
Windows Analysis Report
GpUSRuIBHx

Overview

General Information

Sample Name: GpUSRuIBHx (renamed file extension from none to dll)
Analysis ID: 595305
MD5: 288c35481252c1212cbb764c490c2ad8
SHA1: 9c48ba2239b5ae5675d0eb6b92cf0a37884403fd
SHA256: cb793c295b0bcd3baec5546b7176cdfdf10b0a9291d958c72eb85551825d22d6
Tags: Dridex, exe

Detection

Dridex
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Yara detected Dridex unpacked file
Multi AV Scanner detection for submitted file
Benign windows process drops PE files
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Changes memory attributes in foreign processes to executable or writable
Machine Learning detection for sample
Queues an APC in another process (thread injection)
Sigma detected: Suspicious Call by Ordinal
Machine Learning detection for dropped file
Contains functionality to automate explorer (e.g. start an application)
Uses Atom Bombing / ProGate to inject into other processes
Queries the volume information (name, serial number etc) of a device
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query locales information (e.g. system language)
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
PE file contains sections with non-standard names
Queries the installation date of Windows
Detected potential crypto function
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to call native functions
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Found dropped PE file which has not been started or loaded
Contains functionality which may be used to detect a debugger (GetProcessHeap)
PE file contains executable resources (Code or Archives)
Extensive use of GetProcAddress (often used to hide API calls)
PE file contains strange resources
Drops PE files
Tries to load missing DLLs
Found evasive API chain checking for process token information
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Binary contains a suspicious time stamp
PE file contains more sections than normal
Found large amount of non-executed APIs
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality for read data from the clipboard

Classification

  • System is w10x64
  • loaddll64.exe (PID: 852 cmdline: loaddll64.exe "C:\Users\user\Desktop\GpUSRuIBHx.dll" MD5: 4E8A40CAD6CCC047914E3A7830A2D8AA)
    • cmd.exe (PID: 6932 cmdline: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\GpUSRuIBHx.dll",#1 MD5: 4E2ACF4F8A396486AB4268C94A6A245F)
      • rundll32.exe (PID: 7012 cmdline: rundll32.exe "C:\Users\user\Desktop\GpUSRuIBHx.dll",#1 MD5: 73C519F050C20580F8A62C849D49215A)
    • rundll32.exe (PID: 7036 cmdline: rundll32.exe C:\Users\user\Desktop\GpUSRuIBHx.dll,??0VolumeFveStatus@@IEAA@XZ MD5: 73C519F050C20580F8A62C849D49215A)
      • explorer.exe (PID: 3808 cmdline: C:\Windows\Explorer.EXE MD5: AD5296B280E8F522A8A897C96BAB0E1D)
        • BackgroundTransferHost.exe (PID: 5856 cmdline: "BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.1 MD5: 02BA81746B929ECC9DB6665589B68335)
        • FileHistory.exe (PID: 5804 cmdline: C:\Windows\system32\FileHistory.exe MD5: 989B5BDB2BEAC9F894BBC236F1B67967)
        • FileHistory.exe (PID: 6388 cmdline: C:\Users\user\AppData\Local\6f22a\FileHistory.exe MD5: 989B5BDB2BEAC9F894BBC236F1B67967)
        • rdpinput.exe (PID: 6940 cmdline: C:\Windows\system32\rdpinput.exe MD5: 4403785D297C55D5DF26176B4F1A52C8)
        • rdpinput.exe (PID: 6992 cmdline: C:\Users\user\AppData\Local\Kyz7D\rdpinput.exe MD5: 4403785D297C55D5DF26176B4F1A52C8)
        • SndVol.exe (PID: 6428 cmdline: C:\Windows\system32\SndVol.exe MD5: CDD7C7DF2D0859AC3F4088423D11BD08)
        • SndVol.exe (PID: 6436 cmdline: C:\Users\user\AppData\Local\bTcR2e\SndVol.exe MD5: CDD7C7DF2D0859AC3F4088423D11BD08)
        • SnippingTool.exe (PID: 7052 cmdline: C:\Windows\system32\SnippingTool.exe MD5: 9012F9C6AC7F3F99ECDD37E24C9AC3BB)
        • SnippingTool.exe (PID: 5480 cmdline: C:\Users\user\AppData\Local\LoReH\SnippingTool.exe MD5: 9012F9C6AC7F3F99ECDD37E24C9AC3BB)
        • slui.exe (PID: 5012 cmdline: C:\Windows\system32\slui.exe MD5: 96A8EF9387619D17BB30B024DDF52BF3)
        • slui.exe (PID: 3852 cmdline: C:\Users\user\AppData\Local\2Yf2pw501\slui.exe MD5: 96A8EF9387619D17BB30B024DDF52BF3)
        • rdpinput.exe (PID: 4236 cmdline: C:\Windows\system32\rdpinput.exe MD5: 4403785D297C55D5DF26176B4F1A52C8)
        • rdpinput.exe (PID: 780 cmdline: C:\Users\user\AppData\Local\Fjrn\rdpinput.exe MD5: 4403785D297C55D5DF26176B4F1A52C8)
        • printfilterpipelinesvc.exe (PID: 5112 cmdline: C:\Windows\system32\printfilterpipelinesvc.exe MD5: 4164BD4D8E23C672E40D203E4B4A38A7)
        • printfilterpipelinesvc.exe (PID: 4752 cmdline: C:\Users\user\AppData\Local\2HophZ6P\printfilterpipelinesvc.exe MD5: 4164BD4D8E23C672E40D203E4B4A38A7)
        • Utilman.exe (PID: 1508 cmdline: C:\Windows\system32\Utilman.exe MD5: C91CCEF3884CFDE746B4BAEF5F1BC75C)
        • Utilman.exe (PID: 1332 cmdline: C:\Users\user\AppData\Local\D6R1uM\Utilman.exe MD5: C91CCEF3884CFDE746B4BAEF5F1BC75C)
        • phoneactivate.exe (PID: 2912 cmdline: C:\Windows\system32\phoneactivate.exe MD5: 09D1974A03068D4311F1CE94B765E817)
        • phoneactivate.exe (PID: 5856 cmdline: C:\Users\user\AppData\Local\op5PCy\phoneactivate.exe MD5: 09D1974A03068D4311F1CE94B765E817)
        • DmNotificationBroker.exe (PID: 6180 cmdline: C:\Windows\system32\DmNotificationBroker.exe MD5: 1643D5735213BC89C0012F0E48253765)
        • DmNotificationBroker.exe (PID: 6460 cmdline: C:\Users\user\AppData\Local\CSYG\DmNotificationBroker.exe MD5: 1643D5735213BC89C0012F0E48253765)
        • ProximityUxHost.exe (PID: 6936 cmdline: C:\Windows\system32\ProximityUxHost.exe MD5: E7F0E9B3779E54CD271959C600A2A531)
        • ProximityUxHost.exe (PID: 6560 cmdline: C:\Users\user\AppData\Local\oOQGGow\ProximityUxHost.exe MD5: E7F0E9B3779E54CD271959C600A2A531)
        • omadmclient.exe (PID: 244 cmdline: C:\Windows\system32\omadmclient.exe MD5: AD7C6CD7A8EEC95808AA77C5D7987941)
    • rundll32.exe (PID: 6764 cmdline: rundll32.exe C:\Users\user\Desktop\GpUSRuIBHx.dll,??0VolumeFveStatus@@QEAA@K_KJW4_FVE_WIPING_STATE@@@Z MD5: 73C519F050C20580F8A62C849D49215A)
    • rundll32.exe (PID: 5872 cmdline: rundll32.exe C:\Users\user\Desktop\GpUSRuIBHx.dll,??4BuiVolume@@QEAAAEAV0@AEBV0@@Z MD5: 73C519F050C20580F8A62C849D49215A)
  • cleanup
No configs have been found
Source | Rule | Description | Author | Strings
00000028.00000002.836674261.00007FF8CA681000.00000020.00000001.01000000.00000020.sdmp | JoeSecurity_Dridex_2 | Yara detected Dridex unpacked file | Joe Security |
00000026.00000002.791054747.00007FF8CA681000.00000020.00000001.01000000.0000001E.sdmp | JoeSecurity_Dridex_2 | Yara detected Dridex unpacked file | Joe Security |
00000016.00000002.541815176.00007FF8CA981000.00000020.00000001.01000000.0000000E.sdmp | JoeSecurity_Dridex_2 | Yara detected Dridex unpacked file | Joe Security |
0000001C.00000002.616859661.00007FF8CA981000.00000020.00000001.01000000.00000013.sdmp | JoeSecurity_Dridex_2 | Yara detected Dridex unpacked file | Joe Security |
00000003.00000002.352441583.00007FF8BA5D1000.00000020.00000001.01000000.00000003.sdmp | JoeSecurity_Dridex_2 | Yara detected Dridex unpacked file | Joe Security |
(5 of 11 entries shown)

Source | Rule | Description | Author | Strings
22.2.SndVol.exe.7ff8ca980000.3.unpack | JoeSecurity_Dridex_2 | Yara detected Dridex unpacked file | Joe Security |
3.2.rundll32.exe.7ff8ba5d0000.2.unpack | JoeSecurity_Dridex_2 | Yara detected Dridex unpacked file | Joe Security |
28.2.slui.exe.7ff8ca980000.3.unpack | JoeSecurity_Dridex_2 | Yara detected Dridex unpacked file | Joe Security |
25.2.SnippingTool.exe.7ff8ca980000.3.unpack | JoeSecurity_Dridex_2 | Yara detected Dridex unpacked file | Joe Security |
18.2.FileHistory.exe.7ff8ca980000.3.unpack | JoeSecurity_Dridex_2 | Yara detected Dridex unpacked file | Joe Security |
(5 of 11 entries shown)

System Summary

Source: Process started, Author: Florian Roth, Data: Command: rundll32.exe "C:\Users\user\Desktop\GpUSRuIBHx.dll",#1, CommandLine: rundll32.exe "C:\Users\user\Desktop\GpUSRuIBHx.dll",#1, CommandLine|base64offset|contains: , Image: C:\Windows\System32\rundll32.exe, NewProcessName: C:\Windows\System32\rundll32.exe, OriginalFileName: C:\Windows\System32\rundll32.exe, ParentCommandLine: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\GpUSRuIBHx.dll",#1, ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 6932, ProcessCommandLine: rundll32.exe "C:\Users\user\Desktop\GpUSRuIBHx.dll",#1, ProcessId: 7012
Source: File created, Author: frack113, Data: EventID: 11, Image: C:\Windows\explorer.exe, ProcessId: 3808, TargetFilename: C:\Users\user\AppData\Local\6f22a\FileHistory.exe

AV Detection

Source: GpUSRuIBHx.dll, Virustotal: Detection: 70%
Source: GpUSRuIBHx.dll, Metadefender: Detection: 62%
Source: GpUSRuIBHx.dll, ReversingLabs: Detection: 88%
Source: GpUSRuIBHx.dll, Avira: detected
Source: C:\Users\user\AppData\Local\2Yf2pw501\WTSAPI32.dll, Avira: detection malicious, Label: TR/Crypt.ZPACK.Gen
Source: C:\Users\user\AppData\Local\bTcR2e\dwmapi.dll, Avira: detection malicious, Label: TR/Crypt.XPACK.Gen7
Source: C:\Users\user\AppData\Local\CSYG\DUI70.dll, Avira: detection malicious, Label: TR/Crypt.XPACK.Gen4
Source: C:\Users\user\AppData\Local\CSYG\DUI70.dll, Avira: detection malicious, Label: TR/Crypt.XPACK.Gen4
Source: C:\Users\user\AppData\Local\rDAhA\WMsgAPI.dll, Avira: detection malicious, Label: TR/Crypt.XPACK.Gen7
Source: C:\Users\user\AppData\Local\6f22a\UxTheme.dll, Avira: detection malicious, Label: TR/Crypt.ZPACK.Gen
Source: C:\Users\user\AppData\Local\2HophZ6P\XmlLite.dll, Avira: detection malicious, Label: TR/Crypt.XPACK.Gen7
Source: C:\Users\user\AppData\Local\2HophZ6P\XmlLite.dll, Avira: detection malicious, Label: TR/Crypt.XPACK.Gen7
Source: C:\Users\user\AppData\Local\D6R1uM\DUser.dll, Avira: detection malicious, Label: TR/Crypt.XPACK.Gen7
Source: C:\Users\user\AppData\Local\CSYG\DUI70.dll, Avira: detection malicious, Label: TR/Crypt.XPACK.Gen4
Source: C:\Users\user\AppData\Local\2Yf2pw501\WTSAPI32.dll, Avira: detection malicious, Label: TR/Crypt.ZPACK.Gen
Source: C:\Users\user\AppData\Local\Fjrn\WINSTA.dll, Avira: detection malicious, Label: TR/Crypt.ZPACK.Gen
Source: C:\Users\user\AppData\Local\6f22a\UxTheme.dll, Avira: detection malicious, Label: TR/Crypt.ZPACK.Gen
Source: C:\Users\user\AppData\Local\LoReH\OLEACC.dll, Avira: detection malicious, Label: TR/Crypt.ZPACK.Gen
Source: C:\Users\user\AppData\Local\LoReH\OLEACC.dll, Avira: detection malicious, Label: TR/Crypt.ZPACK.Gen
Source: GpUSRuIBHx.dll, Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\2Yf2pw501\WTSAPI32.dll, Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\bTcR2e\dwmapi.dll, Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\CSYG\DUI70.dll, Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\CSYG\DUI70.dll, Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\rDAhA\WMsgAPI.dll, Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\6f22a\UxTheme.dll, Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\2HophZ6P\XmlLite.dll, Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\2HophZ6P\XmlLite.dll, Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\D6R1uM\DUser.dll, Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\CSYG\DUI70.dll, Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\2Yf2pw501\WTSAPI32.dll, Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Fjrn\WINSTA.dll, Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\6f22a\UxTheme.dll, Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\LoReH\OLEACC.dll, Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\LoReH\OLEACC.dll, Joe Sandbox ML: detected
Source: GpUSRuIBHx.dll, Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA
Source: Binary string: slui.pdb source: slui.exe, 0000001C.00000000.587339760.00007FF6A3F4C000.00000002.00000001.01000000.00000012.sdmp, slui.exe, 0000001C.00000002.616193744.00007FF6A3F4C000.00000002.00000001.01000000.00000012.sdmp
Source: Binary string: DmNotificationBroker.pdb source: DmNotificationBroker.exe, 00000026.00000000.760434884.00007FF7BFEF5000.00000002.00000001.01000000.0000001D.sdmp, DmNotificationBroker.exe, 00000026.00000002.790979828.00007FF7BFEF5000.00000002.00000001.01000000.0000001D.sdmp
Source: Binary string: rdpinput.pdbGCTL source: rdpinput.exe, 00000014.00000000.489595034.00007FF7BADC3000.00000002.00000001.01000000.0000000B.sdmp, rdpinput.exe, 00000014.00000002.512462840.00007FF7BADC3000.00000002.00000001.01000000.0000000B.sdmp, rdpinput.exe, 0000001E.00000000.622861932.00007FF64DBA3000.00000002.00000001.01000000.00000014.sdmp, rdpinput.exe, 0000001E.00000002.646379506.00007FF64DBA3000.00000002.00000001.01000000.00000014.sdmp
Source: Binary string: SndVol.pdbGCTL source: SndVol.exe, 00000016.00000000.518686092.00007FF6C1BD2000.00000002.00000001.01000000.0000000D.sdmp, SndVol.exe, 00000016.00000002.541746435.00007FF6C1BD2000.00000002.00000001.01000000.0000000D.sdmp
Source: Binary string: Utilman.pdb source: Utilman.exe, 00000022.00000000.683097194.00007FF7C58C0000.00000002.00000001.01000000.00000018.sdmp, Utilman.exe, 00000022.00000002.705894496.00007FF7C58C0000.00000002.00000001.01000000.00000018.sdmp
Source: Binary string: ProximityUxHost.pdbGCTL source: ProximityUxHost.exe, 00000028.00000002.836601819.00007FF777332000.00000002.00000001.01000000.0000001F.sdmp, ProximityUxHost.exe, 00000028.00000000.805041652.00007FF777332000.00000002.00000001.01000000.0000001F.sdmp
Source: Binary string: PrintFilterPipelineSvc.pdbGCTL source: printfilterpipelinesvc.exe, 00000020.00000000.654903742.00007FF6B41A7000.00000002.00000001.01000000.00000016.sdmp, printfilterpipelinesvc.exe, 00000020.00000002.677939240.00007FF6B41A7000.00000002.00000001.01000000.00000016.sdmp
Source: Binary string: DmNotificationBroker.pdbGCTL source: DmNotificationBroker.exe, 00000026.00000000.760434884.00007FF7BFEF5000.00000002.00000001.01000000.0000001D.sdmp, DmNotificationBroker.exe, 00000026.00000002.790979828.00007FF7BFEF5000.00000002.00000001.01000000.0000001D.sdmp
Source: Binary string: phoneactivate.pdb source: phoneactivate.exe, 00000024.00000000.718318485.00007FF7F2EC0000.00000002.00000001.01000000.0000001A.sdmp, phoneactivate.exe, 00000024.00000002.746413133.00007FF7F2EC0000.00000002.00000001.01000000.0000001A.sdmp
Source: Binary string: SnippingTool.pdb source: SnippingTool.exe, 00000019.00000002.579595026.00007FF70C420000.00000002.00000001.01000000.0000000F.sdmp, SnippingTool.exe, 00000019.00000000.550318199.00007FF70C420000.00000002.00000001.01000000.0000000F.sdmp
Source: Binary string: SnippingTool.pdbGCTL source: SnippingTool.exe, 00000019.00000002.579595026.00007FF70C420000.00000002.00000001.01000000.0000000F.sdmp, SnippingTool.exe, 00000019.00000000.550318199.00007FF70C420000.00000002.00000001.01000000.0000000F.sdmp
Source: Binary string: PrintFilterPipelineSvc.pdb source: printfilterpipelinesvc.exe, 00000020.00000000.654903742.00007FF6B41A7000.00000002.00000001.01000000.00000016.sdmp, printfilterpipelinesvc.exe, 00000020.00000002.677939240.00007FF6B41A7000.00000002.00000001.01000000.00000016.sdmp
Source: Binary string: FileHistory.pdbGCTL source: FileHistory.exe, 00000012.00000000.478980793.00007FF6D0A39000.00000002.00000001.01000000.00000007.sdmp, FileHistory.exe, 00000012.00000002.484212875.00007FF6D0A39000.00000002.00000001.01000000.00000007.sdmp
Source: Binary string: rdpinput.pdb source: rdpinput.exe, 00000014.00000000.489595034.00007FF7BADC3000.00000002.00000001.01000000.0000000B.sdmp, rdpinput.exe, 00000014.00000002.512462840.00007FF7BADC3000.00000002.00000001.01000000.0000000B.sdmp, rdpinput.exe, 0000001E.00000000.622861932.00007FF64DBA3000.00000002.00000001.01000000.00000014.sdmp, rdpinput.exe, 0000001E.00000002.646379506.00007FF64DBA3000.00000002.00000001.01000000.00000014.sdmp
Source: Binary string: Utilman.pdbGCTL source: Utilman.exe, 00000022.00000000.683097194.00007FF7C58C0000.00000002.00000001.01000000.00000018.sdmp, Utilman.exe, 00000022.00000002.705894496.00007FF7C58C0000.00000002.00000001.01000000.00000018.sdmp
Source: Binary string: phoneactivate.pdbGCTL source: phoneactivate.exe, 00000024.00000000.718318485.00007FF7F2EC0000.00000002.00000001.01000000.0000001A.sdmp, phoneactivate.exe, 00000024.00000002.746413133.00007FF7F2EC0000.00000002.00000001.01000000.0000001A.sdmp
Source: Binary string: slui.pdbUGP source: slui.exe, 0000001C.00000000.587339760.00007FF6A3F4C000.00000002.00000001.01000000.00000012.sdmp, slui.exe, 0000001C.00000002.616193744.00007FF6A3F4C000.00000002.00000001.01000000.00000012.sdmp
Source: Binary string: SndVol.pdb source: SndVol.exe, 00000016.00000000.518686092.00007FF6C1BD2000.00000002.00000001.01000000.0000000D.sdmp, SndVol.exe, 00000016.00000002.541746435.00007FF6C1BD2000.00000002.00000001.01000000.0000000D.sdmp
Source: Binary string: ProximityUxHost.pdb source: ProximityUxHost.exe, 00000028.00000002.836601819.00007FF777332000.00000002.00000001.01000000.0000001F.sdmp, ProximityUxHost.exe, 00000028.00000000.805041652.00007FF777332000.00000002.00000001.01000000.0000001F.sdmp
Source: Binary string: FileHistory.pdb source: FileHistory.exe, 00000012.00000000.478980793.00007FF6D0A39000.00000002.00000001.01000000.00000007.sdmp, FileHistory.exe, 00000012.00000002.484212875.00007FF6D0A39000.00000002.00000001.01000000.00000007.sdmp
Source: C:\Windows\System32\loaddll64.exe, Code function: 0_2_00007FF8BA62ED10 FindFirstFileExW, 0_2_00007FF8BA62ED10
Source: explorer.exe, 00000004.00000000.411736058.00000000026D0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.390915909.00000000026D0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.355411214.00000000026D0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.439321830.00000000026D0000.00000004.00000001.00020000.00000000.sdmp, String found in binary or memory: http://ns.adobY
Source: unknown, DNS traffic detected: queries for: canonicalizer.ucsuri.tcs
Source: C:\Users\user\AppData\Local\LoReH\SnippingTool.exe, Code function: 25_2_00007FF70C3F37A8 OpenClipboard,GetLastError, 25_2_00007FF70C3F37A8

E-Banking Fraud

Source: Yara match, File source: 22.2.SndVol.exe.7ff8ca980000.3.unpack, type: UNPACKEDPE
Source: Yara match, File source: 3.2.rundll32.exe.7ff8ba5d0000.2.unpack, type: UNPACKEDPE
Source: Yara match, File source: 28.2.slui.exe.7ff8ca980000.3.unpack, type: UNPACKEDPE
Source: Yara match, File source: 25.2.SnippingTool.exe.7ff8ca980000.3.unpack, type: UNPACKEDPE
Source: Yara match, File source: 18.2.FileHistory.exe.7ff8ca980000.3.unpack, type: UNPACKEDPE
Source: Yara match, File source: 0.2.loaddll64.exe.7ff8ba5d0000.2.unpack, type: UNPACKEDPE
Source: Yara match, File source: 34.2.Utilman.exe.7ff8bb380000.3.unpack, type: UNPACKEDPE
Source: Yara match, File source: 5.2.rundll32.exe.7ff8ba5d0000.2.unpack, type: UNPACKEDPE
Source: Yara match, File source: 6.2.rundll32.exe.7ff8ba5d0000.2.unpack, type: UNPACKEDPE
Source: Yara match, File source: 30.2.rdpinput.exe.7ff8ca980000.3.unpack, type: UNPACKEDPE
Source: Yara match, File source: 38.2.DmNotificationBroker.exe.7ff8ca680000.3.unpack, type: UNPACKEDPE
Source: Yara match, File source: 20.2.rdpinput.exe.7ff8ca980000.3.unpack, type: UNPACKEDPE
Source: Yara match, File source: 2.2.rundll32.exe.7ff8ba5d0000.2.unpack, type: UNPACKEDPE
Source: Yara match, File source: 32.2.printfilterpipelinesvc.exe.7ff8bb380000.3.unpack, type: UNPACKEDPE
Source: Yara match, File source: 40.2.ProximityUxHost.exe.7ff8ca680000.3.unpack, type: UNPACKEDPE
Source: Yara match, File source: 36.2.phoneactivate.exe.7ff8ca680000.3.unpack, type: UNPACKEDPE
Source: Yara match, File source: 00000028.00000002.836674261.00007FF8CA681000.00000020.00000001.01000000.00000020.sdmp, type: MEMORY
Source: Yara match, File source: 00000026.00000002.791054747.00007FF8CA681000.00000020.00000001.01000000.0000001E.sdmp, type: MEMORY
Source: Yara match, File source: 00000016.00000002.541815176.00007FF8CA981000.00000020.00000001.01000000.0000000E.sdmp, type: MEMORY
Source: Yara match, File source: 0000001C.00000002.616859661.00007FF8CA981000.00000020.00000001.01000000.00000013.sdmp, type: MEMORY
Source: Yara match, File source: 00000003.00000002.352441583.00007FF8BA5D1000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match, File source: 00000024.00000002.746490737.00007FF8CA681000.00000020.00000001.01000000.0000001B.sdmp, type: MEMORY
Source: Yara match, File source: 00000000.00000002.372939527.00007FF8BA5D1000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match, File source: 00000019.00000002.581334481.00007FF8CA981000.00000020.00000001.01000000.00000010.sdmp, type: MEMORY
Source: Yara match, File source: 00000020.00000002.678112483.00007FF8BB381000.00000020.00000001.01000000.00000017.sdmp, type: MEMORY
Source: Yara match, File source: 00000006.00000002.366331885.00007FF8BA5D1000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match, File source: 00000012.00000002.484522001.00007FF8CA981000.00000020.00000001.01000000.00000008.sdmp, type: MEMORY
Source: Yara match, File source: 00000002.00000002.470593131.00007FF8BA5D1000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match, File source: 00000014.00000002.512496248.00007FF8CA981000.00000020.00000001.01000000.0000000C.sdmp, type: MEMORY
Source: Yara match, File source: 00000005.00000002.358622486.00007FF8BA5D1000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match, File source: 00000022.00000002.705952583.00007FF8BB381000.00000020.00000001.01000000.00000019.sdmp, type: MEMORY
Source: Yara match, File source: 0000001E.00000002.646421042.00007FF8CA981000.00000020.00000001.01000000.00000015.sdmp, type: MEMORY
Source: C:\Windows\System32\loaddll64.exe, Code function: 0_2_00007FF8BA623150, 0_2_00007FF8BA623150
Source: C:\Windows\System32\loaddll64.exe, Code function: 0_2_00007FF8BA6059F0, 0_2_00007FF8BA6059F0
Source: C:\Windows\System32\loaddll64.exe, Code function: 0_2_00007FF8BA60AA70, 0_2_00007FF8BA60AA70
Source: C:\Windows\System32\loaddll64.exe, Code function: 0_2_00007FF8BA61CA50, 0_2_00007FF8BA61CA50
Source: C:\Windows\System32\loaddll64.exe, Code function: 0_2_00007FF8BA61A2C0, 0_2_00007FF8BA61A2C0
Source: C:\Windows\System32\loaddll64.exe, Code function: 0_2_00007FF8BA6197D0, 0_2_00007FF8BA6197D0
Source: C:\Windows\System32\loaddll64.exe, Code function: 0_2_00007FF8BA605020, 0_2_00007FF8BA605020
Source: C:\Windows\System32\loaddll64.exe, Code function: 0_2_00007FF8BA5F7880, 0_2_00007FF8BA5F7880
Source: C:\Windows\System32\loaddll64.exe, Code function: 0_2_00007FF8BA63D520, 0_2_00007FF8BA63D520
Source: C:\Windows\System32\loaddll64.exe, Code function: 0_2_00007FF8BA62DDC0, 0_2_00007FF8BA62DDC0
Source: C:\Windows\System32\loaddll64.exe, Code function: 0_2_00007FF8BA637650, 0_2_00007FF8BA637650
Source: C:\Windows\System32\loaddll64.exe, Code function: 0_2_00007FF8BA604360, 0_2_00007FF8BA604360
Source: C:\Windows\System32\loaddll64.exe, Code function: 0_2_00007FF8BA5F3340, 0_2_00007FF8BA5F3340
Source: C:\Windows\System32\loaddll64.exe, Code function: 0_2_00007FF8BA5E8340, 0_2_00007FF8BA5E8340
Source: C:\Windows\System32\loaddll64.exe, Code function: 0_2_00007FF8BA635B50, 0_2_00007FF8BA635B50
Source: C:\Windows\System32\loaddll64.exe, Code function: 0_2_00007FF8BA5D5350, 0_2_00007FF8BA5D5350
Source: C:\Windows\System32\loaddll64.exe, Code function: 0_2_00007FF8BA5DBB20, 0_2_00007FF8BA5DBB20
Source: C:\Windows\System32\loaddll64.exe, Code function: 0_2_00007FF8BA601B30, 0_2_00007FF8BA601B30
Source: C:\Windows\System32\loaddll64.exe, Code function: 0_2_00007FF8BA600300, 0_2_00007FF8BA600300
Source: C:\Windows\System32\loaddll64.exe, Code function: 0_2_00007FF8BA5FA310, 0_2_00007FF8BA5FA310
Source: C:\Windows\System32\loaddll64.exe, Code function: 0_2_00007FF8BA5E23F0, 0_2_00007FF8BA5E23F0
Source: C:\Windows\System32\loaddll64.exe, Code function: 0_2_00007FF8BA624BC0, 0_2_00007FF8BA624BC0
Source: C:\Windows\System32\loaddll64.exe, Code function: 0_2_00007FF8BA634390, 0_2_00007FF8BA634390
Source: C:\Windows\System32\loaddll64.exe, Code function: 0_2_00007FF8BA5D5C20, 0_2_00007FF8BA5D5C20
Source: C:\Windows\System32\loaddll64.exe, Code function: 0_2_00007FF8BA5E5420, 0_2_00007FF8BA5E5420
Source: C:\Windows\System32\loaddll64.exe, Code function: 0_2_00007FF8BA639410, 0_2_00007FF8BA639410
Source: C:\Windows\System32\loaddll64.exe, Code function: 0_2_00007FF8BA5E7410, 0_2_00007FF8BA5E7410
Source: C:\Windows\System32\loaddll64.exe, Code function: 0_2_00007FF8BA63E400, 0_2_00007FF8BA63E400
Source: C:\Windows\System32\loaddll64.exe, Code function: 0_2_00007FF8BA603CF0, 0_2_00007FF8BA603CF0
Source: C:\Windows\System32\loaddll64.exe, Code function: 0_2_00007FF8BA5E3CD0, 0_2_00007FF8BA5E3CD0
Source: C:\Windows\System32\loaddll64.exe, Code function: 0_2_00007FF8BA605CD0, 0_2_00007FF8BA605CD0
Source: C:\Windows\System32\loaddll64.exe, Code function: 0_2_00007FF8BA63E4AD, 0_2_00007FF8BA63E4AD
Source: C:\Windows\System32\loaddll64.exe, Code function: 0_2_00007FF8BA63E4B6, 0_2_00007FF8BA63E4B6
Source: C:\Windows\System32\loaddll64.exe, Code function: 0_2_00007FF8BA63E49D, 0_2_00007FF8BA63E49D
Source: C:\Windows\System32\loaddll64.exe, Code function: 0_2_00007FF8BA632CA0, 0_2_00007FF8BA632CA0
Source: C:\Windows\System32\loaddll64.exe, Code function: 0_2_00007FF8BA63E4A6, 0_2_00007FF8BA63E4A6
Source: C:\Windows\System32\loaddll64.exe, Code function: 0_2_00007FF8BA63E48B, 0_2_00007FF8BA63E48B
Source: C:\Windows\System32\loaddll64.exe, Code function: 0_2_00007FF8BA5FAC80, 0_2_00007FF8BA5FAC80
Source: C:\Windows\System32\loaddll64.exe, Code function: 0_2_00007FF8BA63A490, 0_2_00007FF8BA63A490
Source: C:\Windows\System32\loaddll64.exe, Code function: 0_2_00007FF8BA63E494, 0_2_00007FF8BA63E494
Source: C:\Windows\System32\loaddll64.exe, Code function: 0_2_00007FF8BA63B960, 0_2_00007FF8BA63B960
Source: C:\Windows\System32\loaddll64.exe, Code function: 0_2_00007FF8BA5F4140, 0_2_00007FF8BA5F4140
Source: C:\Windows\System32\loaddll64.exe, Code function: 0_2_00007FF8BA636950, 0_2_00007FF8BA636950
Source: C:\Windows\System32\loaddll64.exe, Code function: 0_2_00007FF8BA606130, 0_2_00007FF8BA606130
Source: C:\Windows\System32\loaddll64.exe, Code function: 0_2_00007FF8BA5DB100, 0_2_00007FF8BA5DB100
Source: C:\Windows\System32\loaddll64.exe, Code function: 0_2_00007FF8BA5EE110, 0_2_00007FF8BA5EE110
Source: C:\Windows\System32\loaddll64.exe, Code function: 0_2_00007FF8BA5F3910, 0_2_00007FF8BA5F3910
Source: C:\Windows\System32\loaddll64.exe, Code function: 0_2_00007FF8BA6091F0, 0_2_00007FF8BA6091F0
Source: C:\Windows\System32\loaddll64.exe, Code function: 0_2_00007FF8BA6089F0, 0_2_00007FF8BA6089F0
Source: C:\Windows\System32\loaddll64.exe, Code function: 0_2_00007FF8BA5FF1F0, 0_2_00007FF8BA5FF1F0
Source: C:\Windows\System32\loaddll64.exe, Code function: 0_2_00007FF8BA5F69C0, 0_2_00007FF8BA5F69C0
Source: C:\Windows\System32\loaddll64.exe, Code function: 0_2_00007FF8BA6021D0, 0_2_00007FF8BA6021D0
Source: C:\Windows\System32\loaddll64.exe, Code function: 0_2_00007FF8BA5FE9A0, 0_2_00007FF8BA5FE9A0
Source: C:\Windows\System32\loaddll64.exe, Code function: 0_2_00007FF8BA5EE9B0, 0_2_00007FF8BA5EE9B0
Source: C:\Windows\System32\loaddll64.exe, Code function: 0_2_00007FF8BA5F11B0, 0_2_00007FF8BA5F11B0
Source: C:\Windows\System32\loaddll64.exe, Code function: 0_2_00007FF8BA5D2980, 0_2_00007FF8BA5D2980
Source: C:\Windows\System32\loaddll64.exe, Code function: 0_2_00007FF8BA609990, 0_2_00007FF8BA609990
Source: C:\Windows\System32\loaddll64.exe, Code function: 0_2_00007FF8BA63B260, 0_2_00007FF8BA63B260
Source: C:\Windows\System32\loaddll64.exe, Code function: 0_2_00007FF8BA5D7A40, 0_2_00007FF8BA5D7A40
Source: C:\Windows\System32\loaddll64.exe, Code function: 0_2_00007FF8BA60B250, 0_2_00007FF8BA60B250
Source: C:\Windows\System32\loaddll64.exe, Code function: 0_2_00007FF8BA5F82E0, 0_2_00007FF8BA5F82E0
Source: C:\Windows\System32\loaddll64.exe, Code function: 0_2_00007FF8BA637AF0, 0_2_00007FF8BA637AF0
Source: C:\Windows\System32\loaddll64.exe, Code function: 0_2_00007FF8BA60BAE0, 0_2_00007FF8BA60BAE0
Source: C:\Windows\System32\loaddll64.exe, Code function: 0_2_00007FF8BA632AE0, 0_2_00007FF8BA632AE0
Source: C:\Windows\System32\loaddll64.exe, Code function: 0_2_00007FF8BA5F92C0, 0_2_00007FF8BA5F92C0
Source: C:\Windows\System32\loaddll64.exe, Code function: 0_2_00007FF8BA62F2C0, 0_2_00007FF8BA62F2C0
Source: C:\Windows\System32\loaddll64.exe, Code function: 0_2_00007FF8BA5FDAA0, 0_2_00007FF8BA5FDAA0
Source: C:\Windows\System32\loaddll64.exe, Code function: 0_2_00007FF8BA6382A0, 0_2_00007FF8BA6382A0
Source: C:\Windows\System32\loaddll64.exe, Code function: 0_2_00007FF8BA63AAA0, 0_2_00007FF8BA63AAA0
Source: C:\Windows\System32\loaddll64.exe, Code function: 0_2_00007FF8BA630770, 0_2_00007FF8BA630770
Source: C:\Windows\System32\loaddll64.exe, Code function: 0_2_00007FF8BA5EE770, 0_2_00007FF8BA5EE770
Source: C:\Windows\System32\loaddll64.exe, Code function: 0_2_00007FF8BA635760, 0_2_00007FF8BA635760
Source: C:\Windows\System32\loaddll64.exe, Code function: 0_2_00007FF8BA5F2F50, 0_2_00007FF8BA5F2F50
Source: C:\Windows\System32\loaddll64.exe, Code function: 0_2_00007FF8BA630F30, 0_2_00007FF8BA630F30
Source: C:\Windows\System32\loaddll64.exe, Code function: 0_2_00007FF8BA5F872B, 0_2_00007FF8BA5F872B
Source: C:\Windows\System32\loaddll64.exe, Code function: 0_2_00007FF8BA5F6FE0, 0_2_00007FF8BA5F6FE0
Source: C:\Windows\System32\loaddll64.exe, Code function: 0_2_00007FF8BA644FF0, 0_2_00007FF8BA644FF0
Source: C:\Windows\System32\loaddll64.exe, Code function: 0_2_00007FF8BA5E8FC0, 0_2_00007FF8BA5E8FC0
Source: C:\Windows\System32\loaddll64.exe, Code function: 0_2_00007FF8BA5EA7D0, 0_2_00007FF8BA5EA7D0
Source: C:\Windows\System32\loaddll64.exe, Code function: 0_2_00007FF8BA5FE7B0, 0_2_00007FF8BA5FE7B0
                      Source: C:\Windows\System32\loaddll64.exeCode function: 0_2_00007FF8BA64B7A00_2_00007FF8BA64B7A0
                      Source: C:\Windows\System32\loaddll64.exeCode function: 0_2_00007FF8BA5D67900_2_00007FF8BA5D6790
                      Source: C:\Windows\System32\loaddll64.exeCode function: 0_2_00007FF8BA63C7800_2_00007FF8BA63C780
                      Source: C:\Windows\System32\loaddll64.exeCode function: 0_2_00007FF8BA64EF800_2_00007FF8BA64EF80
                      Source: C:\Windows\System32\loaddll64.exeCode function: 0_2_00007FF8BA60F8700_2_00007FF8BA60F870
                      Source: C:\Windows\System32\loaddll64.exeCode function: 0_2_00007FF8BA61F8700_2_00007FF8BA61F870
                      Source: C:\Windows\System32\loaddll64.exeCode function: 0_2_00007FF8BA5F50500_2_00007FF8BA5F5050
                      Source: C:\Windows\System32\loaddll64.exeCode function: 0_2_00007FF8BA6258400_2_00007FF8BA625840
                      Source: C:\Windows\System32\loaddll64.exeCode function: 0_2_00007FF8BA6000200_2_00007FF8BA600020
                      Source: C:\Windows\System32\loaddll64.exeCode function: 0_2_00007FF8BA5FC0300_2_00007FF8BA5FC030
                      Source: C:\Windows\System32\loaddll64.exeCode function: 0_2_00007FF8BA5F48000_2_00007FF8BA5F4800
                      Source: C:\Windows\System32\loaddll64.exeCode function: 0_2_00007FF8BA5D10100_2_00007FF8BA5D1010
                      Source: C:\Windows\System32\loaddll64.exeCode function: 0_2_00007FF8BA5D18D00_2_00007FF8BA5D18D0
                      Source: C:\Windows\System32\loaddll64.exeCode function: 0_2_00007FF8BA5E08B00_2_00007FF8BA5E08B0
                      Source: C:\Windows\System32\loaddll64.exeCode function: 0_2_00007FF8BA5ED8900_2_00007FF8BA5ED890
                      Source: C:\Windows\System32\loaddll64.exeCode function: 0_2_00007FF8BA5E9D700_2_00007FF8BA5E9D70
                      Source: C:\Users\user\AppData\Local\6f22a\FileHistory.exeCode function: 18_2_00007FF8CA9B5CD018_2_00007FF8CA9B5CD0
                      Source: C:\Users\user\AppData\Local\6f22a\FileHistory.exeCode function: 18_2_00007FF8CA9CA2C018_2_00007FF8CA9CA2C0
                      Source: C:\Users\user\AppData\Local\6f22a\FileHistory.exeCode function: 18_2_00007FF8CA9BAA7018_2_00007FF8CA9BAA70
                      Source: C:\Users\user\AppData\Local\6f22a\FileHistory.exeCode function: 18_2_00007FF8CA9CCA5018_2_00007FF8CA9CCA50
                      Source: C:\Users\user\AppData\Local\6f22a\FileHistory.exeCode function: 18_2_00007FF8CA9B502018_2_00007FF8CA9B5020
                      Source: C:\Users\user\AppData\Local\6f22a\FileHistory.exeCode function: 18_2_00007FF8CA9DDDC018_2_00007FF8CA9DDDC0
                      Source: C:\Users\user\AppData\Local\6f22a\FileHistory.exeCode function: 18_2_00007FF8CA9E439018_2_00007FF8CA9E4390
                      Source: C:\Users\user\AppData\Local\6f22a\FileHistory.exeCode function: 18_2_00007FF8CA9923F018_2_00007FF8CA9923F0
                      Source: C:\Users\user\AppData\Local\6f22a\FileHistory.exeCode function: 18_2_00007FF8CA9D4BC018_2_00007FF8CA9D4BC0
                      Source: C:\Users\user\AppData\Local\6f22a\FileHistory.exeCode function: 18_2_00007FF8CA98BB2018_2_00007FF8CA98BB20
                      Source: C:\Users\user\AppData\Local\6f22a\FileHistory.exeCode function: 18_2_00007FF8CA9B1B3018_2_00007FF8CA9B1B30
                      Source: C:\Users\user\AppData\Local\6f22a\FileHistory.exeCode function: 18_2_00007FF8CA9B030018_2_00007FF8CA9B0300
                      Source: C:\Users\user\AppData\Local\6f22a\FileHistory.exeCode function: 18_2_00007FF8CA9AA31018_2_00007FF8CA9AA310
                      Source: C:\Users\user\AppData\Local\6f22a\FileHistory.exeCode function: 18_2_00007FF8CA9B436018_2_00007FF8CA9B4360
                      Source: C:\Users\user\AppData\Local\6f22a\FileHistory.exeCode function: 18_2_00007FF8CA9A334018_2_00007FF8CA9A3340
                      Source: C:\Users\user\AppData\Local\6f22a\FileHistory.exeCode function: 18_2_00007FF8CA99834018_2_00007FF8CA998340
                      Source: C:\Users\user\AppData\Local\6f22a\FileHistory.exeCode function: 18_2_00007FF8CA9E5B5018_2_00007FF8CA9E5B50
                      Source: C:\Users\user\AppData\Local\6f22a\FileHistory.exeCode function: 18_2_00007FF8CA98535018_2_00007FF8CA985350
                      Source: C:\Users\user\AppData\Local\6f22a\FileHistory.exeCode function: 18_2_00007FF8CA9E2CA018_2_00007FF8CA9E2CA0
                      Source: C:\Users\user\AppData\Local\6f22a\FileHistory.exeCode function: 18_2_00007FF8CA9AAC8018_2_00007FF8CA9AAC80
                      Source: C:\Users\user\AppData\Local\6f22a\FileHistory.exeCode function: 18_2_00007FF8CA9B3CF018_2_00007FF8CA9B3CF0
                      Source: C:\Users\user\AppData\Local\6f22a\FileHistory.exeCode function: 18_2_00007FF8CA993CD018_2_00007FF8CA993CD0
                      Source: C:\Users\user\AppData\Local\6f22a\FileHistory.exeCode function: 18_2_00007FF8CA99542018_2_00007FF8CA995420
                      Source: C:\Users\user\AppData\Local\6f22a\FileHistory.exeCode function: 18_2_00007FF8CA985C2018_2_00007FF8CA985C20
                      Source: C:\Users\user\AppData\Local\6f22a\FileHistory.exeCode function: 18_2_00007FF8CA9EE40018_2_00007FF8CA9EE400
                      Source: C:\Users\user\AppData\Local\6f22a\FileHistory.exeCode function: 18_2_00007FF8CA99741018_2_00007FF8CA997410
                      Source: C:\Users\user\AppData\Local\6f22a\FileHistory.exeCode function: 18_2_00007FF8CA9E941018_2_00007FF8CA9E9410
                      Source: C:\Users\user\AppData\Local\6f22a\FileHistory.exeCode function: 18_2_00007FF8CA9AE9A018_2_00007FF8CA9AE9A0
                      Source: C:\Users\user\AppData\Local\6f22a\FileHistory.exeCode function: 18_2_00007FF8CA99E9B018_2_00007FF8CA99E9B0
                      Source: C:\Users\user\AppData\Local\6f22a\FileHistory.exeCode function: 18_2_00007FF8CA9A11B018_2_00007FF8CA9A11B0
                      Source: C:\Users\user\AppData\Local\6f22a\FileHistory.exeCode function: 18_2_00007FF8CA98298018_2_00007FF8CA982980
                      Source: C:\Users\user\AppData\Local\6f22a\FileHistory.exeCode function: 18_2_00007FF8CA9B999018_2_00007FF8CA9B9990
                      Source: C:\Users\user\AppData\Local\6f22a\FileHistory.exeCode function: 18_2_00007FF8CA9B59F018_2_00007FF8CA9B59F0
                      Source: C:\Users\user\AppData\Local\6f22a\FileHistory.exeCode function: 18_2_00007FF8CA9AF1F018_2_00007FF8CA9AF1F0
                      Source: C:\Users\user\AppData\Local\6f22a\FileHistory.exeCode function: 18_2_00007FF8CA9B91F018_2_00007FF8CA9B91F0
                      Source: C:\Users\user\AppData\Local\6f22a\FileHistory.exeCode function: 18_2_00007FF8CA9B89F018_2_00007FF8CA9B89F0
                      Source: C:\Users\user\AppData\Local\6f22a\FileHistory.exeCode function: 18_2_00007FF8CA9A69C018_2_00007FF8CA9A69C0
                      Source: C:\Users\user\AppData\Local\6f22a\FileHistory.exeCode function: 18_2_00007FF8CA9B21D018_2_00007FF8CA9B21D0
                      Source: C:\Users\user\AppData\Local\6f22a\FileHistory.exeCode function: 18_2_00007FF8CA9B613018_2_00007FF8CA9B6130
                      Source: C:\Users\user\AppData\Local\6f22a\FileHistory.exeCode function: 18_2_00007FF8CA98B10018_2_00007FF8CA98B100
                      Source: C:\Users\user\AppData\Local\6f22a\FileHistory.exeCode function: 18_2_00007FF8CA99E11018_2_00007FF8CA99E110
                      Source: C:\Users\user\AppData\Local\6f22a\FileHistory.exeCode function: 18_2_00007FF8CA9A391018_2_00007FF8CA9A3910
                      Source: C:\Users\user\AppData\Local\6f22a\FileHistory.exeCode function: 18_2_00007FF8CA9EB96018_2_00007FF8CA9EB960
                      Source: C:\Users\user\AppData\Local\6f22a\FileHistory.exeCode function: 18_2_00007FF8CA9A414018_2_00007FF8CA9A4140
                      Source: C:\Users\user\AppData\Local\6f22a\FileHistory.exeCode function: 18_2_00007FF8CA9D315018_2_00007FF8CA9D3150
                      Source: C:\Users\user\AppData\Local\6f22a\FileHistory.exeCode function: 18_2_00007FF8CA9E695018_2_00007FF8CA9E6950
                      Source: C:\Users\user\AppData\Local\6f22a\FileHistory.exeCode function: 18_2_00007FF8CA9ADAA018_2_00007FF8CA9ADAA0
                      Source: C:\Users\user\AppData\Local\6f22a\FileHistory.exeCode function: 18_2_00007FF8CA9E82A018_2_00007FF8CA9E82A0
                      Source: C:\Users\user\AppData\Local\6f22a\FileHistory.exeCode function: 18_2_00007FF8CA9EAAA018_2_00007FF8CA9EAAA0
                      Source: C:\Users\user\AppData\Local\6f22a\FileHistory.exeCode function: 18_2_00007FF8CA9A82E018_2_00007FF8CA9A82E0
                      Source: C:\Users\user\AppData\Local\6f22a\FileHistory.exeCode function: 18_2_00007FF8CA9BBAE018_2_00007FF8CA9BBAE0
                      Source: C:\Users\user\AppData\Local\6f22a\FileHistory.exeCode function: 18_2_00007FF8CA9E2AE018_2_00007FF8CA9E2AE0
                      Source: C:\Users\user\AppData\Local\6f22a\FileHistory.exeCode function: 18_2_00007FF8CA9A92C018_2_00007FF8CA9A92C0
                      Source: C:\Users\user\AppData\Local\6f22a\FileHistory.exeCode function: 18_2_00007FF8CA9DF2C018_2_00007FF8CA9DF2C0
                      Source: C:\Users\user\AppData\Local\6f22a\FileHistory.exeCode function: 18_2_00007FF8CA9EB26018_2_00007FF8CA9EB260
                      Source: C:\Users\user\AppData\Local\6f22a\FileHistory.exeCode function: 18_2_00007FF8CA987A4018_2_00007FF8CA987A40
                      Source: C:\Users\user\AppData\Local\6f22a\FileHistory.exeCode function: 18_2_00007FF8CA9BB25018_2_00007FF8CA9BB250
                      Source: C:\Users\user\AppData\Local\6f22a\FileHistory.exeCode function: 18_2_00007FF8CA9FB7A018_2_00007FF8CA9FB7A0
                      Source: C:\Users\user\AppData\Local\6f22a\FileHistory.exeCode function: 18_2_00007FF8CA9AE7B018_2_00007FF8CA9AE7B0
                      Source: C:\Users\user\AppData\Local\6f22a\FileHistory.exeCode function: 18_2_00007FF8CA9FEF8018_2_00007FF8CA9FEF80
                      Source: C:\Users\user\AppData\Local\6f22a\FileHistory.exeCode function: 18_2_00007FF8CA98679018_2_00007FF8CA986790
                      Source: C:\Users\user\AppData\Local\6f22a\FileHistory.exeCode function: 18_2_00007FF8CA9A6FE018_2_00007FF8CA9A6FE0
                      Source: C:\Users\user\AppData\Local\6f22a\FileHistory.exeCode function: 18_2_00007FF8CA9F4FF018_2_00007FF8CA9F4FF0
                      Source: C:\Users\user\AppData\Local\6f22a\FileHistory.exeCode function: 18_2_00007FF8CA998FC018_2_00007FF8CA998FC0
                      Source: C:\Users\user\AppData\Local\6f22a\FileHistory.exeCode function: 18_2_00007FF8CA99A7D018_2_00007FF8CA99A7D0
                      Source: C:\Users\user\AppData\Local\6f22a\FileHistory.exeCode function: 18_2_00007FF8CA9C97D018_2_00007FF8CA9C97D0
                      Source: C:\Users\user\AppData\Local\6f22a\FileHistory.exeCode function: 18_2_00007FF8CA9E0F3018_2_00007FF8CA9E0F30
                      Source: C:\Users\user\AppData\Local\6f22a\FileHistory.exeCode function: 18_2_00007FF8CA9A872B18_2_00007FF8CA9A872B
                      Source: C:\Users\user\AppData\Local\6f22a\FileHistory.exeCode function: 18_2_00007FF8CA9E576018_2_00007FF8CA9E5760
                      Source: C:\Users\user\AppData\Local\6f22a\FileHistory.exeCode function: 18_2_00007FF8CA99E77018_2_00007FF8CA99E770
                      Source: C:\Users\user\AppData\Local\6f22a\FileHistory.exeCode function: 18_2_00007FF8CA9E077018_2_00007FF8CA9E0770
                      Source: C:\Users\user\AppData\Local\6f22a\FileHistory.exeCode function: 18_2_00007FF8CA9A2F5018_2_00007FF8CA9A2F50
                      Source: C:\Users\user\AppData\Local\6f22a\FileHistory.exeCode function: 18_2_00007FF8CA9908B018_2_00007FF8CA9908B0
                      Source: C:\Users\user\AppData\Local\6f22a\FileHistory.exeCode function: 18_2_00007FF8CA9A788018_2_00007FF8CA9A7880
                      Source: C:\Users\user\AppData\Local\6f22a\FileHistory.exeCode function: 18_2_00007FF8CA99D89018_2_00007FF8CA99D890
                      Source: C:\Users\user\AppData\Local\6f22a\FileHistory.exeCode function: 18_2_00007FF8CA9818D018_2_00007FF8CA9818D0
                      Source: C:\Users\user\AppData\Local\6f22a\FileHistory.exeCode function: 18_2_00007FF8CA9B002018_2_00007FF8CA9B0020
                      Source: C:\Users\user\AppData\Local\6f22a\FileHistory.exeCode function: 18_2_00007FF8CA9AC03018_2_00007FF8CA9AC030
                      Source: C:\Users\user\AppData\Local\6f22a\FileHistory.exeCode function: 18_2_00007FF8CA9A480018_2_00007FF8CA9A4800
                      Source: C:\Users\user\AppData\Local\6f22a\FileHistory.exeCode function: 18_2_00007FF8CA98101018_2_00007FF8CA981010
                      Source: C:\Users\user\AppData\Local\6f22a\FileHistory.exeCode function: 18_2_00007FF8CA9BF87018_2_00007FF8CA9BF870
                      Source: C:\Users\user\AppData\Local\6f22a\FileHistory.exeCode function: 18_2_00007FF8CA9D584018_2_00007FF8CA9D5840
                      Source: C:\Users\user\AppData\Local\6f22a\FileHistory.exeCode function: 18_2_00007FF8CA9A505018_2_00007FF8CA9A5050
                      Source: C:\Users\user\AppData\Local\6f22a\FileHistory.exeCode function: 18_2_00007FF8CA98C5A018_2_00007FF8CA98C5A0
                      Source: C:\Users\user\AppData\Local\6f22a\FileHistory.exeCode function: 18_2_00007FF8CA9965E018_2_00007FF8CA9965E0
                      Source: C:\Users\user\AppData\Local\6f22a\FileHistory.exeCode function: 18_2_00007FF8CA9995C018_2_00007FF8CA9995C0
                      Source: C:\Users\user\AppData\Local\6f22a\FileHistory.exeCode function: 18_2_00007FF8CA9B25C018_2_00007FF8CA9B25C0
                      Source: C:\Users\user\AppData\Local\6f22a\FileHistory.exeCode function: 18_2_00007FF8CA9ED52018_2_00007FF8CA9ED520
                      Source: C:\Users\user\AppData\Local\6f22a\FileHistory.exeCode function: 18_2_00007FF8CA9B1D3018_2_00007FF8CA9B1D30
                      Source: C:\Users\user\AppData\Local\6f22a\FileHistory.exeCode function: 18_2_00007FF8CA9B0D1018_2_00007FF8CA9B0D10
                      Source: C:\Users\user\AppData\Local\6f22a\FileHistory.exeCode function: 18_2_00007FF8CA999D7018_2_00007FF8CA999D70
                      Source: C:\Users\user\AppData\Local\6f22a\FileHistory.exeCode function: 18_2_00007FF8CA9A3D5018_2_00007FF8CA9A3D50
                      Source: C:\Users\user\AppData\Local\6f22a\FileHistory.exeCode function: 18_2_00007FF8CA9AD55018_2_00007FF8CA9AD550
                      Source: C:\Users\user\AppData\Local\6f22a\FileHistory.exeCode function: 18_2_00007FF8CA9B06A018_2_00007FF8CA9B06A0
                      Source: C:\Users\user\AppData\Local\6f22a\FileHistory.exeCode function: 18_2_00007FF8CA9AF6B018_2_00007FF8CA9AF6B0
                      Source: C:\Users\user\AppData\Local\6f22a\FileHistory.exeCode function: 18_2_00007FF8CA987E8018_2_00007FF8CA987E80
                      Source: C:\Users\user\AppData\Local\6f22a\FileHistory.exeCode function: 18_2_00007FF8CA986E9018_2_00007FF8CA986E90
                      Source: C:\Users\user\AppData\Local\6f22a\FileHistory.exeCode function: 18_2_00007FF8CA9E7EC018_2_00007FF8CA9E7EC0
                      Source: C:\Users\user\AppData\Local\6f22a\FileHistory.exeCode function: 18_2_00007FF8CA98DE2018_2_00007FF8CA98DE20
                      Source: C:\Users\user\AppData\Local\6f22a\FileHistory.exeCode function: 18_2_00007FF8CA98162018_2_00007FF8CA981620
                      Source: C:\Users\user\AppData\Local\6f22a\FileHistory.exeCode function: 18_2_00007FF8CA9A361018_2_00007FF8CA9A3610
                      Source: C:\Users\user\AppData\Local\6f22a\FileHistory.exeCode function: 18_2_00007FF8CA9B2E1018_2_00007FF8CA9B2E10
                      Source: C:\Users\user\AppData\Local\6f22a\FileHistory.exeCode function: 18_2_00007FF8CA99867018_2_00007FF8CA998670
                      Source: C:\Users\user\AppData\Local\6f22a\FileHistory.exeCode function: 18_2_00007FF8CA9D065018_2_00007FF8CA9D0650
                      Source: C:\Users\user\AppData\Local\6f22a\FileHistory.exeCode function: 18_2_00007FF8CA9E765018_2_00007FF8CA9E7650
                      Source: C:\Users\user\AppData\Local\Kyz7D\rdpinput.exeCode function: 20_2_00007FF7BADA3BE020_2_00007FF7BADA3BE0
                      Source: C:\Users\user\AppData\Local\Kyz7D\rdpinput.exeCode function: 20_2_00007FF7BADA257820_2_00007FF7BADA2578
                      Source: C:\Users\user\AppData\Local\Kyz7D\rdpinput.exeCode function: 20_2_00007FF7BADAFD4820_2_00007FF7BADAFD48
                      Source: C:\Users\user\AppData\Local\bTcR2e\SndVol.exeCode function: 22_2_00007FF6C1BB831022_2_00007FF6C1BB8310
                      Source: C:\Users\user\AppData\Local\bTcR2e\SndVol.exeCode function: 22_2_00007FF6C1BC4F1022_2_00007FF6C1BC4F10
                      Source: C:\Users\user\AppData\Local\bTcR2e\SndVol.exeCode function: 22_2_00007FF6C1BC371822_2_00007FF6C1BC3718
                      Source: C:\Users\user\AppData\Local\bTcR2e\SndVol.exeCode function: 22_2_00007FF6C1BB621822_2_00007FF6C1BB6218
                      Source: C:\Users\user\AppData\Local\bTcR2e\SndVol.exeCode function: 22_2_00007FF6C1BBA5C822_2_00007FF6C1BBA5C8
                      Source: C:\Users\user\AppData\Local\bTcR2e\SndVol.exeCode function: 22_2_00007FF6C1BBA1A022_2_00007FF6C1BBA1A0
                      Source: C:\Users\user\AppData\Local\bTcR2e\SndVol.exeCode function: 22_2_00007FF6C1BB351422_2_00007FF6C1BB3514
                      Source: C:\Users\user\AppData\Local\bTcR2e\SndVol.exeCode function: 22_2_00007FF6C1BCC4D022_2_00007FF6C1BCC4D0
                      Source: C:\Users\user\AppData\Local\bTcR2e\SndVol.exeCode function: 22_2_00007FF6C1BB44E822_2_00007FF6C1BB44E8
                      Source: C:\Users\user\AppData\Local\bTcR2e\SndVol.exeCode function: 22_2_00007FF6C1BB308022_2_00007FF6C1BB3080
                      Source: C:\Users\user\AppData\Local\bTcR2e\SndVol.exeCode function: 22_2_00007FF6C1BCB08822_2_00007FF6C1BCB088
                      Source: C:\Users\user\AppData\Local\bTcR2e\SndVol.exeCode function: 22_2_00007FF6C1BC0CA822_2_00007FF6C1BC0CA8
                      Source: C:\Users\user\AppData\Local\bTcR2e\SndVol.exeCode function: 22_2_00007FF6C1BC2BD822_2_00007FF6C1BC2BD8
                      Source: C:\Users\user\AppData\Local\bTcR2e\SndVol.exeCode function: 22_2_00007FF6C1BC03A022_2_00007FF6C1BC03A0
                      Source: C:\Users\user\AppData\Local\LoReH\SnippingTool.exeCode function: 25_2_00007FF70C3F997825_2_00007FF70C3F9978
                      Source: C:\Users\user\AppData\Local\LoReH\SnippingTool.exeCode function: 25_2_00007FF70C3F8D5025_2_00007FF70C3F8D50
                      Source: C:\Users\user\AppData\Local\LoReH\SnippingTool.exeCode function: 25_2_00007FF70C3F29F425_2_00007FF70C3F29F4
                      Source: C:\Users\user\AppData\Local\LoReH\SnippingTool.exeCode function: 25_2_00007FF70C3F160025_2_00007FF70C3F1600
                      Source: C:\Users\user\AppData\Local\LoReH\SnippingTool.exeCode function: 25_2_00007FF70C40459825_2_00007FF70C404598
                      Source: C:\Users\user\AppData\Local\LoReH\SnippingTool.exeCode function: 25_2_00007FF70C4039A825_2_00007FF70C4039A8
                      Source: C:\Users\user\AppData\Local\LoReH\SnippingTool.exeCode function: 25_2_00007FF70C408A6425_2_00007FF70C408A64
                      Source: C:\Users\user\AppData\Local\LoReH\SnippingTool.exeCode function: 25_2_00007FF70C3FAE8025_2_00007FF70C3FAE80
                      Source: C:\Users\user\AppData\Local\LoReH\SnippingTool.exeCode function: 25_2_00007FF70C3F5EBC25_2_00007FF70C3F5EBC
                      Source: C:\Users\user\AppData\Local\LoReH\SnippingTool.exeCode function: 25_2_00007FF70C3F1F6025_2_00007FF70C3F1F60
                      Source: C:\Users\user\AppData\Local\LoReH\SnippingTool.exeCode function: 25_2_00007FF70C3F933825_2_00007FF70C3F9338
                      Source: C:\Users\user\AppData\Local\LoReH\SnippingTool.exeCode function: 25_2_00007FF70C40EF3825_2_00007FF70C40EF38
                      Source: C:\Users\user\AppData\Local\LoReH\SnippingTool.exeCode function: 25_2_00007FF70C40900825_2_00007FF70C409008
                      Source: C:\Users\user\AppData\Local\LoReH\SnippingTool.exeCode function: 25_2_00007FF70C405FF825_2_00007FF70C405FF8
                      Source: C:\Users\user\AppData\Local\LoReH\SnippingTool.exeCode function: 25_2_00007FF70C3FEB9825_2_00007FF70C3FEB98
                      Source: C:\Users\user\AppData\Local\LoReH\SnippingTool.exeCode function: 25_2_00007FF70C40F3CC25_2_00007FF70C40F3CC
                      Source: C:\Users\user\AppData\Local\LoReH\SnippingTool.exeCode function: 25_2_00007FF70C40C47025_2_00007FF70C40C470
                      Source: C:\Users\user\AppData\Local\LoReH\SnippingTool.exeCode function: 25_2_00007FF70C41EC8025_2_00007FF70C41EC80
                      Source: C:\Users\user\AppData\Local\LoReH\SnippingTool.exeCode function: 25_2_00007FF70C3F250C25_2_00007FF70C3F250C
                      Source: C:\Users\user\AppData\Local\LoReH\SnippingTool.exeCode function: 25_2_00007FF70C3F58C025_2_00007FF70C3F58C0
                      Source: C:\Users\user\AppData\Local\2Yf2pw501\slui.exeCode function: 28_2_00007FF6A3F231D028_2_00007FF6A3F231D0
                      Source: C:\Users\user\AppData\Local\2Yf2pw501\slui.exeCode function: 28_2_00007FF6A3F21A8028_2_00007FF6A3F21A80
                      Source: C:\Users\user\AppData\Local\2Yf2pw501\slui.exeCode function: 28_2_00007FF6A3F242A028_2_00007FF6A3F242A0
                      Source: C:\Users\user\AppData\Local\2Yf2pw501\slui.exeCode function: 28_2_00007FF6A3F246C028_2_00007FF6A3F246C0
                      Source: C:\Users\user\AppData\Local\2Yf2pw501\slui.exeCode function: 28_2_00007FF6A3F256F428_2_00007FF6A3F256F4
                      Source: C:\Users\user\AppData\Local\2Yf2pw501\slui.exeCode function: 28_2_00007FF6A3F262F428_2_00007FF6A3F262F4
                      Source: C:\Users\user\AppData\Local\2Yf2pw501\slui.exeCode function: 28_2_00007FF6A3F4212828_2_00007FF6A3F42128
                      Source: C:\Users\user\AppData\Local\LoReH\SnippingTool.exeCode function: String function: 00007FF70C411454 appears 227 times
                      Source: C:\Windows\System32\loaddll64.exeCode function: 0_2_00007FF8BA617770 NtClose,0_2_00007FF8BA617770
                      Source: C:\Windows\System32\loaddll64.exeCode function: 0_2_00007FF8BA63D520 NtQuerySystemInformation,RtlAllocateHeap,0_2_00007FF8BA63D520
                      Source: C:\Users\user\AppData\Local\6f22a\FileHistory.exeCode function: 18_2_00007FF8CA9B5CD0 RtlAddVectoredContinueHandler,VirtualProtect,VirtualProtect,RtlCreateUserThread,NtClose,18_2_00007FF8CA9B5CD0
                      Source: C:\Users\user\AppData\Local\6f22a\FileHistory.exeCode function: 18_2_00007FF8CA9C7770 NtClose,18_2_00007FF8CA9C7770
                      Source: DmNotificationBroker.exe.4.drStatic PE information: Resource name: RT_VERSION type: COM executable for DOS
                      Source: FileHistory.exe.4.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                      Source: FileHistory.exe.4.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                      Source: FileHistory.exe.4.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                      Source: FileHistory.exe.4.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                      Source: FileHistory.exe.4.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                      Source: FileHistory.exe.4.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                      Source: consent.exe.4.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                      Source: consent.exe.4.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                      Source: consent.exe.4.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                      Source: consent.exe.4.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                      Source: consent.exe.4.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                      Source: consent.exe.4.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                      Source: SndVol.exe.4.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                      Source: SndVol.exe.4.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                      Source: SndVol.exe.4.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                      Source: SndVol.exe.4.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                      Source: SndVol.exe.4.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                      Source: SndVol.exe.4.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                      Source: SndVol.exe.4.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                      Source: SndVol.exe.4.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                      Source: SndVol.exe.4.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                      Source: SnippingTool.exe.4.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                      Source: SnippingTool.exe.4.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                      Source: SnippingTool.exe.4.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                      Source: SnippingTool.exe.4.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                      Source: slui.exe.4.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                      Source: slui.exe.4.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                      Source: slui.exe.4.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                      Source: slui.exe.4.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                      Source: slui.exe.4.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                      Source: slui.exe.4.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                      Source: slui.exe.4.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                      Source: slui.exe.4.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                      Source: slui.exe.4.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                      Source: C:\Windows\System32\loaddll64.exeSection loaded: kernel34.dllJump to behavior
                      Source: C:\Windows\explorer.exeSection loaded: kernel34.dllJump to behavior
                      Source: C:\Windows\explorer.exeSection loaded: windows.globalization.dllJump to behavior
                      Source: C:\Windows\explorer.exeSection loaded: kernel34.dllJump to behavior
                      Source: C:\Windows\explorer.exeSection loaded: kernel34.dllJump to behavior
                      Source: C:\Users\user\AppData\Local\6f22a\FileHistory.exeSection loaded: kernel34.dllJump to behavior
                      Source: C:\Users\user\AppData\Local\Kyz7D\rdpinput.exeSection loaded: kernel34.dllJump to behavior
                      Source: C:\Users\user\AppData\Local\bTcR2e\SndVol.exeSection loaded: kernel34.dllJump to behavior
                      Source: C:\Users\user\AppData\Local\LoReH\SnippingTool.exeSection loaded: kernel34.dll
                      Source: C:\Users\user\AppData\Local\2Yf2pw501\slui.exeSection loaded: kernel34.dll
                      Source: C:\Users\user\AppData\Local\Fjrn\rdpinput.exeSection loaded: kernel34.dll
                      Source: C:\Users\user\AppData\Local\2HophZ6P\printfilterpipelinesvc.exeSection loaded: kernel34.dll
                      Source: C:\Users\user\AppData\Local\D6R1uM\Utilman.exeSection loaded: kernel34.dll
                      Source: C:\Users\user\AppData\Local\op5PCy\phoneactivate.exeSection loaded: kernel34.dll
                      Source: C:\Users\user\AppData\Local\CSYG\DmNotificationBroker.exeSection loaded: kernel34.dll
                      Source: C:\Users\user\AppData\Local\oOQGGow\ProximityUxHost.exeSection loaded: kernel34.dll
                      Source: dwmapi.dll.4.dr | Static PE information: Number of sections : 61 > 10
                      Source: DUser.dll.4.dr | Static PE information: Number of sections : 61 > 10
                      Source: WTSAPI32.dll.4.dr | Static PE information: Number of sections : 61 > 10
                      Source: DUI70.dll0.4.dr | Static PE information: Number of sections : 61 > 10
                      Source: UxTheme.dll0.4.dr | Static PE information: Number of sections : 61 > 10
                      Source: WMsgAPI.dll.4.dr | Static PE information: Number of sections : 61 > 10
                      Source: XmlLite.dll.4.dr | Static PE information: Number of sections : 61 > 10
                      Source: OLEACC.dll.4.dr | Static PE information: Number of sections : 61 > 10
                      Source: WTSAPI32.dll0.4.dr | Static PE information: Number of sections : 61 > 10
                      Source: DUI70.dll.4.dr | Static PE information: Number of sections : 61 > 10
                      Source: DUI70.dll1.4.dr | Static PE information: Number of sections : 61 > 10
                      Source: GpUSRuIBHx.dll | Static PE information: Number of sections : 60 > 10
                      Source: WINSTA.dll.4.dr | Static PE information: Number of sections : 61 > 10
                      Source: OLEACC.dll0.4.dr | Static PE information: Number of sections : 61 > 10
                      Source: XmlLite.dll0.4.dr | Static PE information: Number of sections : 61 > 10
                      Source: UxTheme.dll.4.dr | Static PE information: Number of sections : 61 > 10
                      Source: GpUSRuIBHx.dll | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                      Source: XmlLite.dll.4.dr | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                      Source: UxTheme.dll.4.dr | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                      Source: WMsgAPI.dll.4.dr | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                      Source: WTSAPI32.dll.4.dr | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                      Source: OLEACC.dll.4.dr | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                      Source: dwmapi.dll.4.dr | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                      Source: OLEACC.dll0.4.dr | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                      Source: WTSAPI32.dll0.4.dr | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                      Source: WINSTA.dll.4.dr | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                      Source: XmlLite.dll0.4.dr | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                      Source: DUser.dll.4.dr | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                      Source: DUI70.dll.4.dr | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                      Source: DUI70.dll0.4.dr | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                      Source: DUI70.dll1.4.dr | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                      Source: UxTheme.dll0.4.dr | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                      Source: GpUSRuIBHx.dll | Virustotal: Detection: 70%
                      Source: GpUSRuIBHx.dll | Metadefender: Detection: 62%
                      Source: GpUSRuIBHx.dll | ReversingLabs: Detection: 88%
                      Source: C:\Windows\System32\loaddll64.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                      Source: unknown | Process created: C:\Windows\System32\loaddll64.exe loaddll64.exe "C:\Users\user\Desktop\GpUSRuIBHx.dll"
                      Source: C:\Windows\System32\loaddll64.exe | Process created: C:\Windows\System32\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\GpUSRuIBHx.dll",#1
                      Source: C:\Windows\System32\loaddll64.exe | Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\GpUSRuIBHx.dll,??0VolumeFveStatus@@IEAA@XZ
                      Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\GpUSRuIBHx.dll",#1
                      Source: C:\Windows\System32\loaddll64.exe | Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\GpUSRuIBHx.dll,??0VolumeFveStatus@@QEAA@K_KJW4_FVE_WIPING_STATE@@@Z
                      Source: C:\Windows\System32\loaddll64.exe | Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\GpUSRuIBHx.dll,??4BuiVolume@@QEAAAEAV0@AEBV0@@Z
                      Source: C:\Windows\explorer.exe | Process created: C:\Windows\System32\BackgroundTransferHost.exe "BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.1
                      Source: C:\Windows\explorer.exe | Process created: C:\Windows\System32\FileHistory.exe C:\Windows\system32\FileHistory.exe
                      Source: C:\Windows\explorer.exe | Process created: C:\Users\user\AppData\Local\6f22a\FileHistory.exe C:\Users\user\AppData\Local\6f22a\FileHistory.exe
                      Source: C:\Windows\explorer.exe | Process created: C:\Windows\System32\rdpinput.exe C:\Windows\system32\rdpinput.exe
                      Source: C:\Windows\explorer.exe | Process created: C:\Users\user\AppData\Local\Kyz7D\rdpinput.exe C:\Users\user\AppData\Local\Kyz7D\rdpinput.exe
                      Source: C:\Windows\explorer.exe | Process created: C:\Windows\System32\SndVol.exe C:\Windows\system32\SndVol.exe
                      Source: C:\Windows\explorer.exe | Process created: C:\Users\user\AppData\Local\bTcR2e\SndVol.exe C:\Users\user\AppData\Local\bTcR2e\SndVol.exe
                      Source: C:\Windows\explorer.exe | Process created: C:\Windows\System32\SnippingTool.exe C:\Windows\system32\SnippingTool.exe
                      Source: C:\Windows\explorer.exe | Process created: C:\Users\user\AppData\Local\LoReH\SnippingTool.exe C:\Users\user\AppData\Local\LoReH\SnippingTool.exe
                      Source: C:\Windows\explorer.exe | Process created: C:\Windows\System32\slui.exe C:\Windows\system32\slui.exe
                      Source: C:\Windows\explorer.exe | Process created: C:\Users\user\AppData\Local\2Yf2pw501\slui.exe C:\Users\user\AppData\Local\2Yf2pw501\slui.exe
                      Source: C:\Windows\explorer.exe | Process created: C:\Windows\System32\rdpinput.exe C:\Windows\system32\rdpinput.exe
                      Source: C:\Windows\explorer.exe | Process created: C:\Users\user\AppData\Local\Fjrn\rdpinput.exe C:\Users\user\AppData\Local\Fjrn\rdpinput.exe
                      Source: C:\Windows\explorer.exe | Process created: C:\Windows\System32\printfilterpipelinesvc.exe C:\Windows\system32\printfilterpipelinesvc.exe
                      Source: C:\Windows\explorer.exe | Process created: C:\Users\user\AppData\Local\2HophZ6P\printfilterpipelinesvc.exe C:\Users\user\AppData\Local\2HophZ6P\printfilterpipelinesvc.exe
                      Source: C:\Windows\explorer.exe | Process created: C:\Windows\System32\Utilman.exe C:\Windows\system32\Utilman.exe
                      Source: C:\Windows\explorer.exe | Process created: C:\Users\user\AppData\Local\D6R1uM\Utilman.exe C:\Users\user\AppData\Local\D6R1uM\Utilman.exe
                      Source: C:\Windows\explorer.exe | Process created: C:\Windows\System32\phoneactivate.exe C:\Windows\system32\phoneactivate.exe
                      Source: C:\Windows\explorer.exe | Process created: C:\Users\user\AppData\Local\op5PCy\phoneactivate.exe C:\Users\user\AppData\Local\op5PCy\phoneactivate.exe
                      Source: C:\Windows\explorer.exe | Process created: C:\Windows\System32\DmNotificationBroker.exe C:\Windows\system32\DmNotificationBroker.exe
                      Source: C:\Windows\explorer.exe | Process created: C:\Users\user\AppData\Local\CSYG\DmNotificationBroker.exe C:\Users\user\AppData\Local\CSYG\DmNotificationBroker.exe
                      Source: C:\Windows\explorer.exe | Process created: C:\Windows\System32\ProximityUxHost.exe C:\Windows\system32\ProximityUxHost.exe
                      Source: C:\Windows\explorer.exe | Process created: C:\Users\user\AppData\Local\oOQGGow\ProximityUxHost.exe C:\Users\user\AppData\Local\oOQGGow\ProximityUxHost.exe
                      Source: C:\Windows\explorer.exe | Process created: C:\Windows\System32\omadmclient.exe C:\Windows\system32\omadmclient.exe
                      Source: C:\Windows\explorer.exe | Process created: unknown unknown
                      Source: C:\Windows\explorer.exe | Process created: unknown unknown
                      Source: C:\Windows\explorer.exe | Process created: unknown unknown
                      Source: C:\Windows\explorer.exe | Process created: unknown unknown
                      Source: C:\Windows\explorer.exe | Process created: unknown unknown
                      Source: C:\Windows\explorer.exe | Process created: unknown unknown
                      Source: C:\Windows\explorer.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32
                      Source: C:\Windows\explorer.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-3853321935-2125563209-4053062332-1002\eb42b1a5c308fc11edf1ddbdd25c8486_d06ed635-68f6-4e9a-955c-4899f5f57b9a
                      Source: classification engine | Classification label: mal100.troj.evad.winDLL@64/31@1/0
                      Source: C:\Users\user\AppData\Local\bTcR2e\SndVol.exe | Code function: 22_2_00007FF6C1BB9E34 CoCreateInstance,CoAllowSetForegroundWindow,22_2_00007FF6C1BB9E34
                      Source: C:\Users\user\AppData\Local\6f22a\FileHistory.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dll
                      Source: C:\Users\user\AppData\Local\Kyz7D\rdpinput.exe | Code function: 20_2_00007FF7BADA4B74 OpenSCManagerW,OpenServiceW,StartServiceW,GetLastError,CloseServiceHandle,CloseServiceHandle,Sleep,20_2_00007FF7BADA4B74
                      Source: C:\Users\user\AppData\Local\oOQGGow\ProximityUxHost.exe | Mutant created: \Sessions\1\BaseNamedObjects\{b9037130-7713-b8d0-facf-7e79439c554a}
                      Source: C:\Users\user\AppData\Local\oOQGGow\ProximityUxHost.exe | Mutant created: \Sessions\1\BaseNamedObjects\{3981d798-39a4-108d-0c6e-24ba6fae0222}
                      Source: C:\Users\user\AppData\Local\bTcR2e\SndVol.exe | Code function: 22_2_00007FF6C1BB8E7C LoadResource,LockResource,SizeofResource,22_2_00007FF6C1BB8E7C
                      Source: GpUSRuIBHx.dll | Static PE information: Image base 0x140000000 > 0x60000000
                      Source: GpUSRuIBHx.dll | Static file information: File size 1368064 > 1048576
                      Source: GpUSRuIBHx.dll | Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA
                      Source: Binary string: slui.pdb source