Windows Analysis Report 2epPHr8ygJ

Overview

General Information

Sample Name: 2epPHr8ygJ (renamed file extension from none to dll)
Analysis ID: 492879
MD5: 31058530a762dc9f9bb34d28203f5314
SHA1: 28c5d0fc080868ebb37050a565796f19a48eee87
SHA256: 2f8c8a12a31d244689c70b428031eb90f3b791323ab6dfa45e2a3d5921877991
Tags: Dridex, exe

Detection

Dridex
Score: 100 (range 0 - 100)
Whitelisted: false
Confidence: 100%

Signatures

Yara detected Dridex unpacked file
Multi AV Scanner detection for submitted file
Benign windows process drops PE files
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Changes memory attributes in foreign processes to executable or writable
Machine Learning detection for sample
Queues an APC in another process (thread injection)
Machine Learning detection for dropped file
Accesses ntoskrnl, likely to find offsets for exploits
Uses Atom Bombing / ProGate to inject into other processes
Queries the volume information (name, serial number etc) of a device
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query locales information (e.g. system language)
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
PE file contains sections with non-standard names
Queries the installation date of Windows
Detected potential crypto function
Found potential string decryption / allocating functions
Contains functionality to launch a process as a different user
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to call native functions
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to dynamically determine API calls
Contains functionality to record screenshots
Contains functionality which may be used to detect a debugger (GetProcessHeap)
PE file contains an invalid checksum
PE file contains strange resources
Drops PE files
Contains functionality to launch a program with higher privileges
Binary contains a suspicious time stamp
PE file contains more sections than normal
Uses Microsoft's Enhanced Cryptographic Provider
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality for read data from the clipboard

Process Tree

  • System is w10x64
  • loaddll64.exe (PID: 6180 cmdline: loaddll64.exe 'C:\Users\user\Desktop\2epPHr8ygJ.dll' MD5: E0CC9D126C39A9D2FA1CAD5027EBBD18)
    • cmd.exe (PID: 6256 cmdline: cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\2epPHr8ygJ.dll',#1 MD5: 4E2ACF4F8A396486AB4268C94A6A245F)
      • rundll32.exe (PID: 4364 cmdline: rundll32.exe 'C:\Users\user\Desktop\2epPHr8ygJ.dll',#1 MD5: 73C519F050C20580F8A62C849D49215A)
    • rundll32.exe (PID: 4524 cmdline: rundll32.exe C:\Users\user\Desktop\2epPHr8ygJ.dll,CreateXmlReader MD5: 73C519F050C20580F8A62C849D49215A)
      • explorer.exe (PID: 3352 cmdline: C:\Windows\Explorer.EXE MD5: AD5296B280E8F522A8A897C96BAB0E1D)
        • msdt.exe (PID: 5044 cmdline: C:\Windows\system32\msdt.exe MD5: 8BE43BAF1F37DA5AB31A53CA1C07EE0C)
        • msdt.exe (PID: 4768 cmdline: C:\Users\user\AppData\Local\lqtTrEDJ\msdt.exe MD5: 8BE43BAF1F37DA5AB31A53CA1C07EE0C)
        • WMPDMC.exe (PID: 5144 cmdline: C:\Windows\system32\WMPDMC.exe MD5: 4085FDA375E50214142BD740559F5835)
        • WMPDMC.exe (PID: 4864 cmdline: C:\Users\user\AppData\Local\Ga7Wl\WMPDMC.exe MD5: 4085FDA375E50214142BD740559F5835)
        • FXSCOVER.exe (PID: 1752 cmdline: C:\Windows\system32\FXSCOVER.exe MD5: BEAB16FEFCB7F62BBC135FB87DF7FDF2)
        • FXSCOVER.exe (PID: 5664 cmdline: C:\Users\user\AppData\Local\29qb\FXSCOVER.exe MD5: BEAB16FEFCB7F62BBC135FB87DF7FDF2)
        • CameraSettingsUIHost.exe (PID: 5424 cmdline: C:\Windows\system32\CameraSettingsUIHost.exe MD5: 34F32BC06CDC7AF56607D351B155140D)
        • CameraSettingsUIHost.exe (PID: 6136 cmdline: C:\Users\user\AppData\Local\YVP8cq\CameraSettingsUIHost.exe MD5: 34F32BC06CDC7AF56607D351B155140D)
        • MDMAppInstaller.exe (PID: 6636 cmdline: C:\Windows\system32\MDMAppInstaller.exe MD5: E2C777B6E3CE4C15C5657429A63787A3)
        • MDMAppInstaller.exe (PID: 5904 cmdline: C:\Users\user\AppData\Local\p1G0zp\MDMAppInstaller.exe MD5: E2C777B6E3CE4C15C5657429A63787A3)
        • eudcedit.exe (PID: 1132 cmdline: C:\Windows\system32\eudcedit.exe MD5: 0ED10F2F98B80FF9F95EED2B04CFA076)
        • CameraSettingsUIHost.exe (PID: 2984 cmdline: C:\Windows\system32\CameraSettingsUIHost.exe MD5: 34F32BC06CDC7AF56607D351B155140D)
        • CameraSettingsUIHost.exe (PID: 5528 cmdline: C:\Users\user\AppData\Local\3AoDbJo\CameraSettingsUIHost.exe MD5: 34F32BC06CDC7AF56607D351B155140D)
        • SnippingTool.exe (PID: 2408 cmdline: C:\Windows\system32\SnippingTool.exe MD5: 9012F9C6AC7F3F99ECDD37E24C9AC3BB)
    • rundll32.exe (PID: 2528 cmdline: rundll32.exe C:\Users\user\Desktop\2epPHr8ygJ.dll,CreateXmlReaderInputWithEncodingCodePage MD5: 73C519F050C20580F8A62C849D49215A)
    • rundll32.exe (PID: 1012 cmdline: rundll32.exe C:\Users\user\Desktop\2epPHr8ygJ.dll,CreateXmlReaderInputWithEncodingName MD5: 73C519F050C20580F8A62C849D49215A)
  • cleanup
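
The tree above shows the same pattern five times: a signed system binary (msdt.exe, WMPDMC.exe, FXSCOVER.exe, CameraSettingsUIHost.exe, MDMAppInstaller.exe) is started once from C:\Windows\system32 and then again, with an identical MD5, from a freshly named directory under AppData\Local, while the AV section lists DLLs with legitimate Windows DLL names (UxTheme.dll, OLEACC.dll, MFC42u.dll, DUI70.dll, WTSAPI32.dll) dropped into those same directories. The script below is an added example written for this page, not part of the Joe Sandbox report: it parses the tree (flattened into constructed input with the report's own paths and hashes) together with the dropped-DLL list and pairs each relocated copy with the DLL dropped beside it. The pairing rule (runs from AppData\Local, MD5 equal to a System32 original seen in the same tree, dropped DLL in the same directory) is the editor's heuristic, not a report field.

```python
import re
from pathlib import PureWindowsPath

# Constructed input: the process tree above, one process per line with the
# indentation removed. Paths and MD5 values are copied from the report.
PROCESS_TREE = r"""
loaddll64.exe (PID: 6180 cmdline: loaddll64.exe 'C:\Users\user\Desktop\2epPHr8ygJ.dll' MD5: E0CC9D126C39A9D2FA1CAD5027EBBD18)
cmd.exe (PID: 6256 cmdline: cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\2epPHr8ygJ.dll',#1 MD5: 4E2ACF4F8A396486AB4268C94A6A245F)
rundll32.exe (PID: 4524 cmdline: rundll32.exe C:\Users\user\Desktop\2epPHr8ygJ.dll,CreateXmlReader MD5: 73C519F050C20580F8A62C849D49215A)
explorer.exe (PID: 3352 cmdline: C:\Windows\Explorer.EXE MD5: AD5296B280E8F522A8A897C96BAB0E1D)
msdt.exe (PID: 5044 cmdline: C:\Windows\system32\msdt.exe MD5: 8BE43BAF1F37DA5AB31A53CA1C07EE0C)
msdt.exe (PID: 4768 cmdline: C:\Users\user\AppData\Local\lqtTrEDJ\msdt.exe MD5: 8BE43BAF1F37DA5AB31A53CA1C07EE0C)
WMPDMC.exe (PID: 5144 cmdline: C:\Windows\system32\WMPDMC.exe MD5: 4085FDA375E50214142BD740559F5835)
WMPDMC.exe (PID: 4864 cmdline: C:\Users\user\AppData\Local\Ga7Wl\WMPDMC.exe MD5: 4085FDA375E50214142BD740559F5835)
FXSCOVER.exe (PID: 1752 cmdline: C:\Windows\system32\FXSCOVER.exe MD5: BEAB16FEFCB7F62BBC135FB87DF7FDF2)
FXSCOVER.exe (PID: 5664 cmdline: C:\Users\user\AppData\Local\29qb\FXSCOVER.exe MD5: BEAB16FEFCB7F62BBC135FB87DF7FDF2)
CameraSettingsUIHost.exe (PID: 5424 cmdline: C:\Windows\system32\CameraSettingsUIHost.exe MD5: 34F32BC06CDC7AF56607D351B155140D)
CameraSettingsUIHost.exe (PID: 6136 cmdline: C:\Users\user\AppData\Local\YVP8cq\CameraSettingsUIHost.exe MD5: 34F32BC06CDC7AF56607D351B155140D)
MDMAppInstaller.exe (PID: 6636 cmdline: C:\Windows\system32\MDMAppInstaller.exe MD5: E2C777B6E3CE4C15C5657429A63787A3)
MDMAppInstaller.exe (PID: 5904 cmdline: C:\Users\user\AppData\Local\p1G0zp\MDMAppInstaller.exe MD5: E2C777B6E3CE4C15C5657429A63787A3)
eudcedit.exe (PID: 1132 cmdline: C:\Windows\system32\eudcedit.exe MD5: 0ED10F2F98B80FF9F95EED2B04CFA076)
CameraSettingsUIHost.exe (PID: 2984 cmdline: C:\Windows\system32\CameraSettingsUIHost.exe MD5: 34F32BC06CDC7AF56607D351B155140D)
CameraSettingsUIHost.exe (PID: 5528 cmdline: C:\Users\user\AppData\Local\3AoDbJo\CameraSettingsUIHost.exe MD5: 34F32BC06CDC7AF56607D351B155140D)
SnippingTool.exe (PID: 2408 cmdline: C:\Windows\system32\SnippingTool.exe MD5: 9012F9C6AC7F3F99ECDD37E24C9AC3BB)
"""

# Constructed input: the dropped DLLs flagged by Avira in the AV Detection section.
DROPPED_DLLS = [
    r"C:\Users\user\AppData\Local\EPV\WTSAPI32.dll",
    r"C:\Users\user\AppData\Local\lqtTrEDJ\UxTheme.dll",
    r"C:\Users\user\AppData\Local\3AoDbJo\DUI70.dll",
    r"C:\Users\user\AppData\Local\29qb\MFC42u.dll",
    r"C:\Users\user\AppData\Local\Ga7Wl\OLEACC.dll",
]

LINE_RE = re.compile(
    r"^(?P<image>\S+) \(PID: (?P<pid>\d+) cmdline: (?P<cmd>.*?) MD5: (?P<md5>[0-9A-F]{32})\)$"
)


def parse_tree(text):
    """Yield (image, pid, exe_path, md5) for each process line of the tree."""
    for raw in text.strip().splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            exe = m["cmd"].split(" ", 1)[0].strip("'\"")  # first cmdline token is the image path
            yield m["image"], int(m["pid"]), exe, m["md5"]


def _parts(path):
    return [p.lower() for p in PureWindowsPath(path).parts]


def is_system32(path):
    return _parts(path)[1:3] == ["windows", "system32"]


def in_local_appdata(path):
    parts = _parts(path)
    return "appdata" in parts and "local" in parts


def find_sideloading(tree_text, dropped_dlls):
    """Pair relocated System32 binaries with DLLs dropped beside them.

    A copy is flagged when it runs from %LOCALAPPDATA% and its MD5 equals that of
    a binary seen running from System32 in the same tree: the host itself is
    unmodified, so malicious behaviour must come from a DLL resolved out of the
    copy's own directory. Returns (findings, orphan_dlls); orphans are dropped
    DLLs whose directory holds no flagged host in this tree.
    """
    procs = list(parse_tree(tree_text))
    system_md5 = {md5 for _, _, exe, md5 in procs if is_system32(exe)}
    dlls_by_dir = {}
    for dll in dropped_dlls:
        p = PureWindowsPath(dll)
        dlls_by_dir.setdefault(str(p.parent).lower(), []).append(p.name)
    findings, seen_dirs = [], set()
    for image, pid, exe, md5 in procs:
        if not in_local_appdata(exe) or md5 not in system_md5:
            continue
        d = str(PureWindowsPath(exe).parent).lower()
        seen_dirs.add(d)
        findings.append({"host": image, "pid": pid, "copy": exe, "dlls": dlls_by_dir.get(d, [])})
    orphans = [d for d in dropped_dlls if str(PureWindowsPath(d).parent).lower() not in seen_dirs]
    return findings, orphans


if __name__ == "__main__":
    found, orphans = find_sideloading(PROCESS_TREE, DROPPED_DLLS)
    for f in found:
        dlls = ", ".join(f["dlls"]) or "(no dropped DLL listed for this directory)"
        print(f"{f['host']:<26} PID {f['pid']:<5} {f['copy']}  <- {dlls}")
    for d in orphans:
        print(f"dropped DLL with no flagged host in this extract: {d}")
```

Run against the report's data this yields six relocated copies, four of them with a dropped DLL beside them (lqtTrEDJ\msdt.exe with UxTheme.dll, Ga7Wl\WMPDMC.exe with OLEACC.dll, 29qb\FXSCOVER.exe with MFC42u.dll, 3AoDbJo\CameraSettingsUIHost.exe with DUI70.dll); the YVP8cq and p1G0zp copies have no DLL in the AV list, and EPV\WTSAPI32.dll has no host executable in the tree as extracted. On a live host the MD5 equality check would be replaced by an Authenticode check of the copy against the System32 original, and the hunt generalised to any DLL in a user-writable directory whose name collides with a DLL the co-located executable imports.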

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source | Rule | Description | Author
00000009.00000002.309477044.0000000140001000.00000020.00020000.sdmp | JoeSecurity_Dridex_2 | Yara detected Dridex unpacked file | Joe Security
00000021.00000002.555412391.0000000140001000.00000020.00020000.sdmp | JoeSecurity_Dridex_2 | Yara detected Dridex unpacked file | Joe Security
00000007.00000002.301872328.0000000140001000.00000020.00020000.sdmp | JoeSecurity_Dridex_2 | Yara detected Dridex unpacked file | Joe Security
00000012.00000002.423955889.0000000140001000.00000020.00020000.sdmp | JoeSecurity_Dridex_2 | Yara detected Dridex unpacked file | Joe Security
00000000.00000002.315620644.0000000140001000.00000020.00020000.sdmp | JoeSecurity_Dridex_2 | Yara detected Dridex unpacked file | Joe Security
(6 further entries not expanded here; all 11 matching memory dumps are listed under E-Banking Fraud below.)
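
Every matching dump name above ends in 0000000140001000.00000020.00020000, which tells a reader more than the rule name does. The decoder below is an added example written for this page, not part of the Joe Sandbox report. It assumes the dump-name layout <process index>.<dump stage>.<dump id>.<base address>.<protection>.<type>.sdmp with the hex fields interpreted as MEMORY_BASIC_INFORMATION.Protect and .Type values from winnt.h; that reading is the editor's and is cross-checked against this report (the msdt.exe PDB string is attributed to dump 00000012 while msdt.exe code functions carry the prefix 18_2_, and MDMAppInstaller.exe maps 00000021 to 33_2_ the same way), not a documented format.

```python
import re

# Constructed input: the five dump names listed in the Memory Dumps table above.
DRIDEX_DUMPS = [
    "00000009.00000002.309477044.0000000140001000.00000020.00020000.sdmp",
    "00000021.00000002.555412391.0000000140001000.00000020.00020000.sdmp",
    "00000007.00000002.301872328.0000000140001000.00000020.00020000.sdmp",
    "00000012.00000002.423955889.0000000140001000.00000020.00020000.sdmp",
    "00000000.00000002.315620644.0000000140001000.00000020.00020000.sdmp",
]

# MEMORY_BASIC_INFORMATION.Protect and .Type values from winnt.h (subset).
PAGE_PROTECT = {
    0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
    0x08: "PAGE_WRITECOPY", 0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
    0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY",
}
MEM_TYPE = {0x20000: "MEM_PRIVATE", 0x40000: "MEM_MAPPED", 0x1000000: "MEM_IMAGE"}

# Assumed layout (editor's reading of the naming convention, see lead-in):
# <process index>.<dump stage>.<dump id>.<base>.<protect>.<type>.sdmp,
# all fields hex except the dump id.
NAME_RE = re.compile(
    r"^([0-9A-Fa-f]{8})\.([0-9A-Fa-f]{8})\.(\d+)\.([0-9A-Fa-f]{16})"
    r"\.([0-9A-Fa-f]{8})\.([0-9A-Fa-f]{8})\.sdmp$"
)


def parse_dump_name(name):
    """Decode a Joe Sandbox memory-dump file name into its fields."""
    m = NAME_RE.match(name)
    if not m:
        raise ValueError(f"not a sandbox dump name: {name}")
    idx, stage, _dump_id, base, protect, mtype = m.groups()
    protect_v, type_v = int(protect, 16), int(mtype, 16)
    return {
        "process_index": int(idx, 16),
        "stage": int(stage, 16),
        "base": int(base, 16),
        # Mask off PAGE_GUARD / PAGE_NOCACHE modifier bits before the lookup.
        "protect": PAGE_PROTECT.get(protect_v & 0xFF, hex(protect_v)),
        "type": MEM_TYPE.get(type_v, hex(type_v)),
    }


def looks_manually_mapped(info):
    """Executable, private (not image-backed) memory at the x64 default image base + 0x1000.

    A PE mapped by the OS loader is MEM_IMAGE; a payload unpacked into
    VirtualAlloc'd memory and then made executable shows up as MEM_PRIVATE,
    and 0x140001000 is where the first section of an x64 PE with the default
    0x140000000 base lands.
    """
    return (info["type"] == "MEM_PRIVATE"
            and info["protect"].startswith("PAGE_EXECUTE")
            and info["base"] == 0x140000000 + 0x1000)


if __name__ == "__main__":
    for name in DRIDEX_DUMPS:
        info = parse_dump_name(name)
        print(f"proc {info['process_index']:>2}  base {info['base']:#x}  "
              f"{info['protect']:<20} {info['type']:<12} "
              f"manually mapped: {looks_manually_mapped(info)}")
```

All five dumps decode to PAGE_EXECUTE_READ, MEM_PRIVATE memory at 0x140001000 in processes 9, 33, 7, 18 and 0: the unpacked Dridex module is not backed by any file on disk in any of these processes, which is why the rule fires on memory dumps and not on the dropped DLLs themselves.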

            Sigma Overview

            System Summary:

Sigma detected: Possible Applocker Bypass
Source: Process started | Author: juju4 | Data: Command: C:\Windows\system32\msdt.exe, CommandLine: C:\Windows\system32\msdt.exe, CommandLine|base64offset|contains: , Image: C:\Windows\System32\msdt.exe, NewProcessName: C:\Windows\System32\msdt.exe, OriginalFileName: C:\Windows\System32\msdt.exe, ParentCommandLine: C:\Windows\Explorer.EXE, ParentImage: C:\Windows\explorer.exe, ParentProcessId: 3352, ProcessCommandLine: C:\Windows\system32\msdt.exe, ProcessId: 5044
The rule matched the System32 copy of msdt.exe (PID 5044) started by explorer.exe. The copy that runs from C:\Users\user\AppData\Local\lqtTrEDJ (PID 4768), in the same directory as the dropped UxTheme.dll flagged in the AV Detection section, is not what this Sigma hit points at.

            Jbx Signature Overview


            AV Detection:

Multi AV Scanner detection for submitted file
Source: 2epPHr8ygJ.dll | Metadefender: Detection: 62%
Source: 2epPHr8ygJ.dll | ReversingLabs: Detection: 80%
Antivirus / Scanner detection for submitted sample
Source: 2epPHr8ygJ.dll | Avira: detected
Antivirus detection for dropped file
Source: C:\Users\user\AppData\Local\EPV\WTSAPI32.dll | Avira: detection malicious, Label: TR/Crypt.ZPACK.Gen
Source: C:\Users\user\AppData\Local\lqtTrEDJ\UxTheme.dll | Avira: detection malicious, Label: TR/Crypt.ZPACK.Gen
Source: C:\Users\user\AppData\Local\3AoDbJo\DUI70.dll | Avira: detection malicious, Label: HEUR/AGEN.1114452
Source: C:\Users\user\AppData\Local\29qb\MFC42u.dll | Avira: detection malicious, Label: TR/Crypt.ZPACK.Gen
Source: C:\Users\user\AppData\Local\Ga7Wl\OLEACC.dll | Avira: detection malicious, Label: TR/Crypt.ZPACK.Gen
Each dropped DLL carries the name of a legitimate Windows DLL and sits in the same AppData\Local directory as one of the relocated system executables in the process tree (lqtTrEDJ\msdt.exe, 3AoDbJo\CameraSettingsUIHost.exe, 29qb\FXSCOVER.exe, Ga7Wl\WMPDMC.exe); no executable under EPV appears in the tree as extracted.
Machine Learning detection for sample
Source: 2epPHr8ygJ.dll | Joe Sandbox ML: detected
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Local\EPV\WTSAPI32.dll | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\lqtTrEDJ\UxTheme.dll | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\3AoDbJo\DUI70.dll | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\29qb\MFC42u.dll | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Ga7Wl\OLEACC.dll | Joe Sandbox ML: detected
Further evidence (signature heading not preserved in this extract):
Source: C:\Users\user\AppData\Local\lqtTrEDJ\msdt.exe | Code function: 18_2_00007FF68F2BDF30 CertGetCertificateContextProperty,GetLastError,CryptHashCertificate,GetLastError,GetLastError,CertFreeCertificateContext,
Source: C:\Users\user\AppData\Local\p1G0zp\MDMAppInstaller.exe | Code function: 33_2_00007FF72944E64C EnterCriticalSection,CryptAcquireContextW,CryptAcquireContextW,GetLastError,LeaveCriticalSection,CryptReleaseContext,memset,
Source: C:\Users\user\AppData\Local\p1G0zp\MDMAppInstaller.exe | Code function: 33_2_00007FF72944E934 CreateFileW,CryptAcquireContextW,GetLastError,CryptCreateHash,GetLastError,CryptHashData,ReadFile,GetLastError,CloseHandle,CryptDestroyHash,??_V@YAXPEAX@Z,CryptReleaseContext,??3@YAXPEAX@Z,GetLastError,CryptGetHashParam,GetLastError,memset,CryptGetHashParam,GetLastError,

Exploits:

Accesses ntoskrnl, likely to find offsets for exploits
Source: C:\Windows\explorer.exe | File opened: C:\Windows\system32\ntkrnlmp.exe
This hit comes from explorer.exe (PID 3352), the process shown under rundll32.exe in the tree above that goes on to launch every relocated copy; it is not an access by an otherwise uninvolved process.

Further evidence (signature headings not preserved in this extract):
Source: 2epPHr8ygJ.dll | Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA
Source: Binary string: FXSCOVER.pdb source: FXSCOVER.exe, 0000001B.00000002.491482868.00007FF74C9D2000.00000002.00020000.sdmp
Source: Binary string: mdmappinstaller.pdbGCTL source: MDMAppInstaller.exe, 00000021.00000002.558251742.00007FF729455000.00000002.00020000.sdmp
Source: Binary string: msdt.pdbGCTL source: msdt.exe, 00000012.00000000.401947777.00007FF68F2D8000.00000002.00020000.sdmp
Source: Binary string: FXSCOVER.pdbGCTL source: FXSCOVER.exe, 0000001B.00000002.491482868.00007FF74C9D2000.00000002.00020000.sdmp
Source: Binary string: WMPDMC.pdbGCTL source: WMPDMC.exe, 00000018.00000002.453541823.00007FF6A13DD000.00000002.00020000.sdmp
Source: Binary string: CameraSettingsUIHost.pdbGCTL source: CameraSettingsUIHost.exe, 0000001F.00000002.531397524.00007FF7EAC35000.00000002.00020000.sdmp
Source: Binary string: CameraSettingsUIHost.pdb source: CameraSettingsUIHost.exe, 0000001F.00000002.531397524.00007FF7EAC35000.00000002.00020000.sdmp
Source: Binary string: msdt.pdb source: msdt.exe, 00000012.00000000.401947777.00007FF68F2D8000.00000002.00020000.sdmp
Source: Binary string: WMPDMC.pdb source: WMPDMC.exe, 00000018.00000002.453541823.00007FF6A13DD000.00000002.00020000.sdmp
Source: Binary string: mdmappinstaller.pdb source: MDMAppInstaller.exe, 00000021.00000002.558251742.00007FF729455000.00000002.00020000.sdmp
Source: C:\Windows\System32\loaddll64.exe | Code function: 0_2_000000014005D290 FindFirstFileExW,
Source: C:\Users\user\AppData\Local\lqtTrEDJ\msdt.exe | Code function: 18_2_00007FF68F2B2770 memset,GetProcessHeap,HeapAlloc,FindFirstFileW,_wcsicmp,_wcsicmp,FindNextFileW,FindClose,GetLastError,GetProcessHeap,HeapFree,
Source: C:\Users\user\AppData\Local\lqtTrEDJ\msdt.exe | Code function: 18_2_00007FF68F2B7784 memset,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapAlloc,CloseHandle,FindFirstFileW,_wcsicmp,_wcsicmp,GetFileAttributesW,SetFileAttributesW,GetLastError,GetFileAttributesW,SetFileAttributesW,GetLastError,DeleteFileW,CreateFileW,GetLastError,CloseHandle,FindNextFileW,FindClose,GetLastError,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,CloseHandle,CloseHandle,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,
Source: C:\Users\user\AppData\Local\lqtTrEDJ\msdt.exe | Code function: 18_2_00007FF68F2CA65C memset,GetProcessHeap,HeapAlloc,FindFirstFileW,GetProcessHeap,HeapAlloc,GetLastError,FindClose,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,
Source: C:\Users\user\AppData\Local\lqtTrEDJ\msdt.exe | Code function: 18_2_00007FF68F2B6720 memset,GetProcessHeap,HeapAlloc,FindFirstFileW,_wcsicmp,_wcsicmp,FindNextFileW,FindClose,GetLastError,GetProcessHeap,HeapFree,
Source: C:\Users\user\AppData\Local\lqtTrEDJ\msdt.exe | Code function: 18_2_00007FF68F2CBD48 memset,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapAlloc,FindFirstFileW,_wcsicmp,_wcsicmp,CopyFileW,GetLastError,FindNextFileW,FindClose,GetLastError,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,
Source: C:\Users\user\AppData\Local\lqtTrEDJ\msdt.exe | Code function: 18_2_00007FF68F2B7C3C GetProcessHeap,HeapAlloc,FindFirstFileW,_wcsicmp,_wcsicmp,SetFileAttributesW,GetLastError,DeleteFileW,GetLastError,FindNextFileW,FindClose,RemoveDirectoryW,GetLastError,GetProcessHeap,HeapFree,
Source: C:\Users\user\AppData\Local\lqtTrEDJ\msdt.exe | Code function: 18_2_00007FF68F2B6494 memset,GetProcessHeap,HeapAlloc,FindFirstFileW,_wcsicmp,_wcsicmp,FindNextFileW,FindClose,#13,GetLastError,GetProcessHeap,HeapFree,
Source: C:\Users\user\AppData\Local\Ga7Wl\WMPDMC.exe | Code function: 24_2_00007FF6A1322AE8 GetDC,CreateCompatibleDC,GetDeviceCaps,GetDeviceCaps,CreateCompatibleBitmap,SelectObject,BitBlt,SelectObject,GetObjectW,GdiplusStartup,GdipAlloc,GdipCreateBitmapFromHBITMAP,GdipGetImageWidth,GdipGetImageHeight,GdipCreateHBITMAPFromBitmap,GdiplusShutdown,DeleteObject,DeleteDC,ReleaseDC,
Source: C:\Users\user\AppData\Local\lqtTrEDJ\msdt.exe | Code function: 18_2_00007FF68F2B3120 GetProcessHeap,HeapAlloc,CreateStreamOnHGlobal,OpenClipboard,GetLastError,EmptyClipboard,GetHGlobalFromStream,SetClipboardData,CloseClipboard,GetProcessHeap,HeapFree,

            E-Banking Fraud:

Yara detected Dridex unpacked file
Source: Yara match | File source: 00000009.00000002.309477044.0000000140001000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000021.00000002.555412391.0000000140001000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.301872328.0000000140001000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000012.00000002.423955889.0000000140001000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.315620644.0000000140001000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 0000001B.00000002.489814069.0000000140001000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.394275962.0000000140001000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000018.00000002.451585055.0000000140001000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.294861665.0000000140001000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 0000001F.00000002.526607967.0000000140001000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000028.00000002.597575856.0000000140001000.00000020.00020000.sdmp, type: MEMORY
All eleven matches are memory dumps (not files on disk) and every dump name carries the same address and attribute suffix, 0000000140001000.00000020.00020000, so the unpacked module occupies the same region in each of the eleven processes.
Code functions (signature heading not preserved in this extract):
Source: C:\Windows\System32\loaddll64.exe | Code functions: 0_2_0000000140034870, 0_2_0000000140035270, 0_2_0000000140048AC0, 0_2_000000014005C340, 0_2_0000000140065B80, 0_2_000000014006A4B0, 0_2_00000001400524B0, 0_2_0000000140026CC0, 0_2_000000014004BD40, 0_2_00000001400495B0, 0_2_0000000140036F30, 0_2_0000000140069010, 0_2_0000000140001010, 0_2_0000000140066020, 0_2_000000014002F840, 0_2_000000014005D850, 0_2_0000000140064080, 0_2_0000000140010880, 0_2_00000001400688A0, 0_2_000000014002D0D0, 0_2_00000001400018D0, 0_2_0000000140016100, 0_2_000000014001D100, 0_2_000000014002A110, 0_2_000000014001D910, 0_2_0000000140015120, 0_2_000000014000B120, 0_2_000000014004F940, 0_2_0000000140039140, 0_2_0000000140023140, 0_2_0000000140057950, 0_2_000000014001E170, 0_2_0000000140002980, 0_2_00000001400611A0, 0_2_00000001400389A0, 0_2_00000001400381A0, 0_2_000000014002E1B0, 0_2_00000001400139D0, 0_2_00000001400319F0, 0_2_000000014002EA00, 0_2_0000000140022A00, 0_2_000000014003B220, 0_2_0000000140067A40, 0_2_0000000140069A50, 0_2_0000000140007A60, 0_2_000000014003AAC0, 0_2_000000014003A2E0, 0_2_0000000140062B00, 0_2_0000000140018300, 0_2_000000014002FB20, 0_2_0000000140031340, 0_2_0000000140022340, 0_2_0000000140017B40, 0_2_000000014000BB40, 0_2_000000014004EB60, 0_2_0000000140005370, 0_2_000000014002CB80, 0_2_000000014006B390, 0_2_0000000140054BA0, 0_2_0000000140033BB0, 0_2_00000001400263C0, 0_2_00000001400123C0, 0_2_0000000140063BD0, 0_2_00000001400663F0, 0_2_0000000140023BF0, 0_2_000000014006B41B, 0_2_000000014006B424, 0_2_000000014006B42D, 0_2_000000014006B436, 0_2_000000014006B43D, 0_2_0000000140024440, 0_2_0000000140005C40, 0_2_000000014006B446, 0_2_000000014005F490, 0_2_0000000140022D00, 0_2_0000000140035520, 0_2_0000000140019D20, 0_2_0000000140030530, 0_2_0000000140023530, 0_2_0000000140031540, 0_2_0000000140033540, 0_2_000000014007BD50, 0_2_0000000140078570, 0_2_0000000140019580, 0_2_00000001400205A0, 0_2_0000000140025DB0, 0_2_0000000140071DC0, 0_2_000000014000C5C0, 0_2_000000014002DDE0, 0_2_0000000140031DF0, 0_2_000000014000DDF0, 0_2_0000000140001620, 0_2_0000000140018630, 0_2_0000000140032650, 0_2_0000000140064E80, 0_2_0000000140016E80
Source: C:\Users\user\AppData\Local\lqtTrEDJ\msdt.exe | Code functions: 18_2_00007FF68F2B2050, 18_2_00007FF68F2BC878, 18_2_00007FF68F2AC0E4, 18_2_00007FF68F2A80F8, 18_2_00007FF68F2B7784, 18_2_00007FF68F2B37E0, 18_2_00007FF68F2C97D8, 18_2_00007FF68F2AA6A4, 18_2_00007FF68F295678, 18_2_00007FF68F299678, 18_2_00007FF68F2B7F18, 18_2_00007FF68F2AC6FC, 18_2_00007FF68F2BAD3C, 18_2_00007FF68F2B5DEC, 18_2_00007FF68F2CE5CC, 18_2_00007FF68F2AD618, 18_2_00007FF68F2D1E04, 18_2_00007FF68F2B3440, 18_2_00007FF68F2CD440, 18_2_00007FF68F2BCCE8, 18_2_00007FF68F2AF4DC, 18_2_00007FF68F297D18, 18_2_00007FF68F2B2360, 18_2_00007FF68F296360, 18_2_00007FF68F29FB90, 18_2_00007FF68F2BFBEC, 18_2_00007FF68F2BBA58, 18_2_00007FF68F2BD25C, 18_2_00007FF68F2ACA38, 18_2_00007FF68F2D52B0, 18_2_00007FF68F2A6AF0, 18_2_00007FF68F29BAEC, 18_2_00007FF68F2A2300, 18_2_00007FF68F2A6150, 18_2_00007FF68F2969B0, 18_2_00007FF68F2BB1A4, 18_2_00007FF68F2999D8, 18_2_00007FF68F2C19B8
Source: C:\Users\user\AppData\Local\Ga7Wl\WMPDMC.exe | Code functions: 24_2_00007FF6A135C250, 24_2_00007FF6A13BE2F8, 24_2_00007FF6A1382300, 24_2_00007FF6A13A8318, 24_2_00007FF6A138C330, 24_2_00007FF6A1392330, 24_2_00007FF6A1358180, 24_2_00007FF6A1320220, 24_2_00007FF6A132A1BC, 24_2_00007FF6A1342498, 24_2_00007FF6A13CC464, 24_2_00007FF6A137E510, 24_2_00007FF6A13084E8, 24_2_00007FF6A131C4F4, 24_2_00007FF6A135A340, 24_2_00007FF6A1396428, 24_2_00007FF6A13563C8, 24_2_00007FF6A139C3F0, 24_2_00007FF6A131A3F0, 24_2_00007FF6A1336690, 24_2_00007FF6A13906B0, 24_2_00007FF6A138C72C, 24_2_00007FF6A134C6D0, 24_2_00007FF6A1370544, 24_2_00007FF6A1380570, 24_2_00007FF6A135A880, 24_2_00007FF6A13A8900, 24_2_00007FF6A1344784, 24_2_00007FF6A1394810, 24_2_00007FF6A1312A84, 24_2_00007FF6A1354A8C, 24_2_00007FF6A1356940, 24_2_00007FF6A1348A0C, 24_2_00007FF6A13AA9D0, 24_2_00007FF6A138AC70, 24_2_00007FF6A1374D18, 24_2_00007FF6A131AB3C, 24_2_00007FF6A132AB44, 24_2_00007FF6A136CBE8, 24_2_00007FF6A139CE54, 24_2_00007FF6A139AD78, 24_2_00007FF6A138CD50, 24_2_00007FF6A1330D50, 24_2_00007FF6A13C0E08, 24_2_00007FF6A13A2E28, 24_2_00007FF6A136504C, 24_2_00007FF6A1334F80, 24_2_00007FF6A13A8FA0, 24_2_00007FF6A1340F54, 24_2_00007FF6A1374FFC, 24_2_00007FF6A1397000, 24_2_00007FF6A132D034, 24_2_00007FF6A132D2F8, 24_2_00007FF6A134731C
            Source: C:\Users\user\AppData\Local\Ga7Wl\WMPDMC.exeCode function: 24_2_00007FF6A1341320
            Source: C:\Users\user\AppData\Local\Ga7Wl\WMPDMC.exeCode function: 24_2_00007FF6A13B52C0
            Source: C:\Users\user\AppData\Local\Ga7Wl\WMPDMC.exeCode function: 24_2_00007FF6A13132CC
            Source: C:\Users\user\AppData\Local\Ga7Wl\WMPDMC.exeCode function: 24_2_00007FF6A138F18C
            Source: C:\Users\user\AppData\Local\Ga7Wl\WMPDMC.exeCode function: 24_2_00007FF6A13C11B4
            Source: C:\Users\user\AppData\Local\Ga7Wl\WMPDMC.exeCode function: 24_2_00007FF6A138B140
            Source: C:\Users\user\AppData\Local\29qb\FXSCOVER.exeCode function: 27_2_00007FF74C9BCDB0
            Source: C:\Users\user\AppData\Local\29qb\FXSCOVER.exeCode function: 27_2_00007FF74C9BBF00
            Source: C:\Users\user\AppData\Local\29qb\FXSCOVER.exeCode function: 27_2_00007FF74C9B4E3C
            Source: C:\Users\user\AppData\Local\29qb\FXSCOVER.exeCode function: 27_2_00007FF74C9C5E50
            Source: C:\Users\user\AppData\Local\29qb\FXSCOVER.exeCode function: 27_2_00007FF74C9B5E54
            Source: C:\Users\user\AppData\Local\29qb\FXSCOVER.exeCode function: 27_2_00007FF74C9C0FA0
            Source: C:\Users\user\AppData\Local\29qb\FXSCOVER.exeCode function: 27_2_00007FF74C9C47B0
            Source: C:\Users\user\AppData\Local\29qb\FXSCOVER.exeCode function: 27_2_00007FF74C9BAF54
            Source: C:\Users\user\AppData\Local\29qb\FXSCOVER.exeCode function: 27_2_00007FF74C9CC8A0
            Source: C:\Users\user\AppData\Local\29qb\FXSCOVER.exeCode function: 27_2_00007FF74C9C8AC0
            Source: C:\Users\user\AppData\Local\29qb\FXSCOVER.exeCode function: 27_2_00007FF74C9C53BC
            Source: C:\Users\user\AppData\Local\29qb\FXSCOVER.exeCode function: 27_2_00007FF74C9B2BD0
            Source: C:\Users\user\AppData\Local\29qb\FXSCOVER.exeCode function: 27_2_00007FF74C9B2400
            Source: C:\Users\user\AppData\Local\29qb\FXSCOVER.exeCode function: 27_2_00007FF74C9C3348
            Source: C:\Users\user\AppData\Local\29qb\FXSCOVER.exeCode function: 27_2_00007FF74C9C8320
            Source: C:\Users\user\AppData\Local\29qb\FXSCOVER.exeCode function: 27_2_00007FF74C9B8B30
            Source: C:\Users\user\AppData\Local\29qb\FXSCOVER.exeCode function: 27_2_00007FF74C9BFB90
            Source: C:\Users\user\AppData\Local\29qb\FXSCOVER.exeCode function: 27_2_00007FF74C9CA35C
            Source: C:\Users\user\AppData\Local\29qb\FXSCOVER.exeCode function: 27_2_00007FF74C9C2CD8
            Source: C:\Users\user\AppData\Local\p1G0zp\MDMAppInstaller.exeCode function: 33_2_00007FF729449630
            Source: C:\Users\user\AppData\Local\p1G0zp\MDMAppInstaller.exeCode function: 33_2_00007FF729444648
            Source: C:\Users\user\AppData\Local\p1G0zp\MDMAppInstaller.exeCode function: 33_2_00007FF72944E934
            Source: C:\Users\user\AppData\Local\p1G0zp\MDMAppInstaller.exeCode function: 33_2_00007FF7294549FF
            Source: C:\Users\user\AppData\Local\p1G0zp\MDMAppInstaller.exeCode function: 33_2_00007FF7294519D4
            Source: C:\Users\user\AppData\Local\p1G0zp\MDMAppInstaller.exeCode function: 33_2_00007FF729446BDC
            Source: C:\Users\user\AppData\Local\p1G0zp\MDMAppInstaller.exeCode function: 33_2_00007FF729443FAC
            Source: C:\Users\user\AppData\Local\p1G0zp\MDMAppInstaller.exeCode function: String function: 00007FF729445F34 appears 75 times
            Source: C:\Users\user\AppData\Local\p1G0zp\MDMAppInstaller.exeCode function: String function: 00007FF729446124 appears 108 times
            Source: C:\Users\user\AppData\Local\lqtTrEDJ\msdt.exeCode function: String function: 00007FF68F294474 appears 37 times
            Source: C:\Users\user\AppData\Local\lqtTrEDJ\msdt.exeCode function: String function: 00007FF68F2D410C appears 37 times
            Source: C:\Users\user\AppData\Local\lqtTrEDJ\msdt.exeCode function: String function: 00007FF68F29CF60 appears 903 times
            Source: C:\Users\user\AppData\Local\lqtTrEDJ\msdt.exeCode function: String function: 00007FF68F29419C appears 54 times
            Source: C:\Users\user\AppData\Local\p1G0zp\MDMAppInstaller.exeCode function: 33_2_00007FF729449630 memset,memset,GetSystemDirectoryW,??3@YAXPEAX@Z,??3@YAXPEAX@Z,wcscat_s,GetTempFileNameW,GetLastError,#6,#177,RevertToSelf,CreateEnvironmentBlock,GetLastError,CreateProcessAsUserW,GetLastError,CreateProcessW,GetLastError,WaitForSingleObject,GetExitCodeProcess,GetLastError,DeleteFileW,GetLastError,GetLastError,RevertToSelf,DeleteFileW,GetLastError,DestroyEnvironmentBlock,EnterCriticalSection,LeaveCriticalSection,CloseHandle,CloseHandle,CloseHandle,??3@YAXPEAX@Z,??3@YAXPEAX@Z,??3@YAXPEAX@Z,??3@YAXPEAX@Z,
            Source: C:\Windows\System32\loaddll64.exeCode function: 0_2_0000000140046C90 NtClose,
            Source: C:\Windows\System32\loaddll64.exeCode function: 0_2_000000014006A4B0 NtQuerySystemInformation,
            Source: C:\Users\user\AppData\Local\lqtTrEDJ\msdt.exeCode function: 18_2_00007FF68F2C5580 NtOpenThreadToken,NtOpenProcessToken,NtQueryInformationToken,NtClose,
            Source: C:\Users\user\AppData\Local\lqtTrEDJ\msdt.exeCode function: 18_2_00007FF68F2C54EC NtQueryInformationToken,NtQueryInformationToken,
            Source: msdt.exe.5.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
            Source: msdt.exe.5.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
            Source: msdt.exe.5.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
            Source: msdt.exe.5.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
            Source: msdt.exe.5.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
            Source: msdt.exe.5.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
            Source: msdt.exe.5.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
            Source: msdt.exe.5.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
            Source: msdt.exe.5.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
            Source: msdt.exe.5.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
            Source: msdt.exe.5.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
            Source: msdt.exe.5.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
            Source: msdt.exe.5.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
            Source: msdt.exe.5.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
            Source: msdt.exe.5.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
            Source: msdt.exe.5.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
            Source: msdt.exe.5.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
            Source: msdt.exe.5.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
            Source: msdt.exe.5.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
            Source: msdt.exe.5.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
            Source: msdt.exe.5.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
            Source: msdt.exe.5.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
            Source: msdt.exe.5.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
            Source: msdt.exe.5.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
            Source: msdt.exe.5.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
            Source: WMPDMC.exe.5.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
            Source: WMPDMC.exe.5.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
            Source: WMPDMC.exe.5.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
            Source: WMPDMC.exe.5.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
            Source: WMPDMC.exe.5.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
            Source: WMPDMC.exe.5.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
            Source: WMPDMC.exe.5.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
            Source: WMPDMC.exe.5.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
            Source: WMPDMC.exe.5.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
            Source: FXSCOVER.exe.5.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
            Source: FXSCOVER.exe.5.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
            Source: FXSCOVER.exe.5.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
            Source: SnippingTool.exe.5.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
            Source: SnippingTool.exe.5.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
            Source: SnippingTool.exe.5.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
            Source: SnippingTool.exe.5.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
            Source: DUI70.dll0.5.drStatic PE information: Number of sections : 51 > 10
            Source: 2epPHr8ygJ.dllStatic PE information: Number of sections : 50 > 10
            Source: DUI70.dll.5.drStatic PE information: Number of sections : 51 > 10
            Source: WTSAPI32.dll.5.drStatic PE information: Number of sections : 51 > 10
            Source: UxTheme.dll0.5.drStatic PE information: Number of sections : 51 > 10
            Source: UxTheme.dll.5.drStatic PE information: Number of sections : 51 > 10
            Source: MFC42u.dll.5.drStatic PE information: Number of sections : 51 > 10
            Source: OLEACC.dll.5.drStatic PE information: Number of sections : 51 > 10
            Source: WTSAPI32.dll0.5.drStatic PE information: Number of sections : 51 > 10
            Source: 2epPHr8ygJ.dllStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
            Source: UxTheme.dll.5.drStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
            Source: OLEACC.dll.5.drStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
            Source: MFC42u.dll.5.drStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
            Source: DUI70.dll.5.drStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
            Source: WTSAPI32.dll.5.drStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
            Source: DUI70.dll0.5.drStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
            Source: UxTheme.dll0.5.drStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
            Source: WTSAPI32.dll0.5.drStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
            Source: 2epPHr8ygJ.dllMetadefender: Detection: 62%
            Source: 2epPHr8ygJ.dllReversingLabs: Detection: 80%
            Source: 2epPHr8ygJ.dllStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
            Source: C:\Windows\System32\loaddll64.exeKey opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
            Source: unknownProcess created: C:\Windows\System32\loaddll64.exe loaddll64.exe 'C:\Users\user\Desktop\2epPHr8ygJ.dll'
            Source: C:\Windows\System32\loaddll64.exeProcess created: C:\Windows\System32\cmd.exe cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\2epPHr8ygJ.dll',#1
            Source: C:\Windows\System32\loaddll64.exeProcess created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\2epPHr8ygJ.dll,CreateXmlReader
            Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\2epPHr8ygJ.dll',#1
            Source: C:\Windows\System32\loaddll64.exeProcess created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\2epPHr8ygJ.dll,CreateXmlReaderInputWithEncodingCodePage
            Source: C:\Windows\System32\loaddll64.exeProcess created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\2epPHr8ygJ.dll,CreateXmlReaderInputWithEncodingName
            Source: C:\Windows\explorer.exeProcess created: C:\Windows\System32\msdt.exe C:\Windows\system32\msdt.exe
            Source: C:\Windows\explorer.exeProcess created: C:\Users\user\AppData\Local\lqtTrEDJ\msdt.exe C:\Users\user\AppData\Local\lqtTrEDJ\msdt.exe
            Source: C:\Windows\explorer.exeProcess created: C:\Windows\System32\WMPDMC.exe C:\Windows\system32\WMPDMC.exe
            Source: C:\Windows\explorer.exeProcess created: C:\Users\user\AppData\Local\Ga7Wl\WMPDMC.exe C:\Users\user\AppData\Local\Ga7Wl\WMPDMC.exe
            Source: C:\Windows\explorer.exeProcess created: C:\Windows\System32\FXSCOVER.exe C:\Windows\system32\FXSCOVER.exe
            Source: C:\Windows\explorer.exeProcess created: C:\Users\user\AppData\Local\29qb\FXSCOVER.exe C:\Users\user\AppData\Local\29qb\FXSCOVER.exe
            Source: C:\Windows\explorer.exeProcess created: C:\Windows\System32\SystemPropertiesAdvanced.exe C:\Windows\system32\SystemPropertiesAdvanced.exe
            Source: C:\Windows\explorer.exeProcess created: C:\Windows\System32\CameraSettingsUIHost.exe C:\Windows\system32\CameraSettingsUIHost.exe
            Source: C:\Windows\explorer.exeProcess created: C:\Users\user\AppData\Local\YVP8cq\CameraSettingsUIHost.exe C:\Users\user\AppData\Local\YVP8cq\CameraSettingsUIHost.exe
            Source: C:\Windows\explorer.exeProcess created: C:\Windows\System32\MDMAppInstaller.exe C:\Windows\system32\MDMAppInstaller.exe
            Source: C:\Windows\explorer.exeProcess created: C:\Users\user\AppData\Local\p1G0zp\MDMAppInstaller.exe C:\Users\user\AppData\Local\p1G0zp\MDMAppInstaller.exe
            Source: C:\Windows\explorer.exeProcess created: C:\Windows\System32\SystemPropertiesComputerName.exe C:\Windows\system32\SystemPropertiesComputerName.exe
            Source: C:\Windows\explorer.exeProcess created: C:\Windows\System32\eudcedit.exe C:\Windows\system32\eudcedit.exe
            Source: C:\Windows\explorer.exeProcess created: C:\Windows\System32\CameraSettingsUIHost.exe C:\Windows\system32\CameraSettingsUIHost.exe
            Source: C:\Windows\explorer.exeProcess created: C:\Users\user\AppData\Local\3AoDbJo\CameraSettingsUIHost.exe C:\Users\user\AppData\Local\3AoDbJo\CameraSettingsUIHost.exe
            Source: C:\Windows\explorer.exeProcess created: C:\Windows\System32\SnippingTool.exe C:\Windows\system32\SnippingTool.exe
            Source: C:\Windows\System32\loaddll64.exeProcess created: C:\Windows\System32\cmd.exe cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\2epPHr8ygJ.dll',#1
            Source: C:\Windows\System32\loaddll64.exeProcess created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\2epPHr8ygJ.dll,CreateXmlReader
            Source: C:\Windows\System32\loaddll64.exeProcess created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\2epPHr8ygJ.dll,CreateXmlReaderInputWithEncodingCodePage
            Source: C:\Windows\System32\loaddll64.exeProcess created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\2epPHr8ygJ.dll,CreateXmlReaderInputWithEncodingName
            Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\2epPHr8ygJ.dll',#1
            Source: C:\Windows\explorer.exeProcess created: C:\Windows\System32\msdt.exe C:\Windows\system32\msdt.exe
            Source: C:\Windows\explorer.exeProcess created: C:\Users\user\AppData\Local\lqtTrEDJ\msdt.exe C:\Users\user\AppData\Local\lqtTrEDJ\msdt.exe
            Source: C:\Windows\explorer.exeProcess created: C:\Windows\System32\WMPDMC.exe C:\Windows\system32\WMPDMC.exe
            Source: C:\Windows\explorer.exeProcess created: C:\Users\user\AppData\Local\Ga7Wl\WMPDMC.exe C:\Users\user\AppData\Local\Ga7Wl\WMPDMC.exe
            Source: C:\Windows\explorer.exeProcess created: C:\Windows\System32\FXSCOVER.exe C:\Windows\system32\FXSCOVER.exe
            Source: C:\Windows\explorer.exeProcess created: C:\Users\user\AppData\Local\29qb\FXSCOVER.exe C:\Users\user\AppData\Local\29qb\FXSCOVER.exe
            Source: C:\Windows\explorer.exeProcess created: C:\Windows\System32\SystemPropertiesAdvanced.exe C:\Windows\system32\SystemPropertiesAdvanced.exe
            Source: C:\Windows\explorer.exeProcess created: C:\Windows\System32\CameraSettingsUIHost.exe C:\Windows\system32\CameraSettingsUIHost.exe
            Source: C:\Windows\explorer.exeProcess created: C:\Users\user\AppData\Local\YVP8cq\CameraSettingsUIHost.exe C:\Users\user\AppData\Local\YVP8cq\CameraSettingsUIHost.exe
            Source: C:\Windows\explorer.exeProcess created: C:\Windows\System32\MDMAppInstaller.exe C:\Windows\system32\MDMAppInstaller.exe
            Source: C:\Windows\explorer.exeProcess created: C:\Users\user\AppData\Local\p1G0zp\MDMAppInstaller.exe C:\Users\user\AppData\Local\p1G0zp\MDMAppInstaller.exe
            Source: C:\Windows\explorer.exeProcess created: C:\Windows\System32\SystemPropertiesComputerName.exe C:\Windows\system32\SystemPropertiesComputerName.exe
            Source: C:\Windows\explorer.exeProcess created: C:\Windows\System32\eudcedit.exe C:\Windows\system32\eudcedit.exe
            Source: C:\Windows\explorer.exeProcess created: C:\Windows\System32\CameraSettingsUIHost.exe C:\Windows\system32\CameraSettingsUIHost.exe
            Source: C:\Windows\explorer.exeProcess created: C:\Users\user\AppData\Local\3AoDbJo\CameraSettingsUIHost.exe C:\Users\user\AppData\Local\3AoDbJo\CameraSettingsUIHost.exe
            Source: C:\Windows\explorer.exeProcess created: C:\Windows\System32\SnippingTool.exe C:\Windows\system32\SnippingTool.exe
            Source: C:\Windows\explorer.exeProcess created: unknown unknown
            Source: C:\Windows\explorer.exeProcess created: unknown unknown
            Source: C:\Windows\explorer.exeProcess created: unknown unknown
            Source: C:\Windows\explorer.exeProcess created: unknown unknown
            Source: C:\Windows\explorer.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32
            Source: C:\Windows\explorer.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\CryptoJump to behavior
            Source: classification engineClassification label: mal100.troj.expl.evad.winDLL@47/17@0/0
            Source: C:\Users\user\AppData\Local\lqtTrEDJ\msdt.exeCode function: 18_2_00007FF68F29D838 VariantInit,CoCreateInstance,SysAllocString,VariantClear,
            Source: C:\Users\user\AppData\Local\29qb\FXSCOVER.exeCode function: 27_2_00007FF74C9B96F0 LoadLibraryW,GetLastError,FormatMessageW,#1463,CreateWindowExW,GetLastError,FormatMessageW,LocalFree,
            Source: C:\Windows\System32\loaddll64.exeProcess created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\2epPHr8ygJ.dll,CreateXmlReader
            Source: C:\Users\user\AppData\Local\p1G0zp\MDMAppInstaller.exeMutant created: \Sessions\1\BaseNamedObjects\{6e96cc13-3796-2f23-5ab3-d2d937ee5666}
            Source: C:\Users\user\AppData\Local\p1G0zp\MDMAppInstaller.exeMutant created: \Sessions\1\BaseNamedObjects\{d2e34cc6-e6aa-6365-5632-f8c3222ca63e}
            Source: C:\Users\user\AppData\Local\lqtTrEDJ\msdt.exeCode function: 18_2_00007FF68F2C56C4 FindResourceW,GetLastError,LoadResource,GetLastError,LockResource,SizeofResource,GetLastError,GlobalAlloc,GetLastError,GlobalLock,GetLastError,memcpy,CreateStreamOnHGlobal,FreeResource,GlobalUnlock,GlobalFree,
            Source: 2epPHr8ygJ.dllStatic PE information: Image base 0x140000000 > 0x60000000
            Source: 2epPHr8ygJ.dllStatic file information: File size 2347008 > 1048576
            Source: 2epPHr8ygJ.dllStatic PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA
            Source: Binary string: FXSCOVER.pdb source: FXSCOVER.exe, 0000001B.00000002.491482868.00007FF74C9D2000.00000002.00020000.sdmp
            Source: Binary string: mdmappinstaller.pdbGCTL source: MDMAppInstaller.exe, 00000021.00000002.558251742.00007FF729455000.00000002.00020000.sdmp
            Source: Binary string: msdt.pdbGCTL source: msdt.exe, 00000012.00000000.401947777.00007FF68F2D8000.00000002.00020000.sdmp
            Source: Binary string: FXSCOVER.pdbGCTL source: FXSCOVER.exe, 0000001B.00000002.491482868.00007FF74C9D2000.00000002.00020000.sdmp
            Source: Binary string: WMPDMC.pdbGCTL source: WMPDMC.exe, 00000018.00000002.453541823.00007FF6A13DD000.00000002.00020000.sdmp
            Source: Binary string: CameraSettingsUIHost.pdbGCTL source: CameraSettingsUIHost.exe, 0000001F.00000002.531397524.00007FF7EAC35000.00000002.00020000.sdmp
            Source: Binary string: CameraSettingsUIHost.pdb source: CameraSettingsUIHost.exe, 0000001F.00000002.531397524.00007FF7EAC35000.00000002.00020000.sdmp
            Source: Binary string: msdt.pdb source: msdt.exe, 00000012.00000000.401947777.00007FF68F2D8000.00000002.00020000.sdmp
            Source: Binary string: WMPDMC.pdb source: WMPDMC.exe, 00000018.00000002.453541823.00007FF6A13DD000.00000002.00020000.sdmp
            Source: Binary string: mdmappinstaller.pdb source: MDMAppInstaller.exe, 00000021.00000002.558251742.00007FF729455000.00000002.00020000.sdmp
            Source: C:\Windows\System32\loaddll64.exeCode function: 0_2_0000000140056A4D push rdi; ret
            Source: 2epPHr8ygJ.dllStatic PE information: section name: .qkm
            Source: 2epPHr8ygJ.dllStatic PE information: section name: .cvjb
            Source: 2epPHr8ygJ.dllStatic PE information: section name: .tlmkv
            Source: 2epPHr8ygJ.dllStatic PE information: section name: .wucsxe
            Source: 2epPHr8ygJ.dllStatic PE information: section name: .fltwtj
            Source: 2epPHr8ygJ.dllStatic PE information: section name: .sfplio
            Source: 2epPHr8ygJ.dllStatic PE information: section name: .rpg
            Source: 2epPHr8ygJ.dllStatic PE information: section name: .bewzc
            Source: 2epPHr8ygJ.dllStatic PE information: section name: .vksvaw
            Source: 2epPHr8ygJ.dllStatic PE information: section name: .wmhg
            Source: 2epPHr8ygJ.dllStatic PE information: section name: .kswemc
            Source: 2epPHr8ygJ.dllStatic PE information: section name: .kaxfk
            Source: 2epPHr8ygJ.dllStatic PE information: section name: .wualk
            Source: 2epPHr8ygJ.dllStatic PE information: section name: .qdxz
            Source: 2epPHr8ygJ.dllStatic PE information: section name: .rkyg
            Source: 2epPHr8ygJ.dllStatic PE information: section name: .psul
            Source: 2epPHr8ygJ.dllStatic PE information: section name: .pyjm
            Source: 2epPHr8ygJ.dllStatic PE information: section name: .eoadme
            Source: 2epPHr8ygJ.dllStatic PE information: section name: .fnz
            Source: 2epPHr8ygJ.dllStatic PE information: section name: .gwheg
            Source: 2epPHr8ygJ.dllStatic PE information: section name: .fcd
            Source: 2epPHr8ygJ.dllStatic PE information: section name: .dwk
            Source: 2epPHr8ygJ.dllStatic PE information: section name: .hgy
            Source: 2epPHr8ygJ.dllStatic PE information: section name: .nfm
            Source: 2epPHr8ygJ.dllStatic PE information: section name: .qmfqd
            Source: 2epPHr8ygJ.dllStatic PE information: section name: .buzyfh
            Source: 2epPHr8ygJ.dllStatic PE information: section name: .piwc
            Source: 2epPHr8ygJ.dllStatic PE information: section name: .nnrqzz
            Source: 2epPHr8ygJ.dllStatic PE information: section name: .hycwe
            Source: 2epPHr8ygJ.dllStatic PE information: section name: .unt
            Source: 2epPHr8ygJ.dllStatic PE information: section name: .hoj
            Source: 2epPHr8ygJ.dllStatic PE information: section name: .xufjr
            Source: 2epPHr8ygJ.dllStatic PE information: section name: .ukllwd
            Source: 2epPHr8ygJ.dllStatic PE information: section name: .dmpewo
            Source: 2epPHr8ygJ.dllStatic PE information: section name: .kerz
            Source: 2epPHr8ygJ.dllStatic PE information: section name: .skdwx
            Source: 2epPHr8ygJ.dllStatic PE information: section name: .diq
            Source: 2epPHr8ygJ.dllStatic PE information: section name: .cbuheu
            Source: 2epPHr8ygJ.dllStatic PE information: section name: .hwca
            Source: 2epPHr8ygJ.dllStatic PE information: section name: .mkabuo
            Source: 2epPHr8ygJ.dllStatic PE information: section name: .vstkx
            Source: 2epPHr8ygJ.dllStatic PE information: section name: .zpzkgm
            Source: 2epPHr8ygJ.dllStatic PE information: section name: .qkdzqp
            Source: 2epPHr8ygJ.dllStatic PE information: section name: .arp
            Source: WMPDMC.exe.5.drStatic PE information: section name: .didat
            Source: CameraSettingsUIHost.exe.5.drStatic PE information: section name: .imrsiv
            Source: MDMAppInstaller.exe.5.drStatic PE information: section name: .didat
            Source: CameraSettingsUIHost.exe0.5.drStatic PE information: section name: .imrsiv
            Source: MDMAppInstaller.exe0.5.drStatic PE information: section name: .didat
            Source: UxTheme.dll.5.drStatic PE information: section name: .qkm
            Source: UxTheme.dll.5.drStatic PE information: section name: .cvjb
            Source: UxTheme.dll.5.drStatic PE information: section name: .tlmkv
            Source: UxTheme.dll.5.drStatic PE information: section name: .wucsxe
            Source: UxTheme.dll.5.drStatic PE information: section name: .fltwtj
            Source: UxTheme.dll.5.drStatic PE information: section name: .sfplio
            Source: UxTheme.dll.5.drStatic PE information: section name: .rpg
            Source: UxTheme.dll.5.drStatic PE information: section name: .bewzc
            Source: UxTheme.dll.5.drStatic PE information: section name: .vksvaw
            Source: UxTheme.dll.5.drStatic PE information: section name: .wmhg
            Source: UxTheme.dll.5.drStatic PE information: section name: .kswemc
            Source: UxTheme.dll.5.drStatic PE information: section name: .kaxfk
            Source: UxTheme.dll.5.drStatic PE information: section name: .wualk
            Source: UxTheme.dll.5.drStatic PE information: section name: .qdxz
            Source: UxTheme.dll.5.drStatic PE information: section name: .rkyg
            Source: UxTheme.dll.5.drStatic PE information: section name: .psul
            Source: UxTheme.dll.5.drStatic PE information: section name: .pyjm
            Source: UxTheme.dll.5.drStatic PE information: section name: .eoadme
            Source: UxTheme.dll.5.drStatic PE information: section name: .fnz
            Source: UxTheme.dll.5.drStatic PE information: section name: .gwheg
            Source: UxTheme.dll.5.drStatic PE information: section name: .fcd
            Source: UxTheme.dll.5.drStatic PE information: section name: .dwk
            Source: UxTheme.dll.5.drStatic PE information: section name: .hgy
            Source: UxTheme.dll.5.drStatic PE information: section name: .nfm
            Source: UxTheme.dll.5.drStatic PE information: section name: .qmfqd
            Source: UxTheme.dll.5.drStatic PE information: section name: .buzyfh
            Source: UxTheme.dll.5.drStatic PE information: section name: .piwc
            Source: UxTheme.dll.5.drStatic PE information: section name: .nnrqzz
            Source: UxTheme.dll.5.drStatic PE information: section name: .hycwe
            Source: UxTheme.dll.5.drStatic PE information: section name: .unt
            Source: UxTheme.dll.5.drStatic PE information: section name: .hoj
            Source: UxTheme.dll.5.drStatic PE information: section name: .xufjr
            Source: UxTheme.dll.5.drStatic PE information: section name: .ukllwd
            Source: UxTheme.dll.5.drStatic PE information: section name: .dmpewo
            Source: UxTheme.dll.5.drStatic PE information: section name: .kerz
            Source: UxTheme.dll.5.drStatic PE information: section name: .skdwx
            Source: UxTheme.dll.5.drStatic PE information: section name: .diq
            Source: UxTheme.dll.5.drStatic PE information: section name: .cbuheu
            Source: UxTheme.dll.5.drStatic PE information: section name: .hwca
            Source: UxTheme.dll.5.drStatic PE information: section name: .mkabuo
            Source: UxTheme.dll.5.drStatic PE information: section name: .vstkx
            Source: UxTheme.dll.5.drStatic PE information: section name: .zpzkgm
            Source: UxTheme.dll.5.drStatic PE information: section name: .qkdzqp
            Source: UxTheme.dll.5.drStatic PE information: section name: .arp
            Source: UxTheme.dll.5.drStatic PE information: section name: .rlm
            Source: OLEACC.dll.5.dr  Static PE information: section name: .qkm
            Source: OLEACC.dll.5.dr  Static PE information: section name: .cvjb
            Source: OLEACC.dll.5.dr  Static PE information: section name: .tlmkv
            Source: OLEACC.dll.5.dr  Static PE information: section name: .wucsxe
            Source: OLEACC.dll.5.dr  Static PE information: section name: .fltwtj
            Source: OLEACC.dll.5.dr  Static PE information: section name: .sfplio
            Source: OLEACC.dll.5.dr  Static PE information: section name: .rpg
            Source: OLEACC.dll.5.dr  Static PE information: section name: .bewzc
            Source: OLEACC.dll.5.dr  Static PE information: section name: .vksvaw
            Source: OLEACC.dll.5.dr  Static PE information: section name: .wmhg
            Source: OLEACC.dll.5.dr  Static PE information: section name: .kswemc
            Source: OLEACC.dll.5.dr  Static PE information: section name: .kaxfk
            Source: OLEACC.dll.5.dr  Static PE information: section name: .wualk
            Source: OLEACC.dll.5.dr  Static PE information: section name: .qdxz
            Source: OLEACC.dll.5.dr  Static PE information: section name: .rkyg
            Source: OLEACC.dll.5.dr  Static PE information: section name: .psul
            Source: OLEACC.dll.5.dr  Static PE information: section name: .pyjm
            Source: OLEACC.dll.5.dr  Static PE information: section name: .eoadme
            Source: OLEACC.dll.5.dr  Static PE information: section name: .fnz
            Source: OLEACC.dll.5.dr  Static PE information: section name: .gwheg
            Source: OLEACC.dll.5.dr  Static PE information: section name: .fcd
            Source: OLEACC.dll.5.dr  Static PE information: section name: .dwk
            Source: OLEACC.dll.5.dr  Static PE information: section name: .hgy
            Source: OLEACC.dll.5.dr  Static PE information: section name: .nfm
            Source: OLEACC.dll.5.dr  Static PE information: section name: .qmfqd
            Source: OLEACC.dll.5.dr  Static PE information: section name: .buzyfh
            Source: OLEACC.dll.5.dr  Static PE information: section name: .piwc
            Source: OLEACC.dll.5.dr  Static PE information: section name: .nnrqzz
            Source: OLEACC.dll.5.dr  Static PE information: section name: .hycwe
            Source: OLEACC.dll.5.dr  Static PE information: section name: .unt
            Source: OLEACC.dll.5.dr  Static PE information: section name: .hoj
            Source: OLEACC.dll.5.dr  Static PE information: section name: .xufjr
            Source: OLEACC.dll.5.dr  Static PE information: section name: .ukllwd
            Source: OLEACC.dll.5.dr  Static PE information: section name: .dmpewo
            Source: OLEACC.dll.5.dr  Static PE information: section name: .kerz
            Source: OLEACC.dll.5.dr  Static PE information: section name: .skdwx
            Source: OLEACC.dll.5.dr  Static PE information: section name: .diq
            Source: OLEACC.dll.5.dr  Static PE information: section name: .cbuheu
            Source: OLEACC.dll.5.dr  Static PE information: section name: .hwca
            Source: OLEACC.dll.5.dr  Static PE information: section name: .mkabuo
            Source: OLEACC.dll.5.dr  Static PE information: section name: .vstkx
            Source: OLEACC.dll.5.dr  Static PE information: section name: .zpzkgm
            Source: OLEACC.dll.5.dr  Static PE information: section name: .qkdzqp
            Source: OLEACC.dll.5.dr  Static PE information: section name: .arp
            Source: OLEACC.dll.5.dr  Static PE information: section name: .cjy
            Source: MFC42u.dll.5.dr  Static PE information: section name: .qkm
            Source: MFC42u.dll.5.dr  Static PE information: section name: .cvjb
            Source: MFC42u.dll.5.dr  Static PE information: section name: .tlmkv
            Source: MFC42u.dll.5.dr  Static PE information: section name: .wucsxe
            Source: MFC42u.dll.5.dr  Static PE information: section name: .fltwtj
            Source: MFC42u.dll.5.dr  Static PE information: section name: .sfplio
            Source: MFC42u.dll.5.dr  Static PE information: section name: .rpg
            Source: MFC42u.dll.5.dr  Static PE information: section name: .bewzc
            Source: MFC42u.dll.5.dr  Static PE information: section name: .vksvaw
            Source: MFC42u.dll.5.dr  Static PE information: section name: .wmhg
            Source: MFC42u.dll.5.dr  Static PE information: section name: .kswemc
            Source: MFC42u.dll.5.dr  Static PE information: section name: .kaxfk
            Source: MFC42u.dll.5.dr  Static PE information: section name: .wualk
            Source: MFC42u.dll.5.dr  Static PE information: section name: .qdxz
            Source: MFC42u.dll.5.dr  Static PE information: section name: .rkyg
            Source: MFC42u.dll.5.dr  Static PE information: section name: .psul
            Source: MFC42u.dll.5.dr  Static PE information: section name: .pyjm
            Source: MFC42u.dll.5.dr  Static PE information: section name: .eoadme
            Source: MFC42u.dll.5.dr  Static PE information: section name: .fnz
            Source: MFC42u.dll.5.dr  Static PE information: section name: .gwheg
            Source: MFC42u.dll.5.dr  Static PE information: section name: .fcd
            Source: MFC42u.dll.5.dr  Static PE information: section name: .dwk
            Source: MFC42u.dll.5.dr  Static PE information: section name: .hgy
            Source: MFC42u.dll.5.dr  Static PE information: section name: .nfm
            Source: MFC42u.dll.5.dr  Static PE information: section name: .qmfqd
            Source: MFC42u.dll.5.dr  Static PE information: section name: .buzyfh
            Source: MFC42u.dll.5.dr  Static PE information: section name: .piwc
            Source: MFC42u.dll.5.dr  Static PE information: section name: .nnrqzz
            Source: MFC42u.dll.5.dr  Static PE information: section name: .hycwe
            Source: MFC42u.dll.5.dr  Static PE information: section name: .unt
            Source: MFC42u.dll.5.dr  Static PE information: section name: .hoj
            Source: MFC42u.dll.5.dr  Static PE information: section name: .xufjr
            Source: MFC42u.dll.5.dr  Static PE information: section name: .ukllwd
            Source: MFC42u.dll.5.dr  Static PE information: section name: .dmpewo
            Source: MFC42u.dll.5.dr  Static PE information: section name: .kerz
            Source: MFC42u.dll.5.dr  Static PE information: section name: .skdwx
            Source: MFC42u.dll.5.dr  Static PE information: section name: .diq
            Source: MFC42u.dll.5.dr  Static PE information: section name: .cbuheu
            Source: MFC42u.dll.5.dr  Static PE information: section name: .hwca
            Source: MFC42u.dll.5.dr  Static PE information: section name: .mkabuo
            Source: MFC42u.dll.5.dr  Static PE information: section name: .vstkx
            Source: MFC42u.dll.5.dr  Static PE information: section name: .zpzkgm
            Source: MFC42u.dll.5.dr  Static PE information: section name: .qkdzqp
            Source: MFC42u.dll.5.dr  Static PE information: section name: .arp
            Source: MFC42u.dll.5.dr  Static PE information: section name: .amu
            Source: DUI70.dll.5.dr  Static PE information: section name: .qkm
            Source: DUI70.dll.5.dr  Static PE information: section name: .cvjb
            Source: DUI70.dll.5.dr  Static PE information: section name: .tlmkv
            Source: DUI70.dll.5.dr  Static PE information: section name: .wucsxe
            Source: DUI70.dll.5.dr  Static PE information: section name: .fltwtj
            Source: DUI70.dll.5.dr  Static PE information: section name: .sfplio
            Source: DUI70.dll.5.dr  Static PE information: section name: .rpg
            Source: DUI70.dll.5.dr  Static PE information: section name: .bewzc
            Source: DUI70.dll.5.dr  Static PE information: section name: .vksvaw
            Source: DUI70.dll.5.dr  Static PE information: section name: .wmhg
            Source: DUI70.dll.5.dr  Static PE information: section name: .kswemc
            Source: DUI70.dll.5.dr  Static PE information: section name: .kaxfk
            Source: DUI70.dll.5.dr  Static PE information: section name: .wualk
            Source: DUI70.dll.5.dr  Static PE information: section name: .qdxz
            Source: DUI70.dll.5.dr  Static PE information: section name: .rkyg
            Source: DUI70.dll.5.dr  Static PE information: section name: .psul
            Source: DUI70.dll.5.dr  Static PE information: section name: .pyjm
            Source: DUI70.dll.5.dr  Static PE information: section name: .eoadme
            Source: DUI70.dll.5.dr  Static PE information: section name: .fnz
            Source: DUI70.dll.5.dr  Static PE information: section name: .gwheg
            Source: DUI70.dll.5.dr  Static PE information: section name: .fcd
            Source: DUI70.dll.5.dr  Static PE information: section name: .dwk
            Source: DUI70.dll.5.dr  Static PE information: section name: .hgy
            Source: DUI70.dll.5.dr  Static PE information: section name: .nfm
            Source: DUI70.dll.5.dr  Static PE information: section name: .qmfqd
            Source: DUI70.dll.5.dr  Static PE information: section name: .buzyfh
            Source: DUI70.dll.5.dr  Static PE information: section name: .piwc
            Source: DUI70.dll.5.dr  Static PE information: section name: .nnrqzz
            Source: DUI70.dll.5.dr  Static PE information: section name: .hycwe
            Source: DUI70.dll.5.dr  Static PE information: section name: .unt
            Source: DUI70.dll.5.dr  Static PE information: section name: .hoj
            Source: DUI70.dll.5.dr  Static PE information: section name: .xufjr
            Source: DUI70.dll.5.dr  Static PE information: section name: .ukllwd
            Source: DUI70.dll.5.dr  Static PE information: section name: .dmpewo
            Source: DUI70.dll.5.dr  Static PE information: section name: .kerz
            Source: DUI70.dll.5.dr  Static PE information: section name: .skdwx
            Source: DUI70.dll.5.dr  Static PE information: section name: .diq
            Source: DUI70.dll.5.dr  Static PE information: section name: .cbuheu
            Source: DUI70.dll.5.dr  Static PE information: section name: .hwca
            Source: DUI70.dll.5.dr  Static PE information: section name: .mkabuo
            Source: DUI70.dll.5.dr  Static PE information: section name: .vstkx
            Source: DUI70.dll.5.dr  Static PE information: section name: .zpzkgm
            Source: DUI70.dll.5.dr  Static PE information: section name: .qkdzqp
            Source: DUI70.dll.5.dr  Static PE information: section name: .arp
            Source: DUI70.dll.5.dr  Static PE information: section name: .burypb
            Source: WTSAPI32.dll.5.dr  Static PE information: section name: .qkm
            Source: WTSAPI32.dll.5.dr  Static PE information: section name: .cvjb
            Source: WTSAPI32.dll.5.dr  Static PE information: section name: .tlmkv
            Source: WTSAPI32.dll.5.dr  Static PE information: section name: .wucsxe
            Source: WTSAPI32.dll.5.dr  Static PE information: section name: .fltwtj
            Source: WTSAPI32.dll.5.dr  Static PE information: section name: .sfplio
            Source: WTSAPI32.dll.5.dr  Static PE information: section name: .rpg
            Source: WTSAPI32.dll.5.dr  Static PE information: section name: .bewzc
            Source: WTSAPI32.dll.5.dr  Static PE information: section name: .vksvaw
            Source: WTSAPI32.dll.5.dr  Static PE information: section name: .wmhg
            Source: WTSAPI32.dll.5.dr  Static PE information: section name: .kswemc
            Source: WTSAPI32.dll.5.dr  Static PE information: section name: .kaxfk
            Source: WTSAPI32.dll.5.dr  Static PE information: section name: .wualk
            Source: WTSAPI32.dll.5.dr  Static PE information: section name: .qdxz
            Source: WTSAPI32.dll.5.dr  Static PE information: section name: .rkyg
            Source: WTSAPI32.dll.5.dr  Static PE information: section name: .psul
            Source: WTSAPI32.dll.5.dr  Static PE information: section name: .pyjm
            Source: WTSAPI32.dll.5.dr  Static PE information: section name: .eoadme
            Source: WTSAPI32.dll.5.dr  Static PE information: section name: .fnz
            Source: WTSAPI32.dll.5.dr  Static PE information: section name: .gwheg
            Source: WTSAPI32.dll.5.dr  Static PE information: section name: .fcd
            Source: WTSAPI32.dll.5.dr  Static PE information: section name: .dwk
            Source: WTSAPI32.dll.5.dr  Static PE information: section name: .hgy
            Source: WTSAPI32.dll.5.dr  Static PE information: section name: .nfm
            Source: WTSAPI32.dll.5.dr  Static PE information: section name: .qmfqd
            Source: WTSAPI32.dll.5.dr  Static PE information: section name: .buzyfh
            Source: WTSAPI32.dll.5.dr  Static PE information: section name: .piwc
            Source: WTSAPI32.dll.5.dr  Static PE information: section name: .nnrqzz
            Source: WTSAPI32.dll.5.dr  Static PE information: section name: .hycwe
            Source: WTSAPI32.dll.5.dr  Static PE information: section name: .unt
            Source: WTSAPI32.dll.5.dr  Static PE information: section name: .hoj
            Source: WTSAPI32.dll.5.dr  Static PE information: section name: .xufjr
            Source: WTSAPI32.dll.5.dr  Static PE information: section name: .ukllwd
            Source: WTSAPI32.dll.5.dr  Static PE information: section name: .dmpewo
            Source: WTSAPI32.dll.5.dr  Static PE information: section name: .kerz
            Source: WTSAPI32.dll.5.dr  Static PE information: section name: .skdwx
            Source: WTSAPI32.dll.5.dr  Static PE information: section name: .diq
            Source: WTSAPI32.dll.5.dr  Static PE information: section name: .cbuheu
            Source: WTSAPI32.dll.5.dr  Static PE information: section name: .hwca
            Source: WTSAPI32.dll.5.dr  Static PE information: section name: .mkabuo
            Source: WTSAPI32.dll.5.dr  Static PE information: section name: .vstkx
            Source: WTSAPI32.dll.5.dr  Static PE information: section name: .zpzkgm
            Source: WTSAPI32.dll.5.dr  Static PE information: section name: .qkdzqp
            Source: WTSAPI32.dll.5.dr  Static PE information: section name: .arp
            Source: WTSAPI32.dll.5.dr  Static PE information: section name: .enn
            Source: DUI70.dll0.5.dr  Static PE information: section name: .qkm
            Source: DUI70.dll0.5.dr  Static PE information: section name: .cvjb
            Source: DUI70.dll0.5.dr  Static PE information: section name: .tlmkv
            Source: DUI70.dll0.5.dr  Static PE information: section name: .wucsxe
            Source: DUI70.dll0.5.dr  Static PE information: section name: .fltwtj
            Source: DUI70.dll0.5.dr  Static PE information: section name: .sfplio
            Source: DUI70.dll0.5.dr  Static PE information: section name: .rpg
            Source: DUI70.dll0.5.dr  Static PE information: section name: .bewzc
            Source: DUI70.dll0.5.dr  Static PE information: section name: .vksvaw
            Source: DUI70.dll0.5.dr  Static PE information: section name: .wmhg
            Source: DUI70.dll0.5.dr  Static PE information: section name: .kswemc
            Source: DUI70.dll0.5.dr  Static PE information: section name: .kaxfk
            Source: DUI70.dll0.5.dr  Static PE information: section name: .wualk
            Source: DUI70.dll0.5.dr  Static PE information: section name: .qdxz
            Source: DUI70.dll0.5.dr  Static PE information: section name: .rkyg
            Source: DUI70.dll0.5.dr  Static PE information: section name: .psul
            Source: DUI70.dll0.5.dr  Static PE information: section name: .pyjm
            Source: DUI70.dll0.5.dr  Static PE information: section name: .eoadme
            Source: DUI70.dll0.5.dr  Static PE information: section name: .fnz
            Source: DUI70.dll0.5.dr  Static PE information: section name: .gwheg
            Source: DUI70.dll0.5.dr  Static PE information: section name: .fcd
            Source: DUI70.dll0.5.dr  Static PE information: section name: .dwk
            Source: DUI70.dll0.5.dr  Static PE information: section name: .hgy
            Source: DUI70.dll0.5.dr  Static PE information: section name: .nfm
            Source: DUI70.dll0.5.dr  Static PE information: section name: .qmfqd
            Source: DUI70.dll0.5.dr  Static PE information: section name: .buzyfh
            Source: DUI70.dll0.5.dr  Static PE information: section name: .piwc
            Source: DUI70.dll0.5.dr  Static PE information: section name: .nnrqzz
            Source: DUI70.dll0.5.dr  Static PE information: section name: .hycwe
            Source: DUI70.dll0.5.dr  Static PE information: section name: .unt
            Source: DUI70.dll0.5.dr  Static PE information: section name: .hoj
            Source: DUI70.dll0.5.dr  Static PE information: section name: .xufjr
            Source: DUI70.dll0.5.dr  Static PE information: section name: .ukllwd
            Source: DUI70.dll0.5.dr  Static PE information: section name: .dmpewo
            Source: DUI70.dll0.5.dr  Static PE information: section name: .kerz
            Source: DUI70.dll0.5.dr  Static PE information: section name: .skdwx
            Source: DUI70.dll0.5.dr  Static PE information: section name: .diq
            Source: DUI70.dll0.5.dr  Static PE information: section name: .cbuheu
            Source: DUI70.dll0.5.dr  Static PE information: section name: .hwca
            Source: DUI70.dll0.5.dr  Static PE information: section name: .mkabuo
            Source: DUI70.dll0.5.dr  Static PE information: section name: .vstkx
            Source: DUI70.dll0.5.dr  Static PE information: section name: .zpzkgm
            Source: DUI70.dll0.5.dr  Static PE information: section name: .qkdzqp
            Source: DUI70.dll0.5.dr  Static PE information: section name: .arp
            Source: DUI70.dll0.5.dr  Static PE information: section name: .bzhioz
            Source: UxTheme.dll0.5.dr  Static PE information: section name: .qkm
            Source: UxTheme.dll0.5.dr  Static PE information: section name: .cvjb
            Source: UxTheme.dll0.5.dr  Static PE information: section name: .tlmkv
            Source: UxTheme.dll0.5.dr  Static PE information: section name: .wucsxe
            Source: UxTheme.dll0.5.dr  Static PE information: section name: .fltwtj
            Source: UxTheme.dll0.5.dr  Static PE information: section name: .sfplio
            Source: UxTheme.dll0.5.dr  Static PE information: section name: .rpg
            Source: UxTheme.dll0.5.dr  Static PE information: section name: .bewzc
            Source: UxTheme.dll0.5.dr  Static PE information: section name: .vksvaw
            Source: UxTheme.dll0.5.dr  Static PE information: section name: .wmhg
            Source: UxTheme.dll0.5.dr  Static PE information: section name: .kswemc
            Source: UxTheme.dll0.5.dr  Static PE information: section name: .kaxfk
            Source: UxTheme.dll0.5.dr  Static PE information: section name: .wualk
            Source: UxTheme.dll0.5.dr  Static PE information: section name: .qdxz
            Source: UxTheme.dll0.5.dr  Static PE information: section name: .rkyg
            Source: UxTheme.dll0.5.dr  Static PE information: section name: .psul
            Source: UxTheme.dll0.5.dr  Static PE information: section name: .pyjm
            Source: UxTheme.dll0.5.dr  Static PE information: section name: .eoadme
            Source: UxTheme.dll0.5.dr  Static PE information: section name: .fnz
            Source: UxTheme.dll0.5.dr  Static PE information: section name: .gwheg
            Source: UxTheme.dll0.5.dr  Static PE information: section name: .fcd
            Source: UxTheme.dll0.5.dr  Static PE information: section name: .dwk
            Source: UxTheme.dll0.5.dr  Static PE information: section name: .hgy
            Source: UxTheme.dll0.5.dr  Static PE information: section name: .nfm
            Source: UxTheme.dll0.5.dr  Static PE information: section name: .qmfqd
            Source: UxTheme.dll0.5.dr  Static PE information: section name: .buzyfh
            Source: UxTheme.dll0.5.dr  Static PE information: section name: .piwc
            Source: UxTheme.dll0.5.dr  Static PE information: section name: .nnrqzz
            Source: UxTheme.dll0.5.dr  Static PE information: section name: .hycwe
            Source: UxTheme.dll0.5.dr  Static PE information: section name: .unt
            Source: UxTheme.dll0.5.dr  Static PE information: section name: .hoj
            Source: UxTheme.dll0.5.dr  Static PE information: section name: .xufjr
            Source: UxTheme.dll0.5.dr  Static PE information: section name: .ukllwd
            Source: UxTheme.dll0.5.dr  Static PE information: section name: .dmpewo
            Source: UxTheme.dll0.5.dr  Static PE information: section name: .kerz
            Source: UxTheme.dll0.5.dr  Static PE information: section name: .skdwx
            Source: UxTheme.dll0.5.dr  Static PE information: section name: .diq
            Source: UxTheme.dll0.5.dr  Static PE information: section name: .cbuheu
            Source: UxTheme.dll0.5.dr  Static PE information: section name: .hwca
            Source: UxTheme.dll0.5.dr  Static PE information: section name: .mkabuo
            Source: UxTheme.dll0.5.dr  Static PE information: section name: .vstkx
            Source: UxTheme.dll0.5.dr  Static PE information: section name: .zpzkgm
            Source: UxTheme.dll0.5.dr  Static PE information: section name: .qkdzqp
            Source: UxTheme.dll0.5.dr  Static PE information: section name: .arp
            Source: UxTheme.dll0.5.dr  Static PE information: section name: .dtzmlx
            Source: WTSAPI32.dll0.5.dr  Static PE information: section name: .qkm
            Source: WTSAPI32.dll0.5.dr  Static PE information: section name: .cvjb
            Source: WTSAPI32.dll0.5.dr  Static PE information: section name: .tlmkv
            Source: WTSAPI32.dll0.5.dr  Static PE information: section name: .wucsxe
            Source: WTSAPI32.dll0.5.dr  Static PE information: section name: .fltwtj
            Source: WTSAPI32.dll0.5.dr  Static PE information: section name: .sfplio
            Source: WTSAPI32.dll0.5.dr  Static PE information: section name: .rpg
            Source: WTSAPI32.dll0.5.dr  Static PE information: section name: .bewzc
            Source: WTSAPI32.dll0.5.dr  Static PE information: section name: .vksvaw
            Source: WTSAPI32.dll0.5.dr  Static PE information: section name: .wmhg
            Source: WTSAPI32.dll0.5.dr  Static PE information: section name: .kswemc
            Source: WTSAPI32.dll0.5.dr  Static PE information: section name: .kaxfk
            Source: WTSAPI32.dll0.5.dr  Static PE information: section name: .wualk
            Source: WTSAPI32.dll0.5.dr  Static PE information: section name: .qdxz
            Source: WTSAPI32.dll0.5.dr  Static PE information: section name: .rkyg
            Source: WTSAPI32.dll0.5.dr  Static PE information: section name: .psul
            Source: WTSAPI32.dll0.5.dr  Static PE information: section name: .pyjm
            Source: WTSAPI32.dll0.5.dr  Static PE information: section name: .eoadme
            Source: WTSAPI32.dll0.5.dr  Static PE information: section name: .fnz
            Source: WTSAPI32.dll0.5.dr  Static PE information: section name: .gwheg
            Source: WTSAPI32.dll0.5.dr  Static PE information: section name: .fcd
            Source: WTSAPI32.dll0.5.dr  Static PE information: section name: .dwk
            Source: WTSAPI32.dll0.5.dr  Static PE information: section name: .hgy
            Source: WTSAPI32.dll0.5.dr  Static PE information: section name: .nfm
            Source: WTSAPI32.dll0.5.dr  Static PE information: section name: .qmfqd
            Source: WTSAPI32.dll0.5.dr  Static PE information: section name: .buzyfh
            Source: WTSAPI32.dll0.5.dr  Static PE information: section name: .piwc
            Source: WTSAPI32.dll0.5.dr  Static PE information: section name: .nnrqzz
            Source: WTSAPI32.dll0.5.dr  Static PE information: section name: .hycwe
            Source: WTSAPI32.dll0.5.dr  Static PE information: section name: .unt
            Source: WTSAPI32.dll0.5.dr  Static PE information: section name: .hoj
            Source: WTSAPI32.dll0.5.dr  Static PE information: section name: .xufjr
            Source: WTSAPI32.dll0.5.dr  Static PE information: section name: .ukllwd
            Source: WTSAPI32.dll0.5.dr  Static PE information: section name: .dmpewo
            Source: WTSAPI32.dll0.5.dr  Static PE information: section name: .kerz
            Source: WTSAPI32.dll0.5.dr  Static PE information: section name: .skdwx
            Source: WTSAPI32.dll0.5.dr  Static PE information: section name: .diq
            Source: WTSAPI32.dll0.5.dr  Static PE information: section name: .cbuheu
            Source: WTSAPI32.dll0.5.dr  Static PE information: section name: .hwca
            Source: WTSAPI32.dll0.5.dr  Static PE information: section name: .mkabuo
            Source: WTSAPI32.dll0.5.dr  Static PE information: section name: .vstkx
            Source: WTSAPI32.dll0.5.dr  Static PE information: section name: .zpzkgm
            Source: WTSAPI32.dll0.5.dr  Static PE information: section name: .qkdzqp
            Source: WTSAPI32.dll0.5.dr  Static PE information: section name: .arp
            Source: WTSAPI32.dll0.5.dr  Static PE information: section name: .fvbg
            Source: C:\Users\user\AppData\Local\Ga7Wl\WMPDMC.exe  Code function: 24_2_00007FF6A1398404 GetSystemDirectoryW,PathCchAppend,LoadLibraryW,GetProcAddress,
            Source: DUI70.dll0.5.dr  Static PE information: real checksum: 0x7d786c40 should be: 0x290845
            Source: 2epPHr8ygJ.dll  Static PE information: real checksum: 0x7d786c40 should be: 0x244206
            Source: DUI70.dll.5.dr  Static PE information: real checksum: 0x7d786c40 should be: 0x28c253
            Source: WTSAPI32.dll.5.dr  Static PE information: real checksum: 0x7d786c40 should be: 0x23e442
            Source: UxTheme.dll0.5.dr  Static PE information: real checksum: 0x7d786c40 should be: 0x240d62
            Source: UxTheme.dll.5.dr  Static PE information: real checksum: 0x7d786c40 should be: 0x244584
            Source: MFC42u.dll.5.dr  Static PE information: real checksum: 0x7d786c40 should be: 0x250c17
            Source: OLEACC.dll.5.dr  Static PE information: real checksum: 0x7d786c40 should be: 0x24602e
            Source: WTSAPI32.dll0.5.dr  Static PE information: real checksum: 0x7d786c40 should be: 0x23f518
            Source: msdt.exe.5.dr  Static PE information: 0xFF860234 [Fri Nov 6 17:41:08 2105 UTC]
            Source: initial sample  Static PE information: section name: .text entropy: 7.73364605679
            Source: C:\Windows\explorer.exe  File created: C:\Users\user\AppData\Local\YVP8cq\CameraSettingsUIHost.exe
            Source: C:\Windows\explorer.exe  File created: C:\Users\user\AppData\Local\Ga7Wl\WMPDMC.exe
            Source: C:\Windows\explorer.exe  File created: C:\Users\user\AppData\Local\3AoDbJo\CameraSettingsUIHost.exe
            Source: C:\Windows\explorer.exe  File created: C:\Users\user\AppData\Local\EPV\MDMAppInstaller.exe
            Source: C:\Windows\explorer.exe  File created: C:\Users\user\AppData\Local\p1G0zp\MDMAppInstaller.exe
            Source: C:\Windows\explorer.exe  File created: C:\Users\user\AppData\Local\lqtTrEDJ\msdt.exe
            Source: C:\Windows\explorer.exe  File created: C:\Users\user\AppData\Local\3AoDbJo\DUI70.dll
            Source: C:\Windows\explorer.exe  File created: C:\Users\user\AppData\Local\29qb\MFC42u.dll
            Source: C:\Windows\explorer.exe  File created: C:\Users\user\AppData\Local\YVP8cq\DUI70.dll
            Source: C:\Windows\explorer.exe  File created: C:\Users\user\AppData\Local\n7Is\UxTheme.dll
            Source: C:\Windows\explorer.exe  File created: C:\Users\user\AppData\Local\29qb\FXSCOVER.exe
            Source: C:\Windows\explorer.exe  File created: C:\Users\user\AppData\Local\n7Is\SnippingTool.exe
            Source: C:\Windows\explorer.exe  File created: C:\Users\user\AppData\Local\Ga7Wl\OLEACC.dll
            Source: C:\Windows\explorer.exe  File created: C:\Users\user\AppData\Local\p1G0zp\WTSAPI32.dll
            Source: C:\Windows\explorer.exe  File created: C:\Users\user\AppData\Local\EPV\WTSAPI32.dll
            Source: C:\Windows\explorer.exe  File created: C:\Users\user\AppData\Local\lqtTrEDJ\UxTheme.dll
            Source: C:\Users\user\AppData\Local\Ga7Wl\WMPDMC.exe  Code function: 24_2_00007FF6A1327020 GetWindow,IsWindowVisible,GetWindowThreadProcessId,GetDesktopWindow,GetWindow,GetWindowThreadProcessId,GetParent,GetWindow,GetClassNameW,CompareStringOrdinal,SetForegroundWindow,IsIconic,ShowWindow,
            Source: C:\Users\user\AppData\Local\29qb\FXSCOVER.exe  Code function: 27_2_00007FF74C9CAD40 SetForegroundWindow,IsIconic,#6632,
            Source: C:\Windows\System32\rundll32.exe  Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\explorer.exe TID: 6108  Thread sleep count: 34 > 30
            Source: C:\Users\user\AppData\Local\29qb\FXSCOVER.exe  Last function: Thread delayed
            Source: C:\Windows\System32\loaddll64.exe  Process information queried: ProcessInformation
            Source: C:\Windows\System32\loaddll64.exe  Code function: 0_2_000000014005C340 GetSystemInfo,
            Source: C:\Windows\System32\loaddll64.exe  Code function: 0_2_000000014005D290 FindFirstFileExW,
            Source: C:\Users\user\AppData\Local\lqtTrEDJ\msdt.exe  Code function: 18_2_00007FF68F2B2770 memset,GetProcessHeap,HeapAlloc,FindFirstFileW,_wcsicmp,_wcsicmp,FindNextFileW,FindClose,GetLastError,GetProcessHeap,HeapFree,
            Source: C:\Users\user\AppData\Local\lqtTrEDJ\msdt.exe  Code function: 18_2_00007FF68F2B7784 memset,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapAlloc,CloseHandle,FindFirstFileW,_wcsicmp,_wcsicmp,GetFileAttributesW,SetFileAttributesW,GetLastError,GetFileAttributesW,SetFileAttributesW,GetLastError,DeleteFileW,CreateFileW,GetLastError,CloseHandle,FindNextFileW,FindClose,GetLastError,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,CloseHandle,CloseHandle,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,
            Source: C:\Users\user\AppData\Local\lqtTrEDJ\msdt.exe  Code function: 18_2_00007FF68F2CA65C memset,GetProcessHeap,HeapAlloc,FindFirstFileW,GetProcessHeap,HeapAlloc,GetLastError,FindClose,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,
            Source: C:\Users\user\AppData\Local\lqtTrEDJ\msdt.exe  Code function: 18_2_00007FF68F2B6720 memset,GetProcessHeap,HeapAlloc,FindFirstFileW,_wcsicmp,_wcsicmp,FindNextFileW,FindClose,GetLastError,GetProcessHeap,HeapFree,
            Source: C:\Users\user\AppData\Local\lqtTrEDJ\msdt.exe  Code function: 18_2_00007FF68F2CBD48 memset,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapAlloc,FindFirstFileW,_wcsicmp,_wcsicmp,CopyFileW,GetLastError,FindNextFileW,FindClose,GetLastError,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,
            Source: C:\Users\user\AppData\Local\lqtTrEDJ\msdt.exe  Code function: 18_2_00007FF68F2B7C3C GetProcessHeap,HeapAlloc,FindFirstFileW,_wcsicmp,_wcsicmp,SetFileAttributesW,GetLastError,DeleteFileW,GetLastError,FindNextFileW,FindClose,RemoveDirectoryW,GetLastError,GetProcessHeap,HeapFree,
            Source: C:\Users\user\AppData\Local\lqtTrEDJ\msdt.exe  Code function: 18_2_00007FF68F2B6494 memset,GetProcessHeap,HeapAlloc,FindFirstFileW,_wcsicmp,_wcsicmp,FindNextFileW,FindClose,#13,GetLastError,GetProcessHeap,HeapFree,
            Source: explorer.exe, 00000005.00000000.356856219.0000000000B7D000.00000004.00000020.sdmp  Binary or memory string: War&Prod_VMware_SATA
            Source: explorer.exe, 00000005.00000000.347682374.00000000086C9000.00000004.00000001.sdmp  Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
            Source: explorer.exe, 00000005.00000000.347826219.0000000008778000.00000004.00000001.sdmp  Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000}
            Source: explorer.exe, 00000005.00000000.301297684.00000000067C2000.00000004.00000001.sdmp  Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
            Source: explorer.exe, 00000005.00000000.347682374.00000000086C9000.00000004.00000001.sdmp  Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}&
            Source: explorer.exe, 00000005.00000000.301297684.00000000067C2000.00000004.00000001.sdmp  Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000m32)
            Source: explorer.exe, 00000005.00000000.347682374.00000000086C9000.00000004.00000001.sdmp  Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000
            Source: C:\Users\user\AppData\Local\p1G0zp\MDMAppInstaller.exe  Code function: 33_2_00007FF729442890 GetCurrentThreadId,memset,IsDebuggerPresent,OutputDebugStringW,
            Source: C:\Users\user\AppData\Local\Ga7Wl\WMPDMC.exe  Code function: 24_2_00007FF6A1398404 GetSystemDirectoryW,PathCchAppend,LoadLibraryW,GetProcAddress,
            Source: C:\Users\user\AppData\Local\lqtTrEDJ\msdt.exe  Code function: 18_2_00007FF68F2BC070 GetProcessHeap,HeapFree,
            Source: C:\Windows\System32\loaddll64.exeCode function: 0_2_0000000140048AC0 LdrLoadDll,FindClose,
            Source: C:\Users\user\AppData\Local\lqtTrEDJ\msdt.exeCode function: 18_2_00007FF68F2D5E58 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
            Source: C:\Users\user\AppData\Local\lqtTrEDJ\msdt.exeCode function: 18_2_00007FF68F2D6140 SetUnhandledExceptionFilter,
            Source: C:\Users\user\AppData\Local\Ga7Wl\WMPDMC.exeCode function: 24_2_00007FF6A13DA9E4 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
            Source: C:\Users\user\AppData\Local\29qb\FXSCOVER.exeCode function: 27_2_00007FF74C9CF570 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
            Source: C:\Users\user\AppData\Local\29qb\FXSCOVER.exeCode function: 27_2_00007FF74C9CF960 SetUnhandledExceptionFilter,
            Source: C:\Users\user\AppData\Local\YVP8cq\CameraSettingsUIHost.exeCode function: 31_2_00007FF7EAC335B4 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
            Source: C:\Users\user\AppData\Local\YVP8cq\CameraSettingsUIHost.exeCode function: 31_2_00007FF7EAC33330 SetUnhandledExceptionFilter,
            Source: C:\Users\user\AppData\Local\p1G0zp\MDMAppInstaller.exeCode function: 33_2_00007FF729453DF0 SetUnhandledExceptionFilter,
            Source: C:\Users\user\AppData\Local\p1G0zp\MDMAppInstaller.exeCode function: 33_2_00007FF729453BA4 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,

            HIPS / PFW / Operating System Protection Evasion:

            Benign windows process drops PE files
            Source: C:\Windows\explorer.exeFile created: UxTheme.dll.5.dr
            Changes memory attributes in foreign processes to executable or writable
            Source: C:\Windows\System32\rundll32.exeMemory protected: C:\Windows\explorer.exe base: 7FFC8DD4EFE0 protect: page execute and read and write
            Source: C:\Windows\System32\rundll32.exeMemory protected: C:\Windows\explorer.exe base: 7FFC8DD4E000 protect: page execute read
            Source: C:\Windows\System32\rundll32.exeMemory protected: C:\Windows\explorer.exe base: 7FFC8BAD2A20 protect: page execute and read and write
            Queues an APC in another process (thread injection)
            Source: C:\Windows\System32\rundll32.exeThread APC queued: target process: C:\Windows\explorer.exe
            Uses Atom Bombing / ProGate to inject into other processes
            Source: C:\Windows\System32\rundll32.exeAtom created: 405553565741544156488D6C24D14881EC98 0x00000000 inc eax 0x00000001 push ebp 0x00000002 push ebx 0x00000003 push esi 0x00000004 push edi 0x00000005 inc ecx 0x00000006 push esp 0x00000007 inc ecx 0x00000008 push esi 0x00000009 dec eax 0x0000000a lea ebp, dword ptr [esp-2Fh] 0x0000000e dec eax 0x0000000f sub esp, 00000098h
            Source: C:\Users\user\AppData\Local\lqtTrEDJ\msdt.exeCode function: 18_2_00007FF68F29FF54 memset,GetModuleFileNameW,GetLastError,memset,ShellExecuteExW,CreateThread,GetLastError,GetProcessHeap,HeapFree,GetLastError,
            Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\2epPHr8ygJ.dll',#1
            Source: explorer.exe, 00000005.00000000.315672936.00000000011E0000.00000002.00020000.sdmpBinary or memory string: Program Manager
            Source: explorer.exe, 00000005.00000000.340115746.0000000000B68000.00000004.00000020.sdmpBinary or memory string: Progman\Pr
            Source: explorer.exe, 00000005.00000000.315672936.00000000011E0000.00000002.00020000.sdmpBinary or memory string: Shell_TrayWnd
            Source: explorer.exe, 00000005.00000000.315672936.00000000011E0000.00000002.00020000.sdmpBinary or memory string: Progman
            Source: explorer.exe, 00000005.00000000.315672936.00000000011E0000.00000002.00020000.sdmpBinary or memory string: Progmanlock
            Source: explorer.exe, 00000005.00000000.347826219.0000000008778000.00000004.00000001.sdmpBinary or memory string: Shell_TrayWndh
            Source: C:\Windows\System32\loaddll64.exeQueries volume information: unknown VolumeInformation
            Source: C:\Windows\System32\loaddll64.exeQueries volume information: unknown VolumeInformation
            Source: C:\Windows\System32\rundll32.exeQueries volume information: unknown VolumeInformation
            Source: C:\Windows\System32\rundll32.exeQueries volume information: unknown VolumeInformation
            Source: C:\Windows\System32\rundll32.exeQueries volume information: unknown VolumeInformation
            Source: C:\Windows\System32\rundll32.exeQueries volume information: unknown VolumeInformation
            Source: C:\Windows\System32\rundll32.exeQueries volume information: unknown VolumeInformation
            Source: C:\Windows\System32\rundll32.exeQueries volume information: unknown VolumeInformation
            Source: C:\Windows\System32\rundll32.exeQueries volume information: unknown VolumeInformation
            Source: C:\Windows\System32\rundll32.exeQueries volume information: unknown VolumeInformation
            Source: C:\Users\user\AppData\Local\lqtTrEDJ\msdt.exeQueries volume information: unknown VolumeInformation
            Source: C:\Users\user\AppData\Local\lqtTrEDJ\msdt.exeQueries volume information: unknown VolumeInformation
            Source: C:\Users\user\AppData\Local\Ga7Wl\WMPDMC.exeQueries volume information: unknown VolumeInformation
            Source: C:\Users\user\AppData\Local\Ga7Wl\WMPDMC.exeQueries volume information: unknown VolumeInformation
            Source: C:\Users\user\AppData\Local\29qb\FXSCOVER.exeQueries volume information: unknown VolumeInformation
            Source: C:\Users\user\AppData\Local\29qb\FXSCOVER.exeQueries volume information: unknown VolumeInformation
            Source: C:\Users\user\AppData\Local\YVP8cq\CameraSettingsUIHost.exeQueries volume information: unknown VolumeInformation
            Source: C:\Users\user\AppData\Local\YVP8cq\CameraSettingsUIHost.exeQueries volume information: unknown VolumeInformation
            Source: C:\Users\user\AppData\Local\p1G0zp\MDMAppInstaller.exeQueries volume information: unknown VolumeInformation
            Source: C:\Users\user\AppData\Local\p1G0zp\MDMAppInstaller.exeQueries volume information: unknown VolumeInformation
            Source: C:\Users\user\AppData\Local\29qb\FXSCOVER.exeCode function: GetUserPreferredUILanguages,GetLastError,GetUserPreferredUILanguages,GetLocaleInfoEx,
            Source: C:\Users\user\AppData\Local\29qb\FXSCOVER.exeCode function: GetLocaleInfoW,
            Source: C:\Windows\System32\loaddll64.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion InstallDate
            Source: C:\Windows\System32\loaddll64.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
            Source: C:\Users\user\AppData\Local\lqtTrEDJ\msdt.exeCode function: 18_2_00007FF68F2BA0D0 GetProcessHeap,HeapAlloc,ConvertStringSecurityDescriptorToSecurityDescriptorW,GetLastError,CreateEventW,CreateNamedPipeW,ConnectNamedPipe,GetLastError,GetLastError,GetLastError,GetProcessHeap,HeapFree,LocalFree,
            Source: C:\Users\user\AppData\Local\lqtTrEDJ\msdt.exeCode function: 18_2_00007FF68F2B9BE4 GetSystemTime,
            Source: C:\Users\user\AppData\Local\Ga7Wl\WMPDMC.exeCode function: 24_2_00007FF6A132C718 memset,GetVersionExW,
            Source: C:\Users\user\AppData\Local\lqtTrEDJ\msdt.exeCode function: 18_2_00007FF68F297970 GetProcessHeap,HeapAlloc,GetUserNameExW,GetLastError,SysFreeString,GetProcessHeap,HeapFree,

            Mitre Att&ck Matrix

            Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
            Valid Accounts1 | Native API1 | Valid Accounts1 | Valid Accounts1 | Masquerading1 | OS Credential Dumping | System Time Discovery1 | Remote Services | Screen Capture1 | Exfiltration Over Other Network Medium | Encrypted Channel2 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
            Default Accounts | Exploitation for Client Execution1 | Boot or Logon Initialization Scripts | Exploitation for Privilege Escalation11 | Valid Accounts1 | LSASS Memory | Security Software Discovery21 | Remote Desktop Protocol | Archive Collected Data1 | Exfiltration Over Bluetooth | Junk Data | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
            Domain Accounts | At (Linux) | Logon Script (Windows) | Access Token Manipulation1 | Virtualization/Sandbox Evasion1 | Security Account Manager | Virtualization/Sandbox Evasion1 | SMB/Windows Admin Shares | Clipboard Data1 | Automated Exfiltration | Steganography | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
            Local Accounts | At (Windows) | Logon Script (Mac) | Process Injection313 | Access Token Manipulation1 | NTDS | Process Discovery2 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Protocol Impersonation | SIM Card Swap | | Carrier Billing Fraud
            Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Process Injection313 | LSA Secrets | Application Window Discovery1 | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | | Manipulate App Store Rankings or Ratings
            Replication Through Removable Media | Launchd | Rc.common | Rc.common | Deobfuscate/Decode Files or Information1 | Cached Domain Credentials | Account Discovery1 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | | Abuse Accessibility Features
            External Remote Services | Scheduled Task | Startup Items | Startup Items | Obfuscated Files or Information3 | DCSync | System Owner/User Discovery1 | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | | Data Encrypted for Impact
            Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | Rundll321 | Proc Filesystem | File and Directory Discovery1 | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | | Generate Fraudulent Advertising Revenue
            Exploit Public-Facing Application | PowerShell | At (Linux) | At (Linux) | Software Packing2 | /etc/passwd and /etc/shadow | System Information Discovery35 | Software Deployment Tools | Data Staged | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | Web Protocols | Rogue Cellular Base Station | | Data Destruction
            Supply Chain Compromise | AppleScript | At (Windows) | At (Windows) | Timestomp1 | Network Sniffing | Process Discovery | Taint Shared Content | Local Data Staging | Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol | File Transfer Protocols | | | Data Encrypted for Impact

            Behavior Graph

            Behavior Graph ID: 492879; Sample: 2epPHr8ygJ; Start date: 29/09/2021; Architecture: WINDOWS; Score: 100
            Sample-level signatures: Antivirus detection for dropped file; Antivirus / Scanner detection for submitted sample; Multi AV Scanner detection for submitted file; 3 other signatures
            Process tree recovered from the graph:
            • loaddll64.exe started rundll32.exe (three instances) and cmd.exe; cmd.exe started a further rundll32.exe
            • rundll32.exe injected into explorer.exe (signatures: Changes memory attributes in foreign processes to executable or writable; Uses Atom Bombing / ProGate to inject into other processes; Queues an APC in another process (thread injection))
            • explorer.exe dropped C:\Users\user\AppData\Local\...\UxTheme.dll, C:\Users\user\AppData\Local\...\OLEACC.dll and C:\Users\user\AppData\Local\...\WTSAPI32.dll (all PE32+) plus 13 other files (2 malicious) (signatures: Benign windows process drops PE files; Accesses ntoskrnl, likely to find offsets for exploits), and started CameraSettingsUIHost.exe, FXSCOVER.exe, WMPDMC.exe and 11 other processes

            Antivirus, Machine Learning and Genetic Malware Detection

            Initial Sample

            Source | Detection | Scanner | Label
            2epPHr8ygJ.dll | 63% | Metadefender |
            2epPHr8ygJ.dll | 80% | ReversingLabs | Win64.Infostealer.Dridex
            2epPHr8ygJ.dll | 100% | Avira | HEUR/AGEN.1114452
            2epPHr8ygJ.dll | 100% | Joe Sandbox ML |

            Dropped Files

            Source | Detection | Scanner | Label
            C:\Users\user\AppData\Local\EPV\WTSAPI32.dll | 100% | Avira | TR/Crypt.ZPACK.Gen
            C:\Users\user\AppData\Local\lqtTrEDJ\UxTheme.dll | 100% | Avira | TR/Crypt.ZPACK.Gen
            C:\Users\user\AppData\Local\3AoDbJo\DUI70.dll | 100% | Avira | HEUR/AGEN.1114452
            C:\Users\user\AppData\Local\29qb\MFC42u.dll | 100% | Avira | TR/Crypt.ZPACK.Gen
            C:\Users\user\AppData\Local\Ga7Wl\OLEACC.dll | 100% | Avira | TR/Crypt.ZPACK.Gen
            C:\Users\user\AppData\Local\EPV\WTSAPI32.dll | 100% | Joe Sandbox ML |
            C:\Users\user\AppData\Local\lqtTrEDJ\UxTheme.dll | 100% | Joe Sandbox ML |
            C:\Users\user\AppData\Local\3AoDbJo\DUI70.dll | 100% | Joe Sandbox ML |
            C:\Users\user\AppData\Local\29qb\MFC42u.dll | 100% | Joe Sandbox ML |
            C:\Users\user\AppData\Local\Ga7Wl\OLEACC.dll | 100% | Joe Sandbox ML |
            C:\Users\user\AppData\Local\29qb\FXSCOVER.exe | 0% | ReversingLabs |
            C:\Users\user\AppData\Local\3AoDbJo\CameraSettingsUIHost.exe | 0% | Metadefender |
            C:\Users\user\AppData\Local\3AoDbJo\CameraSettingsUIHost.exe | 0% | ReversingLabs |
            C:\Users\user\AppData\Local\EPV\MDMAppInstaller.exe | 0% | Metadefender |
            C:\Users\user\AppData\Local\EPV\MDMAppInstaller.exe | 0% | ReversingLabs |

            Unpacked PE Files

            Source | Detection | Scanner | Label
            18.2.msdt.exe.140000000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
            3.2.rundll32.exe.140000000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
            7.2.rundll32.exe.140000000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
            24.2.WMPDMC.exe.140000000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
            0.2.loaddll64.exe.140000000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
            9.2.rundll32.exe.140000000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
            33.2.MDMAppInstaller.exe.140000000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
            31.2.CameraSettingsUIHost.exe.140000000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
            27.2.FXSCOVER.exe.140000000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
            2.2.rundll32.exe.140000000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen

            Domains

            No Antivirus matches

            URLs

            No Antivirus matches

            Domains and IPs

            Contacted Domains

            No contacted domains info

            Contacted IPs

            No contacted IP infos

            General Information

            Joe Sandbox Version: 33.0.0 White Diamond
            Analysis ID: 492879
            Start date: 29.09.2021
            Start time: 04:16:18
            Joe Sandbox Product: CloudBasic
            Overall analysis duration: 0h 16m 31s
            Hypervisor based Inspection enabled: false
            Report type: light
            Sample file name: 2epPHr8ygJ (renamed file extension from none to dll)
            Cookbook file name: default.jbs
            Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
            Number of new started processes analysed: 41
            Number of new started drivers analysed: 0
            Number of existing processes analysed: 0
            Number of existing drivers analysed: 0
            Number of injected processes analysed: 0
            Technologies:
            • HCA enabled
            • EGA enabled
            • HDC enabled
            • AMSI enabled
            Analysis Mode: default
            Analysis stop reason: Timeout
            Detection: MAL
            Classification: mal100.troj.expl.evad.winDLL@47/17@0/0
            EGA Information: Failed
            HDC Information:
            • Successful, ratio: 25.3% (good quality ratio 14.2%)
            • Quality average: 42%
            • Quality standard deviation: 42.5%
            HCA Information: Failed
            Cookbook Comments:
            • Adjust boot time
            • Enable AMSI
            • Override analysis time to 240s for rundll32
            Warnings:
            • Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, WMIADAP.exe, backgroundTaskHost.exe, conhost.exe, svchost.exe, wuapihost.exe
            • Excluded IPs from analysis (whitelisted): 20.82.210.154, 23.211.5.146, 23.211.6.115, 20.54.110.249, 40.112.88.60, 173.222.108.226, 173.222.108.210, 80.67.82.235, 80.67.82.211, 20.50.102.62, 52.168.117.173, 204.79.197.200, 13.107.21.200
            • Excluded domains from analysis (whitelisted): storeedgefd.dsx.mp.microsoft.com.edgekey.net.globalredir.akadns.net, onedsblobprdeus16.eastus.cloudapp.azure.com, store-images.s-microsoft.com-c.edgekey.net, iris-de-prod-azsc-neu-b.northeurope.cloudapp.azure.com, a767.dspw65.akamai.net, a1449.dscg2.akamai.net, arc.msn.com, storeedgefd.xbetservices.akadns.net, e12564.dspb.akamaiedge.net, consumer-displaycatalogrp-aks2aks-europe.md.mp.microsoft.com.akadns.net, www-bing-com.dual-a-0001.a-msedge.net, arc.trafficmanager.net, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, watson.telemetry.microsoft.com, storeedgefd.dsx.mp.microsoft.com, www.bing.com, displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, dual-a-0001.a-msedge.net, neu-displaycatalogrp.frontdoor.bigcatalog.commerce.microsoft.com, ris-prod.trafficmanager.net, wu-shim.trafficmanager.net, asf-ris-prod-neu.northeurope.cloudapp.azure.com, ctldl.windowsupdate.com, storeedgefd.dsx.mp.microsoft.com.edgekey.net, iris-de-prod-azsc-uks.uksouth.cloudapp.azure.com, download.windowsupdate.com.edgesuite.net, ris.api.iris.microsoft.com, a-0001.a-afdentry.net.trafficmanager.net, store-images.s-microsoft.com, blobcollector.events.data.trafficmanager.net, e16646.dscg.akamaiedge.net, displaycatalog-rp.md.mp.microsoft.com.akadns.net
            • Not all processes were analyzed; the report is missing behavior information
            • Report creation exceeded maximum time and may have missing behavior and disassembly information.
            • Report size exceeded maximum capacity and may have missing behavior information.
            • Report size exceeded maximum capacity and may have missing disassembly code.
            • Report size getting too big, too many NtAllocateVirtualMemory calls found.
            • Report size getting too big, too many NtEnumerateKey calls found.
            • VT rate limit hit for: /opt/package/joesandbox/database/analysis/492879/sample/2epPHr8ygJ.dll

            Simulations

            Behavior and APIs

            No simulations

            Joe Sandbox View / Context

            IPs

            No context

            Domains

            No context

            ASN

            No context

            JA3 Fingerprints

            No context

            Dropped Files

            No context

            Created / dropped Files

            C:\Users\user\AppData\Local\29qb\FXSCOVER.exe
            Process:C:\Windows\explorer.exe
            File Type:PE32+ executable (GUI) x86-64, for MS Windows
            Category:dropped
            Size (bytes):232960
            Entropy (8bit):5.805361894084464
            Encrypted:false
            SSDEEP:6144:v4J/ihC4Tb5//JfI+QL+ooODUwq306Q/:v4khC4h/qiooT06Q/
            MD5:BEAB16FEFCB7F62BBC135FB87DF7FDF2
            SHA1:EAF18190494496329573CAA3F95CACA6EF0FB6F6
            SHA-256:E3C66F68737611DFD051F1D6EEB371FDE89B129925A85695B9F90CDE3E04BD96
            SHA-512:FF4E756B1D928C97523ADE2B30FAB56219659AA22E7F5D71CB3238A2C39E1C704C6A046C2DC14FA5207CE8E8C75CD7EF5416B36A1452D97D929A5686C75D2C83
            Malicious:false
            Antivirus:
            • Antivirus: ReversingLabs, Detection: 0%
            Reputation:unknown
            C:\Users\user\AppData\Local\29qb\MFC42u.dll
            Process:C:\Windows\explorer.exe
            File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
            Category:dropped
            Size (bytes):2375680
            Entropy (8bit):3.307144052468244
            Encrypted:false
            SSDEEP:12288:cVI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1B:pfP7fWsK5z9A+WGAW+V5SB6Ct4bnbB
            MD5:398142F4F319978D81B066C4B32612FD
            SHA1:5FCECC4283DA8E1E2EB206CEFECC9D13357A7D8F
            SHA-256:CDDB19126576C0D00777D57CA3344C2EBA8CECE763FC2452E809CF5A4364D63B
            SHA-512:D1DFB588830C8B22EC1331F800C106ED478C105B8ABD2AA566F73A6D703967B80F073187538E5D4877EB6E233750516807996F2F35D3663BDB8E7DE31129C63A
            Malicious:true
            Antivirus:
            • Antivirus: Avira, Detection: 100%
            • Antivirus: Joe Sandbox ML, Detection: 100%
            Reputation:unknown
            C:\Users\user\AppData\Local\3AoDbJo\CameraSettingsUIHost.exe
            Process:C:\Windows\explorer.exe
            File Type:PE32+ executable (GUI) x86-64, for MS Windows
            Category:dropped
            Size (bytes):32104
            Entropy (8bit):6.224595599643794
            Encrypted:false
            SSDEEP:768:HYxSW1tZfZjtM2mpgc8WtCpZswKro1PDg:HhAhty8WteuwKrwPDg
            MD5:34F32BC06CDC7AF56607D351B155140D
            SHA1:88EF25BC91BCC908AF743ECA254D6251E5564283
            SHA-256:47238D9ED75D01FD125AC76B500FEEF7F8B27255570AD02D18A4F049B05DF3BD
            SHA-512:D855414779125F4E311ACF4D5EFC8ACA4452323CABD1694798CA90FD5BD76DC70B5D06790A2AE311E7DD19190DCCB134F6EF96AB1B7CF5B8A40AD642B72D5144
            Malicious:false
            Antivirus:
            • Antivirus: Metadefender, Detection: 0%, Browse
            • Antivirus: ReversingLabs, Detection: 0%
            Reputation:unknown
            C:\Users\user\AppData\Local\3AoDbJo\DUI70.dll
            Process:C:\Windows\explorer.exe
            File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
            Category:dropped
            Size (bytes):2633728
            Entropy (8bit):3.8005044128188974
            Encrypted:false
            SSDEEP:12288:9VI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1CU:kfP7fWsK5z9A+WGAW+V5SB6Ct4bnbC
            MD5:A4D0716F7F499CCCF83BA8E0FB29D4E2
            SHA1:CA00387B979B614425C60DF845F9F87AD1EDDBB1
            SHA-256:20A3D3BB83BCE7336E9D31B92299C61E79DFC815B4A3C37DE32B7E1614C1EF0C
            SHA-512:6BF8425A1ED939CE9E5E219A90918941F56BF0F6413020099F936B4827B7AD9BBBDF579CEBB10597B8452142EA8023BC5140D4154E9A609926CD0C5171D3C7C1
            Malicious:true
            Antivirus:
            • Antivirus: Avira, Detection: 100%
            • Antivirus: Joe Sandbox ML, Detection: 100%
            Reputation:unknown
            C:\Users\user\AppData\Local\EPV\MDMAppInstaller.exe
            Process:C:\Windows\explorer.exe
            File Type:PE32+ executable (GUI) x86-64, for MS Windows
            Category:dropped
            Size (bytes):145920
            Entropy (8bit):5.742854541048038
            Encrypted:false
            SSDEEP:3072:SfzsWjBQoVY9ZxvMlkD6F+UoOxsjlpfzX6:SfzsCBhy9dXUo+epfz
            MD5:E2C777B6E3CE4C15C5657429A63787A3
            SHA1:DFFC902982B618201D0DC46B91F1565DC7D04377
            SHA-256:7E02DBE7D9D4CE4DA15AD56123B0B9809F004F5C64917910BB55C8073DAA92B8
            SHA-512:2600F0CAE24C02DC64415E5A305AF7BB5B0CE97D9466F06D40430CFD03CE609A598BA10799E4D4A7EB7B1D95DD674F4E2522FA3767133786ED78FE5D7A2B3B05
            Malicious:false
            Antivirus:
            • Antivirus: Metadefender, Detection: 0%, Browse
            • Antivirus: ReversingLabs, Detection: 0%
            Reputation:unknown
            C:\Users\user\AppData\Local\EPV\WTSAPI32.dll
            Process:C:\Windows\explorer.exe
            File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
            Category:dropped
            Size (bytes):2351104
            Entropy (8bit):3.27294767517255
            Encrypted:false
            SSDEEP:12288:gVI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1:FfP7fWsK5z9A+WGAW+V5SB6Ct4bnb
            MD5:8DB032A6D9DDD2BAA3ED320CEF8C2A08
            SHA1:2A5CCB19D2ADA45A32D72AEFAA414AABB6CF5446
            SHA-256:CB603FEBEACCBAE1DD74906F57812816870BB6C1EE761896196BE34C1F7F6D3E
            SHA-512:6090358986F74FDFD82EC3446108355380877278D260126E5806873387C26D216CEE8EA2975FCD58468F4E10F1699B21129E7503BC90006468C00ACE15EB056B
            Malicious:true
            Antivirus:
            • Antivirus: Avira, Detection: 100%
            • Antivirus: Joe Sandbox ML, Detection: 100%
            Reputation:unknown
            C:\Users\user\AppData\Local\Ga7Wl\OLEACC.dll
            Process:C:\Windows\explorer.exe
            File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
            Category:dropped
            Size (bytes):2351104
            Entropy (8bit):3.2683033173933906
            Encrypted:false
            SSDEEP:12288:DVI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1Y:SfP7fWsK5z9A+WGAW+V5SB6Ct4bnbY
            MD5:982EC567CB31453D1E35B04D8409B52D
            SHA1:D69502DF46D30A78D23E04E137773E62371093A8
            SHA-256:C19021A9DBF344BDDACAE9829C9000721D2D628D18BD1B5026D9871BAACC01C1
            SHA-512:951AE537DF79D2619B34CB16F1D91E8D3B4C0531A24B1F780B9E04FA36A6573290FC599A04D5E3B4AEAECDC7DED6AC847DFBBF10C92A26B5AB9C286870B3B109
            Malicious:true
            Antivirus:
            • Antivirus: Avira, Detection: 100%
            • Antivirus: Joe Sandbox ML, Detection: 100%
            Reputation:unknown
            C:\Users\user\AppData\Local\Ga7Wl\WMPDMC.exe
            Process:C:\Windows\explorer.exe
            File Type:PE32+ executable (GUI) x86-64, for MS Windows
            Category:dropped
            Size (bytes):1517568
            Entropy (8bit):6.62150533612437
            Encrypted:false
            SSDEEP:24576:esSffc55l2PlDph6LYq3BRf6Te8+n3wAJF1/Mk+F6uwY6V0qRr8kmHVJZh/u:cct2PpphUlxRn3wAblMk+F6+6S2r8/Hu
            MD5:4085FDA375E50214142BD740559F5835
            SHA1:22D548F1E0F4832AAEE3D983A156FDABD3021DA4
            SHA-256:93F61516B7FD3CE8F1E97F25B760BDF62AE58CC7714B559FEFC2C75AD1130804
            SHA-512:7712F8E551D475A9D2FF3BED9992A2B3D53AB01F61DCB7313320181F9EB6B5B84558CCA45AE95150267128C8B228F806F869157B7F4961755076DD83F02E3BDF
            Malicious:false
            Reputation:unknown
            C:\Users\user\AppData\Local\YVP8cq\CameraSettingsUIHost.exe
            Process:C:\Windows\explorer.exe
            File Type:PE32+ executable (GUI) x86-64, for MS Windows
            Category:dropped
            Size (bytes):32104
            Entropy (8bit):6.224595599643794
            Encrypted:false
            SSDEEP:768:HYxSW1tZfZjtM2mpgc8WtCpZswKro1PDg:HhAhty8WteuwKrwPDg
            MD5:34F32BC06CDC7AF56607D351B155140D
            SHA1:88EF25BC91BCC908AF743ECA254D6251E5564283
            SHA-256:47238D9ED75D01FD125AC76B500FEEF7F8B27255570AD02D18A4F049B05DF3BD
            SHA-512:D855414779125F4E311ACF4D5EFC8ACA4452323CABD1694798CA90FD5BD76DC70B5D06790A2AE311E7DD19190DCCB134F6EF96AB1B7CF5B8A40AD642B72D5144
            Malicious:false
            Reputation:unknown
            C:\Users\user\AppData\Local\YVP8cq\DUI70.dll
            Process:C:\Windows\explorer.exe
            File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
            Category:dropped
            Size (bytes):2633728
            Entropy (8bit):3.800299841930037
            Encrypted:false
            SSDEEP:12288:pVI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1dxU:IfP7fWsK5z9A+WGAW+V5SB6Ct4bnbX
            MD5:17E828A46EC95B705ACB6C84AB94B185
            SHA1:72EC4302A7294E85E1D9056104EC79707B442D71
            SHA-256:486A5F4F055BDBD3F7BD24EAB732B3FD0442546D7B92465A5390C54B2BDBE5A1
            SHA-512:ABAEDD3967C43F6CD4C28D65781ED9B66F983DE2ECC82B78FA33F6D1F8AFAAB5F0C2E1D0063F90304F9BE59561757C8EA0CB838164CA3F7D9AA9FE90E158B447
            Malicious:false
            Reputation:unknown
            C:\Users\user\AppData\Local\lqtTrEDJ\UxTheme.dll
            Process:C:\Windows\explorer.exe
            File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
            Category:dropped
            Size (bytes):2351104
            Entropy (8bit):3.2750663836012137
            Encrypted:false
            SSDEEP:12288:MVI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1:5fP7fWsK5z9A+WGAW+V5SB6Ct4bnb
            MD5:736A10FD3C6CE99CFBF1C6ABBD831EC0
            SHA1:14DDC140087E71EA3D09E0D7BBA3D28CDD3A84C9
            SHA-256:C2B9B1D0F44BAB227E9A96EF8FB2C274EBE4952C1684F78E829E6569A591E8E0
            SHA-512:18B9C044A61CF7D52F503056B2EEF7F9EEB15C781319247C11E8E5049D5BAA8B5940AE3115B8220C32741CF3DA9018EC3343E12D0F1A4BB05822313DC3E05F2B
            Malicious:true
            Antivirus:
            • Antivirus: Avira, Detection: 100%
            • Antivirus: Joe Sandbox ML, Detection: 100%
            Reputation:unknown
            C:\Users\user\AppData\Local\lqtTrEDJ\msdt.exe
            Process:C:\Windows\explorer.exe
            File Type:PE32+ executable (GUI) x86-64, for MS Windows
            Category:dropped
            Size (bytes):1560576
            Entropy (8bit):6.10038070749878
            Encrypted:false
            SSDEEP:24576:tnPfp054tZwxDl6XH4qvIReK1odddGdBnyE0k26kVZnBm:VC4tAqNK7utRB
            MD5:8BE43BAF1F37DA5AB31A53CA1C07EE0C
            SHA1:F2C9EB38775B91C4DE45AA25CDDDB86F5F056BF5
            SHA-256:BD59B4362F8590C5009B28830FF11B339B37FF142FB873204368905A9C843A08
            SHA-512:B30BDD7C3B71D58140F642196D5E44ED4C8B11A35DB65D37414C49F7FE64DD0C63DDEE4A0FDF5E75BB0BEB69FE0AA1D609C252F05D5661E7DCD4B6A4274151C7
            Malicious:false
            Reputation:unknown
            C:\Users\user\AppData\Local\n7Is\SnippingTool.exe
            Process:C:\Windows\explorer.exe
            File Type:PE32+ executable (GUI) x86-64, for MS Windows
            Category:dropped
            Size (bytes):3292160
            Entropy (8bit):4.311007815185121
            Encrypted:false
            SSDEEP:24576:+oNva52v20/OB1b1v+YMTvlcZbbAbn3ItpG:VNtv20/OB1hXulc10L4tp
            MD5:9012F9C6AC7F3F99ECDD37E24C9AC3BB
            SHA1:7B8268C1B847301C0B5372C2A76CCE326C74991E
            SHA-256:4E30A8C88C755944145F2BC6C935EE5107C56832772F2561229E20CEAB1D10D2
            SHA-512:B76D2BE02A22990E224DBC5AED9E5B701EAC52C1376529DE3E90B084CD6860B88D746CD61093E93FC932E12FBAF45B4CA342CC0D9C9DAE4EAFE05921D83A7397
            Malicious:false
            Reputation:unknown
            C:\Users\user\AppData\Local\n7Is\UxTheme.dll
            Process:C:\Windows\explorer.exe
            File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
            Category:dropped
            Size (bytes):2351104
            Entropy (8bit):3.2750673255668703
            Encrypted:false
            SSDEEP:12288:6VI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1:nfP7fWsK5z9A+WGAW+V5SB6Ct4bnb
            MD5:C401C2CF9605DA0077E39E9FD982AAB2
            SHA1:41591B2FECD88829322510FCBE2FF086DEAF2152
            SHA-256:ACF6D1FFB4192FB21AB2BB66F3A4B308D663C50A9DF0C6DD7E3AB85CB1D6AAC4
            SHA-512:58D1A313B0E465FA0E8AF80A52F5E889234DAC96CDE712AFEF2AD72EE66A88B9D682E6D59F86F05048ECB02C77DFF7E97A24A28C5692E823D14617992B3DA11A
            Malicious:false
            Reputation:unknown
            C:\Users\user\AppData\Local\p1G0zp\MDMAppInstaller.exe
            Process:C:\Windows\explorer.exe
            File Type:PE32+ executable (GUI) x86-64, for MS Windows
            Category:dropped
            Size (bytes):145920
            Entropy (8bit):5.742854541048038
            Encrypted:false
            SSDEEP:3072:SfzsWjBQoVY9ZxvMlkD6F+UoOxsjlpfzX6:SfzsCBhy9dXUo+epfz
            MD5:E2C777B6E3CE4C15C5657429A63787A3
            SHA1:DFFC902982B618201D0DC46B91F1565DC7D04377
            SHA-256:7E02DBE7D9D4CE4DA15AD56123B0B9809F004F5C64917910BB55C8073DAA92B8
            SHA-512:2600F0CAE24C02DC64415E5A305AF7BB5B0CE97D9466F06D40430CFD03CE609A598BA10799E4D4A7EB7B1D95DD674F4E2522FA3767133786ED78FE5D7A2B3B05
            Malicious:false
            Reputation:unknown
            C:\Users\user\AppData\Local\p1G0zp\WTSAPI32.dll
            Process:C:\Windows\explorer.exe
            File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
            Category:dropped
            Size (bytes):2351104
            Entropy (8bit):3.2729222229531643
            Encrypted:false
            SSDEEP:12288:+VI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1:jfP7fWsK5z9A+WGAW+V5SB6Ct4bnb
            MD5:1DCCF5FE0D84A190E5BF899F8A7B9756
            SHA1:57D56E0B17572DB5567A024D8CB98262274D1A78
            SHA-256:8FD2ECE82FD5D6F8C7A30750244B6D807EE6F9070041C9AACC23744F91CC4D82
            SHA-512:D2E4ED5961F911C1820D06627EEFDA63405B12778BBDBACB513701BDEEB65174C6C01B16D61545BA41DD77E1103DD3DF722F77527506211ECA4A05CD531403A5
            Malicious:false
            Reputation:unknown
            C:\Users\user\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-3853321935-2125563209-4053062332-1002\414045e2d09286d5db2581e0d955d358_d06ed635-68f6-4e9a-955c-4899f5f57b9a
            Process:C:\Windows\explorer.exe
            File Type:data
            Category:dropped
            Size (bytes):4442
            Entropy (8bit):5.472108940713795
            Encrypted:false
            SSDEEP:48:FvsFUX4yDNOP9rabqEYMlyArpk4Bg+V0vsFUS7lpYic2GgRyH55/ih3JG:FvsFLyROVWbyoq4aq0vsF/YiVMZ5//
            MD5:D00E62BE1032486720C1432BA5ACB4A0
            SHA1:380D71B17E1B328A1A78D0A19611FD83FC828209
            SHA-256:DF84CB1D13B859AE2B0E609DB35D9323906348008DAB0EFB2189ED8EE092796F
            SHA-512:0CC14D07D7683706545CFCA3D5912B0AA8528EB26B227BD727A9F028F791EAF0E664C774F3A455D7D1D8283AD9788458AF18219DE7FF848907D1C4BC3B4658D1
            Malicious:false
            Reputation:unknown

            Static File Info

            General

            File type:PE32+ executable (DLL) (console) x86-64, for MS Windows
            Entropy (8bit):3.2709448630625264
            TrID:
            • Win64 Dynamic Link Library (generic) (102004/3) 86.43%
            • Win64 Executable (generic) (12005/4) 10.17%
            • Generic Win/DOS Executable (2004/3) 1.70%
            • DOS Executable Generic (2002/1) 1.70%
            • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.01%
            File name:2epPHr8ygJ.dll
            File size:2347008
            MD5:31058530a762dc9f9bb34d28203f5314
            SHA1:28c5d0fc080868ebb37050a565796f19a48eee87
            SHA256:2f8c8a12a31d244689c70b428031eb90f3b791323ab6dfa45e2a3d5921877991
            SHA512:25d0a92ea515cd45e6a9dac030e39a30e72a64cf7eb6473daa35ad7cf5bc9db272c7511bd2675907091a8f06993d15511c9d13bf1d60edbf221629c235e57282
            SSDEEP:12288:xVI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1:AfP7fWsK5z9A+WGAW+V5SB6Ct4bnb

            File Icon

            Icon Hash:74f0e4ecccdce0e4

            Static PE Info

            General

            Entrypoint:0x140041070
            Entrypoint Section:.text
            Digitally signed:false
            Imagebase:0x140000000
            Subsystem:windows cui
            Image File Characteristics:EXECUTABLE_IMAGE, DLL, LARGE_ADDRESS_AWARE
            DLL Characteristics:TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA
            Time Stamp:0x5E4E44CC [Thu Feb 20 08:35:24 2020 UTC]
            TLS Callbacks:
            CLR (.Net) Version:
            OS Version Major:5
            OS Version Minor:0
            File Version Major:5
            File Version Minor:0
            Subsystem Version Major:5
            Subsystem Version Minor:0
            Import Hash:6668be91e2c948b183827f040944057f

            Entrypoint Preview

            Instruction
            dec eax
            xor eax, eax
            dec eax
            add eax, 5Ah
            dec eax
            mov dword ptr [00073D82h], ecx
            dec eax
            lea ecx, dword ptr [FFFFECABh]
            dec eax
            mov dword ptr [00073D7Ch], edx
            dec eax
            add eax, ecx
            dec esp
            mov dword ptr [00073D92h], ecx
            dec esp
            mov dword ptr [00073DA3h], ebp
            dec esp
            mov dword ptr [00073D7Ch], eax
            dec esp
            mov dword ptr [00073D85h], edi
            dec esp
            mov dword ptr [00073D86h], esi
            dec esp
            mov dword ptr [00073D8Fh], esp
            dec eax
            mov ecx, eax
            dec eax
            sub ecx, 5Ah
            dec eax
            mov dword ptr [00073D89h], esi
            dec eax
            test eax, eax
            je 00007F439494D61Fh
            dec eax
            mov dword ptr [00073D45h], esp
            dec eax
            mov dword ptr [00073D36h], ebp
            dec eax
            mov dword ptr [00073D7Fh], ebx
            dec eax
            mov dword ptr [00073D70h], edi
            dec eax
            test eax, eax
            je 00007F439494D5FEh
            jmp ecx
            dec eax
            add edi, ecx
            dec eax
            mov dword ptr [FFFFEC37h], ecx
            dec eax
            xor ecx, eax
            jmp ecx
            retn 0008h
            ud2
            int3
            int3
            int3
            int3
            int3
            int3
            int3
            int3
            int3
            int3
            int3
            int3
            int3
            push ebx
            dec eax
            sub esp, 00000080h
            mov eax, F957B016h
            mov byte ptr [esp+7Fh], 00000037h
            mov edx, dword ptr [esp+78h]
            inc ecx
            mov eax, edx
            inc ecx
            or eax, 5D262B0Ch
            inc esp
            mov dword ptr [esp+78h], eax
            dec eax
            mov dword ptr [eax+eax+00h], 00000000h

            Rich Headers

            Programming Language:
            • [LNK] VS2012 UPD4 build 61030
            • [ASM] VS2013 UPD2 build 30501
            • [ C ] VS2012 UPD2 build 60315
            • [C++] VS2013 UPD4 build 31101
            • [RES] VS2012 UPD3 build 60610
            • [LNK] VS2017 v15.5.4 build 25834
            • [ C ] VS2017 v15.5.4 build 25834
            • [ASM] VS2010 build 30319
            • [EXP] VS2015 UPD1 build 23506
            • [IMP] VS2008 SP1 build 30729
            • [RES] VS2012 UPD4 build 61030
            • [LNK] VS2012 UPD2 build 60315
            • [C++] VS2015 UPD1 build 23506
            • [ C ] VS2013 UPD4 build 31101

            Data Directories

            Name | Virtual Address | Virtual Size | Is in Section
            IMAGE_DIRECTORY_ENTRY_EXPORT | 0x23c010 | 0x12e | .arp
            IMAGE_DIRECTORY_ENTRY_IMPORT | 0xa6390 | 0xa0 | .rdata
            IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xc0000 | 0x468 | .rsrc
            IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
            IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
            IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xc1000 | 0x2324 | .reloc
            IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
            IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
            IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
            IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
            IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
            IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
            IMAGE_DIRECTORY_ENTRY_IAT | 0x42000 | 0xc0 | .rdata
            IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
            IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
            IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

            Sections

            Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
            .text | 0x1000 | 0x40796 | 0x41000 | False | 0.776085486779 | data | 7.73364605679 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
            .rdata | 0x42000 | 0x64fd0 | 0x65000 | False | 0.702390160891 | data | 7.86574512659 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
            .data | 0xa7000 | 0x178b8 | 0x18000 | False | 0.0694580078125 | data | 3.31515306295 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
            .pdata | 0xbf000 | 0x12c | 0x1000 | False | 0.06005859375 | PEX Binary Archive | 0.581723022719 | IMAGE_SCN_TYPE_DSECT, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
            .rsrc | 0xc0000 | 0x880 | 0x1000 | False | 0.139892578125 | data | 1.23838501563 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
            .reloc | 0xc1000 | 0x2324 | 0x3000 | False | 0.0498046875 | data | 4.65321444248 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
            .qkm | 0xc4000 | 0x74a | 0x1000 | False | 0.00634765625 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
            .cvjb | 0xc5000 | 0x1e66 | 0x2000 | False | 0.0037841796875 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
            .tlmkv | 0xc7000 | 0xbde | 0x1000 | False | 0.00634765625 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
            .wucsxe | 0xc8000 | 0x45174 | 0x46000 | False | 0.0010498046875 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
            .fltwtj | 0x10e000 | 0x1267 | 0x2000 | False | 0.0037841796875 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
            .sfplio | 0x110000 | 0x736 | 0x1000 | False | 0.00634765625 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
            .rpg | 0x111000 | 0x45174 | 0x46000 | False | 0.0010498046875 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
            .bewzc | 0x157000 | 0x1124 | 0x2000 | False | 0.0037841796875 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
            .vksvaw | 0x159000 | 0x736 | 0x1000 | False | 0.00634765625 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
            .wmhg | 0x15a000 | 0x1278 | 0x2000 | False | 0.0037841796875 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
            .kswemc | 0x15c000 | 0x36d | 0x1000 | False | 0.00634765625 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
            .kaxfk | 0x15d000 | 0x197d | 0x2000 | False | 0.0037841796875 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
            .wualk | 0x15f000 | 0xbde | 0x1000 | False | 0.00634765625 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
            .qdxz | 0x160000 | 0xbde | 0x1000 | False | 0.00634765625 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
            .rkyg | 0x161000 | 0x1af | 0x1000 | False | 0.00634765625 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
            .psul | 0x162000 | 0x1af | 0x1000 | False | 0.00634765625 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
            .pyjm | 0x163000 | 0x1f7 | 0x1000 | False | 0.00634765625 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
            .eoadme | 0x164000 | 0x7fd | 0x1000 | False | 0.00634765625 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
            .fnz | 0x165000 | 0x389 | 0x1000 | False | 0.00634765625 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
            .gwheg | 0x166000 | 0x45174 | 0x46000 | False | 0.0010498046875 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
            .fcd | 0x1ac000 | 0x322 | 0x1000 | False | 0.00634765625 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
            .dwk | 0x1ad000 | 0x9cd | 0x1000 | False | 0.00634765625 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
            .hgy | 0x1ae000 | 0xae7 | 0x1000 | False | 0.00634765625 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
            .nfm | 0x1af000 | 0x46e | 0x1000 | False | 0.00634765625 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
            .qmfqd | 0x1b0000 | 0xd57 | 0x1000 | False | 0.00634765625 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
            .buzyfh | 0x1b1000 | 0xbde | 0x1000 | False | 0.00634765625 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
            .piwc | 0x1b2000 | 0x13e | 0x1000 | False | 0.00634765625 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
            .nnrqzz | 0x1b3000 | 0x33731 | 0x34000 | False | 0.0010751577524 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
            .hycwe | 0x1e7000 | 0x389 | 0x1000 | False | 0.00634765625 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
            .unt | 0x1e8000 | 0xf9 | 0x1000 | False | 0.00634765625 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
            .hoj0x1e90000x1030x1000False0.00634765625data0.0IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
            .xufjr0x1ea0000xbde0x1000False0.00634765625data0.0IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
            .ukllwd0x1eb0000x23b0x1000False0.00634765625data0.0IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
            .dmpewo0x1ec0000x5430x1000False0.00634765625data0.0IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
            .kerz0x1ed0000x7360x1000False0.00634765625data0.0IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
            .skdwx0x1ee0000x8960x1000False0.00634765625data0.0IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
            .diq0x1ef0000x197d0x2000False0.0037841796875data0.0IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
            .cbuheu0x1f10000x13e0x1000False0.00634765625data0.0IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
            .hwca0x1f20000x451740x46000False0.0010498046875data0.0IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
            .mkabuo0x2380000x23b0x1000False0.00634765625data0.0IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
            .vstkx0x2390000x23b0x1000False0.00634765625data0.0IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
            .zpzkgm0x23a0000x13e0x1000False0.00634765625data0.0IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
            .qkdzqp0x23b0000x21b0x1000False0.00634765625data0.0IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
            .arp0x23c0000x13e0x1000False0.046142578125data0.648489048708IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

            Resources

            Name | RVA | Size | Type | Language | Country
            RT_VERSION | 0xc00a0 | 0x370 | data | English | United States
            RT_MANIFEST | 0xc0410 | 0x56 | ASCII text, with CRLF line terminators | English | United States

            Imports

            DLL | Import
            USER32.dll | LookupIconIdFromDirectoryEx, WaitForInputIdle, GetParent, GetFocus
            SETUPAPI.dll | CM_Get_Resource_Conflict_DetailsW
            KERNEL32.dll | DeleteCriticalSection, DeleteTimerQueue, TerminateJobObject, GetFileInformationByHandle, GetThreadLocale, GetNamedPipeServerProcessId, GetConsoleFontSize
            GDI32.dll | CreateBitmapIndirect, GetPolyFillMode
            CRYPT32.dll | CertGetCTLContextProperty
            ADVAPI32.dll | AddAccessDeniedObjectAce
            SHLWAPI.dll | ChrCmpIW

            Exports

            Name | Ordinal | Address
            CreateXmlReader | 1 | 0x140008798
            CreateXmlReaderInputWithEncodingCodePage | 2 | 0x140020784
            CreateXmlReaderInputWithEncodingName | 3 | 0x14002bc1c
            CreateXmlWriter | 4 | 0x140029708
            CreateXmlWriterOutputWithEncodingCodePage | 5 | 0x14001c9ec
            CreateXmlWriterOutputWithEncodingName | 6 | 0x14003a458

            Version Infos

            Description | Data
            LegalCopyright | Microsoft Corporation. All rights reserv
            InternalName | bitsp
            FileVersion | 7.5.7600.16385 (win7_rtm.090713-
            CompanyName | Microsoft Corporati
            ProductName | Microsoft Windows Operating S
            ProductVersion | 6.1.7600
            FileDescription | Background Intellig
            OriginalFilename | kbdy
            Translation | 0x0409 0x04b0

            Possible Origin

            Language of compilation system | Country where language is spoken
            English | United States

            Network Behavior

            Network Port Distribution

            UDP Packets


            Code Manipulations

            Statistics

            Behavior

            System Behavior

            General

            Start time:04:17:15
            Start date:29/09/2021
            Path:C:\Windows\System32\loaddll64.exe
            Wow64 process (32bit):false
            Commandline:loaddll64.exe 'C:\Users\user\Desktop\2epPHr8ygJ.dll'
            Imagebase:0x7ff7904b0000
            File size:1136128 bytes
            MD5 hash:E0CC9D126C39A9D2FA1CAD5027EBBD18
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language
            Yara matches:
            • Rule: JoeSecurity_Dridex_2, Description: Yara detected Dridex unpacked file, Source: 00000000.00000002.315620644.0000000140001000.00000020.00020000.sdmp, Author: Joe Security
            Reputation:moderate

            General

            Start time:04:17:15
            Start date:29/09/2021
            Path:C:\Windows\System32\cmd.exe
            Wow64 process (32bit):false
            Commandline:cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\2epPHr8ygJ.dll',#1
            Imagebase:0x7ff6da2c0000
            File size:273920 bytes
            MD5 hash:4E2ACF4F8A396486AB4268C94A6A245F
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language
            Reputation:high

            General

            Start time:04:17:16
            Start date:29/09/2021
            Path:C:\Windows\System32\rundll32.exe
            Wow64 process (32bit):false
            Commandline:rundll32.exe C:\Users\user\Desktop\2epPHr8ygJ.dll,CreateXmlReader
            Imagebase:0x7ff755610000
            File size:69632 bytes
            MD5 hash:73C519F050C20580F8A62C849D49215A
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language
            Yara matches:
            • Rule: JoeSecurity_Dridex_2, Description: Yara detected Dridex unpacked file, Source: 00000002.00000002.394275962.0000000140001000.00000020.00020000.sdmp, Author: Joe Security
            Reputation:high

            General

            Start time:04:17:16
            Start date:29/09/2021
            Path:C:\Windows\System32\rundll32.exe
            Wow64 process (32bit):false
            Commandline:rundll32.exe 'C:\Users\user\Desktop\2epPHr8ygJ.dll',#1
            Imagebase:0x7ff755610000
            File size:69632 bytes
            MD5 hash:73C519F050C20580F8A62C849D49215A
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language
            Yara matches:
            • Rule: JoeSecurity_Dridex_2, Description: Yara detected Dridex unpacked file, Source: 00000003.00000002.294861665.0000000140001000.00000020.00020000.sdmp, Author: Joe Security
            Reputation:high

            General

            Start time:04:17:17
            Start date:29/09/2021
            Path:C:\Windows\explorer.exe
            Wow64 process (32bit):false
            Commandline:C:\Windows\Explorer.EXE
            Imagebase:0x7ff720ea0000
            File size:3933184 bytes
            MD5 hash:AD5296B280E8F522A8A897C96BAB0E1D
            Has elevated privileges:false
            Has administrator privileges:false
            Programmed in:C, C++ or other language
            Reputation:high

            General

            Start time:04:17:19
            Start date:29/09/2021
            Path:C:\Windows\System32\rundll32.exe
            Wow64 process (32bit):false
            Commandline:rundll32.exe C:\Users\user\Desktop\2epPHr8ygJ.dll,CreateXmlReaderInputWithEncodingCodePage
            Imagebase:0x7ff755610000
            File size:69632 bytes
            MD5 hash:73C519F050C20580F8A62C849D49215A
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language
            Yara matches:
            • Rule: JoeSecurity_Dridex_2, Description: Yara detected Dridex unpacked file, Source: 00000007.00000002.301872328.0000000140001000.00000020.00020000.sdmp, Author: Joe Security
            Reputation:high

            General

            Start time:04:17:23
            Start date:29/09/2021
            Path:C:\Windows\System32\rundll32.exe
            Wow64 process (32bit):false
            Commandline:rundll32.exe C:\Users\user\Desktop\2epPHr8ygJ.dll,CreateXmlReaderInputWithEncodingName
            Imagebase:0x7ff755610000
            File size:69632 bytes
            MD5 hash:73C519F050C20580F8A62C849D49215A
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language
            Yara matches:
            • Rule: JoeSecurity_Dridex_2, Description: Yara detected Dridex unpacked file, Source: 00000009.00000002.309477044.0000000140001000.00000020.00020000.sdmp, Author: Joe Security
            Reputation:high

            General

            Start time:04:18:05
            Start date:29/09/2021
            Path:C:\Windows\System32\msdt.exe
            Wow64 process (32bit):false
            Commandline:C:\Windows\system32\msdt.exe
            Imagebase:0x7ff783610000
            File size:1560576 bytes
            MD5 hash:8BE43BAF1F37DA5AB31A53CA1C07EE0C
            Has elevated privileges:false
            Has administrator privileges:false
            Programmed in:C, C++ or other language
            Reputation:moderate

            General

            Start time:04:18:07
            Start date:29/09/2021
            Path:C:\Users\user\AppData\Local\lqtTrEDJ\msdt.exe
            Wow64 process (32bit):false
            Commandline:C:\Users\user\AppData\Local\lqtTrEDJ\msdt.exe
            Imagebase:0x7ff68f290000
            File size:1560576 bytes
            MD5 hash:8BE43BAF1F37DA5AB31A53CA1C07EE0C
            Has elevated privileges:false
            Has administrator privileges:false
            Programmed in:C, C++ or other language
            Yara matches:
            • Rule: JoeSecurity_Dridex_2, Description: Yara detected Dridex unpacked file, Source: 00000012.00000002.423955889.0000000140001000.00000020.00020000.sdmp, Author: Joe Security

            General

            Start time:04:18:18
            Start date:29/09/2021
            Path:C:\Windows\System32\WMPDMC.exe
            Wow64 process (32bit):false
            Commandline:C:\Windows\system32\WMPDMC.exe
            Imagebase:0x7ff7ccb30000
            File size:1517568 bytes
            MD5 hash:4085FDA375E50214142BD740559F5835
            Has elevated privileges:false
            Has administrator privileges:false
            Programmed in:C, C++ or other language

            General

            Start time:04:18:19
            Start date:29/09/2021
            Path:C:\Users\user\AppData\Local\Ga7Wl\WMPDMC.exe
            Wow64 process (32bit):false
            Commandline:C:\Users\user\AppData\Local\Ga7Wl\WMPDMC.exe
            Imagebase:0x7ff6a1300000
            File size:1517568 bytes
            MD5 hash:4085FDA375E50214142BD740559F5835
            Has elevated privileges:false
            Has administrator privileges:false
            Programmed in:C, C++ or other language
            Yara matches:
            • Rule: JoeSecurity_Dridex_2, Description: Yara detected Dridex unpacked file, Source: 00000018.00000002.451585055.0000000140001000.00000020.00020000.sdmp, Author: Joe Security

            General

            Start time:04:18:31
            Start date:29/09/2021
            Path:C:\Windows\System32\FXSCOVER.exe
            Wow64 process (32bit):false
            Commandline:C:\Windows\system32\FXSCOVER.exe
            Imagebase:0x7ff7d1710000
            File size:232960 bytes
            MD5 hash:BEAB16FEFCB7F62BBC135FB87DF7FDF2
            Has elevated privileges:false
            Has administrator privileges:false
            Programmed in:C, C++ or other language

            General

            Start time:04:18:37
            Start date:29/09/2021
            Path:C:\Users\user\AppData\Local\29qb\FXSCOVER.exe
            Wow64 process (32bit):false
            Commandline:C:\Users\user\AppData\Local\29qb\FXSCOVER.exe
            Imagebase:0x7ff74c9b0000
            File size:232960 bytes
            MD5 hash:BEAB16FEFCB7F62BBC135FB87DF7FDF2
            Has elevated privileges:false
            Has administrator privileges:false
            Programmed in:C, C++ or other language
            Yara matches:
            • Rule: JoeSecurity_Dridex_2, Description: Yara detected Dridex unpacked file, Source: 0000001B.00000002.489814069.0000000140001000.00000020.00020000.sdmp, Author: Joe Security
            Antivirus matches:
            • Detection: 0%, ReversingLabs

            General

            Start time:04:18:49
            Start date:29/09/2021
            Path:C:\Windows\System32\SystemPropertiesAdvanced.exe
            Wow64 process (32bit):false
            Commandline:C:\Windows\system32\SystemPropertiesAdvanced.exe
            Imagebase:0x7ff755020000
            File size:83968 bytes
            MD5 hash:82ED6250B9AA030DDC13DC075D2C16E3
            Has elevated privileges:false
            Has administrator privileges:false
            Programmed in:C, C++ or other language

            General

            Start time:04:18:50
            Start date:29/09/2021
            Path:C:\Windows\System32\CameraSettingsUIHost.exe
            Wow64 process (32bit):false
            Commandline:C:\Windows\system32\CameraSettingsUIHost.exe
            Imagebase:0x7ff716360000
            File size:32104 bytes
            MD5 hash:34F32BC06CDC7AF56607D351B155140D
            Has elevated privileges:false
            Has administrator privileges:false
            Programmed in:C, C++ or other language

            General

            Start time:04:18:54
            Start date:29/09/2021
            Path:C:\Users\user\AppData\Local\YVP8cq\CameraSettingsUIHost.exe
            Wow64 process (32bit):false
            Commandline:C:\Users\user\AppData\Local\YVP8cq\CameraSettingsUIHost.exe
            Imagebase:0x7ff7eac30000
            File size:32104 bytes
            MD5 hash:34F32BC06CDC7AF56607D351B155140D
            Has elevated privileges:false
            Has administrator privileges:false
            Programmed in:C, C++ or other language
            Yara matches:
            • Rule: JoeSecurity_Dridex_2, Description: Yara detected Dridex unpacked file, Source: 0000001F.00000002.526607967.0000000140001000.00000020.00020000.sdmp, Author: Joe Security

            General

            Start time:04:19:07
            Start date:29/09/2021
            Path:C:\Windows\System32\MDMAppInstaller.exe
            Wow64 process (32bit):false
            Commandline:C:\Windows\system32\MDMAppInstaller.exe
            Imagebase:0x7ff772c80000
            File size:145920 bytes
            MD5 hash:E2C777B6E3CE4C15C5657429A63787A3
            Has elevated privileges:false
            Has administrator privileges:false
            Programmed in:C, C++ or other language

            General

            Start time:04:19:08
            Start date:29/09/2021
            Path:C:\Users\user\AppData\Local\p1G0zp\MDMAppInstaller.exe
            Wow64 process (32bit):false
            Commandline:C:\Users\user\AppData\Local\p1G0zp\MDMAppInstaller.exe
            Imagebase:0x7ff729440000
            File size:145920 bytes
            MD5 hash:E2C777B6E3CE4C15C5657429A63787A3
            Has elevated privileges:false
            Has administrator privileges:false
            Programmed in:C, C++ or other language
            Yara matches:
            • Rule: JoeSecurity_Dridex_2, Description: Yara detected Dridex unpacked file, Source: 00000021.00000002.555412391.0000000140001000.00000020.00020000.sdmp, Author: Joe Security

            General

            Start time:04:19:20
            Start date:29/09/2021
            Path:C:\Windows\System32\SystemPropertiesComputerName.exe
            Wow64 process (32bit):false
            Commandline:C:\Windows\system32\SystemPropertiesComputerName.exe
            Imagebase:0x7ff6ea710000
            File size:83968 bytes
            MD5 hash:BEE134E1F23AFD3AE58191D265BB9070
            Has elevated privileges:false
            Has administrator privileges:false
            Programmed in:C, C++ or other language

            General

            Start time:04:19:21
            Start date:29/09/2021
            Path:C:\Windows\System32\eudcedit.exe
            Wow64 process (32bit):false
            Commandline:C:\Windows\system32\eudcedit.exe
            Imagebase:0x7ff77e6d0000
            File size:353280 bytes
            MD5 hash:0ED10F2F98B80FF9F95EED2B04CFA076
            Has elevated privileges:false
            Has administrator privileges:false
            Programmed in:C, C++ or other language

            General

            Start time:04:19:21
            Start date:29/09/2021
            Path:C:\Windows\System32\CameraSettingsUIHost.exe
            Wow64 process (32bit):false
            Commandline:C:\Windows\system32\CameraSettingsUIHost.exe
            Imagebase:0x7ff716360000
            File size:32104 bytes
            MD5 hash:34F32BC06CDC7AF56607D351B155140D
            Has elevated privileges:false
            Has administrator privileges:false
            Programmed in:C, C++ or other language

            Disassembly

            Code Analysis