            Source: C:\Windows\System32\rundll32.exe | Queries volume information: unknown VolumeInformation
            Source: C:\Windows\System32\rundll32.exe | Queries volume information: unknown VolumeInformation
            Source: C:\Windows\System32\rundll32.exe | Queries volume information: unknown VolumeInformation
            Source: C:\Windows\System32\rundll32.exe | Queries volume information: unknown VolumeInformation
            Source: C:\Windows\System32\rundll32.exe | Queries volume information: unknown VolumeInformation
            Source: C:\Users\user\AppData\Local\AxQmthi0\SysResetErr.exe | Queries volume information: unknown VolumeInformation
            Source: C:\Users\user\AppData\Local\AxQmthi0\SysResetErr.exe | Queries volume information: unknown VolumeInformation
            Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe | Queries volume information: unknown VolumeInformation
            Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe | Queries volume information: unknown VolumeInformation
            Source: C:\Users\user\AppData\Local\FQTqHJ\MusNotificationUx.exe | Queries volume information: unknown VolumeInformation
            Source: C:\Users\user\AppData\Local\FQTqHJ\MusNotificationUx.exe | Queries volume information: unknown VolumeInformation
            Source: C:\Users\user\AppData\Local\QiP6c\SndVol.exe | Queries volume information: unknown VolumeInformation
            Source: C:\Users\user\AppData\Local\QiP6c\SndVol.exe | Queries volume information: unknown VolumeInformation
            Source: C:\Users\user\AppData\Local\r1aQ\EhStorAuthn.exe | Queries volume information: unknown VolumeInformation
            Source: C:\Users\user\AppData\Local\r1aQ\EhStorAuthn.exe | Queries volume information: unknown VolumeInformation
            Source: C:\Users\user\AppData\Local\VgY\mstsc.exe | Queries volume information: unknown VolumeInformation
            Source: C:\Users\user\AppData\Local\VgY\mstsc.exe | Queries volume information: unknown VolumeInformation
            Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe | Code function: memset,memset,GetLocaleInfoW,GetLastError,wcstoul,GetLocaleInfoW,GetLastError,GetNumberFormatW,GetLastError,GetProcessHeap,HeapAlloc,GetNumberFormatW,GetLastError,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,
            Source: C:\Users\user\AppData\Local\QiP6c\SndVol.exe | Code function: GetUserPreferredUILanguages,malloc,GetUserPreferredUILanguages,GetLocaleInfoEx,free,
            Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe | Code function: 24_2_00007FF7BC80B77C SetErrorMode,SetupDiGetClassDevsW,GetLastError,memset,SetupDiEnumDeviceInterfaces,SetupDiGetDeviceInterfaceDetailW,GetLastError,memset,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapFree,SetupDiGetDeviceInterfaceDetailW,memset,SetupDiEnumDeviceInterfaces,GetLastError,SetErrorMode,GetProcessHeap,HeapFree,SetupDiGetDeviceRegistryPropertyW,GetLastError,GetLastError,
            Source: C:\Windows\System32\loaddll64.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion InstallDate
            Source: C:\Windows\System32\loaddll64.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
            Source: C:\Users\user\AppData\Local\AxQmthi0\SysResetErr.exe | Code function: 21_2_00007FF727F83E10 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,GetTickCount,QueryPerformanceCounter,
            Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe | Code function: 24_2_00007FF7BC7D4344 GetTimeZoneInformation,GetLastError,GetSystemTime,SystemTimeToTzSpecificLocalTime,
            Source: C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe | Code function: 24_2_00007FF7BC80BB70 memset,RtlGetVersion,SetErrorMode,SetupDiGetClassDevsW,GetLastError,memset,SetupDiEnumDeviceInterfaces,SetupDiGetDeviceInterfaceDetailW,GetLastError,memset,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapFree,SetupDiGetDeviceInterfaceDetailW,memset,SetupDiGetDeviceInterfacePropertyW,GetLastError,CreateFileW,GetLastError,DeviceIoControl,GetProcessHeap,HeapAlloc,DeviceIoControl,GetLastError,GetLastError,SetErrorMode,GetProcessHeap,HeapFree,CloseHandle,GetProcessHeap,HeapFree,

            Mitre Att&ck Matrix

            Techniques matched by this analysis, grouped by tactic. The trailing numbers are the report's signature-count badges, kept as extracted; the cells of the full matrix that carry no badge are unmatched template entries and are not listed.

            Initial Access: none matched
            Execution: Native API 1; Exploitation for Client Execution 1
            Persistence: DLL Side-Loading 1; Application Shimming 1
            Privilege Escalation: Exploitation for Privilege Escalation 1; DLL Side-Loading 1; Application Shimming 1; Access Token Manipulation 1; Process Injection 312
            Defense Evasion: Deobfuscate/Decode Files or Information 1; Obfuscated Files or Information 3; Software Packing 2; Timestomp 1; DLL Side-Loading 1; Masquerading 1; Virtualization/Sandbox Evasion 1; Access Token Manipulation 1; Process Injection 312; Rundll32 1
            Credential Access: none matched
            Discovery: System Time Discovery 12; Peripheral Device Discovery 1; File and Directory Discovery 2; System Information Discovery 45; Query Registry 1; Security Software Discovery 31; Virtualization/Sandbox Evasion 1; Process Discovery 2; Application Window Discovery 1
            Lateral Movement: none matched
            Collection: Archive Collected Data 11
            Exfiltration: none matched
            Command and Control: Encrypted Channel 2; Non-Application Layer Protocol 1; Application Layer Protocol 1
            Network Effects: none matched
            Remote Service Effects: none matched
            Impact: Data Encrypted for Impact 1; System Shutdown/Reboot 1

            Behavior Graph

            Behavior Graph ID: 492853 | Sample: A2qAaSVuU2 | Start date: 29/09/2021 | Architecture: WINDOWS | Score: 100
            Contacted domain: clientconfig.passport.net
            Sample-level signatures: Antivirus detection for dropped file; Antivirus / Scanner detection for submitted sample; Multi AV Scanner detection for submitted file; 3 other signatures

            Process tree recovered from the graph:

            loaddll64.exe (started)
              +-- rundll32.exe (started)
              |     signatures: Changes memory attributes in foreign processes to executable or writable; Uses Atom Bombing / ProGate to inject into other processes; Queues an APC in another process (thread injection)
              |     +-- explorer.exe (injected)
              |           dropped: C:\Users\user\AppData\Local\...\WINSTA.dll (PE32+); C:\Users\user\AppData\Local\VgY\Secur32.dll (PE32+); C:\Users\user\AppData\Local\...\UxTheme.dll (PE32+); 13 other files (5 malicious)
              |           signature: Benign windows process drops PE files
              |           +-- SndVol.exe (started) | signature: Contains functionality to automate explorer (e.g. start an application)
              |           +-- SysResetErr.exe (started)
              |           +-- MusNotificationUx.exe (started)
              |           +-- 9 other processes
              +-- cmd.exe (started)
              |     +-- rundll32.exe (started)
              +-- rundll32.exe (started)
              +-- rundll32.exe (started)


            Antivirus, Machine Learning and Genetic Malware Detection

            Initial Sample

            Source | Detection | Scanner | Label
            A2qAaSVuU2.dll | 65% | Virustotal |
            A2qAaSVuU2.dll | 63% | Metadefender |
            A2qAaSVuU2.dll | 84% | ReversingLabs | Win64.Infostealer.Dridex
            A2qAaSVuU2.dll | 100% | Avira | HEUR/AGEN.1114452
            A2qAaSVuU2.dll | 100% | Joe Sandbox ML |

            Dropped Files

            Source | Detection | Scanner | Label
            C:\Users\user\AppData\Local\A1gpxNou\ReAgent.dll | 100% | Avira | HEUR/AGEN.1114452
            C:\Users\user\AppData\Local\QiP6c\UxTheme.dll | 100% | Avira | TR/Crypt.ZPACK.Gen
            C:\Users\user\AppData\Local\FQTqHJ\XmlLite.dll | 100% | Avira | HEUR/AGEN.1114452
            C:\Users\user\AppData\Local\AxQmthi0\DUI70.dll | 100% | Avira | HEUR/AGEN.1114452
            C:\Users\user\AppData\Local\wsL8xMlEF\WINSTA.dll | 100% | Avira | TR/Crypt.ZPACK.Gen
            C:\Users\user\AppData\Local\NNd0CnGJ\OLEACC.dll | 100% | Avira | TR/Crypt.ZPACK.Gen
            C:\Users\user\AppData\Local\VgY\Secur32.dll | 100% | Avira | TR/Crypt.ZPACK.Gen
            C:\Users\user\AppData\Local\A1gpxNou\ReAgent.dll | 100% | Joe Sandbox ML |
            C:\Users\user\AppData\Local\QiP6c\UxTheme.dll | 100% | Joe Sandbox ML |
            C:\Users\user\AppData\Local\FQTqHJ\XmlLite.dll | 100% | Joe Sandbox ML |
            C:\Users\user\AppData\Local\AxQmthi0\DUI70.dll | 100% | Joe Sandbox ML |
            C:\Users\user\AppData\Local\wsL8xMlEF\WINSTA.dll | 100% | Joe Sandbox ML |
            C:\Users\user\AppData\Local\NNd0CnGJ\OLEACC.dll | 100% | Joe Sandbox ML |
            C:\Users\user\AppData\Local\VgY\Secur32.dll | 100% | Joe Sandbox ML |
            C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe | 0% | Metadefender |
            C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe | 0% | ReversingLabs |

            Note the split: every dropped DLL is detected, while the executable that was scanned (RecoveryDrive.exe) is clean. That is the expected picture for DLL side-loading, where the executables are unmodified copies of signed Windows binaries and only the co-located DLLs carry the payload.

            Unpacked PE Files

            Source | Detection | Scanner | Label
            3.2.rundll32.exe.140000000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
            7.2.rundll32.exe.140000000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
            24.2.RecoveryDrive.exe.140000000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
            36.2.EhStorAuthn.exe.140000000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
            21.2.SysResetErr.exe.140000000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
            41.2.mstsc.exe.140000000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
            29.2.MusNotificationUx.exe.140000000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
            6.2.rundll32.exe.140000000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
            34.2.SndVol.exe.140000000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
            0.2.loaddll64.exe.140000000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
            2.2.rundll32.exe.140000000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen

            Domains

            No Antivirus matches

            URLs

            Source | Detection | Scanner | Label
            http://schemas.micro | 0% | Avira URL Cloud | safe

            Domains and IPs

            Contacted Domains

            Name | IP | Active | Malicious | Antivirus Detection | Reputation
            clientconfig.passport.net | unknown | unknown | false | | high

            URLs from Memory and Binaries

            Name | Source | Malicious | Antivirus Detection | Reputation
            http://schemas.micro | SndVol.exe, 00000020.00000002.447751833.000002C464AA0000.00000002.00020000.sdmp | false | Avira URL Cloud: safe | unknown

              Contacted IPs

              No contacted IP infos

              General Information

              Joe Sandbox Version: 33.0.0 White Diamond
              Analysis ID: 492853
              Start date: 29.09.2021
              Start time: 03:36:37
              Joe Sandbox Product: CloudBasic
              Overall analysis duration: 0h 17m 9s
              Hypervisor based Inspection enabled: false
              Report type: light
              Sample file name: A2qAaSVuU2 (renamed file extension from none to dll)
              Cookbook file name: default.jbs
              Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
              Number of new started processes analysed: 41
              Number of new started drivers analysed: 0
              Number of existing processes analysed: 0
              Number of existing drivers analysed: 0
              Number of injected processes analysed: 0
              Technologies:
              • HCA enabled
              • EGA enabled
              • HDC enabled
              • AMSI enabled
              Analysis Mode: default
              Analysis stop reason: Timeout
              Detection: MAL
              Classification: mal100.troj.evad.winDLL@40/17@1/0
              EGA Information: Failed
              HDC Information:
              • Successful, ratio: 29.1% (good quality ratio 16.8%)
              • Quality average: 40.6%
              • Quality standard deviation: 40.8%
              HCA Information: Failed
              Cookbook Comments:
              • Adjust boot time
              • Enable AMSI
              • Override analysis time to 240s for rundll32
              Warnings:
              • Exclude process from analysis (whitelisted): taskhostw.exe, MpCmdRun.exe, BackgroundTransferHost.exe, RuntimeBroker.exe, SgrmBroker.exe, backgroundTaskHost.exe, conhost.exe, svchost.exe
              • Excluded IPs from analysis (whitelisted): 23.54.113.104, 13.107.4.52, 184.24.3.140, 20.190.159.133, 40.126.31.7, 20.190.159.137, 40.126.31.3, 20.190.159.135, 40.126.31.5, 40.126.31.138, 40.126.31.2, 23.54.113.45, 20.49.157.6, 20.190.159.131, 40.126.31.140, 40.126.31.142, 184.24.20.248, 184.24.21.10, 204.79.197.200, 13.107.21.200, 23.54.113.53, 20.82.210.154, 23.10.249.43, 23.10.249.26, 40.112.88.60
              • Excluded domains from analysis (whitelisted): storeedgefd.dsx.mp.microsoft.com.edgekey.net.globalredir.akadns.net, www.tm.lg.prod.aadmsa.akadns.net, store-images.s-microsoft.com-c.edgekey.net, iris-de-prod-azsc-neu-b.northeurope.cloudapp.azure.com, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, e15275.g.akamaiedge.net, a1449.dscg2.akamai.net, storeedgefd.xbetservices.akadns.net, arc.msn.com, www.tm.a.prd.aadg.trafficmanager.net, e11290.dspg.akamaiedge.net, e13551.dscg.akamaiedge.net, msagfx.live.com-6.edgekey.net, e12564.dspb.akamaiedge.net, authgfx.msa.akadns6.net, go.microsoft.com, wildcard.weather.microsoft.com.edgekey.net, login.live.com, www-bing-com.dual-a-0001.a-msedge.net, arc.trafficmanager.net, displaycatalog.mp.microsoft.com, www.msftconnecttest.com, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net, storeedgefd.dsx.mp.microsoft.com, www.bing.com, fs.microsoft.com, dual-a-0001.a-msedge.net, ris-prod.trafficmanager.net, tile-service.weather.microsoft.com, asf-ris-prod-neu.northeurope.cloudapp.azure.com, e1723.g.akamaiedge.net, www.tm.a.prd.aadg.akadns.net, v4ncsi.msedge.net, storeedgefd.dsx.mp.microsoft.com.edgekey.net, login.msa.msidentity.com, ris.api.iris.microsoft.com, 4-c-0003.c-msedge.net, a-0001.a-afdentry.net.trafficmanager.net, store-images.s-microsoft.com, iris-de-ppe-azsc-uks.uksouth.cloudapp.azure.com, go.microsoft.com.edgekey.net, ncsi.4-c-0003.c-msedge.net, e16646.dscg.akamaiedge.net, www.tm.lg.prod.aadmsa.trafficmanager.net
              • Not all processes were analyzed; the report is missing behavior information.
              • Report creation exceeded the maximum time and may have missing behavior and disassembly information.
              • Report size exceeded maximum capacity and may have missing behavior information.
              • Report size exceeded maximum capacity and may have missing disassembly code.
              • Report size getting too big: too many NtAllocateVirtualMemory calls found.
              • Report size getting too big: too many NtEnumerateKey calls found.

              Simulations

              Behavior and APIs

              No simulations

              Joe Sandbox View / Context

              IPs

              No context

              Domains

              No context

              ASN

              No context

              JA3 Fingerprints

              No context

              Dropped Files

              No context

              Created / dropped Files

              C:\Users\user\AppData\Local\A1gpxNou\ReAgent.dll
              Process:C:\Windows\explorer.exe
              File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
              Category:dropped
              Size (bytes):2236416
              Entropy (8bit):3.4118132531393357
              Encrypted:false
              SSDEEP:12288:yVI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1:vfP7fWsK5z9A+WGAW+V5SB6Ct4bnb
              MD5:FC9474302D7FD9538FC834CE63E1FD5C
              SHA1:290D8D20C7815ABC8918D60E44A9BF9BE063FDE1
              SHA-256:D7F76A8DB8CD5CBD47B91536221521A44BF8DD57E72EDF8C9239EB32F6165CCB
              SHA-512:01EBF58C36BB74763D7AB3D62AF275F35719EF0CC2CDFD742D113714C12130D614F4FBC8EDABAF9962580DE13025FE08BAEF4C435BAD242F8C979318D134247E
              Malicious:true
              Antivirus:
              • Antivirus: Avira, Detection: 100%
              • Antivirus: Joe Sandbox ML, Detection: 100%
              Reputation:unknown
              Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............|...|...|....K.#}...'...}......{}....X.#}....f..|....g..}..*...a|.......}....N..}..*...E}..[.I.E|...'..U}....N.+}..[.K.P|..[.K./}...I.h}..u.Y.k|.......|..W"...|..b.L.t|...|...}......N|..2%...|..Rich.|..............................................................................................................PE..d.;..DN^.........." ................p..........@............................. ".....@lx}..b..........................................."......c..........h.......................$#................................................... ...............................text............................... ..`.rdata...O... ...P... ..............@..@.data....x...p.......p..............@....pdata..,...........................A..@.rsrc...............................@..@.reloc..$#.......0..................@..B.qkm....J....@.......@..............@..@.cvjb...f...
              C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe
              Process:C:\Windows\explorer.exe
              File Type:PE32+ executable (GUI) x86-64, for MS Windows
              Category:dropped
              Size (bytes):877568
              Entropy (8bit):6.084247719186399
              Encrypted:false
              SSDEEP:12288:T9kJ4nbQXm4cVAyCSJLk1aciuMkTzOqUx6cl+RjJSzb0fK:T9k+N9CSJuah1cSqfC+RaYf
              MD5:2228E677678848E2FC693199947715E7
              SHA1:7AA34AC0938585EEFA9E0ABC80CCBD4E17651173
              SHA-256:9041F1AF7FD9A065B6C69D6CDF95F6FF939BF224C040816A0646540E145B73FF
              SHA-512:9B69EB763BC90FA8FE495FD1EA953276D68B8648737F209B98E777651AA89ABA4CE6449093B3E4C02B4350FF75AF508C05E6371D847279775993ABA04EFF950E
              Malicious:false
              Antivirus:
              • Antivirus: Metadefender, Detection: 0%
              • Antivirus: ReversingLabs, Detection: 0%
              Reputation:unknown
              Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........].t...t...t.......t.......t.......t.......t.......t...t..gu.......t.......t.......t..Rich.t..........................PE..d...c.]..........".................@..........@.....................................u....`.......... ..........................................p....@...]......./..............@.......T...............................................`............................text............................... ..`.rdata..N........ ..................@..@.data.... ..........................@....pdata.../.......0..................@..@.rsrc....]...@...^..................@..@.reloc..@............\..............@..B........................................................................................................................................................................................................................................................
              C:\Users\user\AppData\Local\AxQmthi0\DUI70.dll
              Process:C:\Windows\explorer.exe
              File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
              Category:dropped
              Size (bytes):2519040
              Entropy (8bit):3.9419943640965944
              Encrypted:false
              SSDEEP:12288:MVI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1nlplj:5fP7fWsK5z9A+WGAW+V5SB6Ct4bnbzl
              MD5:298E377EADD0706C1D73ADDEB77B8178
              SHA1:525213210DE858C13235C917106BB95C540F79F0
              SHA-256:70104ECBFB1142438426E2A5A0A4D7F3A50F65205F546CCF887A148065DB3CD4
              SHA-512:94D8B5C907339C786BF6CB9E49EC64783EA9E4F69988DA2729AE9728DD756C80850FFC4D9B5DAC2F44890BCB486B2442524E0B7AFFC215BE44C5B3E061C6E0E5
              Malicious:true
              Antivirus:
              • Antivirus: Avira, Detection: 100%
              • Antivirus: Joe Sandbox ML, Detection: 100%
              Reputation:unknown
              Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............|...|...|....K.#}...'...}......{}....X.#}....f..|....g..}..*...a|.......}....N..}..*...E}..[.I.E|...'..U}....N.+}..[.K.P|..[.K./}...I.h}..u.Y.k|.......|..W"...|..b.L.t|...|...}......N|..2%...|..Rich.|..............................................................................................................PE..d.;..DN^.........." .........P".....p..........@.............................p&.....@lx}..b...........................................".dQ...c..........h.......................$#................................................... ...............................text............................... ..`.rdata...O... ...P... ..............@..@.data....x...p.......p..............@....pdata..,...........................A..@.rsrc...............................@..@.reloc..$#.......0..................@..B.qkm....J....@.......@..............@..@.cvjb...f...
              C:\Users\user\AppData\Local\AxQmthi0\SysResetErr.exe
              Process:C:\Windows\explorer.exe
              File Type:PE32+ executable (GUI) x86-64, for MS Windows
              Category:dropped
              Size (bytes):42392
              Entropy (8bit):5.943178981884173
              Encrypted:false
              SSDEEP:768:zYVfzVTBuXwMHhrdXbsxoXF8Q0no8pV1Pxo:CfuXXrdrXXD0no8xPxo
              MD5:6A3F2F3C36FE45A87E3BFA80B6D92E07
              SHA1:8C211767AD8393F9F184FC926FE3B8913F414289
              SHA-256:069608FF0FF5918681A80CF7603275DC6CD7D416A73D033D19962B0F0F1E1EAC
              SHA-512:A75669E0481901FC7CFCA55FBC7BD7FC0E8636767537017A41B1C720F34B5AD45AC75555D0AD246AC0DF670FDC31CBA1BEFD21D63E112AD427472DE3EA59CAA6
              Malicious:false
              Reputation:unknown
              Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......%7..aV..aV..aV..h.S.cV...2..cV...2..vV...2..kV...2..tV..aV...V...2..oV...2?.`V...2..`V..RichaV..................PE..d...v.+J.........."......6...X.......9.........@.....................................l............... ...................................................................!......,...0t..T...................`d..(...`c...............d..`............................text...{4.......6.................. ..`.imrsiv......P...........................rdata.......`...0...:..............@..@.data...h............j..............@....pdata...............n..............@..@.rsrc................t..............@..@.reloc..,...........................@..B........................................................................................................................................................................................................................
              C:\Users\user\AppData\Local\FQTqHJ\MusNotificationUx.exe
              Process:C:\Windows\explorer.exe
              File Type:PE32+ executable (GUI) x86-64, for MS Windows
              Category:dropped
              Size (bytes):319488
              Entropy (8bit):6.069929843481676
              Encrypted:false
              SSDEEP:6144:NRq8Ez5tCqd6Nr6/TWeRhUz/vMNuEob69hbF1m0lpVGMD8i3ZdTgDt0kcRkdXgl6:NRquQ/TWeRhUz/vMNuEob69hBblHGu3t
              MD5:114A55D75AC7447F012B6D8EC8B1F7FC
              SHA1:37D5636D940D0A948000B94C84AD6C41162E593F
              SHA-256:E188143729B044955881302631BE577381B05B67E9899E09DB3573156719C70E
              SHA-512:446FD3024710E6994A0085CF3ADC0E395BE131898D7D932B383A19981C41637D27D9DABFB2177DBB62375CF4CCFC13722F5B828FF0FA9BB691F220A73D035586
              Malicious:false
              Reputation:unknown
              Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........0.m.Q.>.Q.>.Q.>.)E>.Q.>.5.?.Q.>.5.?.Q.>.Q.>+Q.>.5.?.Q.>.5.?.Q.>.5.?.Q.>.5)>.Q.>.5.?.Q.>Rich.Q.>........PE..d...O.Uf.........."..........(.......E.........@.............................@......e}............... ......................................8...\.... ..........x............0..........T............................................................................text...L........................... ..`.imrsiv..................................rdata..L...........................@..@.data...............................@....pdata..x...........................@..@.didat..x...........................@....rsrc........ ......................@..@.reloc.......0......................@..B........................................................................................................................................................................................
              C:\Users\user\AppData\Local\FQTqHJ\XmlLite.dll
              Process:C:\Windows\explorer.exe
              File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
              Category:dropped
              Size (bytes):2236416
              Entropy (8bit):3.406611949592817
              Encrypted:false
              SSDEEP:12288:WVI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1:LfP7fWsK5z9A+WGAW+V5SB6Ct4bnb
              MD5:CB757D9BD0E289A106808C0230A026A6
              SHA1:1F11AE588A68B3A2A29668CBD5A0A8A445E4938F
              SHA-256:450A946EC012C1311B599992FD920623C478F9B69FE246296AD6F8E9B57D0581
              SHA-512:DBD27A1ACA3AF8A626D4A4C80B46D394C936B1BCBF500255CAB63E42B8E2194FC82B694DC0A230236271F41A3B89AD2E8C2B57277A9E83F6B96F388E9A27237B
              Malicious:true
              Antivirus:
              • Antivirus: Avira, Detection: 100%
              • Antivirus: Joe Sandbox ML, Detection: 100%
              Reputation:unknown
              Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............|...|...|....K.#}...'...}......{}....X.#}....f..|....g..}..*...a|.......}....N..}..*...E}..[.I.E|...'..U}....N.+}..[.K.P|..[.K./}...I.h}..u.Y.k|.......|..W"...|..b.L.t|...|...}......N|..2%...|..Rich.|..............................................................................................................PE..d.;..DN^.........." ................p..........@............................. ".....@lx}..b..........................................."......c..........h.......................$#................................................... ...............................text............................... ..`.rdata...O... ...P... ..............@..@.data....x...p.......p..............@....pdata..,...........................A..@.rsrc...............................@..@.reloc..$#.......0..................@..B.qkm....J....@.......@..............@..@.cvjb...f...
              C:\Users\user\AppData\Local\NNd0CnGJ\Magnify.exe
              Process:C:\Windows\explorer.exe
              File Type:PE32+ executable (GUI) x86-64, for MS Windows
              Category:dropped
              Size (bytes):809472
              Entropy (8bit):6.649005640850081
              Encrypted:false
              SSDEEP:6144:g4yELxB+4i7juGW9ku9gi9m5SBo3BZHgnlWXL1ogREJwkz5gzNOx8XA08bAhMWUy:1tLvDNhg0Pnomt8XOykpyk
              MD5:F97BE20B374457236666607EE4BA7F7F
              SHA1:378D5ADAB450032CBD086A419C07DF8278FF4F32
              SHA-256:72A31AEB7655343C7112085DFD49A2D5F1A6F1191D8F91A96BC446DE932724EA
              SHA-512:62C8875A9ECB710CCE5CACBEFF3615A9771913F0C7A7CD42FFFE1D00F9B9E26D01139501635F1578F1B63E03682B52312E776A7191F291B86960B1D7464AB216
              Malicious:false
              Reputation:unknown
              Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........_T..>:D.>:D.>:D.F.D.>:D.Z>E.>:D.Z9E.>:D.Z?E.>:D.Z;E.>:D.>;D.8:D.Z3E.>:D.Z.D.>:D.Z.D.>:D.Z8E.>:DRich.>:D........................PE..d...U..........."................. ..........@..........................................`.......... ......................................8........0..@G.......-..............8...P"..T................... ...(... ...............H...(............................text...*........................... ..`.rdata..t(.......*..................@..@.data...............................@....pdata...-..........................@..@.rsrc...@G...0...H..................@..@.reloc..8............T..............@..B................................................................................................................................................................................................................................................
              C:\Users\user\AppData\Local\NNd0CnGJ\OLEACC.dll
              Process:C:\Windows\explorer.exe
              File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
              Category:dropped
              Size (bytes):2236416
              Entropy (8bit):3.408793605428252
              Encrypted:false
              SSDEEP:12288:uVI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1:zfP7fWsK5z9A+WGAW+V5SB6Ct4bnb
              MD5:0CA5F4D66EBB41C5D3F7E5A6D341F77F
              SHA1:3894DC22432580634AD98F990355CF0C15F10DD8
              SHA-256:31FA6F8CCF9DD4024AF161774599C6196118660437B4149DCDE28026B7A2478E
              SHA-512:A59C7EE98E855637B31C030D66611402D1D5106593FC633C7FB0793AA9B9C74296CA41960F9EA4FCF23568D1682CE1A9602D40496610B84D882466FE861F1E9B
              Malicious:true
              Antivirus:
              • Antivirus: Avira, Detection: 100%
              • Antivirus: Joe Sandbox ML, Detection: 100%
              Reputation:unknown
              Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............|...|...|....K.#}...'...}......{}....X.#}....f..|....g..}..*...a|.......}....N..}..*...E}..[.I.E|...'..U}....N.+}..[.K.P|..[.K./}...I.h}..u.Y.k|.......|..W"...|..b.L.t|...|...}......N|..2%...|..Rich.|..............................................................................................................PE..d.;..DN^.........." ................p..........@............................. ".....@lx}..b..........................................."......c..........h.......................$#................................................... ...............................text............................... ..`.rdata...O... ...P... ..............@..@.data....x...p.......p..............@....pdata..,...........................A..@.rsrc...............................@..@.reloc..$#.......0..................@..B.qkm....J....@.......@..............@..@.cvjb...f...
              C:\Users\user\AppData\Local\QiP6c\SndVol.exe
              Process:C:\Windows\explorer.exe
              File Type:PE32+ executable (GUI) x86-64, for MS Windows
              Category:dropped
              Size (bytes):259904
              Entropy (8bit):5.955701055747905
              Encrypted:false
              SSDEEP:3072:UfYIZJbRydnidilSnGvLqeD358rwW39nuyHjVozZcxSHfcBL1ljbEyB7HbIa+:Uf9JonidFnqLV358rNnJqcRcy10/
              MD5:CDD7C7DF2D0859AC3F4088423D11BD08
              SHA1:128789A2EA904F684B5DF2384BA6EEF4EB60FB8E
              SHA-256:D98DB8339EB1B93A7345EECAC2B7290FA7156E3E12B7632D876BD0FD1F31EC66
              SHA-512:A093BF3C40C880A80164F2CAA87DF76DCD854375C5216D761E60F3770DFA04F4B02EC0CA6313C32413AC99A3EBDC081CF915A7B468EE3CED80F9B1ECF4B49804
              Malicious:true
              Reputation:unknown
              Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........<.BL]..L]..L]..E%...]..#9..O]..#9..U]..#9..F]..#9..W]..L]...\..#9..o]..#9k.M]..#9..M]..RichL]..........................PE..d...wJSn.........."............................@.............................@....................... .........................................p.... ..@...............@+...0.......U..T...................p&..(...p%...............&......P........................text............................... ..`.imrsiv..................................rdata....... ......................@..@.data...............................@....pdata..............................@..@.didat..............................@....rsrc...@.... ......................@..@.reloc.......0......................@..B........................................................................................................................................................................
              C:\Users\user\AppData\Local\QiP6c\UxTheme.dll
              Process:C:\Windows\explorer.exe
              File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
              Category:dropped
              Size (bytes):2236416
              Entropy (8bit):3.4158562242471984
              Encrypted:false
              SSDEEP:12288:HVI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1:ufP7fWsK5z9A+WGAW+V5SB6Ct4bnb
              MD5:7F591E3E13727BC65D9343A0424DC251
              SHA1:FB577F41F44AC64FFCAA911A382786B19BAC6DD5
              SHA-256:9C68174FA05C42FD588281AD3ED149DF3673A2932849410AC2E902772752871F
              SHA-512:6AA7DAA2DE4612E820E87182CDF95E8FFFFB7ADA175478F3F66F70C3B4E7BBA7FF3ECC29F31CD5C42C4BB85ACF5DE68CDAF55D8B54EF143B0FCB801B38434B49
              Malicious:true
              Antivirus:
              • Antivirus: Avira, Detection: 100%
              • Antivirus: Joe Sandbox ML, Detection: 100%
              Reputation:unknown
              Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............|...|...|....K.#}...'...}......{}....X.#}....f..|....g..}..*...a|.......}....N..}..*...E}..[.I.E|...'..U}....N.+}..[.K.P|..[.K./}...I.h}..u.Y.k|.......|..W"...|..b.L.t|...|...}......N|..2%...|..Rich.|..............................................................................................................PE..d.;..DN^.........." ................p..........@............................. ".....@lx}..b..........................................."......c..........h.......................$#................................................... ...............................text............................... ..`.rdata...O... ...P... ..............@..@.data....x...p.......p..............@....pdata..,...........................A..@.rsrc...............................@..@.reloc..$#.......0..................@..B.qkm....J....@.......@..............@..@.cvjb...f...
              C:\Users\user\AppData\Local\VgY\Secur32.dll
              Process:C:\Windows\explorer.exe
              File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
              Category:dropped
              Size (bytes):2236416
              Entropy (8bit):3.417374163758923
              Encrypted:false
              SSDEEP:12288:KVI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1:XfP7fWsK5z9A+WGAW+V5SB6Ct4bnb
              MD5:DB5938B2BCF055E28A918103006CBCAA
              SHA1:87EFF0B3AE617315DDE7EBA2261EA88B7AF02061
              SHA-256:45561012881BCEB066C2F5A47ACA5F80D6463D025DE36DC19F54DB2A6D0DC216
              SHA-512:C6D17E4D7EBC15C78981A22DAABC9190C35F69239BD3AB714ADBFE3D39961D82059562CFA68EBBE6F1C1A8432472C76BBA4486C20D384302194E96C16470FECC
              Malicious:true
              Antivirus:
              • Antivirus: Avira, Detection: 100%
              • Antivirus: Joe Sandbox ML, Detection: 100%
              Reputation:unknown
              Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............|...|...|....K.#}...'...}......{}....X.#}....f..|....g..}..*...a|.......}....N..}..*...E}..[.I.E|...'..U}....N.+}..[.K.P|..[.K./}...I.h}..u.Y.k|.......|..W"...|..b.L.t|...|...}......N|..2%...|..Rich.|..............................................................................................................PE..d.;..DN^.........." ................p..........@............................. ".....@lx}..b...........................................".#....c..........h.......................$#................................................... ...............................text............................... ..`.rdata...O... ...P... ..............@..@.data....x...p.......p..............@....pdata..,...........................A..@.rsrc...............................@..@.reloc..$#.......0..................@..B.qkm....J....@.......@..............@..@.cvjb...f...
              C:\Users\user\AppData\Local\VgY\mstsc.exe
              Process:C:\Windows\explorer.exe
              File Type:PE32+ executable (GUI) x86-64, for MS Windows
              Category:dropped
              Size (bytes):3640832
              Entropy (8bit):5.884402821447862
              Encrypted:false
              SSDEEP:98304:q8yNOTNEpZxGb+ZPgN6tYDNBMe+8noqvEYw0n2WFfZT+xgsLOsMg:q8yNOTNEpZxk+ZIN6tYDNBMe+8noqvEB
              MD5:3FBB5CD8829E9533D0FF5819DB0444C0
              SHA1:A4A6E4E50421E57EA4745BA44568B107A9369447
              SHA-256:043870DBAB955C1851E1710D941495357383A08F3F30DD3E3A1945583A85E0CA
              SHA-512:349459CCF4DDFB0B05B066869C99088BA3012930D5BBC3ED1C9E4CF6400687B1EFE698C5B1734BF6FF299F6C65DD7A71A2709D3773E9E96F6FDE659F5D883F48
              Malicious:false
              Reputation:unknown
              Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$......... w.dN$.dN$.dN$..M%.dN$..J%.dN$..K%.dN$..O%.dN$.dO$TfN$..G%.eN$...$.dN$..L%.dN$Rich.dN$........PE..d.....Y..........."......$....%.....p..........@..............................7......K8...`..................................................].......p..H>!.....`.............7. *..P...T...........................`...............`........\..`....................text....".......$.................. ..`.rdata...\...@...^...(..............@..@.data...P(..........................@....pdata..`...........................@..@.didat..(....`....... ..............@....rsrc...H>!..p...@!.."..............@..@.reloc.. *....7..,...b7.............@..B........................................................................................................................................................................................................................................
              C:\Users\user\AppData\Local\r1aQ\EhStorAuthn.exe
              Process:C:\Windows\explorer.exe
              File Type:PE32+ executable (GUI) x86-64, for MS Windows
              Category:dropped
              Size (bytes):128512
              Entropy (8bit):6.2177431661699805
              Encrypted:false
              SSDEEP:1536:JkvDU6Ogd6+nGNj73upR/yc4jKxyB6zd23W9aMEbq6GIwc0eomgPHA5kG9mQ7N6A:bgd6+E3ueD+bc0xPxQZDFcZIZ
              MD5:5B9BB7B6DD9A81D42F057BA252DC3B63
              SHA1:EC0699019DF4B9BC7D12C4B3CAFC4963210B5C7A
              SHA-256:4348A9C263028C665AA486B08DDD22BC7F3879B0A89765DA5A0F4AECD0A1224C
              SHA-512:9F77B1720CB1F3218556E396B264A15765FF8925FFFBEF1121245BB7F15174EBC7A2C341AD787410F326EE2E18EC097DE191F21B8B4335C1129EB41289E68E19
              Malicious:false
              Reputation:unknown
              Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........)S..H=@.H=@.H=@.,>A.H=@.,9A.H=@.,8A.H=@.,<A.H=@.H<@"H=@.,4A.H=@.,=A.H=@.,.@.H=@.,?A.H=@Rich.H=@........PE..d....G............"..........^......`..........@.............................0............`.......... ..................................`...`...................\............ ..,... ...T...............................................8............................text............................... ..`.rdata..f........0..................@..@.data...............................@....pdata..\...........................@..@.rsrc...............................@..@.reloc..,.... ......................@..B........................................................................................................................................................................................................................................................................
              C:\Users\user\AppData\Local\r1aQ\UxTheme.dll
              Process:C:\Windows\explorer.exe
              File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
              Category:dropped
              Size (bytes):2236416
              Entropy (8bit):3.4158800780354133
              Encrypted:false
              SSDEEP:12288:VVI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1:MfP7fWsK5z9A+WGAW+V5SB6Ct4bnb
              MD5:4D29023178FD2D10CB3ACE4885820458
              SHA1:140E9C96A2D4A8BAC949B02FB928E0FF76754B6E
              SHA-256:FEA11ED22EBAA8A456516620C8B73281104BE7E328AD6FE82C9E013216E3EF7A
              SHA-512:0F935996AFF73EA5FBB0CE613229D31D4D0F2FD37C7207B4987D464E12A1FD2F14E45E5DEE001069144C45F35B9D0825CCF72AC46E8487A7FCA22879C3D555E1
              Malicious:false
              Reputation:unknown
              Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............|...|...|....K.#}...'...}......{}....X.#}....f..|....g..}..*...a|.......}....N..}..*...E}..[.I.E|...'..U}....N.+}..[.K.P|..[.K./}...I.h}..u.Y.k|.......|..W"...|..b.L.t|...|...}......N|..2%...|..Rich.|..............................................................................................................PE..d.;..DN^.........." ................p..........@............................. ".....@lx}..b..........................................."......c..........h.......................$#................................................... ...............................text............................... ..`.rdata...O... ...P... ..............@..@.data....x...p.......p..............@....pdata..,...........................A..@.rsrc...............................@..@.reloc..$#.......0..................@..B.qkm....J....@.......@..............@..@.cvjb...f...
              C:\Users\user\AppData\Local\wsL8xMlEF\DisplaySwitch.exe
              Process:C:\Windows\explorer.exe
              File Type:PE32+ executable (GUI) x86-64, for MS Windows
              Category:dropped
              Size (bytes):1930224
              Entropy (8bit):1.9511202288226894
              Encrypted:false
              SSDEEP:3072:LvyYYIF4cmwcTigBmZWRHLxgMNnVYvkkVp66oB4E7p6:LvyYBF4R/igoZWRryMNnqz3
              MD5:97411B8A84E5980E509E500C3209E5C0
              SHA1:23398F8DA469DEAF10C32773062A6A62B7B004B4
              SHA-256:2C968556FCAD7EBB9A866B21A9F3F3DFCD0CA490CAF8F6B2ECDB423B9D24D3EF
              SHA-512:1D5E598B51B37E8A92FA188A8D59C67B7522480B46AFB5D2033D4380A3C5A120D0DB2BE6FE62B636A23AD83F757B7A1803B77A0EA19DF3C51B9BD36B0F06CB6A
              Malicious:false
              Reputation:unknown
              Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$....... ..zd..)d..)d..)m.T)R..)...(g..)...(q..)...(c..)...(E..)d..)...)...({..)..8)e..)...(e..)Richd..)........PE..d....[~..........."...... ........... .........@.............................`....................... .........................................\.......(3......d........c...P..X.......T....................K..(....J...............K..x............................text............ .................. ..`.imrsiv......0...........................rdata..6....@.......$..............@..@.data...(...........................@....pdata..d...........................@..@.rsrc...(3.......4..................@..@.reloc..X....P......................@..B................................................................................................................................................................................................................................
              C:\Users\user\AppData\Local\wsL8xMlEF\WINSTA.dll
              Process:C:\Windows\explorer.exe
              File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
              Category:dropped
              Size (bytes):2240512
              Entropy (8bit):3.4238232767891454
              Encrypted:false
              SSDEEP:12288:bVI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1:6fP7fWsK5z9A+WGAW+V5SB6Ct4bnb
              MD5:447058F8460FC604A0852CCD62462C97
              SHA1:E2B5CE7A28224F839FA0B4A153F6B01A8C70586E
              SHA-256:B0BBEEB74A6BAE9B3AAB49327F807FEE63018C92342E4CBFA3B2666F2AFAB0F0
              SHA-512:BD751199866B6C07BAED02AA233E9A012845BAAA91659853C0F8A6E24749F37796A32E75AAF042498865E818BD9B6B25694D9A60D89ADEAE1ADE623A6FE6CCC3
              Malicious:true
              Antivirus:
              • Antivirus: Avira, Detection: 100%
              • Antivirus: Joe Sandbox ML, Detection: 100%
              Reputation:unknown
              Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............|...|...|....K.#}...'...}......{}....X.#}....f..|....g..}..*...a|.......}....N..}..*...E}..[.I.E|...'..U}....N.+}..[.K.P|..[.K./}...I.h}..u.Y.k|.......|..W"...|..b.L.t|...|...}......N|..2%...|..Rich.|..............................................................................................................PE..d.;..DN^.........." ................p..........@.............................0".....@lx}..b...........................................".m....c..........h.......................$#................................................... ...............................text............................... ..`.rdata...O... ...P... ..............@..@.data....x...p.......p..............@....pdata..,...........................A..@.rsrc...............................@..@.reloc..$#.......0..................@..B.qkm....J....@.......@..............@..@.cvjb...f...
              C:\Users\user\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-3853321935-2125563209-4053062332-1002\89dad5d484a9f889a3a8dfca823edc3e_d06ed635-68f6-4e9a-955c-4899f5f57b9a
              Process:C:\Windows\explorer.exe
              File Type:data
              Category:dropped
              Size (bytes):4447
              Entropy (8bit):5.479118735651339
              Encrypted:false
              SSDEEP:48:JpnURyDsHPcrkR/J6AhUzHrpnUnLpM/Fuc2/7h6OSJXJY8LU+QYwBMuMuEu:JJGymPcmJfhU3JadubugTXs+QYwKLu
              MD5:F4F1FA09A467998A8BCD1E6EA05488A7
              SHA1:CB33AC91E6108330488B353C5BBE786087F35AD3
              SHA-256:D639226D41D26952376E2C91BFD87D04BF284E895A4D9446FEE48F53F37519C9
              SHA-512:6FBDA3141C980C94E85C54DBBFB084204183F133D04DCE98525E80FF62E2A33E1C2D7D2133232871E8D7DB5CD51C8AE9A73EE469E18E741672DDA6C157EDBF99
              Malicious:false
              Reputation:unknown
              Preview: ........................................user.........................................user.....................RSA1.................vf..G..~^D..........O@......w..5..-.L....W.}.P.............K.....Hkk\.#Y...y... ..-_..C..j..3..i&..t.#..5...d.........................z..O........6r...G..V..q.J....,...C.r.y.p.t.o.A.P.I. .P.r.i.v.a.t.e. .K.e.y....f...... ....W...RX..}.<%...K.V.\.._.y..F.............. ...oB.....:..C@......xM.6H.M.#......:..Kk.-K.y.vK.....s.O.k..%2.........(gv.sNcW..c......t.nc.."S...L)....2.k.|3........].p..y-(..h.C.a)Y....E.@p..g.?.-.zI.y.......ku..!1...o.kZ.bzZ.y.....K/.K.Yn.O.... ..Z......i.8.>.......^.5K...]#...6|.....3.NW..7.R@(/e.u;.N...~[..i..K.H....}...V!`....A.).7................-.......4E<.f.8.^.ZQU..xj...\..w...3k_..TmE8$.....m......3I.U..%..1.].H.@.YM.....'.....(.?..{....X..&.....hzk`............/p+.....;...b....w'P..5Om>.._...f.{...l...T.....5a@T.1.iW{.N.hlV5.... :O.T_$.l..&\..Mz.z..{.f...F7..N..F*.c....*h.O

              Static File Info

              General

              File type:PE32+ executable (DLL) (console) x86-64, for MS Windows
              Entropy (8bit):3.4112191453962337
              TrID:
              • Win64 Dynamic Link Library (generic) (102004/3) 86.43%
              • Win64 Executable (generic) (12005/4) 10.17%
              • Generic Win/DOS Executable (2004/3) 1.70%
              • DOS Executable Generic (2002/1) 1.70%
              • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.01%
              File name:A2qAaSVuU2.dll
              File size:2232320
              MD5:f8295446e335b679641637334c99242d
              SHA1:18b9a40791f1a52c70507b29d0b631510f2e33c6
              SHA256:96705595655fd817156073e3d3efde3338e24c3afaef13e517153ae4b5218fc9
              SHA512:82b140666adcf81d786ef650a4eeae44a133c23593e2ccb14a1bd0b262084dd937d2fe6546fd691ba859b376becbfc4f18e57459d8e9e6b2e20654cc227fd1b7
              SSDEEP:12288:/VI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1:2fP7fWsK5z9A+WGAW+V5SB6Ct4bnb
              File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............|...|...|....K.#}...'...}......{}....X.#}....f..|....g..}..*...a|.......}....N..}..*...E}..[.I.E|...'..U}....N.+}..[.K.P|.

              File Icon

              Icon Hash:74f0e4ecccdce0e4

              Static PE Info

              General

              Entrypoint:0x140041070
              Entrypoint Section:.text
              Digitally signed:false
              Imagebase:0x140000000
              Subsystem:windows cui
              Image File Characteristics:EXECUTABLE_IMAGE, DLL, LARGE_ADDRESS_AWARE
              DLL Characteristics:TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA
              Time Stamp:0x5E4E44CC [Thu Feb 20 08:35:24 2020 UTC]
              TLS Callbacks:
              CLR (.Net) Version:
              OS Version Major:5
              OS Version Minor:0
              File Version Major:5
              File Version Minor:0
              Subsystem Version Major:5
              Subsystem Version Minor:0
              Import Hash:6668be91e2c948b183827f040944057f

              Entrypoint Preview

              Instruction
              dec eax
              xor eax, eax
              dec eax
              add eax, 5Ah
              dec eax
              mov dword ptr [00073D82h], ecx
              dec eax
              lea ecx, dword ptr [FFFFECABh]
              dec eax
              mov dword ptr [00073D7Ch], edx
              dec eax
              add eax, ecx
              dec esp
              mov dword ptr [00073D92h], ecx
              dec esp
              mov dword ptr [00073DA3h], ebp
              dec esp
              mov dword ptr [00073D7Ch], eax
              dec esp
              mov dword ptr [00073D85h], edi
              dec esp
              mov dword ptr [00073D86h], esi
              dec esp
              mov dword ptr [00073D8Fh], esp
              dec eax
              mov ecx, eax
              dec eax
              sub ecx, 5Ah
              dec eax
              mov dword ptr [00073D89h], esi
              dec eax
              test eax, eax
              je 00007F26EC8D932Fh
              dec eax
              mov dword ptr [00073D45h], esp
              dec eax
              mov dword ptr [00073D36h], ebp
              dec eax
              mov dword ptr [00073D7Fh], ebx
              dec eax
              mov dword ptr [00073D70h], edi
              dec eax
              test eax, eax
              je 00007F26EC8D930Eh
              jmp ecx
              dec eax
              add edi, ecx
              dec eax
              mov dword ptr [FFFFEC37h], ecx
              dec eax
              xor ecx, eax
              jmp ecx
              retn 0008h
              ud2
              int3
              int3
              int3
              int3
              int3
              int3
              int3
              int3
              int3
              int3
              int3
              int3
              int3
              push ebx
              dec eax
              sub esp, 00000080h
              mov eax, F957B016h
              mov byte ptr [esp+7Fh], 00000037h
              mov edx, dword ptr [esp+78h]
              inc ecx
              mov eax, edx
              inc ecx
              or eax, 5D262B0Ch
              inc esp
              mov dword ptr [esp+78h], eax
              dec eax
              mov dword ptr [eax+eax+00h], 00000000h

              Rich Headers

              Programming Language:
              • [LNK] VS2012 UPD4 build 61030
              • [ASM] VS2013 UPD2 build 30501
              • [ C ] VS2012 UPD2 build 60315
              • [C++] VS2013 UPD4 build 31101
              • [RES] VS2012 UPD3 build 60610
              • [LNK] VS2017 v15.5.4 build 25834
              • [ C ] VS2017 v15.5.4 build 25834
              • [ASM] VS2010 build 30319
              • [EXP] VS2015 UPD1 build 23506
              • [IMP] VS2008 SP1 build 30729
              • [RES] VS2012 UPD4 build 61030
              • [LNK] VS2012 UPD2 build 60315
              • [C++] VS2015 UPD1 build 23506
              • [ C ] VS2013 UPD4 build 31101

              Data Directories

              Name | Virtual Address | Virtual Size | Is in Section
              IMAGE_DIRECTORY_ENTRY_EXPORT | 0xa6f2c | 0xa4 | .rdata
              IMAGE_DIRECTORY_ENTRY_IMPORT | 0xa6390 | 0xa0 | .rdata
              IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xc0000 | 0x468 | .rsrc
              IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | -
              IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | -
              IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xc1000 | 0x2324 | .reloc
              IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 | -
              IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | -
              IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | -
              IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | -
              IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 | -
              IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | -
              IMAGE_DIRECTORY_ENTRY_IAT | 0x42000 | 0xc0 | .rdata
              IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | -
              IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | -
              IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 | -

              Sections

              Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
              .text | 0x1000 | 0x40796 | 0x41000 | False | 0.776085486779 | data | 7.73364605679 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
              .rdata | 0x42000 | 0x64fd0 | 0x65000 | False | 0.702641553218 | data | 7.86628806834 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
              .data | 0xa7000 | 0x178b8 | 0x18000 | False | 0.0694580078125 | data | 3.31515306295 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
              .pdata | 0xbf000 | 0x12c | 0x1000 | False | 0.06005859375 | PEX Binary Archive | 0.581723022719 | IMAGE_SCN_TYPE_DSECT, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
              .rsrc | 0xc0000 | 0x880 | 0x1000 | False | 0.139892578125 | data | 1.23838501563 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
              .reloc | 0xc1000 | 0x2324 | 0x3000 | False | 0.0498046875 | data | 4.65321444248 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
              .qkm | 0xc4000 | 0x74a | 0x1000 | False | 0.00634765625 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
              .cvjb | 0xc5000 | 0x1e66 | 0x2000 | False | 0.0037841796875 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
              .tlmkv | 0xc7000 | 0xbde | 0x1000 | False | 0.00634765625 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
              .wucsxe | 0xc8000 | 0x45174 | 0x46000 | False | 0.0010498046875 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
              .fltwtj | 0x10e000 | 0x1267 | 0x2000 | False | 0.0037841796875 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
              .sfplio | 0x110000 | 0x736 | 0x1000 | False | 0.00634765625 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
              .rpg | 0x111000 | 0x45174 | 0x46000 | False | 0.0010498046875 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
              .bewzc | 0x157000 | 0x1124 | 0x2000 | False | 0.0037841796875 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
              .vksvaw | 0x159000 | 0x736 | 0x1000 | False | 0.00634765625 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
              .wmhg | 0x15a000 | 0x1278 | 0x2000 | False | 0.0037841796875 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
              .kswemc | 0x15c000 | 0x36d | 0x1000 | False | 0.00634765625 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
              .kaxfk | 0x15d000 | 0x197d | 0x2000 | False | 0.0037841796875 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
              .wualk | 0x15f000 | 0xbde | 0x1000 | False | 0.00634765625 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
              .qdxz | 0x160000 | 0xbde | 0x1000 | False | 0.00634765625 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
              .rkyg | 0x161000 | 0x1af | 0x1000 | False | 0.00634765625 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
              .psul | 0x162000 | 0x1af | 0x1000 | False | 0.00634765625 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
              .pyjm | 0x163000 | 0x1f7 | 0x1000 | False | 0.00634765625 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
              .eoadme | 0x164000 | 0x7fd | 0x1000 | False | 0.00634765625 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
              .fnz | 0x165000 | 0x389 | 0x1000 | False | 0.00634765625 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
              .gwheg | 0x166000 | 0x45174 | 0x46000 | False | 0.0010498046875 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
              .fcd | 0x1ac000 | 0x322 | 0x1000 | False | 0.00634765625 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
              .dwk | 0x1ad000 | 0x9cd | 0x1000 | False | 0.00634765625 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
              .hgy | 0x1ae000 | 0xae7 | 0x1000 | False | 0.00634765625 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
              .nfm | 0x1af000 | 0x46e | 0x1000 | False | 0.00634765625 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
              .qmfqd | 0x1b0000 | 0xd57 | 0x1000 | False | 0.00634765625 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
              .buzyfh | 0x1b1000 | 0xbde | 0x1000 | False | 0.00634765625 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
              .towo | 0x1b2000 | 0x2da | 0x1000 | False | 0.00634765625 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
              .omwdbg | 0x1b3000 | 0x1f7 | 0x1000 | False | 0.00634765625 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
              .virw | 0x1b4000 | 0x6cd0 | 0x7000 | False | 0.00177873883929 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
              .bck | 0x1bb000 | 0x543 | 0x1000 | False | 0.00634765625 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
              .mbhfb | 0x1bc000 | 0x573 | 0x1000 | False | 0.00634765625 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
              .kix | 0x1bd000 | 0x896 | 0x1000 | False | 0.00634765625 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
              .gurzs | 0x1be000 | 0x736 | 0x1000 | False | 0.00634765625 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
              .dzdoj | 0x1bf000 | 0x23b | 0x1000 | False | 0.00634765625 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
              .egret | 0x1c0000 | 0x1455 | 0x2000 | False | 0.0037841796875 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
              .ftpyc | 0x1c2000 | 0x736 | 0x1000 | False | 0.00634765625 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
              .qrc | 0x1c3000 | 0x3fe | 0x1000 | False | 0.00634765625 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
              .tnnx | 0x1c4000 | 0x389 | 0x1000 | False | 0.00634765625 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
              .vsjhk | 0x1c5000 | 0x23b | 0x1000 | False | 0.00634765625 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
              .fmswwe | 0x1c6000 | 0xd33 | 0x1000 | False | 0.00634765625 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
              .zfhn | 0x1c7000 | 0x6cd0 | 0x7000 | False | 0.00177873883929 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
              .ejdgrp | 0x1ce000 | 0x389 | 0x1000 | False | 0.00634765625 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
              .soyat | 0x1cf000 | 0x13e | 0x1000 | False | 0.00634765625 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
              .jlil | 0x1d0000 | 0x1af | 0x1000 | False | 0.00634765625 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
              .bojgf | 0x1d1000 | 0x13e | 0x1000 | False | 0.00634765625 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
              .gvsnik | 0x1d2000 | 0x23b | 0x1000 | False | 0.00634765625 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
              .lsc | 0x1d3000 | 0x45174 | 0x46000 | False | 0.0010498046875 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
              .uepvem | 0x219000 | 0x13e | 0x1000 | False | 0.00634765625 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
              .don | 0x21a000 | 0x197d | 0x2000 | False | 0.0037841796875 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
              .dqju | 0x21c000 | 0x1e66 | 0x2000 | False | 0.0037841796875 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
              .qmgrql | 0x21e000 | 0x736 | 0x1000 | False | 0.00634765625 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
              .cjrd | 0x21f000 | 0x128f | 0x2000 | False | 0.0037841796875 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

              Resources

              Name | RVA | Size | Type | Language | Country
              RT_VERSION | 0xc00a0 | 0x370 | data | English | United States
              RT_MANIFEST | 0xc0410 | 0x56 | ASCII text, with CRLF line terminators | English | United States

              Imports

              DLL | Import
              USER32.dll | LookupIconIdFromDirectoryEx, WaitForInputIdle, GetParent, GetFocus
              SETUPAPI.dll | CM_Get_Resource_Conflict_DetailsW
              KERNEL32.dll | DeleteCriticalSection, DeleteTimerQueue, TerminateJobObject, GetFileInformationByHandle, GetThreadLocale, GetNamedPipeServerProcessId, GetConsoleFontSize
              GDI32.dll | CreateBitmapIndirect, GetPolyFillMode
              CRYPT32.dll | CertGetCTLContextProperty
              ADVAPI32.dll | AddAccessDeniedObjectAce
              SHLWAPI.dll | ChrCmpIW

              Exports

              Name | Ordinal | Address
              DpxFreeMemory | 1 | 0x140014ad4
              DpxNewJob | 2 | 0x14000c684
              DpxNewJobEx | 3 | 0x140024248
              DpxRestoreJob | 4 | 0x1400085e8
              DpxRestoreJobEx | 5 | 0x14001b4d8

              Version Infos

              Description | Data
              LegalCopyright | Microsoft Corporation. All rights reserv
              InternalName | bitsp
              FileVersion | 7.5.7600.16385 (win7_rtm.090713-
              CompanyName | Microsoft Corporati
              ProductName | Microsoft Windows Operating S
              ProductVersion | 6.1.7600
              FileDescription | Background Intellig
              OriginalFilename | kbdy
              Translation | 0x0409 0x04b0

              Possible Origin

              Language of compilation system | Country where language is spoken | Map
              English | United States | -

              Network Behavior

              Network Port Distribution

              UDP Packets

              Timestamp | Source Port | Dest Port | Source IP | Dest IP
              Sep 29, 2021 03:37:46.985901117 CEST | 53183 | 53 | 192.168.2.5 | 8.8.8.8
              Sep 29, 2021 03:37:47.999109983 CEST | 53183 | 53 | 192.168.2.5 | 8.8.8.8
              Sep 29, 2021 03:37:48.059173107 CEST | 53 | 53183 | 8.8.8.8 | 192.168.2.5
              Sep 29, 2021 03:38:20.888489962 CEST | 57587 | 53 | 192.168.2.5 | 8.8.8.8
              Sep 29, 2021 03:38:21.877808094 CEST | 57587 | 53 | 192.168.2.5 | 8.8.8.8
              Sep 29, 2021 03:38:21.896532059 CEST | 53 | 57587 | 8.8.8.8 | 192.168.2.5
              Sep 29, 2021 03:38:23.611285925 CEST | 55432 | 53 | 192.168.2.5 | 8.8.8.8
              Sep 29, 2021 03:38:23.666307926 CEST | 53 | 55432 | 8.8.8.8 | 192.168.2.5
              Sep 29, 2021 03:38:32.279305935 CEST | 64936 | 53 | 192.168.2.5 | 8.8.8.8
              Sep 29, 2021 03:38:32.352840900 CEST | 53 | 64936 | 8.8.8.8 | 192.168.2.5
              Sep 29, 2021 03:38:34.614573002 CEST | 52704 | 53 | 192.168.2.5 | 8.8.8.8
              Sep 29, 2021 03:38:34.678839922 CEST | 53 | 52704 | 8.8.8.8 | 192.168.2.5
              Sep 29, 2021 03:38:43.007261992 CEST | 52212 | 53 | 192.168.2.5 | 8.8.8.8
              Sep 29, 2021 03:38:44.032881975 CEST | 52212 | 53 | 192.168.2.5 | 8.8.8.8
              Sep 29, 2021 03:38:44.087611914 CEST | 53 | 52212 | 8.8.8.8 | 192.168.2.5
              Sep 29, 2021 03:38:46.405586958 CEST | 54302 | 53 | 192.168.2.5 | 8.8.8.8
              Sep 29, 2021 03:38:48.000888109 CEST | 54302 | 53 | 192.168.2.5 | 8.8.8.8
              Sep 29, 2021 03:38:48.043163061 CEST | 53 | 54302 | 8.8.8.8 | 192.168.2.5
              Sep 29, 2021 03:38:57.699244976 CEST | 53784 | 53 | 192.168.2.5 | 8.8.8.8
              Sep 29, 2021 03:38:57.717226982 CEST | 53 | 53784 | 8.8.8.8 | 192.168.2.5
              Sep 29, 2021 03:38:58.077536106 CEST | 65307 | 53 | 192.168.2.5 | 8.8.8.8
              Sep 29, 2021 03:38:58.108865976 CEST | 53 | 65307 | 8.8.8.8 | 192.168.2.5
              Sep 29, 2021 03:39:05.169296980 CEST | 64344 | 53 | 192.168.2.5 | 8.8.8.8
              Sep 29, 2021 03:39:05.203315020 CEST | 53 | 64344 | 8.8.8.8 | 192.168.2.5
              Sep 29, 2021 03:39:10.919622898 CEST | 62060 | 53 | 192.168.2.5 | 8.8.8.8
              Sep 29, 2021 03:39:10.944142103 CEST | 53 | 62060 | 8.8.8.8 | 192.168.2.5
              Sep 29, 2021 03:39:47.347239017 CEST | 61805 | 53 | 192.168.2.5 | 8.8.8.8
              Sep 29, 2021 03:39:47.373959064 CEST | 53 | 61805 | 8.8.8.8 | 192.168.2.5
              Sep 29, 2021 03:39:53.680443048 CEST | 54795 | 53 | 192.168.2.5 | 8.8.8.8
              Sep 29, 2021 03:39:53.699193001 CEST | 53 | 54795 | 8.8.8.8 | 192.168.2.5
              Sep 29, 2021 03:40:04.949834108 CEST | 49557 | 53 | 192.168.2.5 | 8.8.8.8
              Sep 29, 2021 03:40:04.983392954 CEST | 53 | 49557 | 8.8.8.8 | 192.168.2.5
              Sep 29, 2021 03:40:35.671704054 CEST | 61733 | 53 | 192.168.2.5 | 8.8.8.8
              Sep 29, 2021 03:40:36.681646109 CEST | 61733 | 53 | 192.168.2.5 | 8.8.8.8
              Sep 29, 2021 03:40:37.681225061 CEST | 61733 | 53 | 192.168.2.5 | 8.8.8.8
              Sep 29, 2021 03:40:39.697453022 CEST | 61733 | 53 | 192.168.2.5 | 8.8.8.8
              Sep 29, 2021 03:40:43.697468996 CEST | 61733 | 53 | 192.168.2.5 | 8.8.8.8
              Sep 29, 2021 03:40:51.634490013 CEST | 65447 | 53 | 192.168.2.5 | 8.8.8.8
              Sep 29, 2021 03:40:52.667848110 CEST | 65447 | 53 | 192.168.2.5 | 8.8.8.8
              Sep 29, 2021 03:40:53.667366982 CEST | 65447 | 53 | 192.168.2.5 | 8.8.8.8
              Sep 29, 2021 03:40:55.714175940 CEST | 65447 | 53 | 192.168.2.5 | 8.8.8.8
              Sep 29, 2021 03:40:55.756486893 CEST | 53 | 65447 | 8.8.8.8 | 192.168.2.5

              DNS Queries

              Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
              Sep 29, 2021 03:38:58.077536106 CEST | 192.168.2.5 | 8.8.8.8 | 0x6cdd | Standard query (0) | clientconfig.passport.net | A (IP address) | IN (0x0001)

              DNS Answers

              Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
              Sep 29, 2021 03:38:32.352840900 CEST | 8.8.8.8 | 192.168.2.5 | 0x2b7e | No error (0) | prda.aadg.msidentity.com | www.tm.a.prd.aadg.akadns.net | - | CNAME (Canonical name) | IN (0x0001)
              Sep 29, 2021 03:38:48.043163061 CEST | 8.8.8.8 | 192.168.2.5 | 0x9b72 | No error (0) | prda.aadg.msidentity.com | www.tm.a.prd.aadg.trafficmanager.net | - | CNAME (Canonical name) | IN (0x0001)
              Sep 29, 2021 03:38:58.108865976 CEST | 8.8.8.8 | 192.168.2.5 | 0x6cdd | No error (0) | clientconfig.passport.net | authgfx.msa.akadns6.net | - | CNAME (Canonical name) | IN (0x0001)

              Code Manipulations

              Statistics

              Behavior

              System Behavior

              General

              Start time:03:37:40
              Start date:29/09/2021
              Path:C:\Windows\System32\loaddll64.exe
              Wow64 process (32bit):false
              Commandline:loaddll64.exe 'C:\Users\user\Desktop\A2qAaSVuU2.dll'
              Imagebase:0x7ff6977c0000
              File size:1136128 bytes
              MD5 hash:E0CC9D126C39A9D2FA1CAD5027EBBD18
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:C, C++ or other language
              Yara matches:
              • Rule: JoeSecurity_Dridex_2, Description: Yara detected Dridex unpacked file, Source: 00000000.00000002.279916623.0000000140001000.00000020.00020000.sdmp, Author: Joe Security
              Reputation:moderate

              General

              Start time:03:37:40
              Start date:29/09/2021
              Path:C:\Windows\System32\cmd.exe
              Wow64 process (32bit):false
              Commandline:cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\A2qAaSVuU2.dll',#1
              Imagebase:0x7ff7eef80000
              File size:273920 bytes
              MD5 hash:4E2ACF4F8A396486AB4268C94A6A245F
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:C, C++ or other language
              Reputation:high

              General

              Start time:03:37:41
              Start date:29/09/2021
              Path:C:\Windows\System32\rundll32.exe
              Wow64 process (32bit):false
              Commandline:rundll32.exe C:\Users\user\Desktop\A2qAaSVuU2.dll,DpxFreeMemory
              Imagebase:0x7ff70a260000
              File size:69632 bytes
              MD5 hash:73C519F050C20580F8A62C849D49215A
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:C, C++ or other language
              Yara matches:
              • Rule: JoeSecurity_Dridex_2, Description: Yara detected Dridex unpacked file, Source: 00000002.00000002.339300443.0000000140001000.00000020.00020000.sdmp, Author: Joe Security
              Reputation:high

              General

              Start time:03:37:41
              Start date:29/09/2021
              Path:C:\Windows\System32\rundll32.exe
              Wow64 process (32bit):false
              Commandline:rundll32.exe 'C:\Users\user\Desktop\A2qAaSVuU2.dll',#1
              Imagebase:0x7ff70a260000
              File size:69632 bytes
              MD5 hash:73C519F050C20580F8A62C849D49215A
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:C, C++ or other language
              Yara matches:
              • Rule: JoeSecurity_Dridex_2, Description: Yara detected Dridex unpacked file, Source: 00000003.00000002.257940331.0000000140001000.00000020.00020000.sdmp, Author: Joe Security
              Reputation:high

              General

              Start time:03:37:43
              Start date:29/09/2021
              Path:C:\Windows\explorer.exe
              Wow64 process (32bit):false
              Commandline:C:\Windows\Explorer.EXE
              Imagebase:0x7ff693d90000
              File size:3933184 bytes
              MD5 hash:AD5296B280E8F522A8A897C96BAB0E1D
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:C, C++ or other language
              Reputation:high

              General

              Start time:03:37:44
              Start date:29/09/2021
              Path:C:\Windows\System32\rundll32.exe
              Wow64 process (32bit):false
              Commandline:rundll32.exe C:\Users\user\Desktop\A2qAaSVuU2.dll,DpxNewJob
              Imagebase:0x7ff70a260000
              File size:69632 bytes
              MD5 hash:73C519F050C20580F8A62C849D49215A
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:C, C++ or other language
              Yara matches:
              • Rule: JoeSecurity_Dridex_2, Description: Yara detected Dridex unpacked file, Source: 00000006.00000002.263722595.0000000140001000.00000020.00020000.sdmp, Author: Joe Security
              Reputation:high

              General

              Start time:03:37:48
              Start date:29/09/2021
              Path:C:\Windows\System32\rundll32.exe
              Wow64 process (32bit):false
              Commandline:rundll32.exe C:\Users\user\Desktop\A2qAaSVuU2.dll,DpxNewJobEx
              Imagebase:0x7ff70a260000
              File size:69632 bytes
              MD5 hash:73C519F050C20580F8A62C849D49215A
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:C, C++ or other language
              Yara matches:
              • Rule: JoeSecurity_Dridex_2, Description: Yara detected Dridex unpacked file, Source: 00000007.00000002.274418377.0000000140001000.00000020.00020000.sdmp, Author: Joe Security
              Reputation:high

              General

              Start time:03:38:23
              Start date:29/09/2021
              Path:C:\Windows\System32\SysResetErr.exe
              Wow64 process (32bit):false
              Commandline:C:\Windows\system32\SysResetErr.exe
              Imagebase:0x7ff650120000
              File size:42392 bytes
              MD5 hash:6A3F2F3C36FE45A87E3BFA80B6D92E07
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:C, C++ or other language
              Reputation:moderate

              General

              Start time:03:38:32
              Start date:29/09/2021
              Path:C:\Users\user\AppData\Local\AxQmthi0\SysResetErr.exe
              Wow64 process (32bit):false
              Commandline:C:\Users\user\AppData\Local\AxQmthi0\SysResetErr.exe
              Imagebase:0x7ff727f80000
              File size:42392 bytes
              MD5 hash:6A3F2F3C36FE45A87E3BFA80B6D92E07
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:C, C++ or other language
              Yara matches:
              • Rule: JoeSecurity_Dridex_2, Description: Yara detected Dridex unpacked file, Source: 00000015.00000002.387213363.0000000140001000.00000020.00020000.sdmp, Author: Joe Security

              General

              Start time:03:38:44
              Start date:29/09/2021
              Path:C:\Windows\System32\RecoveryDrive.exe
              Wow64 process (32bit):false
              Commandline:C:\Windows\system32\RecoveryDrive.exe
              Imagebase:0x7ff6a8220000
              File size:877568 bytes
              MD5 hash:2228E677678848E2FC693199947715E7
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:C, C++ or other language

              General

              Start time:03:38:45
              Start date:29/09/2021
              Path:C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe
              Wow64 process (32bit):false
              Commandline:C:\Users\user\AppData\Local\A1gpxNou\RecoveryDrive.exe
              Imagebase:0x7ff7bc7d0000
              File size:877568 bytes
              MD5 hash:2228E677678848E2FC693199947715E7
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:C, C++ or other language
              Yara matches:
              • Rule: JoeSecurity_Dridex_2, Description: Yara detected Dridex unpacked file, Source: 00000018.00000002.415547508.0000000140001000.00000020.00020000.sdmp, Author: Joe Security
              Antivirus matches:
              • Detection: 0%, Metadefender
              • Detection: 0%, ReversingLabs

              General

              Start time:03:38:58
              Start date:29/09/2021
              Path:C:\Windows\System32\MusNotificationUx.exe
              Wow64 process (32bit):false
              Commandline:C:\Windows\system32\MusNotificationUx.exe
              Imagebase:0x7ff6f7fe0000
              File size:319488 bytes
              MD5 hash:114A55D75AC7447F012B6D8EC8B1F7FC
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:C, C++ or other language

              General

              Start time:03:38:58
              Start date:29/09/2021
              Path:C:\Users\user\AppData\Local\FQTqHJ\MusNotificationUx.exe
              Wow64 process (32bit):false
              Commandline:C:\Users\user\AppData\Local\FQTqHJ\MusNotificationUx.exe
              Imagebase:0x7ff618af0000
              File size:319488 bytes
              MD5 hash:114A55D75AC7447F012B6D8EC8B1F7FC
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:C, C++ or other language
              Yara matches:
              • Rule: JoeSecurity_Dridex_2, Description: Yara detected Dridex unpacked file, Source: 0000001D.00000002.442655730.0000000140001000.00000020.00020000.sdmp, Author: Joe Security

              General

              Start time:03:39:10
              Start date:29/09/2021
              Path:C:\Windows\System32\SndVol.exe
              Wow64 process (32bit):false
              Commandline:C:\Windows\system32\SndVol.exe
              Imagebase:0x7ff759370000
              File size:259904 bytes
              MD5 hash:CDD7C7DF2D0859AC3F4088423D11BD08
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:C, C++ or other language

              General

              Start time:03:39:12
              Start date:29/09/2021
              Path:C:\Users\user\AppData\Local\QiP6c\SndVol.exe
              Wow64 process (32bit):false
              Commandline:C:\Users\user\AppData\Local\QiP6c\SndVol.exe
              Imagebase:0x7ff74a7a0000
              File size:259904 bytes
              MD5 hash:CDD7C7DF2D0859AC3F4088423D11BD08
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:C, C++ or other language
              Yara matches:
              • Rule: JoeSecurity_Dridex_2, Description: Yara detected Dridex unpacked file, Source: 00000022.00000002.470825407.0000000140001000.00000020.00020000.sdmp, Author: Joe Security

              General

              Start time:03:39:24
              Start date:29/09/2021
              Path:C:\Windows\System32\EhStorAuthn.exe
              Wow64 process (32bit):false
              Commandline:C:\Windows\system32\EhStorAuthn.exe
              Imagebase:0x7ff786bf0000
              File size:128512 bytes
              MD5 hash:5B9BB7B6DD9A81D42F057BA252DC3B63
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:C, C++ or other language

              General

              Start time:03:39:26
              Start date:29/09/2021
              Path:C:\Users\user\AppData\Local\r1aQ\EhStorAuthn.exe
              Wow64 process (32bit):false
              Commandline:C:\Users\user\AppData\Local\r1aQ\EhStorAuthn.exe
              Imagebase:0x7ff6f2320000
              File size:128512 bytes
              MD5 hash:5B9BB7B6DD9A81D42F057BA252DC3B63
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:C, C++ or other language
              Yara matches:
              • Rule: JoeSecurity_Dridex_2, Description: Yara detected Dridex unpacked file, Source: 00000024.00000002.501617051.0000000140001000.00000020.00020000.sdmp, Author: Joe Security

              General

              Start time:03:39:38
              Start date:29/09/2021
              Path:C:\Windows\System32\mstsc.exe
              Wow64 process (32bit):false
              Commandline:C:\Windows\system32\mstsc.exe
              Imagebase:0x7ff7ab200000
              File size:3640832 bytes
              MD5 hash:3FBB5CD8829E9533D0FF5819DB0444C0
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:C, C++ or other language

              General

              Start time:03:39:39
              Start date:29/09/2021
              Path:C:\Users\user\AppData\Local\VgY\mstsc.exe
              Wow64 process (32bit):false
              Commandline:C:\Users\user\AppData\Local\VgY\mstsc.exe
              Imagebase:0x7ff657d30000
              File size:3640832 bytes
              MD5 hash:3FBB5CD8829E9533D0FF5819DB0444C0
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:C, C++ or other language
              Yara matches:
              • Rule: JoeSecurity_Dridex_2, Description: Yara detected Dridex unpacked file, Source: 00000029.00000002.529730818.0000000140001000.00000020.00020000.sdmp, Author: Joe Security
