
Windows Analysis Report
dry.dll

Overview

General Information

Sample Name: dry.dll
Analysis ID: 575240
MD5: 4bec705de3584b911018c84f31659a17
SHA1: b29ff37578ef950b702ec5db59161294c2e1a7b3
SHA256: 13aa6bed5b3a656b9c86cc2d397f765779f4a7dff49f73d58bd97e11423e0635
Tags: dll, dridex, exe

Detection

Dridex
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Yara detected Dridex unpacked file
Multi AV Scanner detection for submitted file
Benign windows process drops PE files
Malicious sample detected (through community Yara rule)
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Changes memory attributes in foreign processes to executable or writable
Machine Learning detection for sample
Queues an APC in another process (thread injection)
Contains functionality to inject code into remote processes
Sigma detected: Suspicious Call by Ordinal
Machine Learning detection for dropped file
Uses Atom Bombing / ProGate to inject into other processes
PE file contains section with special chars
Uses Windows Living Off The Land Binaries (LOLBins)
Queries the volume information (name, serial number, etc.) of a device
Yara signature match
One or more processes crash
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query locales information (e.g. system language)
Uses code obfuscation techniques (call, push, ret)
Contains functionality to execute programs as a different user
PE file contains sections with non-standard names
Queries the installation date of Windows
Detected potential crypto function
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to check if a debugger is running (OutputDebugString, GetLastError)
Contains functionality to call native functions
Contains functionality to communicate with device drivers
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Sample file name differs from the original file name gathered from version info
PE file contains strange resources
Drops PE files
Found evasive API chain checking for process token information
Binary contains a suspicious time stamp
PE file contains more sections than normal
Found large amount of non-executed APIs
Uses Microsoft's Enhanced Cryptographic Provider
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

  • System is w10x64
  • loaddll64.exe (PID: 6572 cmdline: loaddll64.exe "C:\Users\user\Desktop\dry.dll" MD5: 4E8A40CAD6CCC047914E3A7830A2D8AA)
    • cmd.exe (PID: 6612 cmdline: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\dry.dll",#1 MD5: 4E2ACF4F8A396486AB4268C94A6A245F)
      • rundll32.exe (PID: 4484 cmdline: rundll32.exe "C:\Users\user\Desktop\dry.dll",#1 MD5: 73C519F050C20580F8A62C849D49215A)
    • rundll32.exe (PID: 5792 cmdline: rundll32.exe C:\Users\user\Desktop\dry.dll,CreateXmlReader MD5: 73C519F050C20580F8A62C849D49215A)
      • explorer.exe (PID: 3352 cmdline: C:\Windows\Explorer.EXE MD5: AD5296B280E8F522A8A897C96BAB0E1D)
        • consent.exe (PID: 4904 cmdline: C:\Windows\system32\consent.exe MD5: 74D31E4F51873160D91B1F80E0C472D0)
        • consent.exe (PID: 3576 cmdline: C:\Users\user\AppData\Local\DLKXiO\consent.exe MD5: 74D31E4F51873160D91B1F80E0C472D0)
        • SysResetErr.exe (PID: 4676 cmdline: C:\Windows\system32\SysResetErr.exe MD5: 6A3F2F3C36FE45A87E3BFA80B6D92E07)
        • SysResetErr.exe (PID: 2064 cmdline: C:\Users\user\AppData\Local\s8hTTPzEx\SysResetErr.exe MD5: 6A3F2F3C36FE45A87E3BFA80B6D92E07)
        • consent.exe (PID: 6440 cmdline: C:\Windows\system32\consent.exe MD5: 74D31E4F51873160D91B1F80E0C472D0)
        • consent.exe (PID: 4740 cmdline: C:\Users\user\AppData\Local\dfAZPUGwQ\consent.exe MD5: 74D31E4F51873160D91B1F80E0C472D0)
        • rdpshell.exe (PID: 6520 cmdline: C:\Windows\system32\rdpshell.exe MD5: 4994A0ADA359924026FE631E54FC7A5D)
        • cmstp.exe (PID: 4628 cmdline: C:\Windows\system32\cmstp.exe MD5: 2A9828E0C405422D166E0141054A04B3)
        • cmstp.exe (PID: 6000 cmdline: C:\Users\user\AppData\Local\y1c6p\cmstp.exe MD5: 2A9828E0C405422D166E0141054A04B3)
        • DWWIN.EXE (PID: 5392 cmdline: C:\Windows\system32\DWWIN.EXE MD5: 3C21F944D5FF44E45BC753919F6AE445)
        • DWWIN.EXE (PID: 4336 cmdline: C:\Users\user\AppData\Local\oudoiG\DWWIN.EXE MD5: 3C21F944D5FF44E45BC753919F6AE445)
        • sppsvc.exe (PID: 5788 cmdline: C:\Windows\system32\sppsvc.exe MD5: FEEC8055C5986182C717DD888000AEF6)
        • sppsvc.exe (PID: 5012 cmdline: C:\Users\user\AppData\Local\GsjW\sppsvc.exe MD5: FEEC8055C5986182C717DD888000AEF6)
        • SndVol.exe (PID: 3156 cmdline: C:\Windows\system32\SndVol.exe MD5: CDD7C7DF2D0859AC3F4088423D11BD08)
        • SndVol.exe (PID: 5664 cmdline: C:\Users\user\AppData\Local\0rPbJb\SndVol.exe MD5: CDD7C7DF2D0859AC3F4088423D11BD08)
    • rundll32.exe (PID: 568 cmdline: rundll32.exe C:\Users\user\Desktop\dry.dll,CreateXmlReaderInputWithEncodingCodePage MD5: 73C519F050C20580F8A62C849D49215A)
    • rundll32.exe (PID: 5456 cmdline: rundll32.exe C:\Users\user\Desktop\dry.dll,CreateXmlReaderInputWithEncodingName MD5: 73C519F050C20580F8A62C849D49215A)
  • cleanup
No configs have been found
Yara matches (Source, Rule, Description, Author, Strings):
Source: 0000001B.00000002.448574954.00007FFC6E291000.00000020.00000001.01000000.0000000C.sdmp, Rule: JoeSecurity_Dridex_2, Description: Yara detected Dridex unpacked file, Author: Joe Security
Source: 0000001B.00000002.448574954.00007FFC6E291000.00000020.00000001.01000000.0000000C.sdmp, Rule: crime_win64_dridex_bot_hook, Description: Detects latest Dridex bot hook, Author: @VK_Intel
  • Strings: 0x37e93:$code: E8 38 5D 00 00 8B 5C 24 5C 48 8D 95 70 01 00 00 44 2B F3 48 8D 4D 70 41 B8 04 00 00 00 41 83 EE 05 44 89 B5 70 01 00 00 E8 10 5D 00 00 BA CD 9C FF 56 B9 CB 69 E2 6A 8B F3 48 89 5D A8 48 C7 45 ...
Source: 00000008.00000002.305054509.00007FFC68291000.00000020.00000001.01000000.00000003.sdmp, Rule: JoeSecurity_Dridex_2, Description: Yara detected Dridex unpacked file, Author: Joe Security
Source: 00000008.00000002.305054509.00007FFC68291000.00000020.00000001.01000000.00000003.sdmp, Rule: crime_win64_dridex_bot_hook, Description: Detects latest Dridex bot hook, Author: @VK_Intel
  • Strings: 0x37e93:$code: E8 38 5D 00 00 8B 5C 24 5C 48 8D 95 70 01 00 00 44 2B F3 48 8D 4D 70 41 B8 04 00 00 00 41 83 EE 05 44 89 B5 70 01 00 00 E8 10 5D 00 00 BA CD 9C FF 56 B9 CB 69 E2 6A 8B F3 48 89 5D A8 48 C7 45 ...
Source: 00000006.00000002.296790826.00007FFC68291000.00000020.00000001.01000000.00000003.sdmp, Rule: JoeSecurity_Dridex_2, Description: Yara detected Dridex unpacked file, Author: Joe Security
Yara matches (Source, Rule, Description, Author, Strings):
Source: 4.2.rundll32.exe.7ffc68290000.2.unpack, Rule: JoeSecurity_Dridex_2, Description: Yara detected Dridex unpacked file, Author: Joe Security
Source: 4.2.rundll32.exe.7ffc68290000.2.unpack, Rule: crime_win64_dridex_bot_hook, Description: Detects latest Dridex bot hook, Author: @VK_Intel
  • Strings: 0x38293:$code: E8 38 5D 00 00 8B 5C 24 5C 48 8D 95 70 01 00 00 44 2B F3 48 8D 4D 70 41 B8 04 00 00 00 41 83 EE 05 44 89 B5 70 01 00 00 E8 10 5D 00 00 BA CD 9C FF 56 B9 CB 69 E2 6A 8B F3 48 89 5D A8 48 C7 45 ...
Source: 8.2.rundll32.exe.7ffc68290000.2.unpack, Rule: JoeSecurity_Dridex_2, Description: Yara detected Dridex unpacked file, Author: Joe Security
Source: 8.2.rundll32.exe.7ffc68290000.2.unpack, Rule: crime_win64_dridex_bot_hook, Description: Detects latest Dridex bot hook, Author: @VK_Intel
  • Strings: 0x38293:$code: E8 38 5D 00 00 8B 5C 24 5C 48 8D 95 70 01 00 00 44 2B F3 48 8D 4D 70 41 B8 04 00 00 00 41 83 EE 05 44 89 B5 70 01 00 00 E8 10 5D 00 00 BA CD 9C FF 56 B9 CB 69 E2 6A 8B F3 48 89 5D A8 48 C7 45 ...
Source: 3.2.rundll32.exe.7ffc68290000.2.unpack, Rule: JoeSecurity_Dridex_2, Description: Yara detected Dridex unpacked file, Author: Joe Security

              System Summary

              Source: Process started, Author: Florian Roth, Data: Command: rundll32.exe "C:\Users\user\Desktop\dry.dll",#1, CommandLine: rundll32.exe "C:\Users\user\Desktop\dry.dll",#1, CommandLine|base64offset|contains: , Image: C:\Windows\System32\rundll32.exe, NewProcessName: C:\Windows\System32\rundll32.exe, OriginalFileName: C:\Windows\System32\rundll32.exe, ParentCommandLine: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\dry.dll",#1, ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 6612, ProcessCommandLine: rundll32.exe "C:\Users\user\Desktop\dry.dll",#1, ProcessId: 4484


              AV Detection

              Source: dry.dll, Virustotal: Detection: 70%
              Source: dry.dll, Metadefender: Detection: 55%
              Source: dry.dll, ReversingLabs: Detection: 82%
              Source: dry.dll, Avira: detected
              Source: C:\Users\user\AppData\Local\oudoiG\VERSION.dll, Avira: detection malicious, Label: TR/Crypt.ZPACK.Gen
              Source: C:\Users\user\AppData\Local\0rPbJb\UxTheme.dll, Avira: detection malicious, Label: TR/Crypt.ZPACK.Gen
              Source: C:\Users\user\AppData\Local\dfAZPUGwQ\WINSTA.dll, Avira: detection malicious, Label: TR/Crypt.ZPACK.Gen
              Source: C:\Users\user\AppData\Local\s8hTTPzEx\DUI70.dll, Avira: detection malicious, Label: TR/Crypt.XPACK.Gen4
              Source: C:\Users\user\AppData\Local\GsjW\XmlLite.dll, Avira: detection malicious, Label: TR/Crypt.XPACK.Gen7
              Source: C:\Users\user\AppData\Local\DLKXiO\WMsgAPI.dll, Avira: detection malicious, Label: TR/Crypt.XPACK.Gen7
              Source: dry.dll, Joe Sandbox ML: detected
              Source: C:\Users\user\AppData\Local\oudoiG\VERSION.dll, Joe Sandbox ML: detected
              Source: C:\Users\user\AppData\Local\0rPbJb\UxTheme.dll, Joe Sandbox ML: detected
              Source: C:\Users\user\AppData\Local\dfAZPUGwQ\WINSTA.dll, Joe Sandbox ML: detected
              Source: C:\Users\user\AppData\Local\s8hTTPzEx\DUI70.dll, Joe Sandbox ML: detected
              Source: C:\Users\user\AppData\Local\GsjW\XmlLite.dll, Joe Sandbox ML: detected
              Source: C:\Users\user\AppData\Local\DLKXiO\WMsgAPI.dll, Joe Sandbox ML: detected
              Source: C:\Users\user\AppData\Local\oudoiG\DWWIN.EXE, Code function: 30_2_00007FF7EAE9CF6C VirtualAlloc,GetLastError,BCryptCreateHash,ReadProcessMemory,BCryptHashData,BCryptFinishHash,BCryptDestroyHash,VirtualFree,BCryptFinishHash,BCryptDestroyHash,GetLastError, 30_2_00007FF7EAE9CF6C
              Source: C:\Users\user\AppData\Local\oudoiG\DWWIN.EXE, Code function: 30_2_00007FF7EAE9D15C BCryptCreateHash,_wcsnicmp,BCryptHashData,BCryptHashData,BCryptFinishHash,BCryptDestroyHash, 30_2_00007FF7EAE9D15C
              Source: dry.dll, Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA
              Source: Binary string: consent.pdb source: consent.exe, 0000000D.00000000.375430040.00007FF679FA1000.00000002.00000001.01000000.00000007.sdmp, consent.exe, 0000000D.00000002.376843046.00007FF679FA1000.00000002.00000001.01000000.00000007.sdmp, consent.exe, 00000017.00000000.417554670.00007FF60D131000.00000002.00000001.01000000.0000000A.sdmp, consent.exe, 00000017.00000002.418228151.00007FF60D131000.00000002.00000001.01000000.0000000A.sdmp, consent.exe0.5.dr, consent.exe.5.dr
              Source: Binary string: SndVol.pdbGCTL source: SndVol.exe, 00000025.00000000.519784312.00007FF7A30D2000.00000002.00000001.01000000.00000011.sdmp, SndVol.exe.5.dr
              Source: Binary string: cmstp.pdbGCTL source: cmstp.exe, 0000001B.00000002.448541294.00007FF768F8F000.00000002.00000001.01000000.0000000B.sdmp, cmstp.exe, 0000001B.00000000.426211728.00007FF768F8F000.00000002.00000001.01000000.0000000B.sdmp, cmstp.exe.5.dr
              Source: Binary string: FFgnji|RgnjiR.pdb source: SysResetErr.exe, 0000000F.00000002.410461412.00000204E63D7000.00000004.00000020.00020000.00000000.sdmp, SysResetErr.exe, 0000000F.00000002.410154109.00000204E622E000.00000004.00000020.00020000.00000000.sdmp, cmstp.exe, 0000001B.00000002.448408637.0000016FCD5A2000.00000004.00000020.00020000.00000000.sdmp, cmstp.exe, 0000001B.00000002.448269347.0000016FCD449000.00000004.00000020.00020000.00000000.sdmp, DWWIN.EXE, 0000001E.00000002.476969443.0000025594C81000.00000004.00000020.00020000.00000000.sdmp, DWWIN.EXE, 0000001E.00000002.477066927.0000025594DE1000.00000004.00000020.00020000.00000000.sdmp, sppsvc.exe, 00000023.00000002.513393199.0000029561289000.00000004.00000020.00020000.00000000.sdmp, sppsvc.exe, 00000023.00000002.513278214.0000029561127000.00000004.00000020.00020000.00000000.sdmp, dry.dll, VERSION.dll.5.dr, VERSION.dll0.5.dr, UxTheme.dll.5.dr, WINSTA.dll.5.dr, DUI70.dll.5.dr, XmlLite.dll.5.dr, WMsgAPI.dll.5.dr
              Source: Binary string: sppsvc.pdb source: sppsvc.exe, 00000023.00000000.488372541.00007FF6A254B000.00000002.00000001.01000000.0000000F.sdmp, sppsvc.exe, 00000023.00000002.514242869.00007FF6A254B000.00000002.00000001.01000000.0000000F.sdmp, sppsvc.exe.5.dr
              Source: Binary string: SysResetErr.pdb source: SysResetErr.exe, 0000000F.00000000.387584584.00007FF67A426000.00000002.00000001.01000000.00000008.sdmp, SysResetErr.exe, 0000000F.00000002.410882238.00007FF67A426000.00000002.00000001.01000000.00000008.sdmp, SysResetErr.exe.5.dr
              Source: Binary string: dwwin.pdbGCTL source: DWWIN.EXE, 0000001E.00000000.454947885.00007FF7EAEA6000.00000002.00000001.01000000.0000000D.sdmp, DWWIN.EXE, 0000001E.00000002.477319814.00007FF7EAEA6000.00000002.00000001.01000000.0000000D.sdmp, DWWIN.EXE.5.dr
              Source: Binary string: cmstp.pdb source: cmstp.exe, 0000001B.00000002.448541294.00007FF768F8F000.00000002.00000001.01000000.0000000B.sdmp, cmstp.exe, 0000001B.00000000.426211728.00007FF768F8F000.00000002.00000001.01000000.0000000B.sdmp, cmstp.exe.5.dr
              Source: Binary string: sppsvc.pdbGCTL source: sppsvc.exe, 00000023.00000000.488372541.00007FF6A254B000.00000002.00000001.01000000.0000000F.sdmp, sppsvc.exe, 00000023.00000002.514242869.00007FF6A254B000.00000002.00000001.01000000.0000000F.sdmp, sppsvc.exe.5.dr
              Source: Binary string: dwwin.pdb source: DWWIN.EXE, 0000001E.00000000.454947885.00007FF7EAEA6000.00000002.00000001.01000000.0000000D.sdmp, DWWIN.EXE, 0000001E.00000002.477319814.00007FF7EAEA6000.00000002.00000001.01000000.0000000D.sdmp, DWWIN.EXE.5.dr
              Source: Binary string: consent.pdbUGP source: consent.exe, 0000000D.00000000.375430040.00007FF679FA1000.00000002.00000001.01000000.00000007.sdmp, consent.exe, 0000000D.00000002.376843046.00007FF679FA1000.00000002.00000001.01000000.00000007.sdmp, consent.exe, 00000017.00000000.417554670.00007FF60D131000.00000002.00000001.01000000.0000000A.sdmp, consent.exe, 00000017.00000002.418228151.00007FF60D131000.00000002.00000001.01000000.0000000A.sdmp, consent.exe0.5.dr, consent.exe.5.dr
              Source: Binary string: SndVol.pdb source: SndVol.exe, 00000025.00000000.519784312.00007FF7A30D2000.00000002.00000001.01000000.00000011.sdmp, SndVol.exe.5.dr
              Source: Binary string: SysResetErr.pdbGCTL source: SysResetErr.exe, 0000000F.00000000.387584584.00007FF67A426000.00000002.00000001.01000000.00000008.sdmp, SysResetErr.exe, 0000000F.00000002.410882238.00007FF67A426000.00000002.00000001.01000000.00000008.sdmp, SysResetErr.exe.5.dr
              Source: C:\Windows\System32\loaddll64.exe, Code function: 0_2_00007FFC682EDBE0 FindFirstFileExW, 0_2_00007FFC682EDBE0
              Source: C:\Users\user\AppData\Local\s8hTTPzEx\SysResetErr.exe, Code function: 15_2_00007FFC67E3DBE0 FindFirstFileExW, 15_2_00007FFC67E3DBE0
              Source: C:\Users\user\AppData\Local\y1c6p\cmstp.exe, Code function: 27_2_00007FF768F871E0 memset,GetPrivateProfileStringW,FindFirstFileW,wcscmp,memset,FindNextFileW, 27_2_00007FF768F871E0
              Source: C:\Users\user\AppData\Local\y1c6p\cmstp.exe, Code function: 27_2_00007FF768F84008 memset,memset,memset,SHGetFolderPathW,memset,SHGetFolderPathW,lstrlenW,CmMalloc,CmFree,CmFree,memset,FindFirstFileW,GetLastError,memset,memset,FindNextFileW,FindClose, 27_2_00007FF768F84008
              Source: C:\Users\user\AppData\Local\y1c6p\cmstp.exe, Code function: 27_2_00007FFC6E2EDBE0 FindFirstFileExW, 27_2_00007FFC6E2EDBE0
              Source: C:\Users\user\AppData\Local\oudoiG\DWWIN.EXE, Code function: 30_2_00007FF7EAE96678 memset,StrStrIW,GetLogicalDriveStringsW,QueryDosDeviceW,StrStrIW, 30_2_00007FF7EAE96678
              Source: sppsvc.exe, 00000023.00000000.488372541.00007FF6A254B000.00000002.00000001.01000000.0000000F.sdmp, sppsvc.exe, 00000023.00000002.514242869.00007FF6A254B000.00000002.00000001.01000000.0000000F.sdmp, sppsvc.exe.5.dr, String found in binary or memory: http://xml.org/sax/properties/lexical-handler&<>"'SelectionLanguageXPathSelectio
              Source: unknown, DNS traffic detected: queries for: canonicalizer.ucsuri.tcs

              E-Banking Fraud

              Source: Yara match, File source: 4.2.rundll32.exe.7ffc68290000.2.unpack, type: UNPACKEDPE
              Source: Yara match, File source: 8.2.rundll32.exe.7ffc68290000.2.unpack, type: UNPACKEDPE
              Source: Yara match, File source: 3.2.rundll32.exe.7ffc68290000.2.unpack, type: UNPACKEDPE
              Source: Yara match, File source: 27.2.cmstp.exe.7ffc6e290000.3.unpack, type: UNPACKEDPE
              Source: Yara match, File source: 35.2.sppsvc.exe.7ffc6e290000.3.unpack, type: UNPACKEDPE
              Source: Yara match, File source: 0.2.loaddll64.exe.7ffc68290000.2.unpack, type: UNPACKEDPE
              Source: Yara match, File source: 6.2.rundll32.exe.7ffc68290000.2.unpack, type: UNPACKEDPE
              Source: Yara match, File source: 15.2.SysResetErr.exe.7ffc67de0000.3.unpack, type: UNPACKEDPE
              Source: Yara match, File source: 30.2.DWWIN.EXE.7ffc6e290000.3.unpack, type: UNPACKEDPE
              Source: Yara match, File source: 0000001B.00000002.448574954.00007FFC6E291000.00000020.00000001.01000000.0000000C.sdmp, type: MEMORY
              Source: Yara match, File source: 00000008.00000002.305054509.00007FFC68291000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
              Source: Yara match, File source: 00000006.00000002.296790826.00007FFC68291000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
              Source: Yara match, File source: 0000001E.00000002.477365919.00007FFC6E291000.00000020.00000001.01000000.0000000E.sdmp, type: MEMORY
              Source: Yara match, File source: 00000004.00000002.289927845.00007FFC68291000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
              Source: Yara match, File source: 0000000F.00000002.410915340.00007FFC67DE1000.00000020.00000001.01000000.00000009.sdmp, type: MEMORY
              Source: Yara match, File source: 00000003.00000002.366937086.00007FFC68291000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
              Source: Yara match, File source: 00000023.00000002.514434351.00007FFC6E291000.00000020.00000001.01000000.00000010.sdmp, type: MEMORY
              Source: Yara match, File source: 00000000.00000002.311387870.00007FFC68291000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY

              System Summary

              Source: 4.2.rundll32.exe.7ffc68290000.2.unpack, type: UNPACKEDPE, Matched rule: Detects latest Dridex bot hook, Author: @VK_Intel
              Source: 8.2.rundll32.exe.7ffc68290000.2.unpack, type: UNPACKEDPE, Matched rule: Detects latest Dridex bot hook, Author: @VK_Intel
              Source: 3.2.rundll32.exe.7ffc68290000.2.unpack, type: UNPACKEDPE, Matched rule: Detects latest Dridex bot hook, Author: @VK_Intel
              Source: 27.2.cmstp.exe.7ffc6e290000.3.unpack, type: UNPACKEDPE, Matched rule: Detects latest Dridex bot hook, Author: @VK_Intel
              Source: 35.2.sppsvc.exe.7ffc6e290000.3.unpack, type: UNPACKEDPE, Matched rule: Detects latest Dridex bot hook, Author: @VK_Intel
              Source: 0.2.loaddll64.exe.7ffc68290000.2.unpack, type: UNPACKEDPE, Matched rule: Detects latest Dridex bot hook, Author: @VK_Intel
              Source: 6.2.rundll32.exe.7ffc68290000.2.unpack, type: UNPACKEDPE, Matched rule: Detects latest Dridex bot hook, Author: @VK_Intel
              Source: 15.2.SysResetErr.exe.7ffc67de0000.3.unpack, type: UNPACKEDPE, Matched rule: Detects latest Dridex bot hook, Author: @VK_Intel
              Source: 30.2.DWWIN.EXE.7ffc6e290000.3.unpack, type: UNPACKEDPE, Matched rule: Detects latest Dridex bot hook, Author: @VK_Intel
              Source: 0000001B.00000002.448574954.00007FFC6E291000.00000020.00000001.01000000.0000000C.sdmp, type: MEMORY, Matched rule: Detects latest Dridex bot hook, Author: @VK_Intel
              Source: 00000008.00000002.305054509.00007FFC68291000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY, Matched rule: Detects latest Dridex bot hook, Author: @VK_Intel
              Source: 00000006.00000002.296790826.00007FFC68291000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY, Matched rule: Detects latest Dridex bot hook, Author: @VK_Intel
              Source: 0000001E.00000002.477365919.00007FFC6E291000.00000020.00000001.01000000.0000000E.sdmp, type: MEMORY, Matched rule: Detects latest Dridex bot hook, Author: @VK_Intel
              Source: 00000004.00000002.289927845.00007FFC68291000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY, Matched rule: Detects latest Dridex bot hook, Author: @VK_Intel
              Source: 0000000F.00000002.410915340.00007FFC67DE1000.00000020.00000001.01000000.00000009.sdmp, type: MEMORY, Matched rule: Detects latest Dridex bot hook, Author: @VK_Intel
              Source: 00000003.00000002.366937086.00007FFC68291000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY, Matched rule: Detects latest Dridex bot hook, Author: @VK_Intel
              Source: 00000023.00000002.514434351.00007FFC6E291000.00000020.00000001.01000000.00000010.sdmp, type: MEMORY, Matched rule: Detects latest Dridex bot hook, Author: @VK_Intel
              Source: 00000000.00000002.311387870.00007FFC68291000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY, Matched rule: Detects latest Dridex bot hook, Author: @VK_Intel
              Source: sppsvc.exe.5.dr, Static PE information: section name: ?g_Encry
              Source: C:\Windows\explorer.exe, Process created: C:\Windows\System32\cmstp.exe C:\Windows\system32\cmstp.exe
              Source: C:\Windows\explorer.exe, Process created: C:\Users\user\AppData\Local\y1c6p\cmstp.exe C:\Users\user\AppData\Local\y1c6p\cmstp.exe
              Source: 4.2.rundll32.exe.7ffc68290000.2.unpack, type: UNPACKEDPE, Matched rule: crime_win64_dridex_bot_hook date = 2020-03-24, author = @VK_Intel, description = Detects latest Dridex bot hook, reference = internal, tlp = white
              Source: 8.2.rundll32.exe.7ffc68290000.2.unpack, type: UNPACKEDPE, Matched rule: crime_win64_dridex_bot_hook date = 2020-03-24, author = @VK_Intel, description = Detects latest Dridex bot hook, reference = internal, tlp = white
              Source: 3.2.rundll32.exe.7ffc68290000.2.unpack, type: UNPACKEDPE, Matched rule: crime_win64_dridex_bot_hook date = 2020-03-24, author = @VK_Intel, description = Detects latest Dridex bot hook, reference = internal, tlp = white
              Source: 27.2.cmstp.exe.7ffc6e290000.3.unpack, type: UNPACKEDPE, Matched rule: crime_win64_dridex_bot_hook date = 2020-03-24, author = @VK_Intel, description = Detects latest Dridex bot hook, reference = internal, tlp = white
              Source: 35.2.sppsvc.exe.7ffc6e290000.3.unpack, type: UNPACKEDPE, Matched rule: crime_win64_dridex_bot_hook date = 2020-03-24, author = @VK_Intel, description = Detects latest Dridex bot hook, reference = internal, tlp = white
              Source: 0.2.loaddll64.exe.7ffc68290000.2.unpack, type: UNPACKEDPE, Matched rule: crime_win64_dridex_bot_hook date = 2020-03-24, author = @VK_Intel, description = Detects latest Dridex bot hook, reference = internal, tlp = white
              Source: 6.2.rundll32.exe.7ffc68290000.2.unpack, type: UNPACKEDPE, Matched rule: crime_win64_dridex_bot_hook date = 2020-03-24, author = @VK_Intel, description = Detects latest Dridex bot hook, reference = internal, tlp = white
              Source: 15.2.SysResetErr.exe.7ffc67de0000.3.unpack, type: UNPACKEDPE, Matched rule: crime_win64_dridex_bot_hook date = 2020-03-24, author = @VK_Intel, description = Detects latest Dridex bot hook, reference = internal, tlp = white
              Source: 30.2.DWWIN.EXE.7ffc6e290000.3.unpack, type: UNPACKEDPE, Matched rule: crime_win64_dridex_bot_hook date = 2020-03-24, author = @VK_Intel, description = Detects latest Dridex bot hook, reference = internal, tlp = white
              Source: 0000001B.00000002.448574954.00007FFC6E291000.00000020.00000001.01000000.0000000C.sdmp, type: MEMORY, Matched rule: crime_win64_dridex_bot_hook date = 2020-03-24, author = @VK_Intel, description = Detects latest Dridex bot hook, reference = internal, tlp = white
              Source: 00000008.00000002.305054509.00007FFC68291000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY, Matched rule: crime_win64_dridex_bot_hook date = 2020-03-24, author = @VK_Intel, description = Detects latest Dridex bot hook, reference = internal, tlp = white
              Source: 00000006.00000002.296790826.00007FFC68291000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY, Matched rule: crime_win64_dridex_bot_hook date = 2020-03-24, author = @VK_Intel, description = Detects latest Dridex bot hook, reference = internal, tlp = white
              Source: 0000001E.00000002.477365919.00007FFC6E291000.00000020.00000001.01000000.0000000E.sdmp, type: MEMORY, Matched rule: crime_win64_dridex_bot_hook date = 2020-03-24, author = @VK_Intel, description = Detects latest Dridex bot hook, reference = internal, tlp = white
              Source: 00000004.00000002.289927845.00007FFC68291000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY, Matched rule: crime_win64_dridex_bot_hook date = 2020-03-24, author = @VK_Intel, description = Detects latest Dridex bot hook, reference = internal, tlp = white
              Source: 0000000F.00000002.410915340.00007FFC67DE1000.00000020.00000001.01000000.00000009.sdmp, type: MEMORY, Matched rule: crime_win64_dridex_bot_hook date = 2020-03-24, author = @VK_Intel, description = Detects latest Dridex bot hook, reference = internal, tlp = white
              Source: 00000003.00000002.366937086.00007FFC68291000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY, Matched rule: crime_win64_dridex_bot_hook date = 2020-03-24, author = @VK_Intel, description = Detects latest Dridex bot hook, reference = internal, tlp = white
              Source: 00000023.00000002.514434351.00007FFC6E291000.00000020.00000001.01000000.00000010.sdmp, type: MEMORY, Matched rule: crime_win64_dridex_bot_hook date = 2020-03-24, author = @VK_Intel, description = Detects latest Dridex bot hook, reference = internal, tlp = white
              Source: 00000000.00000002.311387870.00007FFC68291000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY, Matched rule: crime_win64_dridex_bot_hook date = 2020-03-24, author = @VK_Intel, description = Detects latest Dridex bot hook, reference = internal, tlp = white
              Source: C:\Windows\explorer.exe, Process created: C:\Windows\System32\DWWIN.EXE C:\Windows\system32\DWWIN.EXE
              Source: C:\Windows\System32\loaddll64.exeCode function: 0_2_00007FFC682CA4000_2_00007FFC682CA400
              Source: C:\Windows\System32\loaddll64.exeCode function: 0_2_00007FFC682C04500_2_00007FFC682C0450
              Source: C:\Windows\System32\loaddll64.exeCode function: 0_2_00007FFC682B1C400_2_00007FFC682B1C40
              Source: C:\Windows\System32\loaddll64.exeCode function: 0_2_00007FFC682B8C400_2_00007FFC682B8C40
              Source: C:\Windows\System32\loaddll64.exeCode function: 0_2_00007FFC682A54B00_2_00007FFC682A54B0
              Source: C:\Windows\System32\loaddll64.exeCode function: 0_2_00007FFC682A74A00_2_00007FFC682A74A0
              Source: C:\Windows\System32\loaddll64.exeCode function: 0_2_00007FFC682C2C800_2_00007FFC682C2C80
              Source: C:\Windows\System32\loaddll64.exeCode function: 0_2_00007FFC682F84D00_2_00007FFC682F84D0
              Source: C:\Windows\System32\loaddll64.exeCode function: 0_2_00007FFC682DED200_2_00007FFC682DED20
              Source: C:\Windows\System32\loaddll64.exeCode function: 0_2_00007FFC682A3D600_2_00007FFC682A3D60
              Source: C:\Windows\System32\loaddll64.exeCode function: 0_2_00007FFC682B95B00_2_00007FFC682B95B0
              Source: C:\Windows\System32\loaddll64.exeCode function: 0_2_00007FFC6829C5A00_2_00007FFC6829C5A0
              Source: C:\Windows\System32\loaddll64.exeCode function: 0_2_00007FFC682F95800_2_00007FFC682F9580
              Source: C:\Windows\System32\loaddll64.exeCode function: 0_2_00007FFC682C45F00_2_00007FFC682C45F0
              Source: C:\Windows\System32\loaddll64.exeCode function: 0_2_00007FFC6829DDE00_2_00007FFC6829DDE0
              Source: C:\Windows\System32\loaddll64.exeCode function: 0_2_00007FFC6830D6500_2_00007FFC6830D650
              Source: C:\Windows\System32\loaddll64.exeCode function: 0_2_00007FFC682916200_2_00007FFC68291620
              Source: C:\Windows\System32\loaddll64.exeCode function: 0_2_00007FFC682EFE100_2_00007FFC682EFE10
              Source: C:\Windows\System32\loaddll64.exeCode function: 0_2_00007FFC682C26100_2_00007FFC682C2610
              Source: C:\Windows\System32\loaddll64.exeCode function: 0_2_00007FFC68309E700_2_00007FFC68309E70
              Source: C:\Windows\System32\loaddll64.exeCode function: 0_2_00007FFC682FCE000_2_00007FFC682FCE00
              Source: C:\Windows\System32\loaddll64.exeCode function: 0_2_00007FFC682A66700_2_00007FFC682A6670
              Source: C:\Windows\System32\loaddll64.exeCode function: 0_2_00007FFC682A96600_2_00007FFC682A9660
              Source: C:\Windows\System32\loaddll64.exeCode function: 0_2_00007FFC682EF6500_2_00007FFC682EF650
              Source: C:\Windows\System32\loaddll64.exeCode function: 0_2_00007FFC682B26500_2_00007FFC682B2650
              Source: C:\Windows\System32\loaddll64.exeCode function: 0_2_00007FFC682C06500_2_00007FFC682C0650
              Source: C:\Windows\System32\loaddll64.exeCode function: 0_2_00007FFC682F46400_2_00007FFC682F4640
              Source: C:\Windows\System32\loaddll64.exeCode function: 0_2_00007FFC682BF6400_2_00007FFC682BF640
              Source: C:\Windows\System32\loaddll64.exeCode function: 0_2_00007FFC682FCEB60_2_00007FFC682FCEB6
              Source: C:\Windows\System32\loaddll64.exeCode function: 0_2_00007FFC682FCEAD0_2_00007FFC682FCEAD
              Source: C:\Windows\System32\loaddll64.exeCode function: 0_2_00007FFC682FCEA60_2_00007FFC682FCEA6
              Source: C:\Windows\System32\loaddll64.exeCode function: 0_2_00007FFC682FCE9D0_2_00007FFC682FCE9D
              Source: C:\Windows\System32\loaddll64.exeCode function: 0_2_00007FFC682FCE940_2_00007FFC682FCE94
              Source: C:\Windows\System32\loaddll64.exeCode function: 0_2_00007FFC68296E900_2_00007FFC68296E90
              Source: C:\Windows\System32\loaddll64.exeCode function: 0_2_00007FFC682FCE8B0_2_00007FFC682FCE8B
              Source: C:\Windows\System32\loaddll64.exeCode function: 0_2_00007FFC682F6E800_2_00007FFC682F6E80
              Source: C:\Windows\System32\loaddll64.exeCode function: 0_2_00007FFC68297E800_2_00007FFC68297E80
              Source: C:\Windows\System32\loaddll64.exeCode function: 0_2_00007FFC682BBE800_2_00007FFC682BBE80
              Source: C:\Windows\System32\loaddll64.exeCode function: 0_2_00007FFC682C0EE00_2_00007FFC682C0EE0
              Source: C:\Windows\System32\loaddll64.exeCode function: 0_2_00007FFC682E46D00_2_00007FFC682E46D0
              Source: C:\Windows\System32\loaddll64.exeCode function: 0_2_00007FFC683036C00_2_00007FFC683036C0
              Source: C:\Windows\System32\loaddll64.exeCode function: 0_2_00007FFC682ACF300_2_00007FFC682ACF30
              Source: C:\Windows\System32\loaddll64.exeCode function: 0_2_00007FFC682C17300_2_00007FFC682C1730
              Source: C:\Windows\System32\loaddll64.exeCode function: 0_2_00007FFC682B1F100_2_00007FFC682B1F10
              Source: C:\Windows\System32\loaddll64.exeCode function: 0_2_00007FFC682A87000_2_00007FFC682A8700
              Source: C:\Windows\System32\loaddll64.exeCode function: 0_2_00007FFC682AC7000_2_00007FFC682AC700
              Source: C:\Windows\System32\loaddll64.exeCode function: 0_2_00007FFC682DDF400_2_00007FFC682DDF40
              Source: C:\Windows\System32\loaddll64.exeCode function: 0_2_00007FFC682967900_2_00007FFC68296790
              Source: C:\Windows\System32\loaddll64.exeCode function: 0_2_00007FFC682AD7800_2_00007FFC682AD780
              Source: C:\Windows\System32\loaddll64.exeCode function: 0_2_00007FFC682BDFE00_2_00007FFC682BDFE0
              Source: C:\Windows\System32\loaddll64.exeCode function: 0_2_00007FFC682BEFD00_2_00007FFC682BEFD0
              Source: C:\Windows\System32\loaddll64.exeCode function: 0_2_00007FFC682910100_2_00007FFC68291010
              Source: C:\Windows\System32\loaddll64.exeCode function: 0_2_00007FFC682A08700_2_00007FFC682A0870
              Source: C:\Windows\System32\loaddll64.exeCode function: 0_2_00007FFC682B18500_2_00007FFC682B1850
              Source: C:\Windows\System32\loaddll64.exeCode function: 0_2_00007FFC682A90500_2_00007FFC682A9050
              Source: C:\Users\user\AppData\Local\DLKXiO\consent.exeCode function: 13_2_00007FF679F910D013_2_00007FF679F910D0
              Source: C:\Users\user\AppData\Local\DLKXiO\consent.exeCode function: 13_2_00007FF679F9394013_2_00007FF679F93940
              Source: C:\Users\user\AppData\Local\DLKXiO\consent.exeCode function: 13_2_00007FF679F9D57413_2_00007FF679F9D574
              Source: C:\Users\user\AppData\Local\DLKXiO\consent.exeCode function: 13_2_00007FF679F92C6013_2_00007FF679F92C60
              Source: C:\Users\user\AppData\Local\DLKXiO\consent.exeCode function: 13_2_00007FF679F9207013_2_00007FF679F92070
              Source: C:\Users\user\AppData\Local\DLKXiO\consent.exeCode function: 13_2_00007FF679F9F29013_2_00007FF679F9F290
              Source: C:\Users\user\AppData\Local\DLKXiO\consent.exeCode function: 13_2_00007FF679F9C6CC13_2_00007FF679F9C6CC
              Source: C:\Users\user\AppData\Local\DLKXiO\consent.exeCode function: 13_2_00007FF679F9ED3013_2_00007FF679F9ED30
              Source: C:\Users\user\AppData\Local\s8hTTPzEx\SysResetErr.exeCode function: 15_2_00007FF67A42142415_2_00007FF67A421424
              Source: C:\Users\user\AppData\Local\s8hTTPzEx\SysResetErr.exeCode function: 15_2_00007FFC67E31FE015_2_00007FFC67E31FE0
              Source: C:\Users\user\AppData\Local\s8hTTPzEx\SysResetErr.exeCode function: 15_2_00007FFC67E4BF2015_2_00007FFC67E4BF20
              Source: C:\Users\user\AppData\Local\s8hTTPzEx\SysResetErr.exeCode function: 15_2_00007FFC67E27EA015_2_00007FFC67E27EA0
              Source: C:\Users\user\AppData\Local\s8hTTPzEx\SysResetErr.exeCode function: 15_2_00007FFC67E4661015_2_00007FFC67E46610
              Source: C:\Users\user\AppData\Local\s8hTTPzEx\SysResetErr.exeCode function: 15_2_00007FFC67E145F015_2_00007FFC67E145F0
              Source: C:\Users\user\AppData\Local\s8hTTPzEx\SysResetErr.exeCode function: 15_2_00007FFC67E3CC9015_2_00007FFC67E3CC90
              Source: C:\Users\user\AppData\Local\s8hTTPzEx\SysResetErr.exeCode function: 15_2_00007FFC67E1A40015_2_00007FFC67E1A400
              Source: C:\Users\user\AppData\Local\s8hTTPzEx\SysResetErr.exeCode function: 15_2_00007FFC67E1939015_2_00007FFC67E19390
              Source: C:\Users\user\AppData\Local\s8hTTPzEx\SysResetErr.exeCode function: 15_2_00007FFC67E1431015_2_00007FFC67E14310
              Source: C:\Users\user\AppData\Local\s8hTTPzEx\SysResetErr.exeCode function: 15_2_00007FFC67E2899015_2_00007FFC67E28990
              Source: C:\Users\user\AppData\Local\s8hTTPzEx\SysResetErr.exeCode function: 15_2_00007FFC67E0619015_2_00007FFC67E06190
              Source: C:\Users\user\AppData\Local\s8hTTPzEx\SysResetErr.exeCode function: 15_2_00007FFC67E1394015_2_00007FFC67E13940
              Source: C:\Users\user\AppData\Local\s8hTTPzEx\SysResetErr.exeCode function: 15_2_00007FFC67E2B12015_2_00007FFC67E2B120
              Source: C:\Users\user\AppData\Local\s8hTTPzEx\SysResetErr.exeCode function: 15_2_00007FFC67DF087015_2_00007FFC67DF0870
              Source: C:\Users\user\AppData\Local\s8hTTPzEx\SysResetErr.exeCode function: 15_2_00007FFC67E0185015_2_00007FFC67E01850
              Source: C:\Users\user\AppData\Local\s8hTTPzEx\SysResetErr.exeCode function: 15_2_00007FFC67DF905015_2_00007FFC67DF9050
              Source: C:\Users\user\AppData\Local\s8hTTPzEx\SysResetErr.exeCode function: 15_2_00007FFC67DE101015_2_00007FFC67DE1010
              Source: C:\Users\user\AppData\Local\s8hTTPzEx\SysResetErr.exeCode function: 15_2_00007FFC67E0DFE015_2_00007FFC67E0DFE0
              Source: C:\Users\user\AppData\Local\s8hTTPzEx\SysResetErr.exeCode function: 15_2_00007FFC67E0EFD015_2_00007FFC67E0EFD0
              Source: C:\Users\user\AppData\Local\s8hTTPzEx\SysResetErr.exeCode function: 15_2_00007FFC67E5A7BB15_2_00007FFC67E5A7BB
              Source: C:\Users\user\AppData\Local\s8hTTPzEx\SysResetErr.exeCode function: 15_2_00007FFC67DFD78015_2_00007FFC67DFD780
              Source: C:\Users\user\AppData\Local\s8hTTPzEx\SysResetErr.exeCode function: 15_2_00007FFC67E5AF8115_2_00007FFC67E5AF81
              Source: C:\Users\user\AppData\Local\s8hTTPzEx\SysResetErr.exeCode function: 15_2_00007FFC67DE679015_2_00007FFC67DE6790
              Source: C:\Users\user\AppData\Local\s8hTTPzEx\SysResetErr.exeCode function: 15_2_00007FFC67E2DF4015_2_00007FFC67E2DF40
              Source: C:\Users\user\AppData\Local\s8hTTPzEx\SysResetErr.exeCode function: 15_2_00007FFC67E1173015_2_00007FFC67E11730
              Source: C:\Users\user\AppData\Local\s8hTTPzEx\SysResetErr.exeCode function: 15_2_00007FFC67DFCF3015_2_00007FFC67DFCF30
              Source: C:\Users\user\AppData\Local\s8hTTPzEx\SysResetErr.exeCode function: 15_2_00007FFC67DF870015_2_00007FFC67DF8700
              Source: C:\Users\user\AppData\Local\s8hTTPzEx\SysResetErr.exeCode function: 15_2_00007FFC67DFC70015_2_00