
Windows Analysis Report
GpUSRuIBHx

Overview

General Information

Sample Name: GpUSRuIBHx (renamed file extension from none to dll)
Analysis ID: 595305
MD5: 288c35481252c1212cbb764c490c2ad8
SHA1: 9c48ba2239b5ae5675d0eb6b92cf0a37884403fd
SHA256: cb793c295b0bcd3baec5546b7176cdfdf10b0a9291d958c72eb85551825d22d6
Tags: Dridex, exe

Detection

Dridex
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Yara detected Dridex unpacked file
Multi AV Scanner detection for submitted file
Benign windows process drops PE files
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Changes memory attributes in foreign processes to executable or writable
Machine Learning detection for sample
Queues an APC in another process (thread injection)
Sigma detected: Suspicious Call by Ordinal
Machine Learning detection for dropped file
Contains functionality to automate explorer (e.g. start an application)
Uses Atom Bombing / ProGate to inject into other processes
Queries the volume information (name, serial number etc) of a device
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query locales information (e.g. system language)
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
PE file contains sections with non-standard names
Queries the installation date of Windows
Detected potential crypto function
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to call native functions
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Found dropped PE file which has not been started or loaded
Contains functionality which may be used to detect a debugger (GetProcessHeap)
PE file contains executable resources (Code or Archives)
Extensive use of GetProcAddress (often used to hide API calls)
PE file contains strange resources
Drops PE files
Tries to load missing DLLs
Found evasive API chain checking for process token information
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Binary contains a suspicious time stamp
PE file contains more sections than normal
Found large amount of non-executed APIs
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality for read data from the clipboard

Classification

  • System is w10x64
  • loaddll64.exe (PID: 852 cmdline: loaddll64.exe "C:\Users\user\Desktop\GpUSRuIBHx.dll" MD5: 4E8A40CAD6CCC047914E3A7830A2D8AA)
    • cmd.exe (PID: 6932 cmdline: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\GpUSRuIBHx.dll",#1 MD5: 4E2ACF4F8A396486AB4268C94A6A245F)
      • rundll32.exe (PID: 7012 cmdline: rundll32.exe "C:\Users\user\Desktop\GpUSRuIBHx.dll",#1 MD5: 73C519F050C20580F8A62C849D49215A)
    • rundll32.exe (PID: 7036 cmdline: rundll32.exe C:\Users\user\Desktop\GpUSRuIBHx.dll,??0VolumeFveStatus@@IEAA@XZ MD5: 73C519F050C20580F8A62C849D49215A)
      • explorer.exe (PID: 3808 cmdline: C:\Windows\Explorer.EXE MD5: AD5296B280E8F522A8A897C96BAB0E1D)
        • BackgroundTransferHost.exe (PID: 5856 cmdline: "BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.1 MD5: 02BA81746B929ECC9DB6665589B68335)
        • FileHistory.exe (PID: 5804 cmdline: C:\Windows\system32\FileHistory.exe MD5: 989B5BDB2BEAC9F894BBC236F1B67967)
        • FileHistory.exe (PID: 6388 cmdline: C:\Users\user\AppData\Local\6f22a\FileHistory.exe MD5: 989B5BDB2BEAC9F894BBC236F1B67967)
        • rdpinput.exe (PID: 6940 cmdline: C:\Windows\system32\rdpinput.exe MD5: 4403785D297C55D5DF26176B4F1A52C8)
        • rdpinput.exe (PID: 6992 cmdline: C:\Users\user\AppData\Local\Kyz7D\rdpinput.exe MD5: 4403785D297C55D5DF26176B4F1A52C8)
        • SndVol.exe (PID: 6428 cmdline: C:\Windows\system32\SndVol.exe MD5: CDD7C7DF2D0859AC3F4088423D11BD08)
        • SndVol.exe (PID: 6436 cmdline: C:\Users\user\AppData\Local\bTcR2e\SndVol.exe MD5: CDD7C7DF2D0859AC3F4088423D11BD08)
        • SnippingTool.exe (PID: 7052 cmdline: C:\Windows\system32\SnippingTool.exe MD5: 9012F9C6AC7F3F99ECDD37E24C9AC3BB)
        • SnippingTool.exe (PID: 5480 cmdline: C:\Users\user\AppData\Local\LoReH\SnippingTool.exe MD5: 9012F9C6AC7F3F99ECDD37E24C9AC3BB)
        • slui.exe (PID: 5012 cmdline: C:\Windows\system32\slui.exe MD5: 96A8EF9387619D17BB30B024DDF52BF3)
        • slui.exe (PID: 3852 cmdline: C:\Users\user\AppData\Local\2Yf2pw501\slui.exe MD5: 96A8EF9387619D17BB30B024DDF52BF3)
        • rdpinput.exe (PID: 4236 cmdline: C:\Windows\system32\rdpinput.exe MD5: 4403785D297C55D5DF26176B4F1A52C8)
        • rdpinput.exe (PID: 780 cmdline: C:\Users\user\AppData\Local\Fjrn\rdpinput.exe MD5: 4403785D297C55D5DF26176B4F1A52C8)
        • printfilterpipelinesvc.exe (PID: 5112 cmdline: C:\Windows\system32\printfilterpipelinesvc.exe MD5: 4164BD4D8E23C672E40D203E4B4A38A7)
        • printfilterpipelinesvc.exe (PID: 4752 cmdline: C:\Users\user\AppData\Local\2HophZ6P\printfilterpipelinesvc.exe MD5: 4164BD4D8E23C672E40D203E4B4A38A7)
        • Utilman.exe (PID: 1508 cmdline: C:\Windows\system32\Utilman.exe MD5: C91CCEF3884CFDE746B4BAEF5F1BC75C)
        • Utilman.exe (PID: 1332 cmdline: C:\Users\user\AppData\Local\D6R1uM\Utilman.exe MD5: C91CCEF3884CFDE746B4BAEF5F1BC75C)
        • phoneactivate.exe (PID: 2912 cmdline: C:\Windows\system32\phoneactivate.exe MD5: 09D1974A03068D4311F1CE94B765E817)
        • phoneactivate.exe (PID: 5856 cmdline: C:\Users\user\AppData\Local\op5PCy\phoneactivate.exe MD5: 09D1974A03068D4311F1CE94B765E817)
        • DmNotificationBroker.exe (PID: 6180 cmdline: C:\Windows\system32\DmNotificationBroker.exe MD5: 1643D5735213BC89C0012F0E48253765)
        • DmNotificationBroker.exe (PID: 6460 cmdline: C:\Users\user\AppData\Local\CSYG\DmNotificationBroker.exe MD5: 1643D5735213BC89C0012F0E48253765)
        • ProximityUxHost.exe (PID: 6936 cmdline: C:\Windows\system32\ProximityUxHost.exe MD5: E7F0E9B3779E54CD271959C600A2A531)
        • ProximityUxHost.exe (PID: 6560 cmdline: C:\Users\user\AppData\Local\oOQGGow\ProximityUxHost.exe MD5: E7F0E9B3779E54CD271959C600A2A531)
        • omadmclient.exe (PID: 244 cmdline: C:\Windows\system32\omadmclient.exe MD5: AD7C6CD7A8EEC95808AA77C5D7987941)
    • rundll32.exe (PID: 6764 cmdline: rundll32.exe C:\Users\user\Desktop\GpUSRuIBHx.dll,??0VolumeFveStatus@@QEAA@K_KJW4_FVE_WIPING_STATE@@@Z MD5: 73C519F050C20580F8A62C849D49215A)
    • rundll32.exe (PID: 5872 cmdline: rundll32.exe C:\Users\user\Desktop\GpUSRuIBHx.dll,??4BuiVolume@@QEAAAEAV0@AEBV0@@Z MD5: 73C519F050C20580F8A62C849D49215A)
  • cleanup
No configs have been found
Memory dumps (5 of 16 entries shown; the remaining 11 are in the full report):
Source | Rule | Description | Author
00000028.00000002.836674261.00007FF8CA681000.00000020.00000001.01000000.00000020.sdmp | JoeSecurity_Dridex_2 | Yara detected Dridex unpacked file | Joe Security
00000026.00000002.791054747.00007FF8CA681000.00000020.00000001.01000000.0000001E.sdmp | JoeSecurity_Dridex_2 | Yara detected Dridex unpacked file | Joe Security
00000016.00000002.541815176.00007FF8CA981000.00000020.00000001.01000000.0000000E.sdmp | JoeSecurity_Dridex_2 | Yara detected Dridex unpacked file | Joe Security
0000001C.00000002.616859661.00007FF8CA981000.00000020.00000001.01000000.00000013.sdmp | JoeSecurity_Dridex_2 | Yara detected Dridex unpacked file | Joe Security
00000003.00000002.352441583.00007FF8BA5D1000.00000020.00000001.01000000.00000003.sdmp | JoeSecurity_Dridex_2 | Yara detected Dridex unpacked file | Joe Security
Unpacked PE files (5 of 16 entries shown; the remaining 11 are in the full report):
Source | Rule | Description | Author
22.2.SndVol.exe.7ff8ca980000.3.unpack | JoeSecurity_Dridex_2 | Yara detected Dridex unpacked file | Joe Security
3.2.rundll32.exe.7ff8ba5d0000.2.unpack | JoeSecurity_Dridex_2 | Yara detected Dridex unpacked file | Joe Security
28.2.slui.exe.7ff8ca980000.3.unpack | JoeSecurity_Dridex_2 | Yara detected Dridex unpacked file | Joe Security
25.2.SnippingTool.exe.7ff8ca980000.3.unpack | JoeSecurity_Dridex_2 | Yara detected Dridex unpacked file | Joe Security
18.2.FileHistory.exe.7ff8ca980000.3.unpack | JoeSecurity_Dridex_2 | Yara detected Dridex unpacked file | Joe Security

                      System Summary

Sigma rule (Suspicious Call by Ordinal) | Source: Process started | Author: Florian Roth | Data: Command: rundll32.exe "C:\Users\user\Desktop\GpUSRuIBHx.dll",#1, CommandLine: rundll32.exe "C:\Users\user\Desktop\GpUSRuIBHx.dll",#1, CommandLine|base64offset|contains: , Image: C:\Windows\System32\rundll32.exe, NewProcessName: C:\Windows\System32\rundll32.exe, OriginalFileName: C:\Windows\System32\rundll32.exe, ParentCommandLine: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\GpUSRuIBHx.dll",#1, ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 6932, ProcessCommandLine: rundll32.exe "C:\Users\user\Desktop\GpUSRuIBHx.dll",#1, ProcessId: 7012
Sigma rule | Source: File created | Author: frack113 | Data: EventID: 11, Image: C:\Windows\explorer.exe, ProcessId: 3808, TargetFilename: C:\Users\user\AppData\Local\6f22a\FileHistory.exe
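The two Sigma hits above, read together with the process tree, describe the whole execution chain: rundll32 is told to call the DLL's export by ordinal (",#1"), and explorer.exe then copies genuine System32 binaries (FileHistory.exe, slui.exe, SndVol.exe, ...) into %LOCALAPPDATA%\<random>\ and places a DLL next to each one whose name shadows a real system DLL (UxTheme.dll, WTSAPI32.dll, dwmapi.dll, ...), so the signed host loads the payload by normal DLL search order. The script below is an added example of how to hunt for that pattern in Sysmon-style telemetry; it is not Joe Sandbox output and not part of the sample. The event records are constructed from the report's process tree, the EventID 11 hit and the dropped-file paths in the AV section; the field layout (Image, CommandLine, MD5, TargetFilename) and the KNOWN_SYSTEM_DLLS seed list are assumptions.

```python
"""Hunt for rundll32 ordinal calls and DLL side-loading via copied System32
hosts in %LOCALAPPDATA%\\<random>\\, as seen in the report above.

Added example, not Joe Sandbox output. Field names follow Sysmon
(Image, CommandLine, MD5, TargetFilename); sample events are constructed
from the report's process tree and dropped-file paths."""

import re
from pathlib import PureWindowsPath

# Directories where Windows' own binaries legitimately live (case-insensitive prefixes).
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\")

# Assumed allowlist seed: the system DLL names the report's dropped files impersonate.
# In a real hunt, enumerate C:\Windows\System32\*.dll on a clean build instead.
KNOWN_SYSTEM_DLLS = {
    "wtsapi32.dll", "dwmapi.dll", "dui70.dll", "wmsgapi.dll", "uxtheme.dll",
    "xmllite.dll", "duser.dll", "winsta.dll", "oleacc.dll",
}

# Same condition the "Suspicious Call by Ordinal" Sigma hit keys on:
# an export referenced as ",#N" instead of by name.
ORDINAL_RE = re.compile(r",\s*#\d+")

# Constructed process-creation events (Image, CommandLine, MD5), taken from the tree above.
PROCESS_EVENTS = [
    (r"C:\Windows\System32\rundll32.exe",
     r'rundll32.exe "C:\Users\user\Desktop\GpUSRuIBHx.dll",#1',
     "73C519F050C20580F8A62C849D49215A"),
    (r"C:\Windows\System32\rundll32.exe",
     r"rundll32.exe C:\Users\user\Desktop\GpUSRuIBHx.dll,??0VolumeFveStatus@@IEAA@XZ",
     "73C519F050C20580F8A62C849D49215A"),
    (r"C:\Windows\system32\FileHistory.exe", r"C:\Windows\system32\FileHistory.exe",
     "989B5BDB2BEAC9F894BBC236F1B67967"),
    (r"C:\Users\user\AppData\Local\6f22a\FileHistory.exe",
     r"C:\Users\user\AppData\Local\6f22a\FileHistory.exe",
     "989B5BDB2BEAC9F894BBC236F1B67967"),
    (r"C:\Windows\system32\slui.exe", r"C:\Windows\system32\slui.exe",
     "96A8EF9387619D17BB30B024DDF52BF3"),
    (r"C:\Users\user\AppData\Local\2Yf2pw501\slui.exe",
     r"C:\Users\user\AppData\Local\2Yf2pw501\slui.exe",
     "96A8EF9387619D17BB30B024DDF52BF3"),
]

# Constructed file-creation events (creating Image, TargetFilename): the EventID 11
# Sigma hit plus dropped-file paths from the AV section.
FILE_EVENTS = [
    (r"C:\Windows\explorer.exe", r"C:\Users\user\AppData\Local\6f22a\FileHistory.exe"),
    (r"C:\Windows\explorer.exe", r"C:\Users\user\AppData\Local\6f22a\UxTheme.dll"),
    (r"C:\Windows\explorer.exe", r"C:\Users\user\AppData\Local\2Yf2pw501\slui.exe"),
    (r"C:\Windows\explorer.exe", r"C:\Users\user\AppData\Local\2Yf2pw501\WTSAPI32.dll"),
]


def _in_system_dir(path: str) -> bool:
    lowered = path.lower()
    return any(lowered.startswith(prefix) for prefix in SYSTEM_DIRS)


def is_ordinal_call(image: str, cmdline: str) -> bool:
    """True when rundll32 is asked for an export by ordinal (",#1") rather than by name."""
    return PureWindowsPath(image).name.lower() == "rundll32.exe" and bool(ORDINAL_RE.search(cmdline))


def sideload_hosts(process_events):
    """Images that ran from outside the Windows directory but carry the same name
    and hash as a System32 binary seen running: a copied, still-signed host."""
    originals = {}
    for image, _cmd, md5 in process_events:
        if _in_system_dir(image):
            originals[PureWindowsPath(image).name.lower()] = md5.lower()
    hosts = []
    for image, _cmd, md5 in process_events:
        if _in_system_dir(image):
            continue
        if originals.get(PureWindowsPath(image).name.lower()) == md5.lower():
            hosts.append(image)
    return hosts


def planted_dlls(file_events, hosts):
    """DLLs dropped into a host's directory whose name shadows a system DLL."""
    host_by_dir = {str(PureWindowsPath(h).parent).lower(): h for h in hosts}
    findings = []
    for creator, target in file_events:
        path = PureWindowsPath(target)
        host = host_by_dir.get(str(path.parent).lower())
        if host and path.suffix.lower() == ".dll" and path.name.lower() in KNOWN_SYSTEM_DLLS:
            findings.append({"host": host, "dll": target, "dropped_by": creator})
    return findings


def hunt(process_events, file_events):
    """Run all three checks and return the findings as one dict."""
    ordinal_calls = [cmd for image, cmd, _md5 in process_events if is_ordinal_call(image, cmd)]
    hosts = sideload_hosts(process_events)
    return {
        "ordinal_calls": ordinal_calls,
        "sideload_hosts": hosts,
        "planted_dlls": planted_dlls(file_events, hosts),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(hunt(PROCESS_EVENTS, FILE_EVENTS), indent=2))
```

The hash comparison is what separates a side-load host from a merely renamed binary: the AppData copies in the tree carry the same MD5 as their System32 originals, so the host is an unmodified Microsoft binary and only the sibling DLL is the payload. Alerting on the DLL name alone is weak (every name here is a legitimate system DLL); the signal is the pairing of a copied host in a user-writable directory with a same-named DLL dropped beside it.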

                      AV Detection

Source: GpUSRuIBHx.dll | Virustotal: Detection: 70%
Source: GpUSRuIBHx.dll | Metadefender: Detection: 62%
Source: GpUSRuIBHx.dll | ReversingLabs: Detection: 88%
Source: GpUSRuIBHx.dll | Avira: detected
Source: C:\Users\user\AppData\Local\2Yf2pw501\WTSAPI32.dll | Avira: detection malicious, Label: TR/Crypt.ZPACK.Gen
Source: C:\Users\user\AppData\Local\bTcR2e\dwmapi.dll | Avira: detection malicious, Label: TR/Crypt.XPACK.Gen7
Source: C:\Users\user\AppData\Local\CSYG\DUI70.dll | Avira: detection malicious, Label: TR/Crypt.XPACK.Gen4
Source: C:\Users\user\AppData\Local\rDAhA\WMsgAPI.dll | Avira: detection malicious, Label: TR/Crypt.XPACK.Gen7
Source: C:\Users\user\AppData\Local\6f22a\UxTheme.dll | Avira: detection malicious, Label: TR/Crypt.ZPACK.Gen
Source: C:\Users\user\AppData\Local\2HophZ6P\XmlLite.dll | Avira: detection malicious, Label: TR/Crypt.XPACK.Gen7
Source: C:\Users\user\AppData\Local\D6R1uM\DUser.dll | Avira: detection malicious, Label: TR/Crypt.XPACK.Gen7
Source: C:\Users\user\AppData\Local\Fjrn\WINSTA.dll | Avira: detection malicious, Label: TR/Crypt.ZPACK.Gen
Source: C:\Users\user\AppData\Local\LoReH\OLEACC.dll | Avira: detection malicious, Label: TR/Crypt.ZPACK.Gen
Source: GpUSRuIBHx.dll | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\2Yf2pw501\WTSAPI32.dll | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\bTcR2e\dwmapi.dll | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\CSYG\DUI70.dll | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\rDAhA\WMsgAPI.dll | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\6f22a\UxTheme.dll | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\2HophZ6P\XmlLite.dll | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\D6R1uM\DUser.dll | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Fjrn\WINSTA.dll | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\LoReH\OLEACC.dll | Joe Sandbox ML: detected
Source: GpUSRuIBHx.dll | Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA
                      Source: Binary string: slui.pdb source: slui.exe, 0000001C.00000000.587339760.00007FF6A3F4C000.00000002.00000001.01000000.00000012.sdmp, slui.exe, 0000001C.00000002.616193744.00007FF6A3F4C000.00000002.00000001.01000000.00000012.sdmp
                      Source: Binary string: DmNotificationBroker.pdb source: DmNotificationBroker.exe, 00000026.00000000.760434884.00007FF7BFEF5000.00000002.00000001.01000000.0000001D.sdmp, DmNotificationBroker.exe, 00000026.00000002.790979828.00007FF7BFEF5000.00000002.00000001.01000000.0000001D.sdmp
                      Source: Binary string: rdpinput.pdbGCTL source: rdpinput.exe, 00000014.00000000.489595034.00007FF7BADC3000.00000002.00000001.01000000.0000000B.sdmp, rdpinput.exe, 00000014.00000002.512462840.00007FF7BADC3000.00000002.00000001.01000000.0000000B.sdmp, rdpinput.exe, 0000001E.00000000.622861932.00007FF64DBA3000.00000002.00000001.01000000.00000014.sdmp, rdpinput.exe, 0000001E.00000002.646379506.00007FF64DBA3000.00000002.00000001.01000000.00000014.sdmp
                      Source: Binary string: SndVol.pdbGCTL source: SndVol.exe, 00000016.00000000.518686092.00007FF6C1BD2000.00000002.00000001.01000000.0000000D.sdmp, SndVol.exe, 00000016.00000002.541746435.00007FF6C1BD2000.00000002.00000001.01000000.0000000D.sdmp
                      Source: Binary string: Utilman.pdb source: Utilman.exe, 00000022.00000000.683097194.00007FF7C58C0000.00000002.00000001.01000000.00000018.sdmp, Utilman.exe, 00000022.00000002.705894496.00007FF7C58C0000.00000002.00000001.01000000.00000018.sdmp
                      Source: Binary string: ProximityUxHost.pdbGCTL source: ProximityUxHost.exe, 00000028.00000002.836601819.00007FF777332000.00000002.00000001.01000000.0000001F.sdmp, ProximityUxHost.exe, 00000028.00000000.805041652.00007FF777332000.00000002.00000001.01000000.0000001F.sdmp
                      Source: Binary string: PrintFilterPipelineSvc.pdbGCTL source: printfilterpipelinesvc.exe, 00000020.00000000.654903742.00007FF6B41A7000.00000002.00000001.01000000.00000016.sdmp, printfilterpipelinesvc.exe, 00000020.00000002.677939240.00007FF6B41A7000.00000002.00000001.01000000.00000016.sdmp
                      Source: Binary string: DmNotificationBroker.pdbGCTL source: DmNotificationBroker.exe, 00000026.00000000.760434884.00007FF7BFEF5000.00000002.00000001.01000000.0000001D.sdmp, DmNotificationBroker.exe, 00000026.00000002.790979828.00007FF7BFEF5000.00000002.00000001.01000000.0000001D.sdmp
                      Source: Binary string: phoneactivate.pdb source: phoneactivate.exe, 00000024.00000000.718318485.00007FF7F2EC0000.00000002.00000001.01000000.0000001A.sdmp, phoneactivate.exe, 00000024.00000002.746413133.00007FF7F2EC0000.00000002.00000001.01000000.0000001A.sdmp
                      Source: Binary string: SnippingTool.pdb source: SnippingTool.exe, 00000019.00000002.579595026.00007FF70C420000.00000002.00000001.01000000.0000000F.sdmp, SnippingTool.exe, 00000019.00000000.550318199.00007FF70C420000.00000002.00000001.01000000.0000000F.sdmp
                      Source: Binary string: SnippingTool.pdbGCTL source: SnippingTool.exe, 00000019.00000002.579595026.00007FF70C420000.00000002.00000001.01000000.0000000F.sdmp, SnippingTool.exe, 00000019.00000000.550318199.00007FF70C420000.00000002.00000001.01000000.0000000F.sdmp
                      Source: Binary string: PrintFilterPipelineSvc.pdb source: printfilterpipelinesvc.exe, 00000020.00000000.654903742.00007FF6B41A7000.00000002.00000001.01000000.00000016.sdmp, printfilterpipelinesvc.exe, 00000020.00000002.677939240.00007FF6B41A7000.00000002.00000001.01000000.00000016.sdmp
                      Source: Binary string: FileHistory.pdbGCTL source: FileHistory.exe, 00000012.00000000.478980793.00007FF6D0A39000.00000002.00000001.01000000.00000007.sdmp, FileHistory.exe, 00000012.00000002.484212875.00007FF6D0A39000.00000002.00000001.01000000.00000007.sdmp
                      Source: Binary string: rdpinput.pdb source: rdpinput.exe, 00000014.00000000.489595034.00007FF7BADC3000.00000002.00000001.01000000.0000000B.sdmp, rdpinput.exe, 00000014.00000002.512462840.00007FF7BADC3000.00000002.00000001.01000000.0000000B.sdmp, rdpinput.exe, 0000001E.00000000.622861932.00007FF64DBA3000.00000002.00000001.01000000.00000014.sdmp, rdpinput.exe, 0000001E.00000002.646379506.00007FF64DBA3000.00000002.00000001.01000000.00000014.sdmp
                      Source: Binary string: Utilman.pdbGCTL source: Utilman.exe, 00000022.00000000.683097194.00007FF7C58C0000.00000002.00000001.01000000.00000018.sdmp, Utilman.exe, 00000022.00000002.705894496.00007FF7C58C0000.00000002.00000001.01000000.00000018.sdmp
                      Source: Binary string: phoneactivate.pdbGCTL source: phoneactivate.exe, 00000024.00000000.718318485.00007FF7F2EC0000.00000002.00000001.01000000.0000001A.sdmp, phoneactivate.exe, 00000024.00000002.746413133.00007FF7F2EC0000.00000002.00000001.01000000.0000001A.sdmp
                      Source: Binary string: slui.pdbUGP source: slui.exe, 0000001C.00000000.587339760.00007FF6A3F4C000.00000002.00000001.01000000.00000012.sdmp, slui.exe, 0000001C.00000002.616193744.00007FF6A3F4C000.00000002.00000001.01000000.00000012.sdmp
                      Source: Binary string: SndVol.pdb source: SndVol.exe, 00000016.00000000.518686092.00007FF6C1BD2000.00000002.00000001.01000000.0000000D.sdmp, SndVol.exe, 00000016.00000002.541746435.00007FF6C1BD2000.00000002.00000001.01000000.0000000D.sdmp
                      Source: Binary string: ProximityUxHost.pdb source: ProximityUxHost.exe, 00000028.00000002.836601819.00007FF777332000.00000002.00000001.01000000.0000001F.sdmp, ProximityUxHost.exe, 00000028.00000000.805041652.00007FF777332000.00000002.00000001.01000000.0000001F.sdmp
                      Source: Binary string: FileHistory.pdb source: FileHistory.exe, 00000012.00000000.478980793.00007FF6D0A39000.00000002.00000001.01000000.00000007.sdmp, FileHistory.exe, 00000012.00000002.484212875.00007FF6D0A39000.00000002.00000001.01000000.00000007.sdmp
Source: C:\Windows\System32\loaddll64.exe | Code function: 0_2_00007FF8BA62ED10 FindFirstFileExW
Source: explorer.exe, 00000004.00000000.411736058.00000000026D0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.390915909.00000000026D0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.355411214.00000000026D0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.439321830.00000000026D0000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://ns.adobY
Source: unknown | DNS traffic detected: queries for: canonicalizer.ucsuri.tcs
Source: C:\Users\user\AppData\Local\LoReH\SnippingTool.exe | Code function: 25_2_00007FF70C3F37A8 OpenClipboard,GetLastError

                      E-Banking Fraud

Source: Yara match | File source: 22.2.SndVol.exe.7ff8ca980000.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.rundll32.exe.7ff8ba5d0000.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 28.2.slui.exe.7ff8ca980000.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 25.2.SnippingTool.exe.7ff8ca980000.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 18.2.FileHistory.exe.7ff8ca980000.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.loaddll64.exe.7ff8ba5d0000.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 34.2.Utilman.exe.7ff8bb380000.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.rundll32.exe.7ff8ba5d0000.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.2.rundll32.exe.7ff8ba5d0000.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 30.2.rdpinput.exe.7ff8ca980000.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 38.2.DmNotificationBroker.exe.7ff8ca680000.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 20.2.rdpinput.exe.7ff8ca980000.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.rundll32.exe.7ff8ba5d0000.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 32.2.printfilterpipelinesvc.exe.7ff8bb380000.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 40.2.ProximityUxHost.exe.7ff8ca680000.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 36.2.phoneactivate.exe.7ff8ca680000.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000028.00000002.836674261.00007FF8CA681000.00000020.00000001.01000000.00000020.sdmp, type: MEMORY
Source: Yara match | File source: 00000026.00000002.791054747.00007FF8CA681000.00000020.00000001.01000000.0000001E.sdmp, type: MEMORY
Source: Yara match | File source: 00000016.00000002.541815176.00007FF8CA981000.00000020.00000001.01000000.0000000E.sdmp, type: MEMORY
Source: Yara match | File source: 0000001C.00000002.616859661.00007FF8CA981000.00000020.00000001.01000000.00000013.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.352441583.00007FF8BA5D1000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000024.00000002.746490737.00007FF8CA681000.00000020.00000001.01000000.0000001B.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.372939527.00007FF8BA5D1000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000019.00000002.581334481.00007FF8CA981000.00000020.00000001.01000000.00000010.sdmp, type: MEMORY
Source: Yara match | File source: 00000020.00000002.678112483.00007FF8BB381000.00000020.00000001.01000000.00000017.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.366331885.00007FF8BA5D1000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000012.00000002.484522001.00007FF8CA981000.00000020.00000001.01000000.00000008.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.470593131.00007FF8BA5D1000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000014.00000002.512496248.00007FF8CA981000.00000020.00000001.01000000.0000000C.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.358622486.00007FF8BA5D1000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000022.00000002.705952583.00007FF8BB381000.00000020.00000001.01000000.00000019.sdmp, type: MEMORY
Source: Yara match | File source: 0000001E.00000002.646421042.00007FF8CA981000.00000020.00000001.01000000.00000015.sdmp, type: MEMORY
Source: C:\Windows\System32\loaddll64.exe | Code functions (96 listed):
0_2_00007FF8BA623150, 0_2_00007FF8BA6059F0, 0_2_00007FF8BA60AA70, 0_2_00007FF8BA61CA50
0_2_00007FF8BA61A2C0, 0_2_00007FF8BA6197D0, 0_2_00007FF8BA605020, 0_2_00007FF8BA5F7880
0_2_00007FF8BA63D520, 0_2_00007FF8BA62DDC0, 0_2_00007FF8BA637650, 0_2_00007FF8BA604360
0_2_00007FF8BA5F3340, 0_2_00007FF8BA5E8340, 0_2_00007FF8BA635B50, 0_2_00007FF8BA5D5350
0_2_00007FF8BA5DBB20, 0_2_00007FF8BA601B30, 0_2_00007FF8BA600300, 0_2_00007FF8BA5FA310
0_2_00007FF8BA5E23F0, 0_2_00007FF8BA624BC0, 0_2_00007FF8BA634390, 0_2_00007FF8BA5D5C20
0_2_00007FF8BA5E5420, 0_2_00007FF8BA639410, 0_2_00007FF8BA5E7410, 0_2_00007FF8BA63E400
0_2_00007FF8BA603CF0, 0_2_00007FF8BA5E3CD0, 0_2_00007FF8BA605CD0, 0_2_00007FF8BA63E4AD
0_2_00007FF8BA63E4B6, 0_2_00007FF8BA63E49D, 0_2_00007FF8BA632CA0, 0_2_00007FF8BA63E4A6
0_2_00007FF8BA63E48B, 0_2_00007FF8BA5FAC80, 0_2_00007FF8BA63A490, 0_2_00007FF8BA63E494
0_2_00007FF8BA63B960, 0_2_00007FF8BA5F4140, 0_2_00007FF8BA636950, 0_2_00007FF8BA606130
0_2_00007FF8BA5DB100, 0_2_00007FF8BA5EE110, 0_2_00007FF8BA5F3910, 0_2_00007FF8BA6091F0
0_2_00007FF8BA6089F0, 0_2_00007FF8BA5FF1F0, 0_2_00007FF8BA5F69C0, 0_2_00007FF8BA6021D0
0_2_00007FF8BA5FE9A0, 0_2_00007FF8BA5EE9B0, 0_2_00007FF8BA5F11B0, 0_2_00007FF8BA5D2980
0_2_00007FF8BA609990, 0_2_00007FF8BA63B260, 0_2_00007FF8BA5D7A40, 0_2_00007FF8BA60B250
0_2_00007FF8BA5F82E0, 0_2_00007FF8BA637AF0, 0_2_00007FF8BA60BAE0, 0_2_00007FF8BA632AE0
0_2_00007FF8BA5F92C0, 0_2_00007FF8BA62F2C0, 0_2_00007FF8BA5FDAA0, 0_2_00007FF8BA6382A0
0_2_00007FF8BA63AAA0, 0_2_00007FF8BA630770, 0_2_00007FF8BA5EE770, 0_2_00007FF8BA635760
0_2_00007FF8BA5F2F50, 0_2_00007FF8BA630F30, 0_2_00007FF8BA5F872B, 0_2_00007FF8BA5F6FE0
0_2_00007FF8BA644FF0, 0_2_00007FF8BA5E8FC0, 0_2_00007FF8BA5EA7D0, 0_2_00007FF8BA5FE7B0
0_2_00007FF8BA64B7A0, 0_2_00007FF8BA5D6790, 0_2_00007FF8BA63C780, 0_2_00007FF8BA64EF80
0_2_00007FF8BA60F870, 0_2_00007FF8BA61F870, 0_2_00007FF8BA5F5050, 0_2_00007FF8BA625840
0_2_00007FF8BA600020, 0_2_00007FF8BA5FC030, 0_2_00007FF8BA5F4800, 0_2_00007FF8BA5D1010
0_2_00007FF8BA5D18D0, 0_2_00007FF8BA5E08B0, 0_2_00007FF8BA5ED890, 0_2_00007FF8BA5E9D70
                      Source: C:\Users\user\AppData\Local\6f22a\FileHistory.exe | Code function: 18_2_00007FF8CA9B5CD0
                      Source: C:\Users\user\AppData\Local\6f22a\FileHistory.exe | Code function: 18_2_00007FF8CA9CA2C0
                      Source: C:\Users\user\AppData\Local\6f22a\FileHistory.exe | Code function: 18_2_00007FF8CA9BAA70
                      Source: C:\Users\user\AppData\Local\6f22a\FileHistory.exe | Code function: 18_2_00007FF8CA9CCA50
                      Source: C:\Users\user\AppData\Local\6f22a\FileHistory.exe | Code function: 18_2_00007FF8CA9B5020
                      Source: C:\Users\user\AppData\Local\6f22a\FileHistory.exe | Code function: 18_2_00007FF8CA9DDDC0
                      Source: C:\Users\user\AppData\Local\6f22a\FileHistory.exe | Code function: 18_2_00007FF8CA9E4390
                      Source: C:\Users\user\AppData\Local\6f22a\FileHistory.exe | Code function: 18_2_00007FF8CA9923F0
                      Source: C:\Users\user\AppData\Local\6f22a\FileHistory.exe | Code function: 18_2_00007FF8CA9D4BC0
                      Source: C:\Users\user\AppData\Local\6f22a\FileHistory.exe | Code function: 18_2_00007FF8CA98BB20
                      Source: C:\Users\user\AppData\Local\6f22a\FileHistory.exe | Code function: 18_2_00007FF8CA9B1B30
                      Source: C:\Users\user\AppData\Local\6f22a\FileHistory.exe | Code function: 18_2_00007FF8CA9B0300
                      Source: C:\Users\user\AppData\Local\6f22a\FileHistory.exe | Code function: 18_2_00007FF8CA9AA310
                      Source: C:\Users\user\AppData\Local\6f22a\FileHistory.exe | Code function: 18_2_00007FF8CA9B4360
                      Source: C:\Users\user\AppData\Local\6f22a\FileHistory.exe | Code function: 18_2_00007FF8CA9A3340
                      Source: C:\Users\user\AppData\Local\6f22a\FileHistory.exe | Code function: 18_2_00007FF8CA998340
                      Source: C:\Users\user\AppData\Local\6f22a\FileHistory.exe | Code function: 18_2_00007FF8CA9E5B50
                      Source: C:\Users\user\AppData\Local\6f22a\FileHistory.exe | Code function: 18_2_00007FF8CA985350
                      Source: C:\Users\user\AppData\Local\6f22a\FileHistory.exe | Code function: 18_2_00007FF8CA9E2CA0
                      Source: C:\Users\user\AppData\Local\6f22a\FileHistory.exe | Code function: 18_2_00007FF8CA9AAC80
                      Source: C:\Users\user\AppData\Local\6f22a\FileHistory.exe | Code function: 18_2_00007FF8CA9B3CF0
                      Source: C:\Users\user\AppData\Local\6f22a\FileHistory.exe | Code function: 18_2_00007FF8CA993CD0
                      Source: C:\Users\user\AppData\Local\6f22a\FileHistory.exe | Code function: 18_2_00007FF8CA995420
                      Source: C:\Users\user\AppData\Local\6f22a\FileHistory.exe | Code function: 18_2_00007FF8CA985C20
                      Source: C:\Users\user\AppData\Local\6f22a\FileHistory.exe | Code function: 18_2_00007FF8CA9EE400
                      Source: C:\Users\user\AppData\Local\6f22a\FileHistory.exe | Code function: 18_2_00007FF8CA997410
                      Source: C:\Users\user\AppData\Local\6f22a\FileHistory.exe | Code function: 18_2_00007FF8CA9E9410
                      Source: C:\Users\user\AppData\Local\6f22a\FileHistory.exe | Code function: 18_2_00007FF8CA9AE9A0
                      Source: C:\Users\user\AppData\Local\6f22a\FileHistory.exe | Code function: 18_2_00007FF8CA99E9B0
                      Source: C:\Users\user\AppData\Local\6f22a\FileHistory.exe | Code function: 18_2_00007FF8CA9A11B0
                      Source: C:\Users\user\AppData\Local\6f22a\FileHistory.exe | Code function: 18_2_00007FF8CA982980
                      Source: C:\Users\user\AppData\Local\6f22a\FileHistory.exe | Code function: 18_2_00007FF8CA9B9990
                      Source: C:\Users\user\AppData\Local\6f22a\FileHistory.exe | Code function: 18_2_00007FF8CA9B59F0
                      Source: C:\Users\user\AppData\Local\6f22a\FileHistory.exe | Code function: 18_2_00007FF8CA9AF1F0
                      Source: C:\Users\user\AppData\Local\6f22a\FileHistory.exe | Code function: 18_2_00007FF8CA9B91F0
                      Source: C:\Users\user\AppData\Local\6f22a\FileHistory.exe | Code function: 18_2_00007FF8CA9B89F0
                      Source: C:\Users\user\AppData\Local\6f22a\FileHistory.exe | Code function: 18_2_00007FF8CA9A69C0
                      Source: C:\Users\user\AppData\Local\6f22a\FileHistory.exe | Code function: 18_2_00007FF8CA9B21D0
                      Source: C:\Users\user\AppData\Local\6f22a\FileHistory.exe | Code function: 18_2_00007FF8CA9B6130
                      Source: C:\Users\user\AppData\Local\6f22a\FileHistory.exe | Code function: 18_2_00007FF8CA98B100
                      Source: C:\Users\user\AppData\Local\6f22a\FileHistory.exe | Code function: 18_2_00007FF8CA99E110
                      Source: C:\Users\user\AppData\Local\6f22a\FileHistory.exe | Code function: 18_2_00007FF8CA9A3910
                      Source: C:\Users\user\AppData\Local\6f22a\FileHistory.exe | Code function: 18_2_00007FF8CA9EB960
                      Source: C:\Users\user\AppData\Local\6f22a\FileHistory.exe | Code function: 18_2_00007FF8CA9A4140
                      Source: C:\Users\user\AppData\Local\6f22a\FileHistory.exe | Code function: 18_2_00007FF8CA9D3150
                      Source: C:\Users\user\AppData\Local\6f22a\FileHistory.exe | Code function: 18_2_00007FF8CA9E6950
                      Source: C:\Users\user\AppData\Local\6f22a\FileHistory.exe | Code function: 18_2_00007FF8CA9ADAA0
                      Source: C:\Users\user\AppData\Local\6f22a\FileHistory.exe | Code function: 18_2_00007FF8CA9E82A0
                      Source: C:\Users\user\AppData\Local\6f22a\FileHistory.exe | Code function: 18_2_00007FF8CA9EAAA0
                      Source: C:\Users\user\AppData\Local\6f22a\FileHistory.exe | Code function: 18_2_00007FF8CA9A82E0
                      Source: C:\Users\user\AppData\Local\6f22a\FileHistory.exe | Code function: 18_2_00007FF8CA9BBAE0
                      Source: C:\Users\user\AppData\Local\6f22a\FileHistory.exe | Code function: 18_2_00007FF8CA9E2AE0
                      Source: C:\Users\user\AppData\Local\6f22a\FileHistory.exe | Code function: 18_2_00007FF8CA9A92C0
                      Source: C:\Users\user\AppData\Local\6f22a\FileHistory.exe | Code function: 18_2_00007FF8CA9DF2C0
                      Source: C:\Users\user\AppData\Local\6f22a\FileHistory.exe | Code function: 18_2_00007FF8CA9EB260
                      Source: C:\Users\user\AppData\Local\6f22a\FileHistory.exe | Code function: 18_2_00007FF8CA987A40
                      Source: C:\Users\user\AppData\Local\6f22a\FileHistory.exe | Code function: 18_2_00007FF8CA9BB250
                      Source: C:\Users\user\AppData\Local\6f22a\FileHistory.exe | Code function: 18_2_00007FF8CA9FB7A0
                      Source: C:\Users\user\AppData\Local\6f22a\FileHistory.exe | Code function: 18_2_00007FF8CA9AE7B0
                      Source: C:\Users\user\AppData\Local\6f22a\FileHistory.exe | Code function: 18_2_00007FF8CA9FEF80
                      Source: C:\Users\user\AppData\Local\6f22a\FileHistory.exe | Code function: 18_2_00007FF8CA986790
                      Source: C:\Users\user\AppData\Local\6f22a\FileHistory.exe | Code function: 18_2_00007FF8CA9A6FE0
                      Source: C:\Users\user\AppData\Local\6f22a\FileHistory.exe | Code function: 18_2_00007FF8CA9F4FF0
                      Source: C:\Users\user\AppData\Local\6f22a\FileHistory.exe | Code function: 18_2_00007FF8CA998FC0
                      Source: C:\Users\user\AppData\Local\6f22a\FileHistory.exe | Code function: 18_2_00007FF8CA99A7D0
                      Source: C:\Users\user\AppData\Local\6f22a\FileHistory.exe | Code function: 18_2_00007FF8CA9C97D0
                      Source: C:\Users\user\AppData\Local\6f22a\FileHistory.exe | Code function: 18_2_00007FF8CA9E0F30
                      Source: C:\Users\user\AppData\Local\6f22a\FileHistory.exe | Code function: 18_2_00007FF8CA9A872B
                      Source: C:\Users\user\AppData\Local\6f22a\FileHistory.exe | Code function: 18_2_00007FF8CA9E5760
                      Source: C:\Users\user\AppData\Local\6f22a\FileHistory.exe | Code function: 18_2_00007FF8CA99E770
                      Source: C:\Users\user\AppData\Local\6f22a\FileHistory.exe | Code function: 18_2_00007FF8CA9E0770
                      Source: C:\Users\user\AppData\Local\6f22a\FileHistory.exe | Code function: 18_2_00007FF8CA9A2F50
                      Source: C:\Users\user\AppData\Local\6f22a\FileHistory.exe | Code function: 18_2_00007FF8CA9908B0
                      Source: C:\Users\user\AppData\Local\6f22a\FileHistory.exe | Code function: 18_2_00007FF8CA9A7880
                      Source: C:\Users\user\AppData\Local\6f22a\FileHistory.exe | Code function: 18_2_00007FF8CA99D890
                      Source: C:\Users\user\AppData\Local\6f22a\FileHistory.exe | Code function: 18_2_00007FF8CA9818D0
                      Source: C:\Users\user\AppData\Local\6f22a\FileHistory.exe | Code function: 18_2_00007FF8CA9B0020
                      Source: C:\Users\user\AppData\Local\6f22a\FileHistory.exe | Code function: 18_2_00007FF8CA9AC030
                      Source: C:\Users\user\AppData\Local\6f22a\FileHistory.exe | Code function: 18_2_00007FF8CA9A4800
                      Source: C:\Users\user\AppData\Local\6f22a\FileHistory.exe | Code function: 18_2_00007FF8CA981010
                      Source: C:\Users\user\AppData\Local\6f22a\FileHistory.exe | Code function: 18_2_00007FF8CA9BF870
                      Source: C:\Users\user\AppData\Local\6f22a\FileHistory.exe | Code function: 18_2_00007FF8CA9D5840
                      Source: C:\Users\user\AppData\Local\6f22a\FileHistory.exe | Code function: 18_2_00007FF8CA9A5050
                      Source: C:\Users\user\AppData\Local\6f22a\FileHistory.exe | Code function: 18_2_00007FF8CA98C5A0
                      Source: C:\Users\user\AppData\Local\6f22a\FileHistory.exe | Code function: 18_2_00007FF8CA9965E0
                      Source: C:\Users\user\AppData\Local\6f22a\FileHistory.exe | Code function: 18_2_00007FF8CA9995C0
                      Source: C:\Users\user\AppData\Local\6f22a\FileHistory.exe | Code function: 18_2_00007FF8CA9B25C0
                      Source: C:\Users\user\AppData\Local\6f22a\FileHistory.exe | Code function: 18_2_00007FF8CA9ED520
                      Source: C:\Users\user\AppData\Local\6f22a\FileHistory.exe | Code function: 18_2_00007FF8CA9B1D30
                      Source: C:\Users\user\AppData\Local\6f22a\FileHistory.exe | Code function: 18_2_00007FF8CA9B0D10
                      Source: C:\Users\user\AppData\Local\6f22a\FileHistory.exe | Code function: 18_2_00007FF8CA999D70
                      Source: C:\Users\user\AppData\Local\6f22a\FileHistory.exe | Code function: 18_2_00007FF8CA9A3D50
                      Source: C:\Users\user\AppData\Local\6f22a\FileHistory.exe | Code function: 18_2_00007FF8CA9AD550
                      Source: C:\Users\user\AppData\Local\6f22a\FileHistory.exe | Code function: 18_2_00007FF8CA9B06A0
                      Source: C:\Users\user\AppData\Local\6f22a\FileHistory.exe | Code function: 18_2_00007FF8CA9AF6B0
                      Source: C:\Users\user\AppData\Local\6f22a\FileHistory.exe | Code function: 18_2_00007FF8CA987E80
                      Source: C:\Users\user\AppData\Local\6f22a\FileHistory.exe | Code function: 18_2_00007FF8CA986E90
                      Source: C:\Users\user\AppData\Local\6f22a\FileHistory.exe | Code function: 18_2_00007FF8CA9E7EC0
                      Source: C:\Users\user\AppData\Local\6f22a\FileHistory.exe | Code function: 18_2_00007FF8CA98DE20
                      Source: C:\Users\user\AppData\Local\6f22a\FileHistory.exe | Code function: 18_2_00007FF8CA981620
                      Source: C:\Users\user\AppData\Local\6f22a\FileHistory.exe | Code function: 18_2_00007FF8CA9A3610
                      Source: C:\Users\user\AppData\Local\6f22a\FileHistory.exe | Code function: 18_2_00007FF8CA9B2E10
                      Source: C:\Users\user\AppData\Local\6f22a\FileHistory.exe | Code function: 18_2_00007FF8CA998670
                      Source: C:\Users\user\AppData\Local\6f22a\FileHistory.exe | Code function: 18_2_00007FF8CA9D0650
                      Source: C:\Users\user\AppData\Local\6f22a\FileHistory.exe | Code function: 18_2_00007FF8CA9E7650
                      Source: C:\Users\user\AppData\Local\Kyz7D\rdpinput.exe | Code function: 20_2_00007FF7BADA3BE0
                      Source: C:\Users\user\AppData\Local\Kyz7D\rdpinput.exe | Code function: 20_2_00007FF7BADA2578
                      Source: C:\Users\user\AppData\Local\Kyz7D\rdpinput.exe | Code function: 20_2_00007FF7BADAFD48
                      Source: C:\Users\user\AppData\Local\bTcR2e\SndVol.exe | Code function: 22_2_00007FF6C1BB8310
                      Source: C:\Users\user\AppData\Local\bTcR2e\SndVol.exe | Code function: 22_2_00007FF6C1BC4F10
                      Source: C:\Users\user\AppData\Local\bTcR2e\SndVol.exe | Code function: 22_2_00007FF6C1BC3718
                      Source: C:\Users\user\AppData\Local\bTcR2e\SndVol.exe | Code function: 22_2_00007FF6C1BB6218
                      Source: C:\Users\user\AppData\Local\bTcR2e\SndVol.exe | Code function: 22_2_00007FF6C1BBA5C8
                      Source: C:\Users\user\AppData\Local\bTcR2e\SndVol.exe | Code function: 22_2_00007FF6C1BBA1A0
                      Source: C:\Users\user\AppData\Local\bTcR2e\SndVol.exe | Code function: 22_2_00007FF6C1BB3514
                      Source: C:\Users\user\AppData\Local\bTcR2e\SndVol.exe | Code function: 22_2_00007FF6C1BCC4D0
                      Source: C:\Users\user\AppData\Local\bTcR2e\SndVol.exe | Code function: 22_2_00007FF6C1BB44E8
                      Source: C:\Users\user\AppData\Local\bTcR2e\SndVol.exe | Code function: 22_2_00007FF6C1BB3080
                      Source: C:\Users\user\AppData\Local\bTcR2e\SndVol.exe | Code function: 22_2_00007FF6C1BCB088
                      Source: C:\Users\user\AppData\Local\bTcR2e\SndVol.exe | Code function: 22_2_00007FF6C1BC0CA8
                      Source: C:\Users\user\AppData\Local\bTcR2e\SndVol.exe | Code function: 22_2_00007FF6C1BC2BD8
                      Source: C:\Users\user\AppData\Local\bTcR2e\SndVol.exe | Code function: 22_2_00007FF6C1BC03A0
                      Source: C:\Users\user\AppData\Local\LoReH\SnippingTool.exe | Code function: 25_2_00007FF70C3F9978
                      Source: C:\Users\user\AppData\Local\LoReH\SnippingTool.exe | Code function: 25_2_00007FF70C3F8D50
                      Source: C:\Users\user\AppData\Local\LoReH\SnippingTool.exe | Code function: 25_2_00007FF70C3F29F4
                      Source: C:\Users\user\AppData\Local\LoReH\SnippingTool.exe | Code function: 25_2_00007FF70C3F1600
                      Source: C:\Users\user\AppData\Local\LoReH\SnippingTool.exe | Code function: 25_2_00007FF70C404598
                      Source: C:\Users\user\AppData\Local\LoReH\SnippingTool.exe | Code function: 25_2_00007FF70C4039A8
                      Source: C:\Users\user\AppData\Local\LoReH\SnippingTool.exe | Code function: 25_2_00007FF70C408A64
                      Source: C:\Users\user\AppData\Local\LoReH\SnippingTool.exe | Code function: 25_2_00007FF70C3FAE80
                      Source: C:\Users\user\AppData\Local\LoReH\SnippingTool.exe | Code function: 25_2_00007FF70C3F5EBC
                      Source: C:\Users\user\AppData\Local\LoReH\SnippingTool.exe | Code function: 25_2_00007FF70C3F1F60
                      Source: C:\Users\user\AppData\Local\LoReH\SnippingTool.exe | Code function: 25_2_00007FF70C3F9338
                      Source: C:\Users\user\AppData\Local\LoReH\SnippingTool.exe | Code function: 25_2_00007FF70C40EF38
                      Source: C:\Users\user\AppData\Local\LoReH\SnippingTool.exe | Code function: 25_2_00007FF70C409008
                      Source: C:\Users\user\AppData\Local\LoReH\SnippingTool.exe | Code function: 25_2_00007FF70C405FF8
                      Source: C:\Users\user\AppData\Local\LoReH\SnippingTool.exe | Code function: 25_2_00007FF70C3FEB98
                      Source: C:\Users\user\AppData\Local\LoReH\SnippingTool.exe | Code function: 25_2_00007FF70C40F3CC
                      Source: C:\Users\user\AppData\Local\LoReH\SnippingTool.exe | Code function: 25_2_00007FF70C40C470
                      Source: C:\Users\user\AppData\Local\LoReH\SnippingTool.exe | Code function: 25_2_00007FF70C41EC80
                      Source: C:\Users\user\AppData\Local\LoReH\SnippingTool.exe | Code function: 25_2_00007FF70C3F250C
                      Source: C:\Users\user\AppData\Local\LoReH\SnippingTool.exe | Code function: 25_2_00007FF70C3F58C0
                      Source: C:\Users\user\AppData\Local\2Yf2pw501\slui.exe | Code function: 28_2_00007FF6A3F231D0
                      Source: C:\Users\user\AppData\Local\2Yf2pw501\slui.exe | Code function: 28_2_00007FF6A3F21A80
                      Source: C:\Users\user\AppData\Local\2Yf2pw501\slui.exe | Code function: 28_2_00007FF6A3F242A0
                      Source: C:\Users\user\AppData\Local\2Yf2pw501\slui.exe | Code function: 28_2_00007FF6A3F246C0
                      Source: C:\Users\user\AppData\Local\2Yf2pw501\slui.exe | Code function: 28_2_00007FF6A3F256F4
                      Source: C:\Users\user\AppData\Local\2Yf2pw501\slui.exe | Code function: 28_2_00007FF6A3F262F4
                      Source: C:\Users\user\AppData\Local\2Yf2pw501\slui.exe | Code function: 28_2_00007FF6A3F42128
                      Source: C:\Users\user\AppData\Local\LoReH\SnippingTool.exe | Code function: String function: 00007FF70C411454 appears 227 times
                      Source: C:\Windows\System32\loaddll64.exe | Code function: 0_2_00007FF8BA617770 NtClose,
                      Source: C:\Windows\System32\loaddll64.exe | Code function: 0_2_00007FF8BA63D520 NtQuerySystemInformation,RtlAllocateHeap,
                      Source: C:\Users\user\AppData\Local\6f22a\FileHistory.exe | Code function: 18_2_00007FF8CA9B5CD0 RtlAddVectoredContinueHandler,VirtualProtect,VirtualProtect,RtlCreateUserThread,NtClose,
                      Source: C:\Users\user\AppData\Local\6f22a\FileHistory.exe | Code function: 18_2_00007FF8CA9C7770 NtClose,
                      Source: DmNotificationBroker.exe.4.dr | Static PE information: Resource name: RT_VERSION type: COM executable for DOS
                      Source: FileHistory.exe.4.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                      Source: FileHistory.exe.4.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                      Source: FileHistory.exe.4.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                      Source: FileHistory.exe.4.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                      Source: FileHistory.exe.4.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                      Source: FileHistory.exe.4.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                      Source: consent.exe.4.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                      Source: consent.exe.4.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                      Source: consent.exe.4.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                      Source: consent.exe.4.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                      Source: consent.exe.4.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                      Source: consent.exe.4.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                      Source: SndVol.exe.4.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                      Source: SndVol.exe.4.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                      Source: SndVol.exe.4.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                      Source: SndVol.exe.4.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                      Source: SndVol.exe.4.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                      Source: SndVol.exe.4.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                      Source: SndVol.exe.4.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                      Source: SndVol.exe.4.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                      Source: SndVol.exe.4.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                      Source: SnippingTool.exe.4.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                      Source: SnippingTool.exe.4.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                      Source: SnippingTool.exe.4.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                      Source: SnippingTool.exe.4.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                      Source: slui.exe.4.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                      Source: slui.exe.4.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                      Source: slui.exe.4.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                      Source: slui.exe.4.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                      Source: slui.exe.4.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                      Source: slui.exe.4.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                      Source: slui.exe.4.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                      Source: slui.exe.4.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                      Source: slui.exe.4.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                      Source: C:\Windows\System32\loaddll64.exe | Section loaded: kernel34.dll
                      Source: C:\Windows\explorer.exe | Section loaded: kernel34.dll
                      Source: C:\Windows\explorer.exe | Section loaded: windows.globalization.dll
                      Source: C:\Windows\explorer.exe | Section loaded: kernel34.dll
                      Source: C:\Windows\explorer.exe | Section loaded: kernel34.dll
                      Source: C:\Users\user\AppData\Local\6f22a\FileHistory.exe | Section loaded: kernel34.dll
                      Source: C:\Users\user\AppData\Local\Kyz7D\rdpinput.exe | Section loaded: kernel34.dll
                      Source: C:\Users\user\AppData\Local\bTcR2e\SndVol.exe | Section loaded: kernel34.dll
                      Source: C:\Users\user\AppData\Local\LoReH\SnippingTool.exe | Section loaded: kernel34.dll
                      Source: C:\Users\user\AppData\Local\2Yf2pw501\slui.exe | Section loaded: kernel34.dll
                      Source: C:\Users\user\AppData\Local\Fjrn\rdpinput.exe | Section loaded: kernel34.dll
                      Source: C:\Users\user\AppData\Local\2HophZ6P\printfilterpipelinesvc.exe | Section loaded: kernel34.dll
                      Source: C:\Users\user\AppData\Local\D6R1uM\Utilman.exe | Section loaded: kernel34.dll
                      Source: C:\Users\user\AppData\Local\op5PCy\phoneactivate.exe | Section loaded: kernel34.dll
                      Source: C:\Users\user\AppData\Local\CSYG\DmNotificationBroker.exe | Section loaded: kernel34.dll
                      Source: C:\Users\user\AppData\Local\oOQGGow\ProximityUxHost.exe | Section loaded: kernel34.dll
                      Source: dwmapi.dll.4.dr | Static PE information: Number of sections : 61 > 10
                      Source: DUser.dll.4.dr | Static PE information: Number of sections : 61 > 10
                      Source: WTSAPI32.dll.4.dr | Static PE information: Number of sections : 61 > 10
                      Source: DUI70.dll0.4.dr | Static PE information: Number of sections : 61 > 10
                      Source: UxTheme.dll0.4.dr | Static PE information: Number of sections : 61 > 10
                      Source: WMsgAPI.dll.4.dr | Static PE information: Number of sections : 61 > 10
                      Source: XmlLite.dll.4.dr | Static PE information: Number of sections : 61 > 10
                      Source: OLEACC.dll.4.dr | Static PE information: Number of sections : 61 > 10
                      Source: WTSAPI32.dll0.4.dr | Static PE information: Number of sections : 61 > 10
                      Source: DUI70.dll.4.dr | Static PE information: Number of sections : 61 > 10
                      Source: DUI70.dll1.4.dr | Static PE information: Number of sections : 61 > 10
                      Source: GpUSRuIBHx.dll | Static PE information: Number of sections : 60 > 10
                      Source: WINSTA.dll.4.dr | Static PE information: Number of sections : 61 > 10
                      Source: OLEACC.dll0.4.dr | Static PE information: Number of sections : 61 > 10
                      Source: XmlLite.dll0.4.dr | Static PE information: Number of sections : 61 > 10
                      Source: UxTheme.dll.4.dr | Static PE information: Number of sections : 61 > 10
                      Source: GpUSRuIBHx.dll | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                      Source: XmlLite.dll.4.dr | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                      Source: UxTheme.dll.4.dr | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                      Source: WMsgAPI.dll.4.dr | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                      Source: WTSAPI32.dll.4.dr | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                      Source: OLEACC.dll.4.dr | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                      Source: dwmapi.dll.4.dr | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                      Source: OLEACC.dll0.4.dr | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                      Source: WTSAPI32.dll0.4.dr | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                      Source: WINSTA.dll.4.dr | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                      Source: XmlLite.dll0.4.dr | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                      Source: DUser.dll.4.dr | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                      Source: DUI70.dll.4.dr | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                      Source: DUI70.dll0.4.dr | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                      Source: DUI70.dll1.4.dr | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                      Source: UxTheme.dll0.4.dr | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                      Source: GpUSRuIBHx.dll | Virustotal: Detection: 70%
                      Source: GpUSRuIBHx.dll | Metadefender: Detection: 62%
                      Source: GpUSRuIBHx.dll | ReversingLabs: Detection: 88%
                      Source: GpUSRuIBHx.dll | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                      Source: C:\Windows\System32\loaddll64.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                      Source: unknown | Process created: C:\Windows\System32\loaddll64.exe loaddll64.exe "C:\Users\user\Desktop\GpUSRuIBHx.dll"
                      Source: C:\Windows\System32\loaddll64.exe | Process created: C:\Windows\System32\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\GpUSRuIBHx.dll",#1
                      Source: C:\Windows\System32\loaddll64.exe | Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\GpUSRuIBHx.dll,??0VolumeFveStatus@@IEAA@XZ
                      Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\GpUSRuIBHx.dll",#1
                      Source: C:\Windows\System32\loaddll64.exe | Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\GpUSRuIBHx.dll,??0VolumeFveStatus@@QEAA@K_KJW4_FVE_WIPING_STATE@@@Z
                      Source: C:\Windows\System32\loaddll64.exe | Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\GpUSRuIBHx.dll,??4BuiVolume@@QEAAAEAV0@AEBV0@@Z
                      Source: C:\Windows\explorer.exe | Process created: C:\Windows\System32\BackgroundTransferHost.exe "BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.1
                      Source: C:\Windows\explorer.exe | Process created: C:\Windows\System32\FileHistory.exe C:\Windows\system32\FileHistory.exe
                      Source: C:\Windows\explorer.exe | Process created: C:\Users\user\AppData\Local\6f22a\FileHistory.exe C:\Users\user\AppData\Local\6f22a\FileHistory.exe
                      Source: C:\Windows\explorer.exe | Process created: C:\Windows\System32\rdpinput.exe C:\Windows\system32\rdpinput.exe
                      Source: C:\Windows\explorer.exe | Process created: C:\Users\user\AppData\Local\Kyz7D\rdpinput.exe C:\Users\user\AppData\Local\Kyz7D\rdpinput.exe
                      Source: C:\Windows\explorer.exe | Process created: C:\Windows\System32\SndVol.exe C:\Windows\system32\SndVol.exe
                      Source: C:\Windows\explorer.exe | Process created: C:\Users\user\AppData\Local\bTcR2e\SndVol.exe C:\Users\user\AppData\Local\bTcR2e\SndVol.exe
                      Source: C:\Windows\explorer.exe | Process created: C:\Windows\System32\SnippingTool.exe C:\Windows\system32\SnippingTool.exe
                      Source: C:\Windows\explorer.exe | Process created: C:\Users\user\AppData\Local\LoReH\SnippingTool.exe C:\Users\user\AppData\Local\LoReH\SnippingTool.exe
                      Source: C:\Windows\explorer.exe | Process created: C:\Windows\System32\slui.exe C:\Windows\system32\slui.exe
                      Source: C:\Windows\explorer.exe | Process created: C:\Users\user\AppData\Local\2Yf2pw501\slui.exe C:\Users\user\AppData\Local\2Yf2pw501\slui.exe
                      Source: C:\Windows\explorer.exe | Process created: C:\Windows\System32\rdpinput.exe C:\Windows\system32\rdpinput.exe
                      Source: C:\Windows\explorer.exe | Process created: C:\Users\user\AppData\Local\Fjrn\rdpinput.exe C:\Users\user\AppData\Local\Fjrn\rdpinput.exe
                      Source: C:\Windows\explorer.exe | Process created: C:\Windows\System32\printfilterpipelinesvc.exe C:\Windows\system32\printfilterpipelinesvc.exe
                      Source: C:\Windows\explorer.exe | Process created: C:\Users\user\AppData\Local\2HophZ6P\printfilterpipelinesvc.exe C:\Users\user\AppData\Local\2HophZ6P\printfilterpipelinesvc.exe
                      Source: C:\Windows\explorer.exe | Process created: C:\Windows\System32\Utilman.exe C:\Windows\system32\Utilman.exe
                      Source: C:\Windows\explorer.exe | Process created: C:\Users\user\AppData\Local\D6R1uM\Utilman.exe C:\Users\user\AppData\Local\D6R1uM\Utilman.exe
                      Source: C:\Windows\explorer.exe | Process created: C:\Windows\System32\phoneactivate.exe C:\Windows\system32\phoneactivate.exe
                      Source: C:\Windows\explorer.exeProcess created: C:\Users\user\AppData\Local\op5PCy\phoneactivate.exe C:\Users\user\AppData\Local\op5PCy\phoneactivate.exe
                      Source: C:\Windows\explorer.exeProcess created: C:\Windows\System32\DmNotificationBroker.exe C:\Windows\system32\DmNotificationBroker.exe
                      Source: C:\Windows\explorer.exeProcess created: C:\Users\user\AppData\Local\CSYG\DmNotificationBroker.exe C:\Users\user\AppData\Local\CSYG\DmNotificationBroker.exe
                      Source: C:\Windows\explorer.exeProcess created: C:\Windows\System32\ProximityUxHost.exe C:\Windows\system32\ProximityUxHost.exe
                      Source: C:\Windows\explorer.exeProcess created: C:\Users\user\AppData\Local\oOQGGow\ProximityUxHost.exe C:\Users\user\AppData\Local\oOQGGow\ProximityUxHost.exe
                      Source: C:\Windows\explorer.exeProcess created: C:\Windows\System32\omadmclient.exe C:\Windows\system32\omadmclient.exe
Source: C:\Windows\explorer.exe | Process created: unknown unknown
Source: C:\Windows\explorer.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32
Source: C:\Windows\explorer.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-3853321935-2125563209-4053062332-1002\eb42b1a5c308fc11edf1ddbdd25c8486_d06ed635-68f6-4e9a-955c-4899f5f57b9a
Source: classification engine | Classification label: mal100.troj.evad.winDLL@64/31@1/0
Source: C:\Users\user\AppData\Local\bTcR2e\SndVol.exe | Code function: 22_2_00007FF6C1BB9E34 CoCreateInstance,CoAllowSetForegroundWindow,
Source: C:\Users\user\AppData\Local\6f22a\FileHistory.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dll
Source: C:\Users\user\AppData\Local\Kyz7D\rdpinput.exe | Code function: 20_2_00007FF7BADA4B74 OpenSCManagerW,OpenServiceW,StartServiceW,GetLastError,CloseServiceHandle,CloseServiceHandle,Sleep,
Source: C:\Users\user\AppData\Local\oOQGGow\ProximityUxHost.exe | Mutant created: \Sessions\1\BaseNamedObjects\{b9037130-7713-b8d0-facf-7e79439c554a}
Source: C:\Users\user\AppData\Local\oOQGGow\ProximityUxHost.exe | Mutant created: \Sessions\1\BaseNamedObjects\{3981d798-39a4-108d-0c6e-24ba6fae0222}
Source: C:\Users\user\AppData\Local\bTcR2e\SndVol.exe | Code function: 22_2_00007FF6C1BB8E7C LoadResource,LockResource,SizeofResource,
Source: GpUSRuIBHx.dll | Static PE information: Image base 0x140000000 > 0x60000000
Source: GpUSRuIBHx.dll | Static file information: File size 1368064 > 1048576
Source: GpUSRuIBHx.dll | Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA
                      Source: Binary string: slui.pdb source: slui.exe, 0000001C.00000000.587339760.00007FF6A3F4C000.00000002.00000001.01000000.00000012.sdmp, slui.exe, 0000001C.00000002.616193744.00007FF6A3F4C000.00000002.00000001.01000000.00000012.sdmp
                      Source: Binary string: DmNotificationBroker.pdb source: DmNotificationBroker.exe, 00000026.00000000.760434884.00007FF7BFEF5000.00000002.00000001.01000000.0000001D.sdmp, DmNotificationBroker.exe, 00000026.00000002.790979828.00007FF7BFEF5000.00000002.00000001.01000000.0000001D.sdmp
                      Source: Binary string: rdpinput.pdbGCTL source: rdpinput.exe, 00000014.00000000.489595034.00007FF7BADC3000.00000002.00000001.01000000.0000000B.sdmp, rdpinput.exe, 00000014.00000002.512462840.00007FF7BADC3000.00000002.00000001.01000000.0000000B.sdmp, rdpinput.exe, 0000001E.00000000.622861932.00007FF64DBA3000.00000002.00000001.01000000.00000014.sdmp, rdpinput.exe, 0000001E.00000002.646379506.00007FF64DBA3000.00000002.00000001.01000000.00000014.sdmp
                      Source: Binary string: SndVol.pdbGCTL source: SndVol.exe, 00000016.00000000.518686092.00007FF6C1BD2000.00000002.00000001.01000000.0000000D.sdmp, SndVol.exe, 00000016.00000002.541746435.00007FF6C1BD2000.00000002.00000001.01000000.0000000D.sdmp
                      Source: Binary string: Utilman.pdb source: Utilman.exe, 00000022.00000000.683097194.00007FF7C58C0000.00000002.00000001.01000000.00000018.sdmp, Utilman.exe, 00000022.00000002.705894496.00007FF7C58C0000.00000002.00000001.01000000.00000018.sdmp
                      Source: Binary string: ProximityUxHost.pdbGCTL source: ProximityUxHost.exe, 00000028.00000002.836601819.00007FF777332000.00000002.00000001.01000000.0000001F.sdmp, ProximityUxHost.exe, 00000028.00000000.805041652.00007FF777332000.00000002.00000001.01000000.0000001F.sdmp
                      Source: Binary string: PrintFilterPipelineSvc.pdbGCTL source: printfilterpipelinesvc.exe, 00000020.00000000.654903742.00007FF6B41A7000.00000002.00000001.01000000.00000016.sdmp, printfilterpipelinesvc.exe, 00000020.00000002.677939240.00007FF6B41A7000.00000002.00000001.01000000.00000016.sdmp
                      Source: Binary string: DmNotificationBroker.pdbGCTL source: DmNotificationBroker.exe, 00000026.00000000.760434884.00007FF7BFEF5000.00000002.00000001.01000000.0000001D.sdmp, DmNotificationBroker.exe, 00000026.00000002.790979828.00007FF7BFEF5000.00000002.00000001.01000000.0000001D.sdmp
                      Source: Binary string: phoneactivate.pdb source: phoneactivate.exe, 00000024.00000000.718318485.00007FF7F2EC0000.00000002.00000001.01000000.0000001A.sdmp, phoneactivate.exe, 00000024.00000002.746413133.00007FF7F2EC0000.00000002.00000001.01000000.0000001A.sdmp
                      Source: Binary string: SnippingTool.pdb source: SnippingTool.exe, 00000019.00000002.579595026.00007FF70C420000.00000002.00000001.01000000.0000000F.sdmp, SnippingTool.exe, 00000019.00000000.550318199.00007FF70C420000.00000002.00000001.01000000.0000000F.sdmp
                      Source: Binary string: SnippingTool.pdbGCTL source: SnippingTool.exe, 00000019.00000002.579595026.00007FF70C420000.00000002.00000001.01000000.0000000F.sdmp, SnippingTool.exe, 00000019.00000000.550318199.00007FF70C420000.00000002.00000001.01000000.0000000F.sdmp
                      Source: Binary string: PrintFilterPipelineSvc.pdb source: printfilterpipelinesvc.exe, 00000020.00000000.654903742.00007FF6B41A7000.00000002.00000001.01000000.00000016.sdmp, printfilterpipelinesvc.exe, 00000020.00000002.677939240.00007FF6B41A7000.00000002.00000001.01000000.00000016.sdmp
                      Source: Binary string: FileHistory.pdbGCTL source: FileHistory.exe, 00000012.00000000.478980793.00007FF6D0A39000.00000002.00000001.01000000.00000007.sdmp, FileHistory.exe, 00000012.00000002.484212875.00007FF6D0A39000.00000002.00000001.01000000.00000007.sdmp
                      Source: Binary string: rdpinput.pdb source: rdpinput.exe, 00000014.00000000.489595034.00007FF7BADC3000.00000002.00000001.01000000.0000000B.sdmp, rdpinput.exe, 00000014.00000002.512462840.00007FF7BADC3000.00000002.00000001.01000000.0000000B.sdmp, rdpinput.exe, 0000001E.00000000.622861932.00007FF64DBA3000.00000002.00000001.01000000.00000014.sdmp, rdpinput.exe, 0000001E.00000002.646379506.00007FF64DBA3000.00000002.00000001.01000000.00000014.sdmp
                      Source: Binary string: Utilman.pdbGCTL source: Utilman.exe, 00000022.00000000.683097194.00007FF7C58C0000.00000002.00000001.01000000.00000018.sdmp, Utilman.exe, 00000022.00000002.705894496.00007FF7C58C0000.00000002.00000001.01000000.00000018.sdmp
                      Source: Binary string: phoneactivate.pdbGCTL source: phoneactivate.exe, 00000024.00000000.718318485.00007FF7F2EC0000.00000002.00000001.01000000.0000001A.sdmp, phoneactivate.exe, 00000024.00000002.746413133.00007FF7F2EC0000.00000002.00000001.01000000.0000001A.sdmp
                      Source: Binary string: slui.pdbUGP source: slui.exe, 0000001C.00000000.587339760.00007FF6A3F4C000.00000002.00000001.01000000.00000012.sdmp, slui.exe, 0000001C.00000002.616193744.00007FF6A3F4C000.00000002.00000001.01000000.00000012.sdmp
                      Source: Binary string: SndVol.pdb source: SndVol.exe, 00000016.00000000.518686092.00007FF6C1BD2000.00000002.00000001.01000000.0000000D.sdmp, SndVol.exe, 00000016.00000002.541746435.00007FF6C1BD2000.00000002.00000001.01000000.0000000D.sdmp
                      Source: Binary string: ProximityUxHost.pdb source: ProximityUxHost.exe, 00000028.00000002.836601819.00007FF777332000.00000002.00000001.01000000.0000001F.sdmp, ProximityUxHost.exe, 00000028.00000000.805041652.00007FF777332000.00000002.00000001.01000000.0000001F.sdmp
                      Source: Binary string: FileHistory.pdb source: FileHistory.exe, 00000012.00000000.478980793.00007FF6D0A39000.00000002.00000001.01000000.00000007.sdmp, FileHistory.exe, 00000012.00000002.484212875.00007FF6D0A39000.00000002.00000001.01000000.00000007.sdmp
Source: C:\Users\user\AppData\Local\Kyz7D\rdpinput.exe | Code function: 20_2_00007FF7BADA5E92 push rcx; ret
Source: GpUSRuIBHx.dll | Static PE information: section name: .vxl
Source: GpUSRuIBHx.dll | Static PE information: section name: .qwubgr
Source: GpUSRuIBHx.dll | Static PE information: section name: .eer
Source: GpUSRuIBHx.dll | Static PE information: section name: .xwwauf
Source: GpUSRuIBHx.dll | Static PE information: section name: .pkc
Source: GpUSRuIBHx.dll | Static PE information: section name: .npkda
Source: GpUSRuIBHx.dll | Static PE information: section name: .vhs
Source: GpUSRuIBHx.dll | Static PE information: section name: .iaywj
Source: GpUSRuIBHx.dll | Static PE information: section name: .nasi
Source: GpUSRuIBHx.dll | Static PE information: section name: .zhvprh
Source: GpUSRuIBHx.dll | Static PE information: section name: .yatdsp
Source: GpUSRuIBHx.dll | Static PE information: section name: .njso
Source: GpUSRuIBHx.dll | Static PE information: section name: .lgliat
Source: GpUSRuIBHx.dll | Static PE information: section name: .ntqjh
Source: GpUSRuIBHx.dll | Static PE information: section name: .sucsek
Source: GpUSRuIBHx.dll | Static PE information: section name: .qsxjui
Source: GpUSRuIBHx.dll | Static PE information: section name: .twctcm
Source: GpUSRuIBHx.dll | Static PE information: section name: .nms
Source: GpUSRuIBHx.dll | Static PE information: section name: .ogj
Source: GpUSRuIBHx.dll | Static PE information: section name: .vrkgb
Source: GpUSRuIBHx.dll | Static PE information: section name: .gikfw
Source: GpUSRuIBHx.dll | Static PE information: section name: .ktl
Source: GpUSRuIBHx.dll | Static PE information: section name: .crcn
Source: GpUSRuIBHx.dll | Static PE information: section name: .wtfr
Source: GpUSRuIBHx.dll | Static PE information: section name: .hep
Source: GpUSRuIBHx.dll | Static PE information: section name: .ywg
Source: GpUSRuIBHx.dll | Static PE information: section name: .sqsp
Source: GpUSRuIBHx.dll | Static PE information: section name: .gzb
Source: GpUSRuIBHx.dll | Static PE information: section name: .fatlss
Source: GpUSRuIBHx.dll | Static PE information: section name: .plqa
Source: GpUSRuIBHx.dll | Static PE information: section name: .vzt
Source: GpUSRuIBHx.dll | Static PE information: section name: .dsbyd
Source: GpUSRuIBHx.dll | Static PE information: section name: .cdelc
Source: GpUSRuIBHx.dll | Static PE information: section name: .qkhkj
Source: GpUSRuIBHx.dll | Static PE information: section name: .mnzegr
Source: GpUSRuIBHx.dll | Static PE information: section name: .krw
Source: GpUSRuIBHx.dll | Static PE information: section name: .jvsmn
Source: GpUSRuIBHx.dll | Static PE information: section name: .bygpq
Source: GpUSRuIBHx.dll | Static PE information: section name: .kzdbu
Source: GpUSRuIBHx.dll | Static PE information: section name: .mwxorn
Source: GpUSRuIBHx.dll | Static PE information: section name: .raf
Source: GpUSRuIBHx.dll | Static PE information: section name: .zcyw
Source: GpUSRuIBHx.dll | Static PE information: section name: .zeczh
Source: GpUSRuIBHx.dll | Static PE information: section name: .pvv
Source: GpUSRuIBHx.dll | Static PE information: section name: .lug
Source: GpUSRuIBHx.dll | Static PE information: section name: .ski
Source: GpUSRuIBHx.dll | Static PE information: section name: .japjd
Source: GpUSRuIBHx.dll | Static PE information: section name: .mwtzml
Source: GpUSRuIBHx.dll | Static PE information: section name: .vgssf
Source: GpUSRuIBHx.dll | Static PE information: section name: .gsroye
Source: GpUSRuIBHx.dll | Static PE information: section name: .vcmr
Source: GpUSRuIBHx.dll | Static PE information: section name: .kvjqnl
Source: GpUSRuIBHx.dll | Static PE information: section name: .ikzlp
Source: GpUSRuIBHx.dll | Static PE information: section name: .adsxi
Source: FileHistory.exe.4.dr | Static PE information: section name: .nep
Source: ProximityUxHost.exe.4.dr | Static PE information: section name: .imrsiv
Source: omadmclient.exe.4.dr | Static PE information: section name: .didat
Source: consent.exe.4.dr | Static PE information: section name: .didat
Source: consent.exe.4.dr | Static PE information: section name: consent
Source: SndVol.exe.4.dr | Static PE information: section name: .imrsiv
Source: SndVol.exe.4.dr | Static PE information: section name: .didat
Source: Utilman.exe.4.dr | Static PE information: section name: .imrsiv
Source: phoneactivate.exe.4.dr | Static PE information: section name: .imrsiv
Source: DmNotificationBroker.exe.4.dr | Static PE information: section name: .imrsiv
Source: XmlLite.dll.4.dr | Static PE information: section name: .vxl
Source: XmlLite.dll.4.dr | Static PE information: section name: .qwubgr
Source: XmlLite.dll.4.dr | Static PE information: section name: .eer
Source: XmlLite.dll.4.dr | Static PE information: section name: .xwwauf
Source: XmlLite.dll.4.dr | Static PE information: section name: .pkc
Source: XmlLite.dll.4.dr | Static PE information: section name: .npkda
Source: XmlLite.dll.4.dr | Static PE information: section name: .vhs
Source: XmlLite.dll.4.dr | Static PE information: section name: .iaywj
Source: XmlLite.dll.4.dr | Static PE information: section name: .nasi
Source: XmlLite.dll.4.dr | Static PE information: section name: .zhvprh
Source: XmlLite.dll.4.dr | Static PE information: section name: .yatdsp
Source: XmlLite.dll.4.dr | Static PE information: section name: .njso
Source: XmlLite.dll.4.dr | Static PE information: section name: .lgliat
Source: XmlLite.dll.4.dr | Static PE information: section name: .ntqjh
Source: XmlLite.dll.4.dr | Static PE information: section name: .sucsek
Source: XmlLite.dll.4.dr | Static PE information: section name: .qsxjui
Source: XmlLite.dll.4.dr | Static PE information: section name: .twctcm
Source: XmlLite.dll.4.dr | Static PE information: section name: .nms
Source: XmlLite.dll.4.dr | Static PE information: section name: .ogj
Source: XmlLite.dll.4.dr | Static PE information: section name: .vrkgb
Source: XmlLite.dll.4.dr | Static PE information: section name: .gikfw
Source: XmlLite.dll.4.dr | Static PE information: section name: .ktl
Source: XmlLite.dll.4.dr | Static PE information: section name: .crcn
Source: XmlLite.dll.4.dr | Static PE information: section name: .wtfr
Source: XmlLite.dll.4.dr | Static PE information: section name: .hep
Source: XmlLite.dll.4.dr | Static PE information: section name: .ywg
Source: XmlLite.dll.4.dr | Static PE information: section name: .sqsp
Source: XmlLite.dll.4.dr | Static PE information: section name: .gzb
Source: XmlLite.dll.4.dr | Static PE information: section name: .fatlss
Source: XmlLite.dll.4.dr | Static PE information: section name: .plqa
Source: XmlLite.dll.4.dr | Static PE information: section name: .vzt
Source: XmlLite.dll.4.dr | Static PE information: section name: .dsbyd
Source: XmlLite.dll.4.dr | Static PE information: section name: .cdelc
Source: XmlLite.dll.4.dr | Static PE information: section name: .qkhkj
Source: XmlLite.dll.4.dr | Static PE information: section name: .mnzegr
Source: XmlLite.dll.4.dr | Static PE information: section name: .krw
Source: XmlLite.dll.4.dr | Static PE information: section name: .jvsmn
Source: XmlLite.dll.4.dr | Static PE information: section name: .bygpq
Source: XmlLite.dll.4.dr | Static PE information: section name: .kzdbu
Source: XmlLite.dll.4.dr | Static PE information: section name: .mwxorn
Source: XmlLite.dll.4.dr | Static PE information: section name: .raf
Source: XmlLite.dll.4.dr | Static PE information: section name: .zcyw
Source: XmlLite.dll.4.dr | Static PE information: section name: .zeczh
Source: XmlLite.dll.4.dr | Static PE information: section name: .pvv
Source: XmlLite.dll.4.dr | Static PE information: section name: .lug
Source: XmlLite.dll.4.dr | Static PE information: section name: .ski
Source: XmlLite.dll.4.dr | Static PE information: section name: .japjd
Source: XmlLite.dll.4.dr | Static PE information: section name: .mwtzml
Source: XmlLite.dll.4.dr | Static PE information: section name: .vgssf
Source: XmlLite.dll.4.dr | Static PE information: section name: .gsroye
Source: XmlLite.dll.4.dr | Static PE information: section name: .vcmr
Source: XmlLite.dll.4.dr | Static PE information: section name: .kvjqnl
Source: XmlLite.dll.4.dr | Static PE information: section name: .ikzlp
Source: XmlLite.dll.4.dr | Static PE information: section name: .adsxi
Source: XmlLite.dll.4.dr | Static PE information: section name: .gzc
Source: UxTheme.dll.4.dr | Static PE information: section name: .vxl
Source: UxTheme.dll.4.dr | Static PE information: section name: .qwubgr
Source: UxTheme.dll.4.dr | Static PE information: section name: .eer
Source: UxTheme.dll.4.dr | Static PE information: section name: .xwwauf
Source: UxTheme.dll.4.dr | Static PE information: section name: .pkc
Source: UxTheme.dll.4.dr | Static PE information: section name: .npkda
Source: UxTheme.dll.4.dr | Static PE information: section name: .vhs
Source: UxTheme.dll.4.dr | Static PE information: section name: .iaywj
Source: UxTheme.dll.4.dr | Static PE information: section name: .nasi
Source: UxTheme.dll.4.dr | Static PE information: section name: .zhvprh
Source: UxTheme.dll.4.dr | Static PE information: section name: .yatdsp
Source: UxTheme.dll.4.dr | Static PE information: section name: .njso
Source: UxTheme.dll.4.dr | Static PE information: section name: .lgliat
Source: UxTheme.dll.4.dr | Static PE information: section name: .ntqjh
Source: UxTheme.dll.4.dr | Static PE information: section name: .sucsek
Source: UxTheme.dll.4.dr | Static PE information: section name: .qsxjui
Source: UxTheme.dll.4.dr | Static PE information: section name: .twctcm
Source: UxTheme.dll.4.dr | Static PE information: section name: .nms
Source: UxTheme.dll.4.dr | Static PE information: section name: .ogj
Source: UxTheme.dll.4.dr | Static PE information: section name: .vrkgb
Source: UxTheme.dll.4.dr | Static PE information: section name: .gikfw
Source: UxTheme.dll.4.dr | Static PE information: section name: .ktl
Source: UxTheme.dll.4.dr | Static PE information: section name: .crcn
Source: UxTheme.dll.4.dr | Static PE information: section name: .wtfr
Source: UxTheme.dll.4.dr | Static PE information: section name: .hep
Source: UxTheme.dll.4.dr | Static PE information: section name: .ywg
Source: UxTheme.dll.4.dr | Static PE information: section name: .sqsp
Source: UxTheme.dll.4.dr | Static PE information: section name: .gzb
Source: UxTheme.dll.4.dr | Static PE information: section name: .fatlss
Source: UxTheme.dll.4.dr | Static PE information: section name: .plqa
Source: UxTheme.dll.4.dr | Static PE information: section name: .vzt
Source: UxTheme.dll.4.dr | Static PE information: section name: .dsbyd
Source: UxTheme.dll.4.dr | Static PE information: section name: .cdelc
Source: UxTheme.dll.4.dr | Static PE information: section name: .qkhkj
Source: UxTheme.dll.4.dr | Static PE information: section name: .mnzegr
Source: UxTheme.dll.4.dr | Static PE information: section name: .krw
Source: UxTheme.dll.4.dr | Static PE information: section name: .jvsmn
Source: UxTheme.dll.4.dr | Static PE information: section name: .bygpq
Source: UxTheme.dll.4.dr | Static PE information: section name: .kzdbu
Source: UxTheme.dll.4.dr | Static PE information: section name: .mwxorn
Source: UxTheme.dll.4.dr | Static PE information: section name: .raf
Source: UxTheme.dll.4.dr | Static PE information: section name: .zcyw
Source: UxTheme.dll.4.dr | Static PE information: section name: .zeczh
Source: UxTheme.dll.4.dr | Static PE information: section name: .pvv
Source: UxTheme.dll.4.dr | Static PE information: section name: .lug
Source: UxTheme.dll.4.dr | Static PE information: section name: .ski
Source: UxTheme.dll.4.dr | Static PE information: section name: .japjd
Source: UxTheme.dll.4.dr | Static PE information: section name: .mwtzml
Source: UxTheme.dll.4.dr | Static PE information: section name: .vgssf
Source: UxTheme.dll.4.dr | Static PE information: section name: .gsroye
Source: UxTheme.dll.4.dr | Static PE information: section name: .vcmr
Source: UxTheme.dll.4.dr | Static PE information: section name: .kvjqnl
Source: UxTheme.dll.4.dr | Static PE information: section name: .ikzlp
Source: UxTheme.dll.4.dr | Static PE information: section name: .adsxi
Source: UxTheme.dll.4.dr | Static PE information: section name: .rem
Source: WMsgAPI.dll.4.dr | Static PE information: section name: .vxl
Source: WMsgAPI.dll.4.dr | Static PE information: section name: .qwubgr
Source: WMsgAPI.dll.4.dr | Static PE information: section name: .eer
Source: WMsgAPI.dll.4.dr | Static PE information: section name: .xwwauf
Source: WMsgAPI.dll.4.dr | Static PE information: section name: .pkc
Source: WMsgAPI.dll.4.dr | Static PE information: section name: .npkda
Source: WMsgAPI.dll.4.dr | Static PE information: section name: .vhs
Source: WMsgAPI.dll.4.dr | Static PE information: section name: .iaywj
Source: WMsgAPI.dll.4.dr | Static PE information: section name: .nasi
Source: WMsgAPI.dll.4.dr | Static PE information: section name: .zhvprh
Source: WMsgAPI.dll.4.dr | Static PE information: section name: .yatdsp
Source: WMsgAPI.dll.4.dr | Static PE information: section name: .njso
Source: WMsgAPI.dll.4.dr | Static PE information: section name: .lgliat
Source: WMsgAPI.dll.4.dr | Static PE information: section name: .ntqjh
Source: WMsgAPI.dll.4.dr | Static PE information: section name: .sucsek
Source: WMsgAPI.dll.4.dr | Static PE information: section name: .qsxjui
Source: WMsgAPI.dll.4.dr | Static PE information: section name: .twctcm
Source: WMsgAPI.dll.4.dr | Static PE information: section name: .nms
Source: WMsgAPI.dll.4.dr | Static PE information: section name: .ogj
Source: WMsgAPI.dll.4.dr | Static PE information: section name: .vrkgb
Source: WMsgAPI.dll.4.dr | Static PE information: section name: .gikfw
Source: WMsgAPI.dll.4.dr | Static PE information: section name: .ktl
Source: WMsgAPI.dll.4.dr | Static PE information: section name: .crcn
Source: WMsgAPI.dll.4.dr | Static PE information: section name: .wtfr
Source: WMsgAPI.dll.4.dr | Static PE information: section name: .hep
                      Source: WMsgAPI.dll.4.drStatic PE information: section name: .ywg
                      Source: WMsgAPI.dll.4.drStatic PE information: section name: .sqsp
                      Source: WMsgAPI.dll.4.drStatic PE information: section name: .gzb
                      Source: WMsgAPI.dll.4.drStatic PE information: section name: .fatlss
                      Source: WMsgAPI.dll.4.drStatic PE information: section name: .plqa
                      Source: WMsgAPI.dll.4.drStatic PE information: section name: .vzt
                      Source: WMsgAPI.dll.4.drStatic PE information: section name: .dsbyd
                      Source: WMsgAPI.dll.4.drStatic PE information: section name: .cdelc
                      Source: WMsgAPI.dll.4.drStatic PE information: section name: .qkhkj
                      Source: WMsgAPI.dll.4.drStatic PE information: section name: .mnzegr
                      Source: WMsgAPI.dll.4.drStatic PE information: section name: .krw
                      Source: WMsgAPI.dll.4.drStatic PE information: section name: .jvsmn
                      Source: WMsgAPI.dll.4.drStatic PE information: section name: .bygpq
                      Source: WMsgAPI.dll.4.drStatic PE information: section name: .kzdbu
                      Source: WMsgAPI.dll.4.drStatic PE information: section name: .mwxorn
                      Source: WMsgAPI.dll.4.drStatic PE information: section name: .raf
                      Source: WMsgAPI.dll.4.drStatic PE information: section name: .zcyw
                      Source: WMsgAPI.dll.4.drStatic PE information: section name: .zeczh
                      Source: WMsgAPI.dll.4.drStatic PE information: section name: .pvv
                      Source: WMsgAPI.dll.4.drStatic PE information: section name: .lug
                      Source: WMsgAPI.dll.4.drStatic PE information: section name: .ski
                      Source: WMsgAPI.dll.4.drStatic PE information: section name: .japjd
                      Source: WMsgAPI.dll.4.drStatic PE information: section name: .mwtzml
                      Source: WMsgAPI.dll.4.drStatic PE information: section name: .vgssf
                      Source: WMsgAPI.dll.4.drStatic PE information: section name: .gsroye
                      Source: WMsgAPI.dll.4.drStatic PE information: section name: .vcmr
                      Source: WMsgAPI.dll.4.drStatic PE information: section name: .kvjqnl
                      Source: WMsgAPI.dll.4.drStatic PE information: section name: .ikzlp
                      Source: WMsgAPI.dll.4.drStatic PE information: section name: .adsxi
                      Source: WMsgAPI.dll.4.drStatic PE information: section name: .fpxo
                      Source: WTSAPI32.dll.4.drStatic PE information: section name: .vxl
                      Source: WTSAPI32.dll.4.drStatic PE information: section name: .qwubgr
                      Source: WTSAPI32.dll.4.drStatic PE information: section name: .eer
                      Source: WTSAPI32.dll.4.drStatic PE information: section name: .xwwauf
                      Source: WTSAPI32.dll.4.drStatic PE information: section name: .pkc
                      Source: WTSAPI32.dll.4.drStatic PE information: section name: .npkda
                      Source: WTSAPI32.dll.4.drStatic PE information: section name: .vhs
                      Source: WTSAPI32.dll.4.drStatic PE information: section name: .iaywj
                      Source: WTSAPI32.dll.4.drStatic PE information: section name: .nasi
                      Source: WTSAPI32.dll.4.drStatic PE information: section name: .zhvprh
                      Source: WTSAPI32.dll.4.drStatic PE information: section name: .yatdsp
                      Source: WTSAPI32.dll.4.drStatic PE information: section name: .njso
                      Source: WTSAPI32.dll.4.drStatic PE information: section name: .lgliat
                      Source: WTSAPI32.dll.4.drStatic PE information: section name: .ntqjh
                      Source: WTSAPI32.dll.4.drStatic PE information: section name: .sucsek
                      Source: WTSAPI32.dll.4.drStatic PE information: section name: .qsxjui
                      Source: WTSAPI32.dll.4.drStatic PE information: section name: .twctcm
                      Source: WTSAPI32.dll.4.drStatic PE information: section name: .nms
                      Source: WTSAPI32.dll.4.drStatic PE information: section name: .ogj
                      Source: WTSAPI32.dll.4.drStatic PE information: section name: .vrkgb
                      Source: WTSAPI32.dll.4.drStatic PE information: section name: .gikfw
                      Source: WTSAPI32.dll.4.drStatic PE information: section name: .ktl
                      Source: WTSAPI32.dll.4.drStatic PE information: section name: .crcn
                      Source: WTSAPI32.dll.4.drStatic PE information: section name: .wtfr
                      Source: WTSAPI32.dll.4.drStatic PE information: section name: .hep
                      Source: WTSAPI32.dll.4.drStatic PE information: section name: .ywg
                      Source: WTSAPI32.dll.4.drStatic PE information: section name: .sqsp
                      Source: WTSAPI32.dll.4.drStatic PE information: section name: .gzb
                      Source: WTSAPI32.dll.4.drStatic PE information: section name: .fatlss
                      Source: WTSAPI32.dll.4.drStatic PE information: section name: .plqa
                      Source: WTSAPI32.dll.4.drStatic PE information: section name: .vzt
                      Source: WTSAPI32.dll.4.drStatic PE information: section name: .dsbyd
                      Source: WTSAPI32.dll.4.drStatic PE information: section name: .cdelc
                      Source: WTSAPI32.dll.4.drStatic PE information: section name: .qkhkj
                      Source: WTSAPI32.dll.4.drStatic PE information: section name: .mnzegr
                      Source: WTSAPI32.dll.4.drStatic PE information: section name: .krw
                      Source: WTSAPI32.dll.4.drStatic PE information: section name: .jvsmn
                      Source: WTSAPI32.dll.4.drStatic PE information: section name: .bygpq
                      Source: WTSAPI32.dll.4.drStatic PE information: section name: .kzdbu
                      Source: WTSAPI32.dll.4.drStatic PE information: section name: .mwxorn
                      Source: WTSAPI32.dll.4.drStatic PE information: section name: .raf
                      Source: WTSAPI32.dll.4.drStatic PE information: section name: .zcyw
                      Source: WTSAPI32.dll.4.drStatic PE information: section name: .zeczh
                      Source: WTSAPI32.dll.4.drStatic PE information: section name: .pvv
                      Source: WTSAPI32.dll.4.drStatic PE information: section name: .lug
                      Source: WTSAPI32.dll.4.drStatic PE information: section name: .ski
                      Source: WTSAPI32.dll.4.drStatic PE information: section name: .japjd
                      Source: WTSAPI32.dll.4.drStatic PE information: section name: .mwtzml
                      Source: WTSAPI32.dll.4.drStatic PE information: section name: .vgssf
                      Source: WTSAPI32.dll.4.drStatic PE information: section name: .gsroye
                      Source: WTSAPI32.dll.4.drStatic PE information: section name: .vcmr
                      Source: WTSAPI32.dll.4.drStatic PE information: section name: .kvjqnl
                      Source: WTSAPI32.dll.4.drStatic PE information: section name: .ikzlp
                      Source: WTSAPI32.dll.4.drStatic PE information: section name: .adsxi
                      Source: WTSAPI32.dll.4.drStatic PE information: section name: .wrttic
                      Source: OLEACC.dll.4.drStatic PE information: section name: .vxl
                      Source: OLEACC.dll.4.drStatic PE information: section name: .qwubgr
                      Source: OLEACC.dll.4.drStatic PE information: section name: .eer
                      Source: OLEACC.dll.4.drStatic PE information: section name: .xwwauf
                      Source: OLEACC.dll.4.drStatic PE information: section name: .pkc
                      Source: OLEACC.dll.4.drStatic PE information: section name: .npkda
                      Source: OLEACC.dll.4.drStatic PE information: section name: .vhs
                      Source: OLEACC.dll.4.drStatic PE information: section name: .iaywj
                      Source: OLEACC.dll.4.drStatic PE information: section name: .nasi
                      Source: OLEACC.dll.4.drStatic PE information: section name: .zhvprh
                      Source: OLEACC.dll.4.drStatic PE information: section name: .yatdsp
                      Source: OLEACC.dll.4.drStatic PE information: section name: .njso
                      Source: OLEACC.dll.4.drStatic PE information: section name: .lgliat
                      Source: OLEACC.dll.4.drStatic PE information: section name: .ntqjh
                      Source: OLEACC.dll.4.drStatic PE information: section name: .sucsek
                      Source: OLEACC.dll.4.drStatic PE information: section name: .qsxjui
                      Source: OLEACC.dll.4.drStatic PE information: section name: .twctcm
                      Source: OLEACC.dll.4.drStatic PE information: section name: .nms
                      Source: OLEACC.dll.4.drStatic PE information: section name: .ogj
                      Source: OLEACC.dll.4.drStatic PE information: section name: .vrkgb
                      Source: OLEACC.dll.4.drStatic PE information: section name: .gikfw
                      Source: OLEACC.dll.4.drStatic PE information: section name: .ktl
                      Source: OLEACC.dll.4.drStatic PE information: section name: .crcn
                      Source: OLEACC.dll.4.drStatic PE information: section name: .wtfr
                      Source: OLEACC.dll.4.drStatic PE information: section name: .hep
                      Source: OLEACC.dll.4.drStatic PE information: section name: .ywg
                      Source: OLEACC.dll.4.drStatic PE information: section name: .sqsp
                      Source: OLEACC.dll.4.drStatic PE information: section name: .gzb
                      Source: OLEACC.dll.4.drStatic PE information: section name: .fatlss
                      Source: OLEACC.dll.4.drStatic PE information: section name: .plqa
                      Source: OLEACC.dll.4.drStatic PE information: section name: .vzt
                      Source: OLEACC.dll.4.drStatic PE information: section name: .dsbyd
                      Source: OLEACC.dll.4.drStatic PE information: section name: .cdelc
                      Source: OLEACC.dll.4.drStatic PE information: section name: .qkhkj
                      Source: OLEACC.dll.4.drStatic PE information: section name: .mnzegr
                      Source: OLEACC.dll.4.drStatic PE information: section name: .krw
                      Source: OLEACC.dll.4.drStatic PE information: section name: .jvsmn
                      Source: OLEACC.dll.4.drStatic PE information: section name: .bygpq
                      Source: OLEACC.dll.4.drStatic PE information: section name: .kzdbu
                      Source: OLEACC.dll.4.drStatic PE information: section name: .mwxorn
                      Source: OLEACC.dll.4.drStatic PE information: section name: .raf
                      Source: OLEACC.dll.4.drStatic PE information: section name: .zcyw
                      Source: OLEACC.dll.4.drStatic PE information: section name: .zeczh
                      Source: OLEACC.dll.4.drStatic PE information: section name: .pvv
                      Source: OLEACC.dll.4.drStatic PE information: section name: .lug
                      Source: OLEACC.dll.4.drStatic PE information: section name: .ski
                      Source: OLEACC.dll.4.drStatic PE information: section name: .japjd
                      Source: OLEACC.dll.4.drStatic PE information: section name: .mwtzml
                      Source: OLEACC.dll.4.drStatic PE information: section name: .vgssf
                      Source: OLEACC.dll.4.drStatic PE information: section name: .gsroye
                      Source: OLEACC.dll.4.drStatic PE information: section name: .vcmr
                      Source: OLEACC.dll.4.drStatic PE information: section name: .kvjqnl
                      Source: OLEACC.dll.4.drStatic PE information: section name: .ikzlp
                      Source: OLEACC.dll.4.drStatic PE information: section name: .adsxi
                      Source: OLEACC.dll.4.drStatic PE information: section name: .pvfxo
                      Source: dwmapi.dll.4.drStatic PE information: section name: .vxl
                      Source: dwmapi.dll.4.drStatic PE information: section name: .qwubgr
                      Source: dwmapi.dll.4.drStatic PE information: section name: .eer
                      Source: dwmapi.dll.4.drStatic PE information: section name: .xwwauf
                      Source: dwmapi.dll.4.drStatic PE information: section name: .pkc
                      Source: dwmapi.dll.4.drStatic PE information: section name: .npkda
                      Source: dwmapi.dll.4.drStatic PE information: section name: .vhs
                      Source: dwmapi.dll.4.drStatic PE information: section name: .iaywj
                      Source: dwmapi.dll.4.drStatic PE information: section name: .nasi
                      Source: dwmapi.dll.4.drStatic PE information: section name: .zhvprh
                      Source: dwmapi.dll.4.drStatic PE information: section name: .yatdsp
                      Source: dwmapi.dll.4.drStatic PE information: section name: .njso
                      Source: dwmapi.dll.4.drStatic PE information: section name: .lgliat
                      Source: dwmapi.dll.4.drStatic PE information: section name: .ntqjh
                      Source: dwmapi.dll.4.drStatic PE information: section name: .sucsek
                      Source: dwmapi.dll.4.drStatic PE information: section name: .qsxjui
                      Source: dwmapi.dll.4.drStatic PE information: section name: .twctcm
                      Source: dwmapi.dll.4.drStatic PE information: section name: .nms
                      Source: dwmapi.dll.4.drStatic PE information: section name: .ogj
                      Source: dwmapi.dll.4.drStatic PE information: section name: .vrkgb
                      Source: dwmapi.dll.4.drStatic PE information: section name: .gikfw
                      Source: dwmapi.dll.4.drStatic PE information: section name: .ktl
                      Source: dwmapi.dll.4.drStatic PE information: section name: .crcn
                      Source: dwmapi.dll.4.drStatic PE information: section name: .wtfr
                      Source: dwmapi.dll.4.drStatic PE information: section name: .hep
                      Source: dwmapi.dll.4.drStatic PE information: section name: .ywg
                      Source: dwmapi.dll.4.drStatic PE information: section name: .sqsp
                      Source: dwmapi.dll.4.drStatic PE information: section name: .gzb
                      Source: dwmapi.dll.4.drStatic PE information: section name: .fatlss
                      Source: dwmapi.dll.4.drStatic PE information: section name: .plqa
                      Source: dwmapi.dll.4.drStatic PE information: section name: .vzt
                      Source: dwmapi.dll.4.drStatic PE information: section name: .dsbyd
                      Source: dwmapi.dll.4.drStatic PE information: section name: .cdelc
                      Source: dwmapi.dll.4.drStatic PE information: section name: .qkhkj
                      Source: dwmapi.dll.4.drStatic PE information: section name: .mnzegr
                      Source: dwmapi.dll.4.drStatic PE information: section name: .krw
                      Source: dwmapi.dll.4.drStatic PE information: section name: .jvsmn
                      Source: dwmapi.dll.4.drStatic PE information: section name: .bygpq
                      Source: dwmapi.dll.4.drStatic PE information: section name: .kzdbu
                      Source: dwmapi.dll.4.drStatic PE information: section name: .mwxorn
                      Source: dwmapi.dll.4.drStatic PE information: section name: .raf
                      Source: dwmapi.dll.4.drStatic PE information: section name: .zcyw
                      Source: dwmapi.dll.4.drStatic PE information: section name: .zeczh
                      Source: dwmapi.dll.4.drStatic PE information: section name: .pvv
                      Source: dwmapi.dll.4.drStatic PE information: section name: .lug
                      Source: dwmapi.dll.4.drStatic PE information: section name: .ski
                      Source: dwmapi.dll.4.drStatic PE information: section name: .japjd
                      Source: dwmapi.dll.4.drStatic PE information: section name: .mwtzml
                      Source: dwmapi.dll.4.drStatic PE information: section name: .vgssf
                      Source: dwmapi.dll.4.drStatic PE information: section name: .gsroye
                      Source: dwmapi.dll.4.drStatic PE information: section name: .vcmr
                      Source: dwmapi.dll.4.drStatic PE information: section name: .kvjqnl
                      Source: dwmapi.dll.4.drStatic PE information: section name: .ikzlp
                      Source: dwmapi.dll.4.drStatic PE information: section name: .adsxi
                      Source: dwmapi.dll.4.drStatic PE information: section name: .fanrx
                      Source: OLEACC.dll0.4.drStatic PE information: section name: .vxl
                      Source: OLEACC.dll0.4.drStatic PE information: section name: .qwubgr
                      Source: OLEACC.dll0.4.drStatic PE information: section name: .eer
                      Source: OLEACC.dll0.4.drStatic PE information: section name: .xwwauf
                      Source: OLEACC.dll0.4.drStatic PE information: section name: .pkc
                      Source: OLEACC.dll0.4.drStatic PE information: section name: .npkda
                      Source: OLEACC.dll0.4.drStatic PE information: section name: .vhs
                      Source: OLEACC.dll0.4.drStatic PE information: section name: .iaywj
                      Source: OLEACC.dll0.4.drStatic PE information: section name: .nasi
                      Source: OLEACC.dll0.4.drStatic PE information: section name: .zhvprh
                      Source: OLEACC.dll0.4.drStatic PE information: section name: .yatdsp
                      Source: OLEACC.dll0.4.drStatic PE information: section name: .njso
                      Source: OLEACC.dll0.4.drStatic PE information: section name: .lgliat
                      Source: OLEACC.dll0.4.drStatic PE information: section name: .ntqjh
                      Source: OLEACC.dll0.4.drStatic PE information: section name: .sucsek
                      Source: OLEACC.dll0.4.drStatic PE information: section name: .qsxjui
                      Source: OLEACC.dll0.4.drStatic PE information: section name: .twctcm
                      Source: OLEACC.dll0.4.drStatic PE information: section name: .nms
                      Source: OLEACC.dll0.4.drStatic PE information: section name: .ogj
                      Source: OLEACC.dll0.4.drStatic PE information: section name: .vrkgb
                      Source: OLEACC.dll0.4.drStatic PE information: section name: .gikfw
                      Source: OLEACC.dll0.4.drStatic PE information: section name: .ktl
                      Source: OLEACC.dll0.4.drStatic PE information: section name: .crcn
                      Source: OLEACC.dll0.4.drStatic PE information: section name: .wtfr
                      Source: OLEACC.dll0.4.drStatic PE information: section name: .hep
                      Source: OLEACC.dll0.4.drStatic PE information: section name: .ywg
                      Source: OLEACC.dll0.4.drStatic PE information: section name: .sqsp
                      Source: OLEACC.dll0.4.drStatic PE information: section name: .gzb
                      Source: OLEACC.dll0.4.drStatic PE information: section name: .fatlss
                      Source: OLEACC.dll0.4.drStatic PE information: section name: .plqa
                      Source: OLEACC.dll0.4.drStatic PE information: section name: .vzt
                      Source: OLEACC.dll0.4.drStatic PE information: section name: .dsbyd
                      Source: OLEACC.dll0.4.drStatic PE information: section name: .cdelc
                      Source: OLEACC.dll0.4.drStatic PE information: section name: .qkhkj
                      Source: OLEACC.dll0.4.drStatic PE information: section name: .mnzegr
                      Source: OLEACC.dll0.4.drStatic PE information: section name: .krw
                      Source: OLEACC.dll0.4.drStatic PE information: section name: .jvsmn
                      Source: OLEACC.dll0.4.drStatic PE information: section name: .bygpq
                      Source: OLEACC.dll0.4.drStatic PE information: section name: .kzdbu
                      Source: OLEACC.dll0.4.drStatic PE information: section name: .mwxorn
                      Source: OLEACC.dll0.4.drStatic PE information: section name: .raf
                      Source: OLEACC.dll0.4.drStatic PE information: section name: .zcyw
                      Source: OLEACC.dll0.4.drStatic PE information: section name: .zeczh
                      Source: OLEACC.dll0.4.drStatic PE information: section name: .pvv
                      Source: OLEACC.dll0.4.drStatic PE information: section name: .lug
                      Source: OLEACC.dll0.4.drStatic PE information: section name: .ski
                      Source: OLEACC.dll0.4.drStatic PE information: section name: .japjd
                      Source: OLEACC.dll0.4.drStatic PE information: section name: .mwtzml
                      Source: OLEACC.dll0.4.drStatic PE information: section name: .vgssf
                      Source: OLEACC.dll0.4.drStatic PE information: section name: .gsroye
                      Source: OLEACC.dll0.4.drStatic PE information: section name: .vcmr
                      Source: OLEACC.dll0.4.drStatic PE information: section name: .kvjqnl
                      Source: OLEACC.dll0.4.drStatic PE information: section name: .ikzlp
                      Source: OLEACC.dll0.4.drStatic PE information: section name: .adsxi
                      Source: OLEACC.dll0.4.drStatic PE information: section name: .rqsht
                      Source: WTSAPI32.dll0.4.drStatic PE information: section name: .vxl
                      Source: WTSAPI32.dll0.4.drStatic PE information: section name: .qwubgr
                      Source: WTSAPI32.dll0.4.drStatic PE information: section name: .eer
                      Source: WTSAPI32.dll0.4.drStatic PE information: section name: .xwwauf
                      Source: WTSAPI32.dll0.4.drStatic PE information: section name: .pkc
                      Source: WTSAPI32.dll0.4.drStatic PE information: section name: .npkda
                      Source: WTSAPI32.dll0.4.drStatic PE information: section name: .vhs
                      Source: WTSAPI32.dll0.4.drStatic PE information: section name: .iaywj
                      Source: WTSAPI32.dll0.4.drStatic PE information: section name: .nasi
                      Source: WTSAPI32.dll0.4.drStatic PE information: section name: .zhvprh
                      Source: WTSAPI32.dll0.4.drStatic PE information: section name: .yatdsp
                      Source: WTSAPI32.dll0.4.drStatic PE information: section name: .njso
                      Source: WTSAPI32.dll0.4.drStatic PE information: section name: .lgliat
                      Source: WTSAPI32.dll0.4.drStatic PE information: section name: .ntqjh
                      Source: WTSAPI32.dll0.4.drStatic PE information: section name: .sucsek
                      Source: WTSAPI32.dll0.4.drStatic PE information: section name: .qsxjui
                      Source: WTSAPI32.dll0.4.drStatic PE information: section name: .twctcm
                      Source: WTSAPI32.dll0.4.drStatic PE information: section name: .nms
                      Source: WTSAPI32.dll0.4.drStatic PE information: section name: .ogj
                      Source: WTSAPI32.dll0.4.drStatic PE information: section name: .vrkgb
                      Source: WTSAPI32.dll0.4.drStatic PE information: section name: .gikfw
                      Source: WTSAPI32.dll0.4.drStatic PE information: section name: .ktl
                      Source: WTSAPI32.dll0.4.drStatic PE information: section name: .crcn
                      Source: WTSAPI32.dll0.4.drStatic PE information: section name: .wtfr
                      Source: WTSAPI32.dll0.4.drStatic PE information: section name: .hep
                      Source: WTSAPI32.dll0.4.drStatic PE information: section name: .ywg
                      Source: WTSAPI32.dll0.4.drStatic PE information: section name: .sqsp
                      Source: WTSAPI32.dll0.4.drStatic PE information: section name: .gzb
                      Source: WTSAPI32.dll0.4.drStatic PE information: section name: .fatlss
                      Source: WTSAPI32.dll0.4.drStatic PE information: section name: .plqa
                      Source: WTSAPI32.dll0.4.drStatic PE information: section name: .vzt
                      Source: WTSAPI32.dll0.4.drStatic PE information: section name: .dsbyd
                      Source: WTSAPI32.dll0.4.drStatic PE information: section name: .cdelc
                      Source: WTSAPI32.dll0.4.drStatic PE information: section name: .qkhkj
                      Source: WTSAPI32.dll0.4.drStatic PE information: section name: .mnzegr
                      Source: WTSAPI32.dll0.4.drStatic PE information: section name: .krw
                      Source: WTSAPI32.dll0.4.drStatic PE information: section name: .jvsmn
                      Source: WTSAPI32.dll0.4.drStatic PE information: section name: .bygpq
                      Source: WTSAPI32.dll0.4.drStatic PE information: section name: .kzdbu
                      Source: WTSAPI32.dll0.4.drStatic PE information: section name: .mwxorn
                      Source: WTSAPI32.dll0.4.drStatic PE information: section name: .raf
                      Source: WTSAPI32.dll0.4.drStatic PE information: section name: .zcyw
                      Source: WTSAPI32.dll0.4.drStatic PE information: section name: .zeczh
                      Source: WTSAPI32.dll0.4.drStatic PE information: section name: .pvv
                      Source: WTSAPI32.dll0.4.drStatic PE information: section name: .lug
                      Source: WTSAPI32.dll0.4.drStatic PE information: section name: .ski
                      Source: WTSAPI32.dll0.4.drStatic PE information: section name: .japjd
                      Source: WTSAPI32.dll0.4.drStatic PE information: section name: .mwtzml
                      Source: WTSAPI32.dll0.4.drStatic PE information: section name: .vgssf
                      Source: WTSAPI32.dll0.4.drStatic PE information: section name: .gsroye
                      Source: WTSAPI32.dll0.4.drStatic PE information: section name: .vcmr
                      Source: FileHistory.exe.4.dr | Static PE information: 0xFAD0FCA2 [Mon May 7 16:56:02 2103 UTC]
                      Source: initial sample | Static PE information: section name: .text entropy: 7.78392111205
Source: C:\Windows\explorer.exe | File created: C:\Users\user\AppData\Local\2HophZ6P\XmlLite.dll
Source: C:\Windows\explorer.exe | File created: C:\Users\user\AppData\Local\Fjrn\WINSTA.dll
Source: C:\Windows\explorer.exe | File created: C:\Users\user\AppData\Local\D6R1uM\Utilman.exe
Source: C:\Windows\explorer.exe | File created: C:\Users\user\AppData\Local\CSYG\DmNotificationBroker.exe
Source: C:\Windows\explorer.exe | File created: C:\Users\user\AppData\Local\Kyz7D\rdpinput.exe
Source: C:\Windows\explorer.exe | File created: C:\Users\user\AppData\Local\l5T\omadmclient.exe
Source: C:\Windows\explorer.exe | File created: C:\Users\user\AppData\Local\G6gv6e\UxTheme.dll
Source: C:\Windows\explorer.exe | File created: C:\Users\user\AppData\Local\2Yf2pw501\slui.exe
Source: C:\Windows\explorer.exe | File created: C:\Users\user\AppData\Local\oOQGGow\DUI70.dll
Source: C:\Windows\explorer.exe | File created: C:\Users\user\AppData\Local\rDAhA\WMsgAPI.dll
Source: C:\Windows\explorer.exe | File created: C:\Users\user\AppData\Local\Kyz7D\WTSAPI32.dll
Source: C:\Windows\explorer.exe | File created: C:\Users\user\AppData\Local\Ui9PsZ9\OLEACC.dll
Source: C:\Windows\explorer.exe | File created: C:\Users\user\AppData\Local\l5T\XmlLite.dll
Source: C:\Windows\explorer.exe | File created: C:\Users\user\AppData\Local\LoReH\SnippingTool.exe
Source: C:\Windows\explorer.exe | File created: C:\Users\user\AppData\Local\2HophZ6P\printfilterpipelinesvc.exe
Source: C:\Windows\explorer.exe | File created: C:\Users\user\AppData\Local\6f22a\UxTheme.dll
Source: C:\Windows\explorer.exe | File created: C:\Users\user\AppData\Local\Fjrn\rdpinput.exe
Source: C:\Windows\explorer.exe | File created: C:\Users\user\AppData\Local\bTcR2e\SndVol.exe
Source: C:\Windows\explorer.exe | File created: C:\Users\user\AppData\Local\G6gv6e\AtBroker.exe
Source: C:\Windows\explorer.exe | File created: C:\Users\user\AppData\Local\rDAhA\consent.exe
Source: C:\Windows\explorer.exe | File created: C:\Users\user\AppData\Local\LoReH\OLEACC.dll
Source: C:\Windows\explorer.exe | File created: C:\Users\user\AppData\Local\op5PCy\phoneactivate.exe
Source: C:\Windows\explorer.exe | File created: C:\Users\user\AppData\Local\bTcR2e\dwmapi.dll
Source: C:\Windows\explorer.exe | File created: C:\Users\user\AppData\Local\2Yf2pw501\WTSAPI32.dll
Source: C:\Windows\explorer.exe | File created: C:\Users\user\AppData\Local\op5PCy\DUI70.dll
Source: C:\Windows\explorer.exe | File created: C:\Users\user\AppData\Local\D6R1uM\DUser.dll
Source: C:\Windows\explorer.exe | File created: C:\Users\user\AppData\Local\oOQGGow\ProximityUxHost.exe
Source: C:\Windows\explorer.exe | File created: C:\Users\user\AppData\Local\CSYG\DUI70.dll
Source: C:\Windows\explorer.exe | File created: C:\Users\user\AppData\Local\6f22a\FileHistory.exe
Source: C:\Users\user\AppData\Local\Kyz7D\rdpinput.exe | Code function: 20_2_00007FF7BADA4B74 OpenSCManagerW,OpenServiceW,StartServiceW,GetLastError,CloseServiceHandle,CloseServiceHandle,Sleep,
Source: C:\Users\user\AppData\Local\LoReH\SnippingTool.exe | Code function: 25_2_00007FF70C3FDE78 IsWindowVisible,ShowWindow,IsZoomed,ShowWindow,SendMessageW,SendMessageW,IsIconic,OpenIcon,IsWindowVisible,
Source: C:\Users\user\AppData\Local\LoReH\SnippingTool.exe | Code function: 25_2_00007FF70C3F7800 FindWindowW,FindWindowW,IsWindowVisible,FindWindowW,IsWindowVisible,FindWindowW,IsWindowVisible,IsIconic,OpenIcon,SetForegroundWindow,GetLastError,
Source: C:\Users\user\AppData\Local\LoReH\SnippingTool.exe | Code function: 25_2_00007FF70C3FF79C DefWindowProcW,memset,TraceEvent,DefWindowProcW,SendMessageW,IsIconic,GetWindowRect,IsWindowVisible,IsIconic,OpenIcon,
Source: C:\Users\user\AppData\Local\LoReH\SnippingTool.exe | Code function: 25_2_00007FF70C3F3078 IsWindowVisible,IsIconic,DwmGetWindowAttribute,
Source: C:\Users\user\AppData\Local\Kyz7D\rdpinput.exe | Code function: 20_2_00007FF7BADB3F94 LoadLibraryExW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,
Source: C:\Windows\System32\rundll32.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\6f22a\FileHistory.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe TID: 5312 | Thread sleep count: 82 > 30
Source: C:\Users\user\AppData\Local\Kyz7D\rdpinput.exe | Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Fjrn\rdpinput.exe | Last function: Thread delayed
Source: C:\Windows\explorer.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\G6gv6e\AtBroker.exe
Source: C:\Windows\explorer.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\rDAhA\consent.exe
Source: C:\Windows\explorer.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\rDAhA\WMsgAPI.dll
Source: C:\Users\user\AppData\Local\6f22a\FileHistory.exe | Check user administrative privileges: GetTokenInformation,DecisionNodes
Source: C:\Windows\System32\loaddll64.exe | Check user administrative privileges: GetTokenInformation,DecisionNodes
Source: C:\Users\user\AppData\Local\Kyz7D\rdpinput.exe | API coverage: 1.1 %
Source: C:\Users\user\AppData\Local\bTcR2e\SndVol.exe | API coverage: 0.3 %
Source: C:\Users\user\AppData\Local\LoReH\SnippingTool.exe | API coverage: 0.4 %
Source: C:\Users\user\AppData\Local\2Yf2pw501\slui.exe | API coverage: 1.7 %
Source: C:\Windows\System32\loaddll64.exe | Process information queried: ProcessInformation
Source: C:\Windows\System32\loaddll64.exe | Code function: 0_2_00007FF8BA62DDC0 GetSystemInfo,
Source: C:\Windows\System32\loaddll64.exe | Code function: 0_2_00007FF8BA62ED10 FindFirstFileExW,
Source: explorer.exe, 00000004.00000000.363965361.0000000006389000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000
Source: explorer.exe, 00000004.00000000.399448372.0000000007C08000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}i
Source: explorer.exe, 00000004.00000000.399448372.0000000007C08000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000004.00000000.357470448.0000000004150000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}:
Source: explorer.exe, 00000004.00000000.399448372.0000000007C08000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}i&
Source: explorer.exe, 00000004.00000000.399765153.0000000007D2A000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000
Source: explorer.exe, 00000004.00000000.399448372.0000000007C08000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: VMware SATA CD00Iy
Source: explorer.exe, 00000004.00000000.396224901.0000000006243000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}osoft S
Source: explorer.exe, 00000004.00000000.399635685.0000000007CC2000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000v
Source: C:\Users\user\AppData\Local\bTcR2e\SndVol.exe | Code function: 22_2_00007FF6C1BB21D0 GetCurrentThreadId,memset,IsDebuggerPresent,OutputDebugStringW,
Source: C:\Users\user\AppData\Local\bTcR2e\SndVol.exe | Code function: 22_2_00007FF6C1BB2F20 GetCurrentThreadId,GetProcessHeap,HeapAlloc,
Source: C:\Windows\System32\loaddll64.exe | Code function: 0_2_00007FF8BA6197D0 LdrLoadDll,FindClose,
Source: C:\Users\user\AppData\Local\6f22a\FileHistory.exe | Memory allocated: page read and write | page guard
Source: C:\Users\user\AppData\Local\6f22a\FileHistory.exe | Code function: 18_2_00007FF6D0A37570 SetUnhandledExceptionFilter,
Source: C:\Users\user\AppData\Local\6f22a\FileHistory.exe | Code function: 18_2_00007FF6D0A377EC SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
Source: C:\Users\user\AppData\Local\Kyz7D\rdpinput.exe | Code function: 20_2_00007FF7BADC2610 SetUnhandledExceptionFilter,
Source: C:\Users\user\AppData\Local\Kyz7D\rdpinput.exe | Code function: 20_2_00007FF7BADC292C SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
Source: C:\Users\user\AppData\Local\bTcR2e\SndVol.exe | Code function: 22_2_00007FF6C1BCF2E0 SetUnhandledExceptionFilter,
Source: C:\Users\user\AppData\Local\bTcR2e\SndVol.exe | Code function: 22_2_00007FF6C1BCEE40 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
Source: C:\Users\user\AppData\Local\LoReH\SnippingTool.exe | Code function: 25_2_00007FF70C41DF84 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
Source: C:\Users\user\AppData\Local\2Yf2pw501\slui.exe | Code function: 28_2_00007FF6A3F3D918 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,

                      HIPS / PFW / Operating System Protection Evasion

Source: C:\Windows\explorer.exe | File created: FileHistory.exe.4.dr
Source: C:\Windows\System32\rundll32.exe | Memory protected: C:\Windows\explorer.exe base: 7FF8DBF4EFE0 protect: page execute and read and write
Source: C:\Windows\System32\rundll32.exe | Memory protected: C:\Windows\explorer.exe base: 7FF8DBF4E000 protect: page execute read
Source: C:\Windows\System32\rundll32.exe | Memory protected: C:\Windows\explorer.exe base: 7FF8D94B2A20 protect: page execute and read and write
Source: C:\Windows\System32\rundll32.exe | Thread APC queued: target process: C:\Windows\explorer.exe
Source: C:\Users\user\AppData\Local\bTcR2e\SndVol.exe | Code function: 22_2_00007FF6C1BBA5C8 GetDC,GetDeviceCaps,ReleaseDC,LoadIconW,SendMessageW,GetWindowBand,FindWindowW,GetWindowBand,FindWindowW,SendMessageTimeoutW,GetWindowLongW,SetWindowLongW,SetForegroundWindow,IsThemeActive,DwmIsCompositionEnabled,GetWindowRect,GetClientRect,EnterCriticalSection,GetWindowRect,LeaveCriticalSection,SetWindowPos,LeaveCriticalSection,memset,Shell_NotifyIconGetRect,GetWindowRect,DwmIsCompositionEnabled,Shell_NotifyIconGetRect,InflateRect,CalculatePopupWindowPosition,SetWindowPos,InvalidateRect,GetClientRect,EnterCriticalSection,SetWindowPos,GetDlgItem,SetFocus,ShowWindow,LeaveCriticalSection,SetTimer,NotifyWinEvent,
Source: C:\Windows\System32\rundll32.exe | Atom created: 405553565741544156488D6C24D14881EC98 0x00000000 inc eax 0x00000001 push ebp 0x00000002 push ebx 0x00000003 push esi 0x00000004 push edi 0x00000005 inc ecx 0x00000006 push esp 0x00000007 inc ecx 0x00000008 push esi 0x00000009 dec eax 0x0000000a lea ebp, dword ptr [esp-2Fh] 0x0000000e dec eax 0x0000000f sub esp, 00000098h
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\GpUSRuIBHx.dll",#1
Source: explorer.exe, 00000004.00000000.354953179.0000000000D00000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000004.00000000.411444736.0000000000D00000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000004.00000000.390762806.0000000000D00000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Program ManagerG
Source: explorer.exe, 00000004.00000000.427164011.0000000007C08000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.354953179.0000000000D00000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000004.00000000.362144319.0000000005920000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000004.00000000.354953179.0000000000D00000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000004.00000000.411444736.0000000000D00000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000004.00000000.390762806.0000000000D00000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Progman
Source: SndVol.exe, 00000016.00000000.518686092.00007FF6C1BD2000.00000002.00000001.01000000.0000000D.sdmp, SndVol.exe, 00000016.00000002.541746435.00007FF6C1BD2000.00000002.00000001.01000000.0000000D.sdmp | Binary or memory string: Software\Microsoft\Multimedia\Audio\SndVolSndVolPreferencesMaskSndVolSelectedDevicesShell_TrayWnd
Source: explorer.exe, 00000004.00000000.354953179.0000000000D00000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000004.00000000.411444736.0000000000D00000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000004.00000000.390762806.0000000000D00000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Progmanlock
Source: explorer.exe, 00000004.00000000.390164378.0000000000628000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.354278692.0000000000628000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.410505751.0000000000628000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: ProgmanPV*
Source: C:\Users\user\AppData\Local\6f22a\FileHistory.exe | Queries volume information: C:\Users\user\AppData\Local\6f22a\FileHistory.exe VolumeInformation
Source: C:\Users\user\AppData\Local\bTcR2e\SndVol.exe | Code function: GetUserPreferredUILanguages,malloc,GetUserPreferredUILanguages,GetLocaleInfoEx,free,
Source: C:\Windows\System32\loaddll64.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion InstallDate
Source: C:\Windows\System32\loaddll64.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: C:\Users\user\AppData\Local\6f22a\FileHistory.exe | Code function: 18_2_00007FF6D0A37704 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,GetTickCount,QueryPerformanceCounter,
Source: C:\Users\user\AppData\Local\Kyz7D\rdpinput.exe | Code function: 20_2_00007FF7BADBD63C GetVersionExW,
Source: C:\Windows\System32\loaddll64.exe | Code function: 0_2_00007FF8BA619400 GetUserNameW,
Source: C:\Users\user\AppData\Local\2Yf2pw501\slui.exe | Code function: 28_2_00007FF6A3F27390 CreateBindCtx,StringFromGUID2,CoTaskMemAlloc,~SyncLockT,memcpy,MkParseDisplayName,~SyncLockT,
Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
Valid Accounts | Native API (1) | DLL Side-Loading (1) | DLL Side-Loading (1) | Disable or Modify Tools (1) | OS Credential Dumping | System Time Discovery (1) | Remote Services | Archive Collected Data (1) | Exfiltration Over Other Network Medium | Encrypted Channel (1) | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
Default Accounts | Exploitation for Client Execution (1) | Windows Service (1) | Windows Service (1) | Deobfuscate/Decode Files or Information (1) | LSASS Memory | Account Discovery (1) | Remote Desktop Protocol | Clipboard Data (1) | Exfiltration Over Bluetooth | Non-Application Layer Protocol (1) | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
Domain Accounts | Service Execution (2) | Logon Script (Windows) | Process Injection (312) | Obfuscated Files or Information (3) | Security Account Manager | File and Directory Discovery (1) | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Application Layer Protocol (1) | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Software Packing (2) | NTDS | System Information Discovery (35) | Distributed Component Object Model | Input Capture | Scheduled Transfer | Protocol Impersonation | SIM Card Swap | Carrier Billing Fraud
Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Timestomp (1) | LSA Secrets | Security Software Discovery (21) | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | Manipulate App Store Rankings or Ratings
Replication Through Removable Media | Launchd | Rc.common | Rc.common | DLL Side-Loading (1) | Cached Domain Credentials | Virtualization/Sandbox Evasion (1) | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | Abuse Accessibility Features
External Remote Services | Scheduled Task | Startup Items | Startup Items | Masquerading (1) | DCSync | Process Discovery (2) | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | Data Encrypted for Impact
Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | Virtualization/Sandbox Evasion (1) | Proc Filesystem | Application Window Discovery (1) | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | Generate Fraudulent Advertising Revenue
Exploit Public-Facing Application | PowerShell | At (Linux) | At (Linux) | Process Injection (312) | /etc/passwd and /etc/shadow | System Owner/User Discovery (1) | Software Deployment Tools | Data Staged | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | Web Protocols | Rogue Cellular Base Station | Data Destruction
Supply Chain Compromise | AppleScript | At (Windows) | At (Windows) | Rundll32 (1) | Network Sniffing | Process Discovery | Taint Shared Content | Local Data Staging | Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol | File Transfer Protocols | Data Encrypted for Impact
Behavior Graph ID: 595305 | Sample: GpUSRuIBHx | Start date: 23/03/2022 | Architecture: WINDOWS | Score: 100
• DNS: canonicalizer.ucsuri.tcs
• Sample-level signatures: Antivirus detection for dropped file; Antivirus / Scanner detection for submitted sample; Multi AV Scanner detection for submitted file; 4 other signatures
• loaddll64.exe started; it started rundll32.exe, cmd.exe, rundll32.exe and rundll32.exe
• rundll32.exe: Changes memory attributes in foreign processes to executable or writable; Uses Atom Bombing / ProGate to inject into other processes; Queues an APC in another process (thread injection); injected into explorer.exe
• cmd.exe started rundll32.exe
• explorer.exe dropped C:\Users\user\AppData\Local\...\WMsgAPI.dll (PE32+), C:\Users\user\AppData\Local\...\dwmapi.dll (PE32+), C:\Users\user\AppData\Local\...\SndVol.exe (PE32+) and 26 other files (7 malicious); signature: Benign windows process drops PE files; started SndVol.exe, rdpinput.exe, FileHistory.exe and 21 other processes
• SndVol.exe: Contains functionality to automate explorer (e.g. start an application)

Source | Detection | Scanner | Label
GpUSRuIBHx.dll | 70% | Virustotal |
GpUSRuIBHx.dll | 63% | Metadefender |
GpUSRuIBHx.dll | 88% | ReversingLabs | Win64.Trojan.Occamy
GpUSRuIBHx.dll | 100% | Avira | TR/Crypt.XPACK.Gen7
GpUSRuIBHx.dll | 100% | Joe Sandbox ML |
Source | Detection | Scanner | Label
C:\Users\user\AppData\Local\2Yf2pw501\WTSAPI32.dll | 100% | Avira | TR/Crypt.ZPACK.Gen
C:\Users\user\AppData\Local\bTcR2e\dwmapi.dll | 100% | Avira | TR/Crypt.XPACK.Gen7
C:\Users\user\AppData\Local\CSYG\DUI70.dll | 100% | Avira | TR/Crypt.XPACK.Gen4
C:\Users\user\AppData\Local\rDAhA\WMsgAPI.dll | 100% | Avira | TR/Crypt.XPACK.Gen7
C:\Users\user\AppData\Local\6f22a\UxTheme.dll | 100% | Avira | TR/Crypt.ZPACK.Gen
C:\Users\user\AppData\Local\2HophZ6P\XmlLite.dll | 100% | Avira | TR/Crypt.XPACK.Gen7
C:\Users\user\AppData\Local\D6R1uM\DUser.dll | 100% | Avira | TR/Crypt.XPACK.Gen7
C:\Users\user\AppData\Local\Fjrn\WINSTA.dll | 100% | Avira | TR/Crypt.ZPACK.Gen
C:\Users\user\AppData\Local\LoReH\OLEACC.dll | 100% | Avira | TR/Crypt.ZPACK.Gen
C:\Users\user\AppData\Local\2Yf2pw501\WTSAPI32.dll | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Local\bTcR2e\dwmapi.dll | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Local\CSYG\DUI70.dll | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Local\rDAhA\WMsgAPI.dll | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Local\6f22a\UxTheme.dll | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Local\2HophZ6P\XmlLite.dll | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Local\D6R1uM\DUser.dll | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Local\Fjrn\WINSTA.dll | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Local\LoReH\OLEACC.dll | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Local\2HophZ6P\printfilterpipelinesvc.exe | 0% | Metadefender |
C:\Users\user\AppData\Local\2HophZ6P\printfilterpipelinesvc.exe | 0% | ReversingLabs |
C:\Users\user\AppData\Local\2Yf2pw501\slui.exe | 0% | Metadefender |
C:\Users\user\AppData\Local\2Yf2pw501\slui.exe | 0% | ReversingLabs |
C:\Users\user\AppData\Local\6f22a\FileHistory.exe | 0% | Metadefender |
C:\Users\user\AppData\Local\6f22a\FileHistory.exe | 0% | ReversingLabs |
C:\Users\user\AppData\Local\CSYG\DmNotificationBroker.exe | 0% | Metadefender |
C:\Users\user\AppData\Local\CSYG\DmNotificationBroker.exe | 0% | ReversingLabs |
Source | Detection | Scanner | Label
18.2.FileHistory.exe.2d7d9c90000.0.unpack | 100% | Avira | HEUR/AGEN.1215493
18.2.FileHistory.exe.7ff8ca980000.3.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
0.2.loaddll64.exe.23665550000.0.unpack | 100% | Avira | HEUR/AGEN.1215493
0.2.loaddll64.exe.7ff8ba5d0000.2.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
34.2.Utilman.exe.7ff8bb380000.3.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
3.2.rundll32.exe.7ff8ba5d0000.2.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
20.2.rdpinput.exe.1edbea50000.1.unpack | 100% | Avira | HEUR/AGEN.1215493
22.2.SndVol.exe.7ff8ca980000.3.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
40.2.ProximityUxHost.exe.1b64bc90000.0.unpack | 100% | Avira | HEUR/AGEN.1215493
28.2.slui.exe.7ff8ca980000.3.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
25.2.SnippingTool.exe.7ff8ca980000.3.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
5.2.rundll32.exe.7ff8ba5d0000.2.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
6.2.rundll32.exe.7ff8ba5d0000.2.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
2.2.rundll32.exe.1d069e40000.0.unpack | 100% | Avira | HEUR/AGEN.1215493
22.2.SndVol.exe.1be81c30000.0.unpack | 100% | Avira | HEUR/AGEN.1215493
5.2.rundll32.exe.1ed7c920000.0.unpack | 100% | Avira | HEUR/AGEN.1215493
38.2.DmNotificationBroker.exe.140ded90000.0.unpack | 100% | Avira | HEUR/AGEN.1215493
32.2.printfilterpipelinesvc.exe.1c1f8de0000.0.unpack | 100% | Avira | HEUR/AGEN.1215493
36.2.phoneactivate.exe.209a5e50000.0.unpack | 100% | Avira | HEUR/AGEN.1215493
30.2.rdpinput.exe.7ff8ca980000.3.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
20.2.rdpinput.exe.7ff8ca980000.3.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
3.2.rundll32.exe.1c8d5d60000.1.unpack | 100% | Avira | HEUR/AGEN.1215493
30.2.rdpinput.exe.171ee190000.0.unpack | 100% | Avira | HEUR/AGEN.1215493
38.2.DmNotificationBroker.exe.7ff8ca680000.3.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
34.2.Utilman.exe.255917d0000.0.unpack | 100% | Avira | HEUR/AGEN.1215493
32.2.printfilterpipelinesvc.exe.7ff8bb380000.3.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
2.2.rundll32.exe.7ff8ba5d0000.2.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
6.2.rundll32.exe.21aaeee0000.0.unpack | 100% | Avira | HEUR/AGEN.1215493
25.2.SnippingTool.exe.168c9480000.0.unpack | 100% | Avira | HEUR/AGEN.1215493
40.2.ProximityUxHost.exe.7ff8ca680000.3.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
28.2.slui.exe.21e04fe0000.1.unpack | 100% | Avira | HEUR/AGEN.1215493
36.2.phoneactivate.exe.7ff8ca680000.3.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
                      No Antivirus matches
Source | Detection | Scanner | Label
http://ns.adobY | 0% | Avira URL Cloud | safe
Name | IP | Active | Malicious | Antivirus Detection | Reputation
dual-a-0001.a-msedge.net | 204.79.197.200 | true | false | - | high
canonicalizer.ucsuri.tcs | unknown | unknown | false | - | high
Name | Source | Malicious | Antivirus Detection | Reputation
http://ns.adobY | explorer.exe, 00000004.00000000.411736058.00000000026D0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.390915909.00000000026D0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.355411214.00000000026D0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.439321830.00000000026D0000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
                          No contacted IP infos
                          Joe Sandbox Version:34.0.0 Boulder Opal
                          Analysis ID:595305
                          Start date and time:2022-03-23 14:41:42 +01:00
                          Joe Sandbox Product:CloudBasic
                          Overall analysis duration:0h 16m 34s
                          Hypervisor based Inspection enabled:false
                          Report type:light
                          Sample file name:GpUSRuIBHx (renamed file extension from none to dll)
                          Cookbook file name:default.jbs
                          Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed:41
                          Number of new started drivers analysed:0
                          Number of existing processes analysed:0
                          Number of existing drivers analysed:0
                          Number of injected processes analysed:1
                          Technologies:
                          • HCA enabled
                          • EGA enabled
                          • HDC enabled
                          • AMSI enabled
                          Analysis Mode:default
                          Analysis stop reason:Timeout
                          Detection:MAL
                          Classification:mal100.troj.evad.winDLL@64/31@1/0
                          EGA Information:
                          • Successful, ratio: 100%
                          HDC Information:
                          • Successful, ratio: 32.6% (good quality ratio 23.9%)
                          • Quality average: 49.1%
                          • Quality standard deviation: 36.8%
                          HCA Information:
                          • Successful, ratio: 98%
                          • Number of executed functions: 0
                          • Number of non-executed functions: 0
                          Cookbook Comments:
                          • Adjust boot time
                          • Enable AMSI
                          • Override analysis time to 240s for rundll32
                          • Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, WMIADAP.exe, conhost.exe, backgroundTaskHost.exe, svchost.exe
                          • Excluded IPs from analysis (whitelisted): 20.190.159.22, 20.190.159.1, 40.126.31.70, 20.190.159.70, 20.190.159.5, 40.126.31.64, 20.190.159.3, 40.126.31.68
                          • Excluded domains from analysis (whitelisted): ris.api.iris.microsoft.com, www.bing.com, client.wns.windows.com, a-0001.a-afdentry.net.trafficmanager.net, login.live.com, www.tm.lg.prod.aadmsa.akadns.net, ctldl.windowsupdate.com, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, login.msa.msidentity.com, www.tm.a.prd.aadg.trafficmanager.net
• Not all processes were analyzed, report is missing behavior information
                          • Report creation exceeded maximum time and may have missing disassembly code information.
                          • Report size exceeded maximum capacity and may have missing behavior information.
                          • Report size exceeded maximum capacity and may have missing disassembly code.
                          • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                          • Report size getting too big, too many NtEnumerateKey calls found.
                          • Report size getting too big, too many NtProtectVirtualMemory calls found.
                          No simulations
                          No context
                          Process:C:\Windows\explorer.exe
                          File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                          Category:dropped
                          Size (bytes):1372160
                          Entropy (8bit):5.066584957420403
                          Encrypted:false
                          SSDEEP:12288:LZgJtlQepQn+NDo7nIYegQCLDF/B9wvj/cLvVZFuw:LZK6F7n5eRmDFJivohZFV
                          MD5:52E01AB79E9003A546318454EFB421FB
                          SHA1:56598E165CCF95720EC6862BD5D850587F30902F
                          SHA-256:39013B96E8FD7840563EC2C5EBD85401EC6E500E18634FCF3BF070A3917F36DF
                          SHA-512:6F47B027A4E43CD0A5D5F5FCF0F2A946C12577AB607966C65B104DA9EDE992FF17AB9E020A0AB2FB7E9FFC51AAC5FEA04FBB3248EC9E2C617FE2C0A78F113EB7
                          Malicious:true
                          Antivirus:
• Antivirus: Avira, Detection: 100%
• Antivirus: Joe Sandbox ML, Detection: 100%
                          Reputation:unknown
                          Preview:MZ......................@.......................................X..Z.qb..qb..qb.a...jqb.s....qb.9...\qb.s...(qb......qb..#.. qb../b..qb......qb.....Hqb..(c./qb.r,f..qb..(c..qb.;...,qb../..Tqb.....Zqb......qb.z...Bqb.....nqb.....[qb.....qb.;...{qb......qb..#...qb...f.oqb....hqb.z....qb.....:qb.;...tqb.Rich.qb.................................................................................................PE..d.=...}^.........." ..... ...........$.........@..........................................`.................................................$...<....................................................................................0..(............................text............ .........@........ ..`.rdata..Co...0...p...0...0.@Co......@..@.data....;.......@.........@.;......@....pdata..8..................@8.......@..@.rsrc......................@........@..@.reloc..1..................@1.......@..B.vxl............. .........@........@..@.qwubgr.$....0... ...0...0.@$.......@..@.eer....
                          Process:C:\Windows\explorer.exe
                          File Type:PE32+ executable (GUI) x86-64, for MS Windows
                          Category:dropped
                          Size (bytes):841728
                          Entropy (8bit):6.098715724182093
                          Encrypted:false
                          SSDEEP:12288:JvOaQRxqg2DF9GOdw+UEx3OlRrd7p1dj6znesD0Xk++J:JvOaut2hf7r+lRZl6ak+
                          MD5:4164BD4D8E23C672E40D203E4B4A38A7
                          SHA1:7D7BC2BEB5B3669764EB0CA10E1C3E820413F8CA
                          SHA-256:643F40ABCDA332944BBF92B4D2F846570A34B10BA0A0619B54F4FCF27AD116D0
                          SHA-512:39969503FDF09107FD3B35F8A29CFB640B96E4A7DD257F9561F8BD34A22DC93B7246A424FC22D06EB1D7A01717CD05DCC3C5B00FB13F222F30D09D7F2EC31BA4
                          Malicious:false
                          Antivirus:
• Antivirus: Metadefender, Detection: 0%
                          • Antivirus: ReversingLabs, Detection: 0%
                          Reputation:unknown
                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........'...F...F...F...>I..F.."...F.."...F.."...F...F...G.."..^F.."...F.."%..F.."...F..Rich.F..................PE..d...!.i..........."......X...........b.........@..........................................`.......... ......................................`/..........X....p...u..............h.......T.......................(.......................@............................text....W.......X.................. ..`.rdata..>....p.......\..............@..@.data........P.......8..............@....pdata...u...p...v...B..............@..@.rsrc...X...........................@..@.reloc..h...........................@..B................................................................................................................................................................................................................................................................
                          Process:C:\Windows\explorer.exe
                          File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                          Category:dropped
                          Size (bytes):1372160
                          Entropy (8bit):5.076486334846654
                          Encrypted:false
                          SSDEEP:12288:eZgJtlQepQn+NDo7nIYegQCLDF/B9wvj/cLvVZFuw:eZK6F7n5eRmDFJivohZFV
                          MD5:139E8C7A8F2D8A7AF205FA3F2C4D1EA7
                          SHA1:D6E7B262E7E2ED200186875C5D5B123DC397BA80
                          SHA-256:52B0ED5C7C71FC53DF99C24322B873C20F78444EAB0B6F093FA86CE1DCDF32D8
                          SHA-512:0C66074A6149BBAEB9A10389D8A480B3FE57EB3F9F98514C080D048FFCE5FD4D9BB7C7842ACBB759267DC238CDD3F64D52802696081748EBE3B708998C8DB8AE
                          Malicious:true
                          Antivirus:
• Antivirus: Avira, Detection: 100%
• Antivirus: Joe Sandbox ML, Detection: 100%
                          Reputation:unknown
                          Preview:MZ......................@.......................................X..Z.qb..qb..qb.a...jqb.s....qb.9...\qb.s...(qb......qb..#.. qb../b..qb......qb.....Hqb..(c./qb.r,f..qb..(c..qb.;...,qb../..Tqb.....Zqb......qb.z...Bqb.....nqb.....[qb.....qb.;...{qb......qb..#...qb...f.oqb....hqb.z....qb.....:qb.;...tqb.Rich.qb.................................................................................................PE..d.=...}^.........." ..... ...........$.........@..........................................`.................................................$...<....................................................................................0..(............................text............ .........@........ ..`.rdata..Co...0...p...0...0.@Co......@..@.data....;.......@.........@.;......@....pdata..8..................@8.......@..@.rsrc......................@........@..@.reloc..1..................@1.......@..B.vxl............. .........@........@..@.qwubgr.$....0... ...0...0.@$.......@..@.eer....
                          Process:C:\Windows\explorer.exe
                          File Type:PE32+ executable (GUI) x86-64, for MS Windows
                          Category:dropped
                          Size (bytes):445952
                          Entropy (8bit):6.661655128700218
                          Encrypted:false
                          SSDEEP:6144:q++gR8ZWU7WZ1rpvJw1DouE71kL3qY/W5R02qO7VKCyWQp:MgzKWZ1VJwEmDq3nyR
                          MD5:96A8EF9387619D17BB30B024DDF52BF3
                          SHA1:02DFA07143911500925C6298864477296F414AB0
                          SHA-256:ECC41BB93E0E1EA63A1027D551BA0FCE503E53EF1BA2E70944FD7E7C7C9A9B8A
                          SHA-512:01701BCFB3D3F09DF86CAF75ED76DC82A4B1480A284AB68FB4B7E4941466DB1ED23187B4D2E51B63C7526123EB4647FB5D155F31832E9ED7F4DBADF78F1F94EA
                          Malicious:false
                          Antivirus:
• Antivirus: Metadefender, Detection: 0%
                          • Antivirus: ReversingLabs, Detection: 0%
                          Reputation:unknown
                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......*...n.rMn.rMn.rMg..Mr.rM..qLm.rM..vLx.rM..wLj.rM..sL{.rMn.sM..rM..|Lv.rM...Mo.rM..pLo.rMRichn.rM........................PE..d...O.h{.........."..........0.................@............................. ............`.......... .......................................-...............`..........................T.......................(....................................................text...&........................... ..`.rdata..............................@..@.data........P.......*..............@....pdata.......`.......0..............@..@.rsrc................J..............@..@.reloc..............................@..B........................................................................................................................................................................................................................................................
                          Process:C:\Windows\explorer.exe
                          File Type:PE32+ executable (GUI) x86-64 Mono/.Net assembly, for MS Windows
                          Category:dropped
                          Size (bytes):246784
                          Entropy (8bit):6.054877934071265
                          Encrypted:false
                          SSDEEP:3072:5WQz0maAVV604aFUxzYuVD8o+otIxAGQW7A70TshCbdmyTVulAyXRON:5WZmxPZUxzYuVD8ortIxAGJKSuCbd
                          MD5:989B5BDB2BEAC9F894BBC236F1B67967
                          SHA1:7B964642FEE2D6508E66C615AA6CF7FD95D6196E
                          SHA-256:FF1DE8A606FDB6A932E7A3E5EE5317A6483F08712DE93603C92C058E05A89C0C
                          SHA-512:0360C9FE88743056FD25AC17F12087DAD026B033E590A93F394B00EB486A2F5E2331EDCCA9605AA7573D892FBA41557C9E0EE4FAC69FCA687D6B6F144E5E5249
                          Malicious:false
                          Antivirus:
• Antivirus: Metadefender, Detection: 0%
                          • Antivirus: ReversingLabs, Detection: 0%
                          Reputation:unknown
                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........m.s..k ..k ..k .hh!..k .^. ..k .ho!..k .hb!..k .hj!..k ..j #.k .hn!..k .h. ..k .hi!..k Rich..k ........PE..d................."......t...X.......{.........@............................. ......\.....`.......... ...............................................0....... ..8...............$... ...T...............................................................H............text...{m.......n.................. ..`.nep.................r.............. ..`.rdata...i.......j...x..............@..@.data... ...........................@....pdata..8.... ......................@..@.rsrc........0......................@..@.reloc..$...........................@..B................................................................................................................................................................................................................................
                          Process:C:\Windows\explorer.exe
                          File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                          Category:dropped
                          Size (bytes):1372160
                          Entropy (8bit):5.079592473637229
                          Encrypted:false
                          SSDEEP:12288:SZgJtlQepQn+NDo7nIYegQCLDF/B9wvj/cLvVZFuw:SZK6F7n5eRmDFJivohZFV
                          MD5:B5F32E397CE86A9CB3EBFB3B6F366367
                          SHA1:02D184436324DEEAE909FB30679C902949E0E1D3
                          SHA-256:D5A5310463837F98DD9273746ED845CD2928B1FA3699B2BAE4FEF5F0CFDF0E2B
                          SHA-512:ABB46329D4ED085D52A4C7ED6E590DC7CE95CF129A2D8C1F42827BBA8290EA94CD207E07CAC34363B592AB1B4BB58299A1FF74CD0D4EDF7145A6E4DF8BFC0C5D
                          Malicious:true
                          Antivirus:
• Antivirus: Avira, Detection: 100%
• Antivirus: Joe Sandbox ML, Detection: 100%
                          Reputation:unknown
                          Preview:MZ......................@.......................................X..Z.qb..qb..qb.a...jqb.s....qb.9...\qb.s...(qb......qb..#.. qb../b..qb......qb.....Hqb..(c./qb.r,f..qb..(c..qb.;...,qb../..Tqb.....Zqb......qb.z...Bqb.....nqb.....[qb.....qb.;...{qb......qb..#...qb...f.oqb....hqb.z....qb.....:qb.;...tqb.Rich.qb.................................................................................................PE..d.=...}^.........." ..... ...........$.........@..........................................`.................................................$...<....................................................................................0..(............................text............ .........@........ ..`.rdata..Co...0...p...0...0.@Co......@..@.data....;.......@.........@.;......@....pdata..8..................@8.......@..@.rsrc......................@........@..@.reloc..1..................@1.......@..B.vxl............. .........@........@..@.qwubgr.$....0... ...0...0.@$.......@..@.eer....
                          Process:C:\Windows\explorer.exe
                          File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                          Category:dropped
                          Size (bytes):1654784
                          Entropy (8bit):5.5068060987929055
                          Encrypted:false
                          SSDEEP:12288:3ZgJtlQepQn+NDo7nIYegQCLDF/B9wvj/cLvVZFuwW2bXt:3ZK6F7n5eRmDFJivohZFVvL
                          MD5:CFBBAAFFD60DA5EAA23E4E2126D743A3
                          SHA1:1EE71CE1791D2FB5E2DCD515A9D0258487EE6044
                          SHA-256:3306757CEBBF8E9D6FB1C217CA621835CF67120EF37D9A56326427CFEA851F21
                          SHA-512:76735C5D56F23705FF3D4E8FDEE2E11D82F59EDC0F03B7A0B93470C528D61BC31BF00F2813CF1748CCA03986BB8DE484A8EAD0E22509A6D0D349DAA9397E4BF4
                          Malicious:true
                          Antivirus:
• Antivirus: Avira, Detection: 100%
• Antivirus: Joe Sandbox ML, Detection: 100%
                          Reputation:unknown
                          Preview:MZ......................@.......................................X..Z.qb..qb..qb.a...jqb.s....qb.9...\qb.s...(qb......qb..#.. qb../b..qb......qb.....Hqb..(c./qb.r,f..qb..(c..qb.;...,qb../..Tqb.....Zqb......qb.z...Bqb.....nqb.....[qb.....qb.;...{qb......qb..#...qb...f.oqb....hqb.z....qb.....:qb.;...tqb.Rich.qb.................................................................................................PE..d.=...}^.........." ..... ...........$.........@.............................@............`.............................................dQ..$...<....................................................................................0..(............................text............ .........@........ ..`.rdata..Co...0...p...0...0.@Co......@..@.data....;.......@.........@.;......@....pdata..8..................@8.......@..@.rsrc......................@........@..@.reloc..1..................@1.......@..B.vxl............. .........@........@..@.qwubgr.$....0... ...0...0.@$.......@..@.eer....
                          Process:C:\Windows\explorer.exe
                          File Type:PE32+ executable (GUI) x86-64, for MS Windows
                          Category:dropped
                          Size (bytes):32256
                          Entropy (8bit):5.250876383836324
                          Encrypted:false
                          SSDEEP:768:ghunFhykO4aAvnsvpzte5+Ql0/iqmjjn:58kO4asshu+Q+/Ojjn
                          MD5:1643D5735213BC89C0012F0E48253765
                          SHA1:D076D701929F1F269D34C8FD7BD1BAB4DAF42A9D
                          SHA-256:4176FA24D56BB870316D07BD7211BC8A797394F77DCC12B35FFEBAA0326525D2
                          SHA-512:F0BD45FE66EDC6F615C0125C1AE81E657CA26544544769651AB0623DD3C724F96D9D78835EF6B1D15083D1BB9D501F6DC48487DDA5C361CAFA96022D5F33A43F
                          Malicious:false
                          Antivirus:
• Antivirus: Metadefender, Detection: 0%
                          • Antivirus: ReversingLabs, Detection: 0%
                          Reputation:unknown
                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........j.?H..lH..lH..lAs.lT..l'o.mJ..l'o.m[..lH..l...l'o.mC..l'o.mA..l'o.mA..l'ohlI..l'o.mI..lRichH..l........................PE..d................."......*...V.......&.........@....................................n3............... .......................................x.......... ...........................Po..T............................]...............^..p............................text....(.......*.................. ..`.imrsiv......@...........................rdata..P8...P...:..................@..@.data...(............h..............@....pdata...............j..............@..@.rsrc... ............n..............@..@.reloc...............z..............@..B................................................................................................................................................................................................................
                          Process:C:\Windows\explorer.exe
                          File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                          Category:dropped
                          Size (bytes):1376256
                          Entropy (8bit):5.074660007590237
                          Encrypted:false
                          SSDEEP:12288:IZgJtlQepQn+NDo7nIYegQCLDF/B9wvj/cLvVZFuw7:IZK6F7n5eRmDFJivohZFV7
                          MD5:E53857E285A4C8CB1F38A2248A75D9B3
                          SHA1:3AF95C6BF8F52ACA38C907D9D693FD587F4E015F
                          SHA-256:51890BB945271DD1BB68E1369540EC20FE2CB545D9B89890F2C6B507A469991A
                          SHA-512:7034AD6EFCB023220A61311AB4515D9BE2F5DBB08631CF247F81C397BE38A06E86F9841C0346FE87C21BFB83442A3E8227235B204FF7477DFD4F9D807EB596E7
                          Malicious:true
                          Antivirus:
                          • Antivirus: Avira, Detection: 100%
                          • Antivirus: Joe Sandbox ML, Detection: 100%
                          Reputation:unknown
                          Preview:MZ......................@.......................................X..Z.qb..qb..qb.a...jqb.s....qb.9...\qb.s...(qb......qb..#.. qb../b..qb......qb.....Hqb..(c./qb.r,f..qb..(c..qb.;...,qb../..Tqb.....Zqb......qb.z...Bqb.....nqb.....[qb.....qb.;...{qb......qb..#...qb...f.oqb....hqb.z....qb.....:qb.;...tqb.Rich.qb.................................................................................................PE..d.=...}^.........." ..... ...........$.........@..........................................`.................................................$...<....................................................................................0..(............................text............ .........@........ ..`.rdata..Co...0...p...0...0.@Co......@..@.data....;.......@.........@.;......@....pdata..8..................@8.......@..@.rsrc......................@........@..@.reloc..1..................@1.......@..B.vxl............. .........@........@..@.qwubgr.$....0... ...0...0.@$.......@..@.eer....
                          Process:C:\Windows\explorer.exe
                          File Type:PE32+ executable (GUI) x86-64, for MS Windows
                          Category:dropped
                          Size (bytes):98304
                          Entropy (8bit):5.996546491031358
                          Encrypted:false
                          SSDEEP:1536:3bo99g4+4G8mMM+nCA+o6UJMUHznV80KCt1p7Gx:LXH4GvNKAUHR80KCt/G
                          MD5:C91CCEF3884CFDE746B4BAEF5F1BC75C
                          SHA1:9A7E17BA64FE1842E904D4019D9BB9B005E61E55
                          SHA-256:E6C9C88491EF6FB4B4DAFAC3276C8E2A3B2BC3C4D7825F4EAA3AC99E1801195B
                          SHA-512:431754EC35871B2ED1F5E9FC621F24B6187720C0562D0ABDC9232A063DA1E8419A07CDC1740A3B433A80BA15FF25F0EAE0E5B331985A7B8ABC9CE8E73CBC210E
                          Malicious:false
                          Reputation:unknown
                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......D.....@..@..@..8@..@o..A..@o..A..@o..A..@o..A..@..@4.@o..A..@o.T@..@o..A..@Rich..@................PE..d....0..........."............................@....................................R................ .......................................L..,.......x.......................d...p...T............................................................................text............................... ..`.imrsiv..................................rdata...x.......z..................@..@.data................P..............@....pdata...............Z..............@..@.rsrc...x............d..............@..@.reloc..d............~..............@..B........................................................................................................................................................................................................................
                          Process:C:\Windows\explorer.exe
                          File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                          Category:dropped
                          Size (bytes):1376256
                          Entropy (8bit):5.0860522102577175
                          Encrypted:false
                          SSDEEP:12288:OZgJtlQepQn+NDo7nIYegQCLDF/B9wvj/cLvVZFuw:OZK6F7n5eRmDFJivohZFV
                          MD5:FBBA3564BA5F51259BE135DB99FAB04C
                          SHA1:BA142953FF1896712641B3494996B9EA499FEFD8
                          SHA-256:5D98C039970BBD9ED9C005F62E8CAF263AA0CAE097BE621E7465AE800987DDBD
                          SHA-512:BB559FF0FD7266C2E83B6E39911CDF742C67257C17C75D757C50D9CC762B7B87727396B2B58E10749515849EF9D3BE96A6C1CC8EC75A447936B4485C2C9626E0
                          Malicious:true
                          Antivirus:
                          • Antivirus: Avira, Detection: 100%
                          • Antivirus: Joe Sandbox ML, Detection: 100%
                          Reputation:unknown
                          Preview:MZ......................@.......................................X..Z.qb..qb..qb.a...jqb.s....qb.9...\qb.s...(qb......qb..#.. qb../b..qb......qb.....Hqb..(c./qb.r,f..qb..(c..qb.;...,qb../..Tqb.....Zqb......qb.z...Bqb.....nqb.....[qb.....qb.;...{qb......qb..#...qb...f.oqb....hqb.z....qb.....:qb.;...tqb.Rich.qb.................................................................................................PE..d.=...}^.........." ..... ...........$.........@..........................................`.............................................m...$...<....................................................................................0..(............................text............ .........@........ ..`.rdata..Co...0...p...0...0.@Co......@..@.data....;.......@.........@.;......@....pdata..8..................@8.......@..@.rsrc......................@........@..@.reloc..1..................@1.......@..B.vxl............. .........@........@..@.qwubgr.$....0... ...0...0.@$.......@..@.eer....
                          Process:C:\Windows\explorer.exe
                          File Type:PE32+ executable (GUI) x86-64, for MS Windows
                          Category:dropped
                          Size (bytes):178688
                          Entropy (8bit):6.278002754824444
                          Encrypted:false
                          SSDEEP:3072:8i0hLL+KEukKO40+enSqroxn2JIQLtBDYiBJD3cR4DJSpzrA:10d/O40+8Sqk4ZLnBt2tp/
                          MD5:4403785D297C55D5DF26176B4F1A52C8
                          SHA1:4889F6E0B3CF649C3A8778779D7CEA534B9174B2
                          SHA-256:7B8ED6EB50068D4C1B8E51F6F2E3604E6C3B6BB42C6D81ADD4C3B023B6386FF6
                          SHA-512:3BAFC7BAE2586F05F05125BF34299D556D46F519D718DAEF8007A0B45D40B0D3CD794A4C55B93CBC1BA2DF111346E6012DEEAD0539AEA91BE71E8ABC877E511F
                          Malicious:false
                          Reputation:unknown
                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........i..s:..s:..s:..:..s:..p;..s:..w;..s:..v;..s:..r;..s:..r:..s:..z;..s:...:..s:..q;..s:Rich..s:........PE..d....9`..........."................. #.........@....................................&m....`.......... ..................................................p.......d.......................T............................A...............B...............................text...s........................... ..`.rdata..2n...0...p..."..............@..@.data...............................@....pdata..d...........................@..@.rsrc...p...........................@..@.reloc..............................@..B........................................................................................................................................................................................................................................................................
                          Process:C:\Windows\explorer.exe
                          File Type:PE32+ executable (GUI) x86-64, for MS Windows
                          Category:dropped
                          Size (bytes):62976
                          Entropy (8bit):5.750635515620841
                          Encrypted:false
                          SSDEEP:768:LqMH7HUyeCtu1URDrYxfxyLzkd0S2B3ZEI1yfdc9X1vV09SOI9HiEiOpF1QtNcEd:L3RtZkNxCk61BW6901I9HDF1QH8ST
                          MD5:E2C775244B3951A401A9083DD742029A
                          SHA1:B4DC87649038B7A4E86B5D6AEBAAD975ECE2F477
                          SHA-256:80CC3FB17D8CBB4A68F27C607A8D1C0208CEE892F6D2A2E222E18B23D4E0FC76
                          SHA-512:CCFABD50BF7F1F9D2DBF3D0F7FFC5A9C862F623472F9AE51A2F4EDB88EF06BCE23731A925405ACF5BF4BB466EA862413EA01B23177C710CA5FE97EA97E6B832C
                          Malicious:false
                          Reputation:unknown
                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......5`..q.b.q.b.q.b..ea.r.b..ef.d.b..eg.y.b..ec.b.b.q.c...b..ek.~.b..e..p.b..e`.p.b.Richq.b.........PE..d...=..~.........."..........d.................@.............................@............`.......... ............................................... ..8....................0......p...T...........................p...............p...@............................text.............................. ..`.rdata..8B.......D..................@..@.data...............................@....pdata..............................@..@.rsrc...8.... ......................@..@.reloc.......0......................@..B................................................................................................................................................................................................................................................................................
                          Process:C:\Windows\explorer.exe
                          File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                          Category:dropped
                          Size (bytes):1372160
                          Entropy (8bit):5.079555555268202
                          Encrypted:false
                          SSDEEP:12288:sZgJtlQepQn+NDo7nIYegQCLDF/B9wvj/cLvVZFuw:sZK6F7n5eRmDFJivohZFV
                          MD5:FEE466621F8AFBC6093E27846305DECE
                          SHA1:449724149967C4D9E91A7751BF4EAD687BB9843D
                          SHA-256:733A2C02B82BA8C993C216AB5CA6EAA3DF4620226A5BB54A85A140BF69E48AEF
                          SHA-512:EBE75C5BF620374A50D51B0E3AEDDC0499E96404761470217183BB62CF8153F7BC3A71948F8BB225775FD8E8860FE0C89BAFC8E7BA52B2F3BA8C076C5E2F106A
                          Malicious:false
                          Reputation:unknown
                          Preview:MZ......................@.......................................X..Z.qb..qb..qb.a...jqb.s....qb.9...\qb.s...(qb......qb..#.. qb../b..qb......qb.....Hqb..(c./qb.r,f..qb..(c..qb.;...,qb../..Tqb.....Zqb......qb.z...Bqb.....nqb.....[qb.....qb.;...{qb......qb..#...qb...f.oqb....hqb.z....qb.....:qb.;...tqb.Rich.qb.................................................................................................PE..d.=...}^.........." ..... ...........$.........@..........................................`.................................................$...<....................................................................................0..(............................text............ .........@........ ..`.rdata..Co...0...p...0...0.@Co......@..@.data....;.......@.........@.;......@....pdata..8..................@8.......@..@.rsrc......................@........@..@.reloc..1..................@1.......@..B.vxl............. .........@........@..@.qwubgr.$....0... ...0...0.@$.......@..@.eer....
                          Process:C:\Windows\explorer.exe
                          File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                          Category:dropped
                          Size (bytes):1372160
                          Entropy (8bit):5.076527741249057
                          Encrypted:false
                          SSDEEP:12288:vZgJtlQepQn+NDo7nIYegQCLDF/B9wvj/cLvVZFuw:vZK6F7n5eRmDFJivohZFV
                          MD5:4384579040D56FD57B803F7511EDBDE6
                          SHA1:0ECBE10487CC3A4279AE4C67CEB1FDBC9AAE5767
                          SHA-256:54AC63AA9C154D172CEBA33E5CB6FBCED2D130148F7BC2BF146464F6B3C995EE
                          SHA-512:82527458FB44B510B1406527551D53C5A9EEECCAF7AC52C54CF890F7B2D84532ED235F6B7D8F24A48D939DB413D22F38062468E9CEE54C720BC1792D170D4DAF
                          Malicious:false
                          Reputation:unknown
                          Preview:MZ......................@.......................................X..Z.qb..qb..qb.a...jqb.s....qb.9...\qb.s...(qb......qb..#.. qb../b..qb......qb.....Hqb..(c./qb.r,f..qb..(c..qb.;...,qb../..Tqb.....Zqb......qb.z...Bqb.....nqb.....[qb.....qb.;...{qb......qb..#...qb...f.oqb....hqb.z....qb.....:qb.;...tqb.Rich.qb.................................................................................................PE..d.=...}^.........." ..... ...........$.........@..........................................`.................................................$...<....................................................................................0..(............................text............ .........@........ ..`.rdata..Co...0...p...0...0.@Co......@..@.data....;.......@.........@.;......@....pdata..8..................@8.......@..@.rsrc......................@........@..@.reloc..1..................@1.......@..B.vxl............. .........@........@..@.qwubgr.$....0... ...0...0.@$.......@..@.eer....
                          Process:C:\Windows\explorer.exe
                          File Type:PE32+ executable (GUI) x86-64, for MS Windows
                          Category:dropped
                          Size (bytes):178688
                          Entropy (8bit):6.278002754824444
                          Encrypted:false
                          SSDEEP:3072:8i0hLL+KEukKO40+enSqroxn2JIQLtBDYiBJD3cR4DJSpzrA:10d/O40+8Sqk4ZLnBt2tp/
                          MD5:4403785D297C55D5DF26176B4F1A52C8
                          SHA1:4889F6E0B3CF649C3A8778779D7CEA534B9174B2
                          SHA-256:7B8ED6EB50068D4C1B8E51F6F2E3604E6C3B6BB42C6D81ADD4C3B023B6386FF6
                          SHA-512:3BAFC7BAE2586F05F05125BF34299D556D46F519D718DAEF8007A0B45D40B0D3CD794A4C55B93CBC1BA2DF111346E6012DEEAD0539AEA91BE71E8ABC877E511F
                          Malicious:false
                          Reputation:unknown
                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........i..s:..s:..s:..:..s:..p;..s:..w;..s:..v;..s:..r;..s:..r:..s:..z;..s:...:..s:..q;..s:Rich..s:........PE..d....9`..........."................. #.........@....................................&m....`.......... ..................................................p.......d.......................T............................A...............B...............................text...s........................... ..`.rdata..2n...0...p..."..............@..@.data...............................@....pdata..d...........................@..@.rsrc...p...........................@..@.reloc..............................@..B........................................................................................................................................................................................................................................................................
                          Process:C:\Windows\explorer.exe
                          File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                          Category:dropped
                          Size (bytes):1372160
                          Entropy (8bit):5.069764908705699
                          Encrypted:false
                          SSDEEP:12288:uZgJtlQepQn+NDo7nIYegQCLDF/B9wvj/cLvVZFuw:uZK6F7n5eRmDFJivohZFV
                          MD5:488339CCCB8069AA1F4D361DC71CC57B
                          SHA1:FAA4C69A7BCC7E7D9E51D4B43B07128AFDA14901
                          SHA-256:DD75F8939D20001A6EA39B113EA82700B842FEBF17598BCB2F3B94681BA0200B
                          SHA-512:004B508835CCAD846CF19F21C9EAB9F188E79A4F4D3C89171FFC40022D65CEE2721490B4E21177A8A72CE3D2611814CAF402212D473A7CBB7BE7414AEDAE7D33
                          Malicious:true
                          Antivirus:
                          • Antivirus: Avira, Detection: 100%
                          • Antivirus: Joe Sandbox ML, Detection: 100%
                          Reputation:unknown
                          Preview:MZ......................@.......................................X..Z.qb..qb..qb.a...jqb.s....qb.9...\qb.s...(qb......qb..#.. qb../b..qb......qb.....Hqb..(c./qb.r,f..qb..(c..qb.;...,qb../..Tqb.....Zqb......qb.z...Bqb.....nqb.....[qb.....qb.;...{qb......qb..#...qb...f.oqb....hqb.z....qb.....:qb.;...tqb.Rich.qb.................................................................................................PE..d.=...}^.........." ..... ...........$.........@..........................................`.................................................$...<....................................................................................0..(............................text............ .........@........ ..`.rdata..Co...0...p...0...0.@Co......@..@.data....;.......@.........@.;......@....pdata..8..................@8.......@..@.rsrc......................@........@..@.reloc..1..................@1.......@..B.vxl............. .........@........@..@.qwubgr.$....0... ...0...0.@$.......@..@.eer....
                          Process:C:\Windows\explorer.exe
                          File Type:PE32+ executable (GUI) x86-64, for MS Windows
                          Category:dropped
                          Size (bytes):3292160
                          Entropy (8bit):4.311007815185121
                          Encrypted:false
                          SSDEEP:24576:+oNva52v20/OB1b1v+YMTvlcZbbAbn3ItpG:VNtv20/OB1hXulc10L4tp
                          MD5:9012F9C6AC7F3F99ECDD37E24C9AC3BB
                          SHA1:7B8268C1B847301C0B5372C2A76CCE326C74991E
                          SHA-256:4E30A8C88C755944145F2BC6C935EE5107C56832772F2561229E20CEAB1D10D2
                          SHA-512:B76D2BE02A22990E224DBC5AED9E5B701EAC52C1376529DE3E90B084CD6860B88D746CD61093E93FC932E12FBAF45B4CA342CC0D9C9DAE4EAFE05921D83A7397
                          Malicious:false
                          Reputation:unknown
                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........$...w...w...w...w...w...v...w...v...w...v...w...v...w...w'..w...v...w..mw...w..ow...w...v...wRich...w................PE..d.....i..........."..........v/.....0..........@..............................2.....I.2...`.......... ..............................................P..(;...0................2.|...`...T.......................(....................................................text...9........................... ..`.rdata..............................@..@.data....0..........................@....pdata.......0......................@..@.rsrc...(;...P...<..................@..@.reloc..|.....2......82.............@..B........................................................................................................................................................................................................................................................
                          Process:C:\Users\user\AppData\Local\6f22a\FileHistory.exe
                          File Type:ASCII text, with CRLF line terminators
                          Category:dropped
                          Size (bytes):42
                          Entropy (8bit):4.0050635535766075
                          Encrypted:false
                          SSDEEP:3:QHXMKa/xwwUy:Q3La/xwQ
                          MD5:84CFDB4B995B1DBF543B26B86C863ADC
                          SHA1:D2F47764908BF30036CF8248B9FF5541E2711FA2
                          SHA-256:D8988D672D6915B46946B28C06AD8066C50041F6152A91D37FFA5CF129CC146B
                          SHA-512:485F0ED45E13F00A93762CBF15B4B8F996553BAA021152FAE5ABA051E3736BCD3CA8F4328F0E6D9E3E1F910C96C4A9AE055331123EE08E3C2CE3A99AC2E177CE
                          Malicious:false
                          Reputation:unknown
                          Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..
                          Process:C:\Windows\explorer.exe
                          File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                          Category:dropped
                          Size (bytes):1372160
                          Entropy (8bit):5.0697307938945215
                          Encrypted:false
                          SSDEEP:12288:JZgJtlQepQn+NDo7nIYegQCLDF/B9wvj/cLvVZFuw:JZK6F7n5eRmDFJivohZFV
                          MD5:66AAD5D9E18874517CFDF3554D87B2A2
                          SHA1:A8753910F8CCA16980D08D7BAB32371C341576AF
                          SHA-256:47DE30D9FA852851AF9462DDC79DADAA73F270EA429264EDC5159CCA2577DEB6
                          SHA-512:BAFC276095729B1213B63A67484349359A3F1729CF1796C4C9EF33E128309BEE019C456C012E4EE8C42B6370AEF353E6AA45F76AD88D80A7EA44801F3AA71D65
                          Malicious:false
                          Reputation:unknown
                          Preview:MZ......................@.......................................X..Z.qb..qb..qb.a...jqb.s....qb.9...\qb.s...(qb......qb..#.. qb../b..qb......qb.....Hqb..(c./qb.r,f..qb..(c..qb.;...,qb../..Tqb.....Zqb......qb.z...Bqb.....nqb.....[qb.....qb.;...{qb......qb..#...qb...f.oqb....hqb.z....qb.....:qb.;...tqb.Rich.qb.................................................................................................PE..d.=...}^.........." ..... ...........$.........@..........................................`.................................................$...<....................................................................................0..(............................text............ .........@........ ..`.rdata..Co...0...p...0...0.@Co......@..@.data....;.......@.........@.;......@....pdata..8..................@8.......@..@.rsrc......................@........@..@.reloc..1..................@1.......@..B.vxl............. .........@........@..@.qwubgr.$....0... ...0...0.@$.......@..@.eer....
                          Process:C:\Windows\explorer.exe
                          File Type:PE32+ executable (GUI) x86-64, for MS Windows
                          Category:dropped
                          Size (bytes):259904
                          Entropy (8bit):5.955701055747905
                          Encrypted:false
                          SSDEEP:3072:UfYIZJbRydnidilSnGvLqeD358rwW39nuyHjVozZcxSHfcBL1ljbEyB7HbIa+:Uf9JonidFnqLV358rNnJqcRcy10/
                          MD5:CDD7C7DF2D0859AC3F4088423D11BD08
                          SHA1:128789A2EA904F684B5DF2384BA6EEF4EB60FB8E
                          SHA-256:D98DB8339EB1B93A7345EECAC2B7290FA7156E3E12B7632D876BD0FD1F31EC66
                          SHA-512:A093BF3C40C880A80164F2CAA87DF76DCD854375C5216D761E60F3770DFA04F4B02EC0CA6313C32413AC99A3EBDC081CF915A7B468EE3CED80F9B1ECF4B49804
                          Malicious:true
                          Reputation:unknown
                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........<.BL]..L]..L]..E%...]..#9..O]..#9..U]..#9..F]..#9..W]..L]...\..#9..o]..#9k.M]..#9..M]..RichL]..........................PE..d...wJSn.........."............................@.............................@....................... .........................................p.... ..@...............@+...0.......U..T...................p&..(...p%...............&......P........................text............................... ..`.imrsiv..................................rdata....... ......................@..@.data...............................@....pdata..............................@..@.didat..............................@....rsrc...@.... ......................@..@.reloc.......0......................@..B........................................................................................................................................................................
                          Process:C:\Windows\explorer.exe
                          File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                          Category:dropped
                          Size (bytes):1372160
                          Entropy (8bit):5.073973927598516
                          Encrypted:false
                          SSDEEP:12288:LZgJtlQepQn+NDo7nIYegQCLDF/B9wvj/cLvVZFuw:LZK6F7n5eRmDFJivohZFV
                          MD5:48C36CC6ADF7DE6F96D11BC1D2B68952
                          SHA1:EA3B2200BA9760095E1472EF38DFB4170DBBC7B2
                          SHA-256:D1800979A9F1D68E94B7F47B0087EDDDBEC124C109B09FEEA09EEE1F801D81F5
                          SHA-512:5E2DF5ED5597527E22E33CEB72510DF41466E37C9055666D2F35EE1F2CB30250BA0F17C83E7B3E1AB814788B918C2329F9F2860580B14DF81A7B9CA2FCC34935
                          Malicious:true
                          Antivirus:
                          • Antivirus: Avira, Detection: 100%
                          • Antivirus: Joe Sandbox ML, Detection: 100%
                          Reputation:unknown
                          Preview:MZ......................@.......................................X..Z.qb..qb..qb.a...jqb.s....qb.9...\qb.s...(qb......qb..#.. qb../b..qb......qb.....Hqb..(c./qb.r,f..qb..(c..qb.;...,qb../..Tqb.....Zqb......qb.z...Bqb.....nqb.....[qb.....qb.;...{qb......qb..#...qb...f.oqb....hqb.z....qb.....:qb.;...tqb.Rich.qb.................................................................................................PE..d.=...}^.........." ..... ...........$.........@..........................................`.............................................&...$...<....................................................................................0..(............................text............ .........@........ ..`.rdata..Co...0...p...0...0.@Co......@..@.data....;.......@.........@.;......@....pdata..8..................@8.......@..@.rsrc......................@........@..@.reloc..1..................@1.......@..B.vxl............. .........@........@..@.qwubgr.$....0... ...0...0.@$.......@..@.eer....
                          Process:C:\Windows\explorer.exe
                          File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                          Category:dropped
                          Size (bytes):1372160
                          Entropy (8bit):5.066584527926527
                          Encrypted:false
                          SSDEEP:12288:GZgJtlQepQn+NDo7nIYegQCLDF/B9wvj/cLvVZFuw:GZK6F7n5eRmDFJivohZFV
                          MD5:2455197D114CD7C9932979153ED6B9DE
                          SHA1:18D6D668DAACF859CC19CFD702238B1B082535BD
                          SHA-256:91A1808AD24EE0A139492D1AC9F52195C19C070B82E3D4DFC016F32BF2C9B70A
                          SHA-512:3AD994C1BF3055DDE2FF2217BE05A3B537102B3AB0C4CBEAD6B6782E8B2D37D4984F3ABAAC036B43C2BB2AE9F378E242D4C861CB9E0AF22FC9DD59E9C137F9CA
                          Malicious:false
                          Reputation:unknown
                          Preview:MZ......................@.......................................X..Z.qb..qb..qb.a...jqb.s....qb.9...\qb.s...(qb......qb..#.. qb../b..qb......qb.....Hqb..(c./qb.r,f..qb..(c..qb.;...,qb../..Tqb.....Zqb......qb.z...Bqb.....nqb.....[qb.....qb.;...{qb......qb..#...qb...f.oqb....hqb.z....qb.....:qb.;...tqb.Rich.qb.................................................................................................PE..d.=...}^.........." ..... ...........$.........@..........................................`.................................................$...<....................................................................................0..(............................text............ .........@........ ..`.rdata..Co...0...p...0...0.@Co......@..@.data....;.......@.........@.;......@....pdata..8..................@8.......@..@.rsrc......................@........@..@.reloc..1..................@1.......@..B.vxl............. .........@........@..@.qwubgr.$....0... ...0...0.@$.......@..@.eer....
                          Process:C:\Windows\explorer.exe
                          File Type:PE32+ executable (GUI) x86-64, for MS Windows
                          Category:dropped
                          Size (bytes):315904
                          Entropy (8bit):6.1346795928867035
                          Encrypted:false
                          SSDEEP:6144:uwqIVaD9RkjUYNBDXEDBdcA1gBnbC03j0xjGKEgsQOQ25te8lG:XqIVaDrn6BD0NOA1gBnfj01QW
                          MD5:AD7C6CD7A8EEC95808AA77C5D7987941
                          SHA1:96985DDF5C2C30918F69CA4405D955BDD0C7E44E
                          SHA-256:D7EED58A955ED6ADEF429FA78F82776BBC905C507E1ABE6D5CFCD5C8AC1B0AC9
                          SHA-512:047EA8C542774045450B51BF367C75B4ED11E883553842BCACD9E6DFC4C27CDC8BE86A9BADFD5345DA068B4A881BC8522525BF9CEC72FEE1856E365E7CD2015E
                          Malicious:false
                          Reputation:unknown
                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......`2.K$S~.$S~.$S~.-+..nS~.K7}.'S~.K7z.1S~.$S...R~.K7..=S~.K7{.)S~.K7w..S~.K7..%S~.K7|.%S~.Rich$S~.........................PE..d...H..-.........."......d...x.......J.........@.............................@............`.......... .............................................. ........... ...........0..........T.......................(...................8...8...........................text....b.......d.................. ..`.rdata..~4.......6...h..............@..@.data...l...........................@....pdata... ......."..................@..@.didat..............................@....rsrc........ ......................@..@.reloc.......0......................@..B................................................................................................................................................................................................................
                          Process:C:\Windows\explorer.exe
                          File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                          Category:dropped
                          Size (bytes):1654784
                          Entropy (8bit):5.50689551347506
                          Encrypted:false
                          SSDEEP:12288:UZgJtlQepQn+NDo7nIYegQCLDF/B9wvj/cLvVZFuwkt:UZK6F7n5eRmDFJivohZFVk
                          MD5:8C330DCE7F7E0C1054A3AAFACF8FD93C
                          SHA1:A543BE373A7875FA70B18151AE9937FD81C7B642
                          SHA-256:E494E4EDD78008824CB90A18302CCD6347A3F2163B652F09D4326BA863308F73
                          SHA-512:DE0851884D8ED3863B12DF1C53C0382B3E4B7C3D2BDDADF3A76791AE79DAEA28AD64544A3101A30C58CA367C3EECA260FFDFD5E2532B0E5781C87A36F79EC8F8
                          Malicious:false
                          Reputation:unknown
                          Preview:MZ......................@.......................................X..Z.qb..qb..qb.a...jqb.s....qb.9...\qb.s...(qb......qb..#.. qb../b..qb......qb.....Hqb..(c./qb.r,f..qb..(c..qb.;...,qb../..Tqb.....Zqb......qb.z...Bqb.....nqb.....[qb.....qb.;...{qb......qb..#...qb...f.oqb....hqb.z....qb.....:qb.;...tqb.Rich.qb.................................................................................................PE..d.=...}^.........." ..... ...........$.........@.............................@............`.............................................dQ..$...<....................................................................................0..(............................text............ .........@........ ..`.rdata..Co...0...p...0...0.@Co......@..@.data....;.......@.........@.;......@....pdata..8..................@8.......@..@.rsrc......................@........@..@.reloc..1..................@1.......@..B.vxl............. .........@........@..@.qwubgr.$....0... ...0...0.@$.......@..@.eer....
                          Process:C:\Windows\explorer.exe
                          File Type:PE32+ executable (GUI) x86-64, for MS Windows
                          Category:dropped
                          Size (bytes):264480
                          Entropy (8bit):6.478365286411354
                          Encrypted:false
                          SSDEEP:6144:xSt+s2GFGbqEuzhJONjx9UVuCuHpwqr/vt9r+ULJBaBpcIFz:xStzFGbGhoPgMHpwqrHthUB6IF
                          MD5:E7F0E9B3779E54CD271959C600A2A531
                          SHA1:8006E2D1AA91798E48D8BFDE1EBF94A2D6BA6C0A
                          SHA-256:155CE33E0E145314FE9D8911BE69B8CBBD2AC09B7B6D98363F9BAA277C71954E
                          SHA-512:E10C3FD9C5F34260323CEC9E8EEDF2290F40254F0FFDCA582DB57D113B32871793CDFFF03D55941EF5E79FA8141803AB353BA4938357A4555233F2D090045338
                          Malicious:false
                          Reputation:unknown
                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........B..B..B..K.`.&..-..A..-...U..-...K..-..U..B..t..-...]..-...C..-..C..RichB..........PE..d...;.*Q.........."............................@............................. ......&................ ..................................................H.......T....... +..........Pa..T...................p3..(...p2...............3...............................text............................... ..`.imrsiv..................................rdata....... ......................@..@.data...x...........................@....pdata..T...........................@..@.rsrc...H...........................@..@.reloc..............................@..B................................................................................................................................................................................................................................
                          Process:C:\Windows\explorer.exe
                          File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                          Category:dropped
                          Size (bytes):1654784
                          Entropy (8bit):5.506636144897031
                          Encrypted:false
                          SSDEEP:12288:bZgJtlQepQn+NDo7nIYegQCLDF/B9wvj/cLvVZFuwlCat:bZK6F7n5eRmDFJivohZFVlD
                          MD5:B21D0B4EEDE745E1C527C304BC803F8A
                          SHA1:0EFFD1FC33D4C0B4972B8AD1D5A481B59F623D15
                          SHA-256:5C4DF307C0D2E137852AE87435AF221D1365B1990A58FCEAAC73263EB08E27CD
                          SHA-512:30235E5F81A1586F8D44D79F7D864669D608CE99342BB1A329E6BB3F3422CC6CBB7C5D74A2136B5374AC3FEE30C1F0283420EE0C5F9A1A258C1E5C2A27E897EF
                          Malicious:false
                          Reputation:unknown
                          Preview:MZ......................@.......................................X..Z.qb..qb..qb.a...jqb.s....qb.9...\qb.s...(qb......qb..#.. qb../b..qb......qb.....Hqb..(c./qb.r,f..qb..(c..qb.;...,qb../..Tqb.....Zqb......qb.z...Bqb.....nqb.....[qb.....qb.;...{qb......qb..#...qb...f.oqb....hqb.z....qb.....:qb.;...tqb.Rich.qb.................................................................................................PE..d.=...}^.........." ..... ...........$.........@.............................@............`.............................................dQ..$...<....................................................................................0..(............................text............ .........@........ ..`.rdata..Co...0...p...0...0.@Co......@..@.data....;.......@.........@.;......@....pdata..8..................@8.......@..@.rsrc......................@........@..@.reloc..1..................@1.......@..B.vxl............. .........@........@..@.qwubgr.$....0... ...0...0.@$.......@..@.eer....
                          Process:C:\Windows\explorer.exe
                          File Type:PE32+ executable (GUI) x86-64, for MS Windows
                          Category:dropped
                          Size (bytes):107504
                          Entropy (8bit):6.536585324272613
                          Encrypted:false
                          SSDEEP:1536:UhKYFAVrKO6PcIgpCaYov3ZKCZwaG70Ur/61cVtat/gLaoU0Sj09P0e:dmlPcNphvo0mtV1La8Lse
                          MD5:09D1974A03068D4311F1CE94B765E817
                          SHA1:7DD683571E4DCCAF181A5271BBCF15B3BC9D0155
                          SHA-256:5D4F713CFC98E7148B67D063193D93BFE29F8329705A03690590633FADE32EE5
                          SHA-512:07FD0700C8368485BEC91847C4B9721B059FEDB678C603A57FBD5DABCF110C80B0BD1D114384D4334F0412F3F4FD93C839A1B17F3A9F02C25CD59216692A8AC9
                          Malicious:false
                          Reputation:unknown
                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........i.......................................O.....................Rich............................PE..d.....^...........".................`..........@....................................;;............... .......................................0.......p.. J...`.......~...%..........`"..T.......................(....................................................text............................... ..`.imrsiv..................................rdata...I.......J..................@..@.data...8....P.......$..............@....pdata.......`.......&..............@..@.rsrc... J...p...L...0..............@..@.reloc...............|..............@..B................................................................................................................................................................................................................
                          Process:C:\Windows\explorer.exe
                          File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                          Category:dropped
                          Size (bytes):1372160
                          Entropy (8bit):5.066183661537441
                          Encrypted:false
                          SSDEEP:12288:lZgJtlQepQn+NDo7nIYegQCLDF/B9wvj/cLvVZFuw:lZK6F7n5eRmDFJivohZFV
                          MD5:B92B9B63E4AB54171E00DEE18C499D86
                          SHA1:570ADD4C1D784036CB1F6260448D6F3DE4B4F76F
                          SHA-256:9F42BA0E8B9707A120985207030E554233EF0F221F2859DA5C88D9D88D41FEBB
                          SHA-512:F9D89B45E834154B3AEDCEA23EBEEC5E632F3815C1F314C90B69D23AB4A9E3A7DB7D6231D0BB5F0648397049C7A2273F8625549F45562E7E8BB8B2CE9DE1345C
                          Malicious:true
                          Antivirus:
                          • Antivirus: Avira, Detection: 100%
                          • Antivirus: Joe Sandbox ML, Detection: 100%
                          Reputation:unknown
                          Preview:MZ......................@.......................................X..Z.qb..qb..qb.a...jqb.s....qb.9...\qb.s...(qb......qb..#.. qb../b..qb......qb.....Hqb..(c./qb.r,f..qb..(c..qb.;...,qb../..Tqb.....Zqb......qb.z...Bqb.....nqb.....[qb.....qb.;...{qb......qb..#...qb...f.oqb....hqb.z....qb.....:qb.;...tqb.Rich.qb.................................................................................................PE..d.=...}^.........." ..... ...........$.........@..........................................`.................................................$...<....................................................................................0..(............................text............ .........@........ ..`.rdata..Co...0...p...0...0.@Co......@..@.data....;.......@.........@.;......@....pdata..8..................@8.......@..@.rsrc......................@........@..@.reloc..1..................@1.......@..B.vxl............. .........@........@..@.qwubgr.$....0... ...0...0.@$.......@..@.eer....
                          Process:C:\Windows\explorer.exe
                          File Type:PE32+ executable (GUI) x86-64, for MS Windows
                          Category:dropped
                          Size (bytes):157080
                          Entropy (8bit):5.924344092826888
                          Encrypted:false
                          SSDEEP:3072:4eana1Hze2vHL+u5F28BrciRXBis72z5B+o:Aa1TfD+u5F2wrTio2z2o
                          MD5:74D31E4F51873160D91B1F80E0C472D0
                          SHA1:35DEC0D1A12C6F1F7A460E3AE75E4D74D5BD815A
                          SHA-256:113813A699063EBF391D436A4EFE0B6F95F81E12AF773FABE5511B5CA08E189C
                          SHA-512:F026CBBDF3792A05091B3CC0A97F825D353BC5FF9AB7248F4544B81BA2F86FD28CEB04468D755715BB3BD220BB72781DC079423D912A56E3793AC1687AEE7E05
                          Malicious:false
                          Reputation:unknown
                          Process:C:\Windows\explorer.exe
                          File Type:data
                          Category:dropped
                          Size (bytes):1454
                          Entropy (8bit):7.36525526598561
                          Encrypted:false
                          SSDEEP:24:wk5hikT2UP04Kv5qEpIKAeWI8tTBe8NpXvTyCacF1wAS8i8bz98ryrHF1wskGl:w3kT2UP0pUEmKY/xyOMAS8i8bh8GrHFd
                          MD5:7134EEA4FE32F1314E23325499370847
                          SHA1:5C9520DBFCFD0322D7D23AB1D92B2F5400289E27
                          SHA-256:A88E4C07558257D2D4AFE6DCF9FCA843A8B496508F8A785896A55A1EEAB52A2B
                          SHA-512:8B50069FEC5CA60731AB1E221120A5B74320206D9DE5B705A7936501EFFAC01752C96D0C607B2AFF1F4FD780F9749F7850BED0D7B37F518852A2E3935C60776C
                          Malicious:false
                          Reputation:unknown
                          File type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                          Entropy (8bit):5.088563317300119
                          TrID:
                          • Win64 Dynamic Link Library (generic) (102004/3) 86.43%
                          • Win64 Executable (generic) (12005/4) 10.17%
                          • Generic Win/DOS Executable (2004/3) 1.70%
                          • DOS Executable Generic (2002/1) 1.70%
                          • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.01%
                          File name:GpUSRuIBHx.dll
                          File size:1368064
                          MD5:288c35481252c1212cbb764c490c2ad8
                          SHA1:9c48ba2239b5ae5675d0eb6b92cf0a37884403fd
                          SHA256:cb793c295b0bcd3baec5546b7176cdfdf10b0a9291d958c72eb85551825d22d6
                          SHA512:8a3b343ad8819f09f94868b19ab6f94a6fdf852f3c5183a371cd323a57af0b7fb9d5249516044e8f59721e6220ecd43338b6990c56cb0006840842cb923be112
                          SSDEEP:12288:pZgJtlQepQn+NDo7nIYegQCLDF/B9wvj/cLvVZFuw:pZK6F7n5eRmDFJivohZFV
                          Icon Hash:74f0e4ecccdce0e4
                          Entrypoint:0x1400424b0
                          Entrypoint Section:.text
                          Digitally signed:false
                          Imagebase:0x140000000
                          Subsystem:windows gui
                          Image File Characteristics:EXECUTABLE_IMAGE, DLL, LARGE_ADDRESS_AWARE
                          DLL Characteristics:TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA
                          Time Stamp:0x5E7D9D05 [Fri Mar 27 06:28:21 2020 UTC]
                          TLS Callbacks:
                          CLR (.Net) Version:
                          OS Version Major:5
                          OS Version Minor:0
                          File Version Major:5
                          File Version Minor:0
                          Subsystem Version Major:5
                          Subsystem Version Minor:0
                          Import Hash:4a2e61e1749a0183eccaadb9c4ef6ec2
                          Instruction
                          dec eax
                          mov dword ptr [00070639h], ecx
                          dec eax
                          lea ecx, dword ptr [FFFFF2F2h]
                          dec esp
                          mov dword ptr [0007064Bh], eax
                          dec esp
                          mov dword ptr [00070654h], edi
                          dec esp
                          mov dword ptr [00070655h], esi
                          dec eax
                          xor eax, eax
                          dec eax
                          inc eax
                          dec eax
                          add ecx, eax
                          dec esp
                          mov dword ptr [00070655h], esp
                          dec eax
                          dec ecx
                          dec eax
                          mov dword ptr [00070653h], esi
                          dec eax
                          test eax, eax
                          je 00007F4CC8D5BFFDh
                          dec eax
                          mov dword ptr [0007060Fh], esp
                          dec eax
                          mov dword ptr [00070600h], ebp
                          dec eax
                          mov dword ptr [00070649h], ebx
                          dec eax
                          mov dword ptr [0007063Ah], edi
                          dec eax
                          test eax, eax
                          je 00007F4CC8D5BFDCh
                          dec esp
                          mov dword ptr [000705FEh], ecx
                          dec esp
                          mov dword ptr [0007060Fh], ebp
                          dec eax
                          mov dword ptr [000705D0h], edx
                          jmp ecx
                          dec eax
                          add edi, ecx
                          retn 0008h
                          ud2
                          int3
                          int3
                          int3
                          int3
                          int3
                          int3
                          int3
                          int3
                          int3
                          int3
                          int3
                          int3
                          int3
                          int3
                          push esi
                          dec eax
                          sub esp, 00000080h
                          dec eax
                          mov dword ptr [esp+78h], 58225FC8h
                          mov dword ptr [esp+60h], 2DFAE652h
                          mov al, byte ptr [esp+77h]
                          mov dl, al
                          add dl, FFFFFF85h
                          mov byte ptr [esp+77h], dl
                          mov word ptr [esp+5Eh], 3327h
                          dec esp
                          mov eax, dword ptr [esp+78h]
                          inc esp
                          mov ecx, dword ptr [esp+64h]
                           Name | Virtual Address | Virtual Size | Is in Section
                           IMAGE_DIRECTORY_ENTRY_EXPORT | 0x14d010 | 0x886 | .adsxi
                           IMAGE_DIRECTORY_ENTRY_IMPORT | 0xa9924 | 0x3c | .rdata
                           IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xbf000 | 0x3d8 | .rsrc
                           IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                           IMAGE_DIRECTORY_ENTRY_SECURITY | 0x1000 | 0x0 | .text
                           IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xc0000 | 0xefc | .reloc
                           IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
                           IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                           IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                           IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
                           IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
                           IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                           IMAGE_DIRECTORY_ENTRY_IAT | 0x43000 | 0x28 | .rdata
                           IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                           IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
                           IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
                           Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                           .text | 0x1000 | 0x418cc | 0x42000 | False | 0.781412760417 | data | 7.78392111205 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                           .rdata | 0x43000 | 0x66f43 | 0x67000 | False | 0.700320938258 | data | 7.87281050709 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                           .data | 0xaa000 | 0x13ba7 | 0x14000 | False | 0.0782836914062 | data | 2.51707039551 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
                           .pdata | 0xbe000 | 0x138 | 0x1000 | False | 0.061279296875 | PEX Binary Archive | 0.599172422844 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                           .rsrc | 0xbf000 | 0x69e | 0x1000 | False | 0.123291015625 | data | 1.07831823765 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                           .reloc | 0xc0000 | 0xf31 | 0x1000 | False | 0.416748046875 | data | 5.36145191459 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
                           .vxl | 0xc1000 | 0x14d4 | 0x2000 | False | 0.0037841796875 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                           .qwubgr | 0xc3000 | 0x1124 | 0x2000 | False | 0.0037841796875 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                           .eer | 0xc5000 | 0x1e66 | 0x2000 | False | 0.0037841796875 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                           .xwwauf | 0xc7000 | 0x9cd | 0x1000 | False | 0.00634765625 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                           .pkc | 0xc8000 | 0x42a | 0x1000 | False | 0.00634765625 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                           .npkda | 0xc9000 | 0x736 | 0x1000 | False | 0.00634765625 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                           .vhs | 0xca000 | 0x1af | 0x1000 | False | 0.00634765625 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                           .iaywj | 0xcb000 | 0x1455 | 0x2000 | False | 0.0037841796875 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                           .nasi | 0xcd000 | 0x8fe | 0x1000 | False | 0.00634765625 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                           .zhvprh | 0xce000 | 0x6cd0 | 0x7000 | False | 0.00177873883929 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                           .yatdsp | 0xd5000 | 0x543 | 0x1000 | False | 0.00634765625 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                           .njso | 0xd6000 | 0x1278 | 0x2000 | False | 0.0037841796875 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                           .lgliat | 0xd8000 | 0x736 | 0x1000 | False | 0.00634765625 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                           .ntqjh | 0xd9000 | 0xbf6 | 0x1000 | False | 0.00634765625 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                           .sucsek | 0xda000 | 0x23b | 0x1000 | False | 0.00634765625 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                           .qsxjui | 0xdb000 | 0x9cd | 0x1000 | False | 0.00634765625 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                           .twctcm | 0xdc000 | 0x1124 | 0x2000 | False | 0.0037841796875 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                           .nms | 0xde000 | 0x23b | 0x1000 | False | 0.00634765625 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                           .ogj | 0xdf000 | 0x1278 | 0x2000 | False | 0.0037841796875 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                           .vrkgb | 0xe1000 | 0x706 | 0x1000 | False | 0.00634765625 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                           .gikfw | 0xe2000 | 0x8fe | 0x1000 | False | 0.00634765625 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                           .ktl | 0xe3000 | 0x9cd | 0x1000 | False | 0.00634765625 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                           .crcn | 0xe4000 | 0x5a7 | 0x1000 | False | 0.00634765625 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                           .wtfr | 0xe5000 | 0x1ee | 0x1000 | False | 0.00634765625 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                           .hep | 0xe6000 | 0x13e | 0x1000 | False | 0.00634765625 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                           .ywg | 0xe7000 | 0xd33 | 0x1000 | False | 0.00634765625 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                           .sqsp | 0xe8000 | 0x2da | 0x1000 | False | 0.00634765625 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                           .gzb | 0xe9000 | 0x23b | 0x1000 | False | 0.00634765625 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                           .fatlss | 0xea000 | 0x736 | 0x1000 | False | 0.00634765625 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                           .plqa | 0xeb000 | 0x13e | 0x1000 | False | 0.00634765625 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                           .vzt | 0xec000 | 0x13e | 0x1000 | False | 0.00634765625 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                           .dsbyd | 0xed000 | 0x1e66 | 0x2000 | False | 0.0037841796875 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                           .cdelc | 0xef000 | 0x736 | 0x1000 | False | 0.00634765625 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                           .qkhkj | 0xf0000 | 0x5a7 | 0x1000 | False | 0.00634765625 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                           .mnzegr | 0xf1000 | 0x13e | 0x1000 | False | 0.00634765625 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                           .krw | 0xf2000 | 0x23b | 0x1000 | False | 0.00634765625 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                           .jvsmn | 0xf3000 | 0x389 | 0x1000 | False | 0.00634765625 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                           .bygpq | 0xf4000 | 0x1278 | 0x2000 | False | 0.0037841796875 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                           .kzdbu | 0xf6000 | 0xbde | 0x1000 | False | 0.00634765625 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                           .mwxorn | 0xf7000 | 0x3fe | 0x1000 | False | 0.00634765625 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                           .raf | 0xf8000 | 0x389 | 0x1000 | False | 0.00634765625 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                           .zcyw | 0xf9000 | 0x2da | 0x1000 | False | 0.00634765625 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                           .zeczh | 0xfa000 | 0x128f | 0x2000 | False | 0.0037841796875 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                           .pvv | 0xfc000 | 0x13e | 0x1000 | False | 0.00634765625 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                           .lug | 0xfd000 | 0x45174 | 0x46000 | False | 0.0010498046875 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                           .ski | 0x143000 | 0x8fe | 0x1000 | False | 0.00634765625 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                           .japjd | 0x144000 | 0x128f | 0x2000 | False | 0.0037841796875 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                           .mwtzml | 0x146000 | 0x8fe | 0x1000 | False | 0.00634765625 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                           .vgssf | 0x147000 | 0x13e | 0x1000 | False | 0.00634765625 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                           .gsroye | 0x148000 | 0x1278 | 0x2000 | False | 0.0037841796875 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                           .vcmr | 0x14a000 | 0x23b | 0x1000 | False | 0.00634765625 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                           .kvjqnl | 0x14b000 | 0x23b | 0x1000 | False | 0.00634765625 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                           .ikzlp | 0x14c000 | 0xbde | 0x1000 | False | 0.00634765625 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                           .adsxi | 0x14d000 | 0x896 | 0x1000 | False | 0.211181640625 | data | 3.76807441258 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                           Name | RVA | Size | Type | Language | Country
                           RT_VERSION | 0xbf0a0 | 0x2dc | data | English | United States
                           RT_MANIFEST | 0xbf380 | 0x56 | ASCII text, with CRLF line terminators | English | United States
                           DLL | Import
                           ADVAPI32.dll | GetServiceDisplayNameW
                           KERNEL32.dll | LoadLibraryA, HeapUnlock
                           Name | Ordinal | Address
                           ??0VolumeFveStatus@@IEAA@XZ | 1 | 0x14000279c
                           ??0VolumeFveStatus@@QEAA@K_KJW4_FVE_WIPING_STATE@@@Z | 2 | 0x14003536c
                           ??4BuiVolume@@QEAAAEAV0@AEBV0@@Z | 3 | 0x1400326c8
                           ??4VolumeFveStatus@@QEAAAEAV0@$$QEAV0@@Z | 4 | 0x14003eb90
                           ??4VolumeFveStatus@@QEAAAEAV0@AEBV0@@Z | 5 | 0x140042688
                           ?FailedDryRun@VolumeFveStatus@@QEBA_NXZ | 6 | 0x14002e2f4
                           ?GetExtendedFlags@VolumeFveStatus@@QEBA_KXZ | 7 | 0x14001886c
                           ?GetLastConvertStatus@VolumeFveStatus@@QEBAJXZ | 8 | 0x1400131ac
                           ?GetStatusFlags@VolumeFveStatus@@QEBAKXZ | 9 | 0x14002279c
                           ?HasExternalKey@VolumeFveStatus@@QEBA_NXZ | 10 | 0x140004da8
                           ?HasPBKDF2RecoveryPassword@VolumeFveStatus@@QEBA_NXZ | 11 | 0x14001bab4
                           ?HasPassphraseProtector@VolumeFveStatus@@QEBA_NXZ | 12 | 0x140002c38
                           ?HasPinProtector@VolumeFveStatus@@QEBA_NXZ | 13 | 0x140013d50
                           ?HasRecoveryData@VolumeFveStatus@@QEBA_NXZ | 14 | 0x14000ab2c
                           ?HasRecoveryPassword@VolumeFveStatus@@QEBA_NXZ | 15 | 0x14003fff4
                           ?HasSmartCardProtector@VolumeFveStatus@@QEBA_NXZ | 16 | 0x14003af44
                           ?HasStartupKeyProtector@VolumeFveStatus@@QEBA_NXZ | 17 | 0x140031fe4
                           ?HasTpmProtector@VolumeFveStatus@@QEBA_NXZ | 18 | 0x140003984
                           ?IsConverting@VolumeFveStatus@@QEBA_NXZ | 19 | 0x140006b8c
                           ?IsCsvMetadataVolume@VolumeFveStatus@@QEBA_NXZ | 20 | 0x1400395bc
                           ?IsDEAutoProvisioned@VolumeFveStatus@@QEBA_NXZ | 21 | 0x14003fa38
                           ?IsDecrypted@VolumeFveStatus@@QEBA_NXZ | 22 | 0x140016024
                           ?IsDecrypting@VolumeFveStatus@@QEBA_NXZ | 23 | 0x14003e0b0
                           ?IsDisabled@VolumeFveStatus@@QEBA_NXZ | 24 | 0x1400088e8
                           ?IsEDriveVolume@VolumeFveStatus@@QEBA_NXZ | 25 | 0x14000cdac
                           ?IsEncrypted@VolumeFveStatus@@QEBA_NXZ | 26 | 0x1400393d0
                           ?IsEncrypting@VolumeFveStatus@@QEBA_NXZ | 27 | 0x140018384
                           ?IsLocked@VolumeFveStatus@@QEBA_NXZ | 28 | 0x140042060
                           ?IsOn@VolumeFveStatus@@QEBA_NXZ | 29 | 0x140023538
                           ?IsOsCriticalVolume@VolumeFveStatus@@QEBA_NXZ | 30 | 0x14000412c
                           ?IsOsVolume@VolumeFveStatus@@QEBA_NXZ | 31 | 0x1400212c4
                           ?IsPartiallyConverted@VolumeFveStatus@@QEBA_NXZ | 32 | 0x14003ab20
                           ?IsPaused@VolumeFveStatus@@QEBA_NXZ | 33 | 0x140036390
                           ?IsPreProvisioned@VolumeFveStatus@@QEBA_NXZ | 34 | 0x140040cd4
                           ?IsRoamingDevice@VolumeFveStatus@@QEBA_NXZ | 35 | 0x14001bf04
                           ?IsSecure@VolumeFveStatus@@QEBA_NXZ | 36 | 0x1400041b0
                           ?IsUnknownFveVersion@VolumeFveStatus@@QEBA_NXZ | 37 | 0x14003239c
                           ?IsWiping@VolumeFveStatus@@QEBA_NXZ | 38 | 0x140020f68
                           ?NO_DRIVE_LETTER@BuiVolume@@2IB | 39 | 0x14003905c
                           ?NeedsRestart@VolumeFveStatus@@QEBA_NXZ | 40 | 0x140009f9c
                           FveuiWizard | 41 | 0x140039d64
                           FveuipClearFveWizOnStartup | 42 | 0x14002bf34
                           Description | Data
                           LegalCopyright | Microsoft Corporation. All rights
                           InternalName | dpnhup
                           FileVersion | 1.56
                           CompanyName | Microsoft C
                           ProductName | Sysinternals Streams
                           ProductVersion | 6.1
                           FileDescription | Thai K
                           OriginalFilename | dpnhupnp.d
                           Translation | 0x0409 0x04b0
                           Language of compilation system | Country where language is spoken | Map
                           English | United States |
                           Timestamp | Source Port | Dest Port | Source IP | Dest IP
                           Mar 23, 2022 15:47:01.145245075 CET | 53907 | 53 | 192.168.2.7 | 8.8.8.8
                           Mar 23, 2022 15:47:01.164192915 CET | 53 | 53907 | 8.8.8.8 | 192.168.2.7
                           Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
                           Mar 23, 2022 15:47:01.145245075 CET | 192.168.2.7 | 8.8.8.8 | 0xa82 | Standard query (0) | canonicalizer.ucsuri.tcs | A (IP address) | IN (0x0001)
                           Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
                           Mar 23, 2022 15:47:00.687875986 CET | 8.8.8.8 | 192.168.2.7 | 0x41b3 | No error (0) | www-bing-com.dual-a-0001.a-msedge.net | dual-a-0001.a-msedge.net | | CNAME (Canonical name) | IN (0x0001)
                           Mar 23, 2022 15:47:00.687875986 CET | 8.8.8.8 | 192.168.2.7 | 0x41b3 | No error (0) | dual-a-0001.a-msedge.net | | 204.79.197.200 | A (IP address) | IN (0x0001)
                           Mar 23, 2022 15:47:00.687875986 CET | 8.8.8.8 | 192.168.2.7 | 0x41b3 | No error (0) | dual-a-0001.a-msedge.net | | 13.107.21.200 | A (IP address) | IN (0x0001)
                           Mar 23, 2022 15:47:00.713713884 CET | 8.8.8.8 | 192.168.2.7 | 0x7827 | No error (0) | prda.aadg.msidentity.com | www.tm.a.prd.aadg.trafficmanager.net | | CNAME (Canonical name) | IN (0x0001)
                           Mar 23, 2022 15:47:01.164192915 CET | 8.8.8.8 | 192.168.2.7 | 0xa82 | Name error (3) | canonicalizer.ucsuri.tcs | none | none | A (IP address) | IN (0x0001)


                          Target ID:0
                          Start time:15:42:50
                          Start date:23/03/2022
                          Path:C:\Windows\System32\loaddll64.exe
                          Wow64 process (32bit):false
                          Commandline:loaddll64.exe "C:\Users\user\Desktop\GpUSRuIBHx.dll"
                          Imagebase:0x7ff63d400000
                          File size:140288 bytes
                          MD5 hash:4E8A40CAD6CCC047914E3A7830A2D8AA
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Yara matches:
                          • Rule: JoeSecurity_Dridex_2, Description: Yara detected Dridex unpacked file, Source: 00000000.00000002.372939527.00007FF8BA5D1000.00000020.00000001.01000000.00000003.sdmp, Author: Joe Security
                          Reputation:moderate

                          Target ID:1
                          Start time:15:42:51
                          Start date:23/03/2022
                          Path:C:\Windows\System32\cmd.exe
                          Wow64 process (32bit):false
                          Commandline:cmd.exe /C rundll32.exe "C:\Users\user\Desktop\GpUSRuIBHx.dll",#1
                          Imagebase:0x7ff6a6590000
                          File size:273920 bytes
                          MD5 hash:4E2ACF4F8A396486AB4268C94A6A245F
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Reputation:high

                          Target ID:2
                          Start time:15:42:51
                          Start date:23/03/2022
                          Path:C:\Windows\System32\rundll32.exe
                          Wow64 process (32bit):false
                          Commandline:rundll32.exe C:\Users\user\Desktop\GpUSRuIBHx.dll,??0VolumeFveStatus@@IEAA@XZ
                          Imagebase:0x7ff7c5d30000
                          File size:69632 bytes
                          MD5 hash:73C519F050C20580F8A62C849D49215A
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Yara matches:
                          • Rule: JoeSecurity_Dridex_2, Description: Yara detected Dridex unpacked file, Source: 00000002.00000002.470593131.00007FF8BA5D1000.00000020.00000001.01000000.00000003.sdmp, Author: Joe Security
                          Reputation:high

                          Target ID:3
                          Start time:15:42:52
                          Start date:23/03/2022
                          Path:C:\Windows\System32\rundll32.exe
                          Wow64 process (32bit):false
                          Commandline:rundll32.exe "C:\Users\user\Desktop\GpUSRuIBHx.dll",#1
                          Imagebase:0x7ff7c5d30000
                          File size:69632 bytes
                          MD5 hash:73C519F050C20580F8A62C849D49215A
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Yara matches:
                          • Rule: JoeSecurity_Dridex_2, Description: Yara detected Dridex unpacked file, Source: 00000003.00000002.352441583.00007FF8BA5D1000.00000020.00000001.01000000.00000003.sdmp, Author: Joe Security
                          Reputation:high

                          Target ID:4
                          Start time:15:42:54
                          Start date:23/03/2022
                          Path:C:\Windows\explorer.exe
                          Wow64 process (32bit):false
                          Commandline:C:\Windows\Explorer.EXE
                          Imagebase:0x7ff631f70000
                          File size:3933184 bytes
                          MD5 hash:AD5296B280E8F522A8A897C96BAB0E1D
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Reputation:high

                          Target ID:5
                          Start time:15:42:55
                          Start date:23/03/2022
                          Path:C:\Windows\System32\rundll32.exe
                          Wow64 process (32bit):false
                          Commandline:rundll32.exe C:\Users\user\Desktop\GpUSRuIBHx.dll,??0VolumeFveStatus@@QEAA@K_KJW4_FVE_WIPING_STATE@@@Z
                          Imagebase:0x7ff7c5d30000
                          File size:69632 bytes
                          MD5 hash:73C519F050C20580F8A62C849D49215A
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Yara matches:
                          • Rule: JoeSecurity_Dridex_2, Description: Yara detected Dridex unpacked file, Source: 00000005.00000002.358622486.00007FF8BA5D1000.00000020.00000001.01000000.00000003.sdmp, Author: Joe Security
                          Reputation:high

                          Target ID:6
                          Start time:15:42:59
                          Start date:23/03/2022
                          Path:C:\Windows\System32\rundll32.exe
                          Wow64 process (32bit):false
                          Commandline:rundll32.exe C:\Users\user\Desktop\GpUSRuIBHx.dll,??4BuiVolume@@QEAAAEAV0@AEBV0@@Z
                          Imagebase:0x7ff7c5d30000
                          File size:69632 bytes
                          MD5 hash:73C519F050C20580F8A62C849D49215A
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Yara matches:
                          • Rule: JoeSecurity_Dridex_2, Description: Yara detected Dridex unpacked file, Source: 00000006.00000002.366331885.00007FF8BA5D1000.00000020.00000001.01000000.00000003.sdmp, Author: Joe Security
                          Reputation:high

                          Target ID:14
                          Start time:15:43:34
                          Start date:23/03/2022
                          Path:C:\Windows\System32\BackgroundTransferHost.exe
                          Wow64 process (32bit):false
                          Commandline:"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.1
                          Imagebase:0x7ff7e4fa0000
                          File size:36864 bytes
                          MD5 hash:02BA81746B929ECC9DB6665589B68335
                          Has elevated privileges:true
                          Has administrator privileges:false
                          Programmed in:C, C++ or other language
                          Reputation:moderate

                          Target ID:17
                          Start time:15:43:51
                          Start date:23/03/2022
                          Path:C:\Windows\System32\FileHistory.exe
                          Wow64 process (32bit):false
                          Commandline:C:\Windows\system32\FileHistory.exe
                          Imagebase:0x7ff693090000
                          File size:246784 bytes
                          MD5 hash:989B5BDB2BEAC9F894BBC236F1B67967
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Reputation:moderate

                          Target ID:18
                          Start time:15:43:53
                          Start date:23/03/2022
                          Path:C:\Users\user\AppData\Local\6f22a\FileHistory.exe
                          Wow64 process (32bit):false
                          Commandline:C:\Users\user\AppData\Local\6f22a\FileHistory.exe
                          Imagebase:0x7ff6d0a30000
                          File size:246784 bytes
                          MD5 hash:989B5BDB2BEAC9F894BBC236F1B67967
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:.Net C# or VB.NET
                          Yara matches:
                          • Rule: JoeSecurity_Dridex_2, Description: Yara detected Dridex unpacked file, Source: 00000012.00000002.484522001.00007FF8CA981000.00000020.00000001.01000000.00000008.sdmp, Author: Joe Security
                          Antivirus matches:
                          • Detection: 0%, Metadefender
                          • Detection: 0%, ReversingLabs

                          Target ID:19
                          Start time:15:43:56
                          Start date:23/03/2022
                          Path:C:\Windows\System32\rdpinput.exe
                          Wow64 process (32bit):false
                          Commandline:C:\Windows\system32\rdpinput.exe
                          Imagebase:0x7ff7e8070000
                          File size:178688 bytes
                          MD5 hash:4403785D297C55D5DF26176B4F1A52C8
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language

                          Target ID:20
                          Start time:15:43:57
                          Start date:23/03/2022
                          Path:C:\Users\user\AppData\Local\Kyz7D\rdpinput.exe
                          Wow64 process (32bit):false
                          Commandline:C:\Users\user\AppData\Local\Kyz7D\rdpinput.exe
                          Imagebase:0x7ff7bada0000
                          File size:178688 bytes
                          MD5 hash:4403785D297C55D5DF26176B4F1A52C8
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Yara matches:
                          • Rule: JoeSecurity_Dridex_2, Description: Yara detected Dridex unpacked file, Source: 00000014.00000002.512496248.00007FF8CA981000.00000020.00000001.01000000.0000000C.sdmp, Author: Joe Security

                          Target ID:21
                          Start time:15:44:09
                          Start date:23/03/2022
                          Path:C:\Windows\System32\SndVol.exe
                          Wow64 process (32bit):false
                          Commandline:C:\Windows\system32\SndVol.exe
                          Imagebase:0x7ff7678e0000
                          File size:259904 bytes
                          MD5 hash:CDD7C7DF2D0859AC3F4088423D11BD08
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language

                          Target ID:22
                          Start time:15:44:11
                          Start date:23/03/2022
                          Path:C:\Users\user\AppData\Local\bTcR2e\SndVol.exe
                          Wow64 process (32bit):false
                          Commandline:C:\Users\user\AppData\Local\bTcR2e\SndVol.exe
                          Imagebase:0x7ff6c1bb0000
                          File size:259904 bytes
                          MD5 hash:CDD7C7DF2D0859AC3F4088423D11BD08
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Yara matches:
                          • Rule: JoeSecurity_Dridex_2, Description: Yara detected Dridex unpacked file, Source: 00000016.00000002.541815176.00007FF8CA981000.00000020.00000001.01000000.0000000E.sdmp, Author: Joe Security

                          Target ID:24
                          Start time:15:44:23
                          Start date:23/03/2022
                          Path:C:\Windows\System32\SnippingTool.exe
                          Wow64 process (32bit):false
                          Commandline:C:\Windows\system32\SnippingTool.exe
                          Imagebase:0x7ff61af50000
                          File size:3292160 bytes
                          MD5 hash:9012F9C6AC7F3F99ECDD37E24C9AC3BB
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language

                          Target ID:25
                          Start time:15:44:24
                          Start date:23/03/2022
                          Path:C:\Users\user\AppData\Local\LoReH\SnippingTool.exe
                          Wow64 process (32bit):false
                          Commandline:C:\Users\user\AppData\Local\LoReH\SnippingTool.exe
                          Imagebase:0x7ff70c3f0000
                          File size:3292160 bytes
                          MD5 hash:9012F9C6AC7F3F99ECDD37E24C9AC3BB
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Yara matches:
                          • Rule: JoeSecurity_Dridex_2, Description: Yara detected Dridex unpacked file, Source: 00000019.00000002.581334481.00007FF8CA981000.00000020.00000001.01000000.00000010.sdmp, Author: Joe Security

                          Target ID:27
                          Start time:15:44:41
                          Start date:23/03/2022
                          Path:C:\Windows\System32\slui.exe
                          Wow64 process (32bit):false
                          Commandline:C:\Windows\system32\slui.exe
                          Imagebase:0x7ff71ca20000
                          File size:445952 bytes
                          MD5 hash:96A8EF9387619D17BB30B024DDF52BF3
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language

                          Target ID:28
                          Start time:15:44:43
                          Start date:23/03/2022
                          Path:C:\Users\user\AppData\Local\2Yf2pw501\slui.exe
                          Wow64 process (32bit):false
                          Commandline:C:\Users\user\AppData\Local\2Yf2pw501\slui.exe
                          Imagebase:0x7ff6a3f20000
                          File size:445952 bytes
                          MD5 hash:96A8EF9387619D17BB30B024DDF52BF3
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Yara matches:
                          • Rule: JoeSecurity_Dridex_2, Description: Yara detected Dridex unpacked file, Source: 0000001C.00000002.616859661.00007FF8CA981000.00000020.00000001.01000000.00000013.sdmp, Author: Joe Security
                          Antivirus matches:
                          • Detection: 0%, Metadefender
                          • Detection: 0%, ReversingLabs

                          Target ID:29
                          Start time:15:44:58
                          Start date:23/03/2022
                          Path:C:\Windows\System32\rdpinput.exe
                          Wow64 process (32bit):false
                          Commandline:C:\Windows\system32\rdpinput.exe
                          Imagebase:0x7ff7dae40000
                          File size:178688 bytes
                          MD5 hash:4403785D297C55D5DF26176B4F1A52C8
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language

                          Target ID:30
                          Start time:15:45:00
                          Start date:23/03/2022
                          Path:C:\Users\user\AppData\Local\Fjrn\rdpinput.exe
                          Wow64 process (32bit):false
                          Commandline:C:\Users\user\AppData\Local\Fjrn\rdpinput.exe
                          Imagebase:0x7ff64db80000
                          File size:178688 bytes
                          MD5 hash:4403785D297C55D5DF26176B4F1A52C8
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Yara matches:
                          • Rule: JoeSecurity_Dridex_2, Description: Yara detected Dridex unpacked file, Source: 0000001E.00000002.646421042.00007FF8CA981000.00000020.00000001.01000000.00000015.sdmp, Author: Joe Security

                          Target ID:31
                          Start time:15:45:11
                          Start date:23/03/2022
                          Path:C:\Windows\System32\printfilterpipelinesvc.exe
                          Wow64 process (32bit):false
                          Commandline:C:\Windows\system32\printfilterpipelinesvc.exe
                          Imagebase:0x7ff6fba90000
                          File size:841728 bytes
                          MD5 hash:4164BD4D8E23C672E40D203E4B4A38A7
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language

                          Target ID:32
                          Start time:15:45:13
                          Start date:23/03/2022
                          Path:C:\Users\user\AppData\Local\2HophZ6P\printfilterpipelinesvc.exe
                          Wow64 process (32bit):false
                          Commandline:C:\Users\user\AppData\Local\2HophZ6P\printfilterpipelinesvc.exe
                          Imagebase:0x7ff6b4120000
                          File size:841728 bytes
                          MD5 hash:4164BD4D8E23C672E40D203E4B4A38A7
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Yara matches:
                          • Rule: JoeSecurity_Dridex_2, Description: Yara detected Dridex unpacked file, Source: 00000020.00000002.678112483.00007FF8BB381000.00000020.00000001.01000000.00000017.sdmp, Author: Joe Security
                          Antivirus matches:
                          • Detection: 0%, Metadefender
                          • Detection: 0%, ReversingLabs

                          Target ID:33
                          Start time:15:45:26
                          Start date:23/03/2022
                          Path:C:\Windows\System32\Utilman.exe
                          Wow64 process (32bit):false
                          Commandline:C:\Windows\system32\Utilman.exe
                          Imagebase:0x7ff6a6470000
                          File size:98304 bytes
                          MD5 hash:C91CCEF3884CFDE746B4BAEF5F1BC75C
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language

                          Target ID:34
                          Start time:15:45:28
                          Start date:23/03/2022
                          Path:C:\Users\user\AppData\Local\D6R1uM\Utilman.exe
                          Wow64 process (32bit):false
                          Commandline:C:\Users\user\AppData\Local\D6R1uM\Utilman.exe
                          Imagebase:0x7ff7c58b0000
                          File size:98304 bytes
                          MD5 hash:C91CCEF3884CFDE746B4BAEF5F1BC75C
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Yara matches:
                          • Rule: JoeSecurity_Dridex_2, Description: Yara detected Dridex unpacked file, Source: 00000022.00000002.705952583.00007FF8BB381000.00000020.00000001.01000000.00000019.sdmp, Author: Joe Security

                          Target ID:35
                          Start time:15:45:39
                          Start date:23/03/2022
                          Path:C:\Windows\System32\phoneactivate.exe
                          Wow64 process (32bit):false
                          Commandline:C:\Windows\system32\phoneactivate.exe
                          Imagebase:0x7ff730a10000
                          File size:107504 bytes
                          MD5 hash:09D1974A03068D4311F1CE94B765E817
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language

                          Target ID:36
                          Start time:15:45:44
                          Start date:23/03/2022
                          Path:C:\Users\user\AppData\Local\op5PCy\phoneactivate.exe
                          Wow64 process (32bit):false
                          Commandline:C:\Users\user\AppData\Local\op5PCy\phoneactivate.exe
                          Imagebase:0x7ff7f2eb0000
                          File size:107504 bytes
                          MD5 hash:09D1974A03068D4311F1CE94B765E817
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Yara matches:
                          • Rule: JoeSecurity_Dridex_2, Description: Yara detected Dridex unpacked file, Source: 00000024.00000002.746490737.00007FF8CA681000.00000020.00000001.01000000.0000001B.sdmp, Author: Joe Security

                          Target ID:37
                          Start time:15:45:58
                          Start date:23/03/2022
                          Path:C:\Windows\System32\DmNotificationBroker.exe
                          Wow64 process (32bit):false
                          Commandline:C:\Windows\system32\DmNotificationBroker.exe
                          Imagebase:0x7ff7f1a50000
                          File size:32256 bytes
                          MD5 hash:1643D5735213BC89C0012F0E48253765
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language

                          Target ID:38
                          Start time:15:46:04
                          Start date:23/03/2022
                          Path:C:\Users\user\AppData\Local\CSYG\DmNotificationBroker.exe
                          Wow64 process (32bit):false
                          Commandline:C:\Users\user\AppData\Local\CSYG\DmNotificationBroker.exe
                          Imagebase:0x7ff7bfef0000
                          File size:32256 bytes
                          MD5 hash:1643D5735213BC89C0012F0E48253765
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Yara matches:
                          • Rule: JoeSecurity_Dridex_2, Description: Yara detected Dridex unpacked file, Source: 00000026.00000002.791054747.00007FF8CA681000.00000020.00000001.01000000.0000001E.sdmp, Author: Joe Security
                          Antivirus matches:
                          • Detection: 0%, Metadefender
                          • Detection: 0%, ReversingLabs

                          Target ID:39
                          Start time:15:46:19
                          Start date:23/03/2022
                          Path:C:\Windows\System32\ProximityUxHost.exe
                          Wow64 process (32bit):false
                          Commandline:C:\Windows\system32\ProximityUxHost.exe
                          Imagebase:0x7ff68fe50000
                          File size:264480 bytes
                          MD5 hash:E7F0E9B3779E54CD271959C600A2A531
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language

                          Target ID:40
                          Start time:15:46:25
                          Start date:23/03/2022
                          Path:C:\Users\user\AppData\Local\oOQGGow\ProximityUxHost.exe
                          Wow64 process (32bit):false
                          Commandline:C:\Users\user\AppData\Local\oOQGGow\ProximityUxHost.exe
                          Imagebase:0x7ff777300000
                          File size:264480 bytes
                          MD5 hash:E7F0E9B3779E54CD271959C600A2A531
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Yara matches:
                          • Rule: JoeSecurity_Dridex_2, Description: Yara detected Dridex unpacked file, Source: 00000028.00000002.836674261.00007FF8CA681000.00000020.00000001.01000000.00000020.sdmp, Author: Joe Security

                          Target ID:41
                          Start time:15:46:40
                          Start date:23/03/2022
                          Path:C:\Windows\System32\omadmclient.exe
                          Wow64 process (32bit):false
                          Commandline:C:\Windows\system32\omadmclient.exe
                          Imagebase:0x7ff6e6700000
                          File size:315904 bytes
                          MD5 hash:AD7C6CD7A8EEC95808AA77C5D7987941
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language

                          No disassembly