
Windows Analysis Report
eWlldJYfLc

Overview

General Information

Sample Name: eWlldJYfLc (renamed file extension from none to dll)
Analysis ID: 595308
MD5: d098d01cbea52f858bce6d0d9faa5b26
SHA1: 952ce9cd899108c2821bf488b98387b6db8424b8
SHA256: 82c89b2a758177c7cfb7c1763b0444281c6b670deef015a886c866f18dbd8370
Tags: Dridex, exe

Detection

Dridex
Score: 100 (range 0 - 100)
Whitelisted: false
Confidence: 100%

Signatures

Yara detected Dridex unpacked file
Multi AV Scanner detection for submitted file
Benign windows process drops PE files
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Changes memory attributes in foreign processes to executable or writable
Machine Learning detection for sample
Sigma detected: Suspicious Svchost Process
Queues an APC in another process (thread injection)
Sigma detected: Suspicious Call by Ordinal
Machine Learning detection for dropped file
Accesses ntoskrnl, likely to find offsets for exploits
Contains functionality to automate explorer (e.g. start an application)
Contains functionality to prevent local Windows debugging
Uses Atom Bombing / ProGate to inject into other processes
PE file contains section with special chars
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query locales information (e.g. system language)
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
PE file contains sections with non-standard names
Queries the installation date of Windows
Detected potential crypto function
Contains functionality to call native functions
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to dynamically determine API calls
Found dropped PE file which has not been started or loaded
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Sample file is different than original file name gathered from version info
PE file contains strange resources
Drops PE files
Tries to load missing DLLs
Found evasive API chain checking for process token information
Binary contains a suspicious time stamp
PE file contains more sections than normal
Found large amount of non-executed APIs
Uses Microsoft's Enhanced Cryptographic Provider
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Process Tree

  • System is w10x64
  • loaddll64.exe (PID: 7088 cmdline: loaddll64.exe "C:\Users\user\Desktop\eWlldJYfLc.dll" MD5: 4E8A40CAD6CCC047914E3A7830A2D8AA)
    • cmd.exe (PID: 7112 cmdline: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\eWlldJYfLc.dll",#1 MD5: 4E2ACF4F8A396486AB4268C94A6A245F)
      • rundll32.exe (PID: 7132 cmdline: rundll32.exe "C:\Users\user\Desktop\eWlldJYfLc.dll",#1 MD5: 73C519F050C20580F8A62C849D49215A)
    • rundll32.exe (PID: 7120 cmdline: rundll32.exe C:\Users\user\Desktop\eWlldJYfLc.dll,IsInteractiveUserSession MD5: 73C519F050C20580F8A62C849D49215A)
      • explorer.exe (PID: 3968 cmdline: C:\Windows\Explorer.EXE MD5: AD5296B280E8F522A8A897C96BAB0E1D)
        • svchost.exe (PID: 5604 cmdline: C:\Windows\System32\svchost.exe -k NetworkService -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
        • sdclt.exe (PID: 3960 cmdline: C:\Windows\system32\sdclt.exe MD5: 0632A8402C6504CD541AC93676AAD0F5)
        • CloudNotifications.exe (PID: 5876 cmdline: C:\Windows\system32\CloudNotifications.exe MD5: D9FF4C8DBC1682E0508322307CB89C0F)
        • CloudNotifications.exe (PID: 2928 cmdline: C:\Users\user\AppData\Local\R7Mg9\CloudNotifications.exe MD5: D9FF4C8DBC1682E0508322307CB89C0F)
        • systemreset.exe (PID: 6544 cmdline: C:\Windows\system32\systemreset.exe MD5: 872AE9FE08ED1AA78208678967BE2FEF)
        • Dxpserver.exe (PID: 3500 cmdline: C:\Windows\system32\Dxpserver.exe MD5: DCCB1D350193BE0A26CEAFF602DB848E)
        • Dxpserver.exe (PID: 1740 cmdline: C:\Users\user\AppData\Local\4O9p1cGN\Dxpserver.exe MD5: DCCB1D350193BE0A26CEAFF602DB848E)
        • mfpmp.exe (PID: 5604 cmdline: C:\Windows\system32\mfpmp.exe MD5: 7C3D09D6DB5DB4A272FCF4C1BB3986BD)
        • mfpmp.exe (PID: 3464 cmdline: C:\Users\user\AppData\Local\bj1HT\mfpmp.exe MD5: 7C3D09D6DB5DB4A272FCF4C1BB3986BD)
        • msra.exe (PID: 1908 cmdline: C:\Windows\system32\msra.exe MD5: 3240CC226FB8AC41A0431A8F3B9DD770)
        • mstsc.exe (PID: 7132 cmdline: C:\Windows\system32\mstsc.exe MD5: 3FBB5CD8829E9533D0FF5819DB0444C0)
        • mstsc.exe (PID: 3176 cmdline: C:\Users\user\AppData\Local\n0R5g\mstsc.exe MD5: 3FBB5CD8829E9533D0FF5819DB0444C0)
        • SndVol.exe (PID: 5936 cmdline: C:\Windows\system32\SndVol.exe MD5: CDD7C7DF2D0859AC3F4088423D11BD08)
        • SndVol.exe (PID: 5900 cmdline: C:\Users\user\AppData\Local\Nz4mnM\SndVol.exe MD5: CDD7C7DF2D0859AC3F4088423D11BD08)
    • rundll32.exe (PID: 5384 cmdline: rundll32.exe C:\Users\user\Desktop\eWlldJYfLc.dll,QueryActiveSession MD5: 73C519F050C20580F8A62C849D49215A)
    • rundll32.exe (PID: 3156 cmdline: rundll32.exe C:\Users\user\Desktop\eWlldJYfLc.dll,QueryUserToken MD5: 73C519F050C20580F8A62C849D49215A)
  • cleanup
No configs have been found
Yara matches in memory dumps

Source | Rule | Description | Author
00000008.00000002.274772551.00007FFC670C1000.00000020.00000001.01000000.00000003.sdmp | JoeSecurity_Dridex_2 | Yara detected Dridex unpacked file | Joe Security
00000000.00000002.280898080.00007FFC670C1000.00000020.00000001.01000000.00000003.sdmp | JoeSecurity_Dridex_2 | Yara detected Dridex unpacked file | Joe Security
00000023.00000002.574221343.00007FFC74C21000.00000020.00000001.01000000.00000013.sdmp | JoeSecurity_Dridex_2 | Yara detected Dridex unpacked file | Joe Security
00000014.00000002.430869317.00007FFC74C21000.00000020.00000001.01000000.0000000A.sdmp | JoeSecurity_Dridex_2 | Yara detected Dridex unpacked file | Joe Security
00000002.00000002.382839680.00007FFC670C1000.00000020.00000001.01000000.00000003.sdmp | JoeSecurity_Dridex_2 | Yara detected Dridex unpacked file | Joe Security
(table truncated in the source; further entries not shown)

Yara matches in unpacked PE files

Source | Rule | Description | Author
33.2.mstsc.exe.7ffc74c20000.3.unpack | JoeSecurity_Dridex_2 | Yara detected Dridex unpacked file | Joe Security
35.2.SndVol.exe.7ffc74c20000.3.unpack | JoeSecurity_Dridex_2 | Yara detected Dridex unpacked file | Joe Security
20.2.CloudNotifications.exe.7ffc74c20000.3.unpack | JoeSecurity_Dridex_2 | Yara detected Dridex unpacked file | Joe Security
8.2.rundll32.exe.7ffc670c0000.2.unpack | JoeSecurity_Dridex_2 | Yara detected Dridex unpacked file | Joe Security
2.2.rundll32.exe.7ffc670c0000.2.unpack | JoeSecurity_Dridex_2 | Yara detected Dridex unpacked file | Joe Security
(table truncated in the source; further entries not shown)

System Summary

Sigma rule matches:
Source: Process started | Author: Florian Roth | Data: Command: C:\Windows\System32\svchost.exe -k NetworkService -p, CommandLine: C:\Windows\System32\svchost.exe -k NetworkService -p, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: C:\Windows\Explorer.EXE, ParentImage: C:\Windows\explorer.exe, ParentProcessId: 3968, ProcessCommandLine: C:\Windows\System32\svchost.exe -k NetworkService -p, ProcessId: 5604
Source: Process started | Author: Florian Roth | Data: Command: rundll32.exe "C:\Users\user\Desktop\eWlldJYfLc.dll",#1, CommandLine: rundll32.exe "C:\Users\user\Desktop\eWlldJYfLc.dll",#1, CommandLine|base64offset|contains: , Image: C:\Windows\System32\rundll32.exe, NewProcessName: C:\Windows\System32\rundll32.exe, OriginalFileName: C:\Windows\System32\rundll32.exe, ParentCommandLine: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\eWlldJYfLc.dll",#1, ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 7112, ProcessCommandLine: rundll32.exe "C:\Users\user\Desktop\eWlldJYfLc.dll",#1, ProcessId: 7132
Source: Process started | Author: vburov | Data: Command: C:\Windows\System32\svchost.exe -k NetworkService -p, CommandLine: C:\Windows\System32\svchost.exe -k NetworkService -p, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: C:\Windows\Explorer.EXE, ParentImage: C:\Windows\explorer.exe, ParentProcessId: 3968, ProcessCommandLine: C:\Windows\System32\svchost.exe -k NetworkService -p, ProcessId: 5604
Source: File created | Author: frack113 | Data: EventID: 11, Image: C:\Windows\explorer.exe, ProcessId: 3968, TargetFilename: C:\Users\user\AppData\Local\R7Mg9\CloudNotifications.exe

AV Detection

Source: eWlldJYfLc.dll | Virustotal: Detection: 67%
Source: eWlldJYfLc.dll | Metadefender: Detection: 60%
Source: eWlldJYfLc.dll | ReversingLabs: Detection: 88%
Source: eWlldJYfLc.dll | Avira: detected
Source: C:\Users\user\AppData\Local\vFRJtv0CU\ACTIVEDS.dll | Avira: detection malicious, Label: TR/Crypt.ZPACK.Gen
Source: C:\Users\user\AppData\Local\4O9p1cGN\dwmapi.dll | Avira: detection malicious, Label: TR/Crypt.XPACK.Gen7
Source: C:\Users\user\AppData\Local\Nz4mnM\UxTheme.dll | Avira: detection malicious, Label: TR/Crypt.ZPACK.Gen
Source: C:\Users\user\AppData\Local\O0z6Mm4\XmlLite.dll | Avira: detection malicious, Label: TR/Crypt.XPACK.Gen7
Source: C:\Users\user\AppData\Local\O0z6Mm4\XmlLite.dll | Avira: detection malicious, Label: TR/Crypt.XPACK.Gen7
Source: C:\Users\user\AppData\Local\bj1HT\MFPlat.DLL | Avira: detection malicious, Label: TR/Crypt.XPACK.Gen7
Source: C:\Users\user\AppData\Local\EQ0DjT2sP\DUI70.dll | Avira: detection malicious, Label: TR/Crypt.XPACK.Gen4
Source: C:\Users\user\AppData\Local\Nz4mnM\UxTheme.dll | Avira: detection malicious, Label: TR/Crypt.ZPACK.Gen
Source: C:\Users\user\AppData\Local\n0R5g\Secur32.dll | Avira: detection malicious, Label: TR/Crypt.ZPACK.Gen
Source: eWlldJYfLc.dll | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\vFRJtv0CU\ACTIVEDS.dll | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\4O9p1cGN\dwmapi.dll | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Nz4mnM\UxTheme.dll | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\O0z6Mm4\XmlLite.dll | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\O0z6Mm4\XmlLite.dll | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\bj1HT\MFPlat.DLL | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\EQ0DjT2sP\DUI70.dll | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Nz4mnM\UxTheme.dll | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\n0R5g\Secur32.dll | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\4O9p1cGN\Dxpserver.exe | Code function: 26_2_00007FF61310EFCC memset,CreateFileW,CryptCATAdminCalcHashFromFileHandle,CryptCATAdminCalcHashFromFileHandle,SetFilePointer,GetLastError,memset,WinVerifyTrustEx,WTHelperProvDataFromStateData,WTHelperGetProvSignerFromChain,CertVerifyCertificateChainPolicy,WinVerifyTrustEx,CloseHandle,
Source: C:\Users\user\AppData\Local\4O9p1cGN\Dxpserver.exe | Code function: 26_2_00007FF61310F224 CreateFileW,CryptCATAdminCalcHashFromFileHandle,CryptCATAdminCalcHashFromFileHandle,GetLastError,CloseHandle,GetLastError,CryptCATAdminAcquireContext,CryptCATAdminEnumCatalogFromHash,memset,CryptCATCatalogInfoFromContext,CryptCATAdminReleaseCatalogContext,CryptCATAdminReleaseContext,GetLastError,GetLastError,
Source: C:\Users\user\AppData\Local\n0R5g\mstsc.exe | Code function: 33_2_00007FF7B877F52C CryptProtectData,LocalAlloc,LocalFree,
Source: C:\Users\user\AppData\Local\n0R5g\mstsc.exe | Code function: 33_2_00007FF7B877F8FC CryptBinaryToStringW,LocalAlloc,CryptBinaryToStringW,LocalFree,
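The process tree, the Sigma rows under System Summary and the dropped-DLL rows above all describe one pattern: explorer.exe (injected from rundll32.exe) spawns svchost.exe without services.exe as parent, rundll32.exe is called by export ordinal (",#1"), and legitimate System32 binaries (Dxpserver.exe, mstsc.exe, SndVol.exe, mfpmp.exe, CloudNotifications.exe) are copied to C:\Users\user\AppData\Local\<random>\ beside a malicious DLL that carries a system-DLL name (dwmapi.dll, Secur32.dll, UxTheme.dll, MFPlat.DLL), i.e. DLL search-order hijacking. The script below is an added example, not part of the Joe Sandbox report and not Dridex code: it rebuilds those three checks in plain Python so the tree can be scored offline. The sample tree and DLL list are constructed from this report's own rows (MD5 columns dropped); parent/child links are recovered from the indentation, and the rule names are the author's own labels.

```python
r"""Detection logic over the process tree and AV rows of this report.

Added example: not part of the Joe Sandbox report and not Dridex code.
Three checks the report's signatures express, re-implemented so that the
same tree can be scored offline:
  1. svchost.exe whose parent is not services.exe ("Suspicious Svchost
     Process": here explorer.exe -> svchost.exe -k NetworkService -p)
  2. rundll32.exe invoked with an export ordinal (",#1", "Suspicious Call
     by Ordinal")
  3. a binary that also ran from C:\Windows\System32 being launched from
     %LOCALAPPDATA%\<random>\ next to an AV-flagged DLL with a system-DLL
     name (the Dxpserver.exe / dwmapi.dll and mstsc.exe / Secur32.dll pairs)
SAMPLE_TREE and SAMPLE_AV_HITS are CONSTRUCTED from rows of the report.
"""
import re
from typing import Dict, List, Optional, Tuple

# Constructed from the report's process tree; two spaces per nesting level.
SAMPLE_TREE = r"""
loaddll64.exe (PID: 7088 cmdline: loaddll64.exe "C:\Users\user\Desktop\eWlldJYfLc.dll")
  cmd.exe (PID: 7112 cmdline: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\eWlldJYfLc.dll",#1)
    rundll32.exe (PID: 7132 cmdline: rundll32.exe "C:\Users\user\Desktop\eWlldJYfLc.dll",#1)
  rundll32.exe (PID: 7120 cmdline: rundll32.exe C:\Users\user\Desktop\eWlldJYfLc.dll,IsInteractiveUserSession)
    explorer.exe (PID: 3968 cmdline: C:\Windows\Explorer.EXE)
      svchost.exe (PID: 5604 cmdline: C:\Windows\System32\svchost.exe -k NetworkService -p)
      Dxpserver.exe (PID: 3500 cmdline: C:\Windows\system32\Dxpserver.exe)
      Dxpserver.exe (PID: 1740 cmdline: C:\Users\user\AppData\Local\4O9p1cGN\Dxpserver.exe)
      mstsc.exe (PID: 7132 cmdline: C:\Windows\system32\mstsc.exe)
      mstsc.exe (PID: 3176 cmdline: C:\Users\user\AppData\Local\n0R5g\mstsc.exe)
"""

# Constructed from the report's "AV Detection" rows (dropped files flagged by Avira).
SAMPLE_AV_HITS = [
    r"C:\Users\user\AppData\Local\4O9p1cGN\dwmapi.dll",
    r"C:\Users\user\AppData\Local\n0R5g\Secur32.dll",
    r"C:\Users\user\AppData\Local\Nz4mnM\UxTheme.dll",
]

LINE_RE = re.compile(r"^(?P<indent> *)(?P<image>\S+) \(PID: (?P<pid>\d+) cmdline: (?P<cmd>.*)\)$")
ORDINAL_RE = re.compile(r",#\d+\b")
LOCALAPPDATA_EXE_RE = re.compile(
    r"^[a-z]:\\users\\[^\\]+\\appdata\\local\\[^\\]+\\[^\\]+\.exe$", re.I)


def parse_tree(text: str) -> List[Dict]:
    """Turn the indented tree into records with image, pid, cmdline and parent."""
    procs: List[Dict] = []
    ancestry: List[Tuple[int, int, str]] = []  # (depth, pid, image) of open ancestors
    for line in text.strip("\n").splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        depth = len(m["indent"]) // 2
        while ancestry and ancestry[-1][0] >= depth:
            ancestry.pop()
        parent: Optional[Tuple[int, int, str]] = ancestry[-1] if ancestry else None
        proc = {
            "image": m["image"],
            "pid": int(m["pid"]),
            "cmd": m["cmd"],
            "ppid": parent[1] if parent else None,
            "parent_image": parent[2] if parent else None,
        }
        procs.append(proc)
        ancestry.append((depth, proc["pid"], proc["image"]))
    return procs


def image_path(cmd: str) -> str:
    """First token of a command line, with surrounding quotes removed."""
    return cmd[1:].split('"', 1)[0] if cmd.startswith('"') else cmd.split(" ", 1)[0]


def find_suspicious(procs: List[Dict], av_hits: List[str]) -> List[Tuple]:
    """Apply the three checks; returns (rule, pid[, paired DLLs]) tuples."""
    # Images seen running out of System32 in this same tree: the legitimate
    # copies the side-loading hosts were cloned from.
    system32_images = {p["image"].lower() for p in procs
                       if "\\windows\\system32\\" in image_path(p["cmd"]).lower()}
    # Directory -> AV-flagged DLL names, taken from the AV section.
    flagged_by_dir: Dict[str, List[str]] = {}
    for path in av_hits:
        directory, _, name = path.rpartition("\\")
        flagged_by_dir.setdefault(directory.lower(), []).append(name)

    findings: List[Tuple] = []
    for p in procs:
        image = p["image"].lower()
        exe = image_path(p["cmd"])
        if image == "svchost.exe" and (p["parent_image"] or "").lower() != "services.exe":
            findings.append(("svchost_not_under_services", p["pid"]))
        if image == "rundll32.exe" and ORDINAL_RE.search(p["cmd"]):
            findings.append(("rundll32_ordinal_export", p["pid"]))
        if image in system32_images and LOCALAPPDATA_EXE_RE.match(exe):
            dlls = tuple(flagged_by_dir.get(exe.rpartition("\\")[0].lower(), []))
            findings.append(("sideload_host_in_localappdata", p["pid"], dlls))
    return findings


if __name__ == "__main__":
    for finding in find_suspicious(parse_tree(SAMPLE_TREE), SAMPLE_AV_HITS):
        print(*finding)
```

The third check deliberately keys on an image name that was seen running from System32 in the same tree rather than on a fixed list, because the report shows the malware picking several different hosts; on a live host the same idea is applied by comparing the copied EXE's hash or Authenticode signer with the System32 original and then listing DLLs in the copy's directory.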

Exploits

Source: C:\Windows\explorer.exe | File opened: C:\Windows\system32\ntkrnlmp.exe
Source: eWlldJYfLc.dll | Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA
Source: Binary string: SndVol.pdbGCTL | source: SndVol.exe, 00000023.00000000.548108875.00007FF742CF2000.00000002.00000001.01000000.00000012.sdmp, SndVol.exe, 00000023.00000002.574100528.00007FF742CF2000.00000002.00000001.01000000.00000012.sdmp, SndVol.exe.4.dr
Source: Binary string: SppExtComObj.pdb | source: SppExtComObj.Exe.4.dr
Source: Binary string: MFPMP.pdb | source: mfpmp.exe, 0000001D.00000000.471765821.00007FF670A47000.00000002.00000001.01000000.0000000D.sdmp, mfpmp.exe, 0000001D.00000002.500806173.00007FF670A47000.00000002.00000001.01000000.0000000D.sdmp, mfpmp.exe.4.dr
Source: Binary string: CloudNotifications.pdb | source: CloudNotifications.exe, 00000014.00000000.405037506.00007FF74078B000.00000002.00000001.01000000.00000009.sdmp, CloudNotifications.exe, 00000014.00000002.430793146.00007FF74078B000.00000002.00000001.01000000.00000009.sdmp, CloudNotifications.exe.4.dr
Source: Binary string: deviceenroller.pdb | source: DeviceEnroller.exe.4.dr
Source: Binary string: MFPMP.pdbUGP | source: mfpmp.exe, 0000001D.00000000.471765821.00007FF670A47000.00000002.00000001.01000000.0000000D.sdmp, mfpmp.exe, 0000001D.00000002.500806173.00007FF670A47000.00000002.00000001.01000000.0000000D.sdmp, mfpmp.exe.4.dr
Source: Binary string: DXPServer.pdbGCTL | source: Dxpserver.exe, 0000001A.00000000.442933050.00007FF613111000.00000002.00000001.01000000.0000000B.sdmp, Dxpserver.exe, 0000001A.00000002.465912323.00007FF613111000.00000002.00000001.01000000.0000000B.sdmp, Dxpserver.exe.4.dr
Source: Binary string: mstsc.pdbGCTL | source: mstsc.exe, 00000021.00000000.509159807.00007FF7B8824000.00000002.00000001.01000000.00000010.sdmp, mstsc.exe, 00000021.00000002.535164127.00007FF7B8824000.00000002.00000001.01000000.00000010.sdmp, mstsc.exe.4.dr
Source: Binary string: CameraSettingsUIHost.pdbGCTL | source: CameraSettingsUIHost.exe.4.dr
Source: Binary string: CameraSettingsUIHost.pdb | source: CameraSettingsUIHost.exe.4.dr
Source: Binary string: SppExtComObj.pdbUGP | source: SppExtComObj.Exe.4.dr
Source: Binary string: mstsc.pdb | source: mstsc.exe, 00000021.00000000.509159807.00007FF7B8824000.00000002.00000001.01000000.00000010.sdmp, mstsc.exe, 00000021.00000002.535164127.00007FF7B8824000.00000002.00000001.01000000.00000010.sdmp, mstsc.exe.4.dr
Source: Binary string: DDODiag.pdbGCTL | source: ddodiag.exe.4.dr
Source: Binary string: DDODiag.pdb | source: ddodiag.exe.4.dr
Source: Binary string: SndVol.pdb | source: SndVol.exe, 00000023.00000000.548108875.00007FF742CF2000.00000002.00000001.01000000.00000012.sdmp, SndVol.exe, 00000023.00000002.574100528.00007FF742CF2000.00000002.00000001.01000000.00000012.sdmp, SndVol.exe.4.dr
Source: Binary string: CloudNotifications.pdbGCTL | source: CloudNotifications.exe, 00000014.00000000.405037506.00007FF74078B000.00000002.00000001.01000000.00000009.sdmp, CloudNotifications.exe, 00000014.00000002.430793146.00007FF74078B000.00000002.00000001.01000000.00000009.sdmp, CloudNotifications.exe.4.dr
Source: Binary string: DXPServer.pdb | source: Dxpserver.exe, 0000001A.00000000.442933050.00007FF613111000.00000002.00000001.01000000.0000000B.sdmp, Dxpserver.exe, 0000001A.00000002.465912323.00007FF613111000.00000002.00000001.01000000.0000000B.sdmp, Dxpserver.exe.4.dr
Source: Binary string: deviceenroller.pdbGCTL | source: DeviceEnroller.exe.4.dr
Source: C:\Windows\System32\loaddll64.exe | Code function: 0_2_00007FFC6711ED10 FindFirstFileExW,
Source: C:\Users\user\AppData\Local\R7Mg9\CloudNotifications.exe | Code function: 20_2_00007FFC74C7ED10 FindFirstFileExW,
Source: C:\Users\user\AppData\Local\4O9p1cGN\Dxpserver.exe | Code function: 26_2_00007FF6130E1914 SHCreateDirectory,memset,FindFirstFileW,CompareStringOrdinal,CompareStringOrdinal,CompareStringOrdinal,CompareStringOrdinal,SHCreateDirectory,CompareStringOrdinal,CreateFileW,CloseHandle,GetLastError,SetFileAttributesW,CopyFileExW,GetLastError,CoCreateGuid,StringFromGUID2,MoveFileW,GetLastError,CopyFileExW,GetLastError,FindNextFileW,FindClose,GetLastError,
Source: explorer.exe, 00000004.00000000.324436158.000000000DA7E000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://schemas.mi
Source: explorer.exe, 00000004.00000000.324436158.000000000DA7E000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://schemas.micr
Source: svchost.exe, 0000000B.00000002.321751772.000001BB8E613000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.bingmapsportal.com
Source: svchost.exe, 0000000B.00000003.320641560.000001BB8E651000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://appexmapsappupdate.blob.core.windows.net
Source: svchost.exe, 0000000B.00000002.321768696.000001BB8E629000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000003.320766530.000001BB8E64A000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://dev.ditu.live.com/REST/v1/Imagery/Copyright/
Source: svchost.exe, 0000000B.00000002.321834175.000001BB8E64C000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000003.320766530.000001BB8E64A000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://dev.ditu.live.com/REST/v1/JsonFilter/VenueMaps/data/
Source: svchost.exe, 0000000B.00000003.320641560.000001BB8E651000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://dev.ditu.live.com/REST/v1/Locations
Source: svchost.exe, 0000000B.00000002.321807705.000001BB8E63E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://dev.ditu.live.com/REST/v1/Routes/
Source: svchost.exe, 0000000B.00000002.321834175.000001BB8E64C000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000003.320766530.000001BB8E64A000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://dev.ditu.live.com/REST/v1/Traffic/Incidents/
Source: svchost.exe, 0000000B.00000003.320495277.000001BB8E669000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000002.321905396.000001BB8E66B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://dev.ditu.live.com/REST/v1/Transit/Stops/
Source: svchost.exe, 0000000B.00000003.320641560.000001BB8E651000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://dev.ditu.live.com/mapcontrol/logging.ashx
Source: svchost.exe, 0000000B.00000002.321768696.000001BB8E629000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://dev.ditu.live.com/mapcontrol/mapconfiguration.ashx?name=native&v=
Source: svchost.exe, 0000000B.00000002.321768696.000001BB8E629000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000003.298657798.000001BB8E630000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://dev.virtualearth.net/REST/v1/Imagery/Copyright/
Source: svchost.exe, 0000000B.00000002.321834175.000001BB8E64C000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000003.320766530.000001BB8E64A000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://dev.virtualearth.net/REST/v1/JsonFilter/VenueMaps/data/
Source: svchost.exe, 0000000B.00000003.298657798.000001BB8E630000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000003.320641560.000001BB8E651000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://dev.virtualearth.net/REST/v1/Locations
Source: svchost.exe, 0000000B.00000002.321807705.000001BB8E63E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/
Source: svchost.exe, 0000000B.00000003.320641560.000001BB8E651000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Driving
Source: svchost.exe, 0000000B.00000003.320641560.000001BB8E651000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Transit
Source: svchost.exe, 0000000B.00000003.320641560.000001BB8E651000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Walking
Source: svchost.exe, 0000000B.00000002.321768696.000001BB8E629000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://dev.virtualearth.net/REST/v1/Traffic/Incidents/
Source: svchost.exe, 0000000B.00000002.321820678.000001BB8E643000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000003.321051969.000001BB8E642000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000003.320872446.000001BB8E641000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://dev.virtualearth.net/REST/v1/Transit/Schedules/
Source: svchost.exe, 0000000B.00000003.298657798.000001BB8E630000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://dev.virtualearth.net/REST/v1/Transit/Stops/
Source: svchost.exe, 0000000B.00000002.321820678.000001BB8E643000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000003.321051969.000001BB8E642000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000003.320872446.000001BB8E641000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://dev.virtualearth.net/mapcontrol/HumanScaleServices/GetBubbles.ashx?n=
Source: svchost.exe, 0000000B.00000003.320641560.000001BB8E651000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://dev.virtualearth.net/mapcontrol/logging.ashx
Source: svchost.exe, 0000000B.00000002.321834175.000001BB8E64C000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000003.320766530.000001BB8E64A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000003.320872446.000001BB8E641000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://dev.virtualearth.net/webservices/v1/LoggingService/LoggingService.svc/Log?
Source: svchost.exe, 0000000B.00000003.298657798.000001BB8E630000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://dev.virtualearth.net/webservices/v1/LoggingService/LoggingService.svc/Log?entry=
Source: svchost.exe, 0000000B.00000003.320766530.000001BB8E64A000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gd?pv=1&r=
Source: svchost.exe, 0000000B.00000002.321834175.000001BB8E64C000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000003.320766530.000001BB8E64A000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gdi?pv=1&r=
Source: svchost.exe, 0000000B.00000002.321834175.000001BB8E64C000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000003.320766530.000001BB8E64A000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gdv?pv=1&r=
Source: svchost.exe, 0000000B.00000003.320872446.000001BB8E641000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://dynamic.t
Source: svchost.exe, 0000000B.00000003.320641560.000001BB8E651000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://dynamic.t0.tiles.ditu.live.com/comp/gen.ashx
Source: svchost.exe, 0000000B.00000003.298657798.000001BB8E630000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000002.321807705.000001BB8E63E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://ecn.dev.virtualearth.net/REST/v1/Imagery/Copyright/
Source: svchost.exe, 0000000B.00000003.298657798.000001BB8E630000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://ecn.dev.virtualearth.net/mapcontrol/mapconfiguration.ashx?name=native&v=
Source: svchost.exe, 0000000B.00000003.298657798.000001BB8E630000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://ecn.dev.virtualearth.net/mapcontrol/roadshield.ashx?bucket=
Source: DeviceEnroller.exe.4.dr | String found in binary or memory: https://login.windows.net-%s
Source: svchost.exe, 0000000B.00000002.321807705.000001BB8E63E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/comp/gen.ashx
Source: svchost.exe, 0000000B.00000002.321807705.000001BB8E63E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000002.321751772.000001BB8E613000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gd?pv=1&r=
Source: svchost.exe, 0000000B.00000003.298657798.000001BB8E630000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdi?pv=1&r=
Source: svchost.exe, 0000000B.00000003.320980194.000001BB8E646000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000003.320872446.000001BB8E641000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdv?pv=1&r=
Source: svchost.exe, 0000000B.00000003.298657798.000001BB8E630000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gri?pv=1&r=
Source: svchost.exe, 0000000B.00000003.298657798.000001BB8E630000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000003.321244735.000001BB8E63A000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://t0.ssl.ak.tiles.virtualearth.net/tiles/gen
Source: svchost.exe, 0000000B.00000002.321768696.000001BB8E629000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://t0.tiles.ditu.live.com/tiles/gen

E-Banking Fraud

Source: Yara match | File source: 33.2.mstsc.exe.7ffc74c20000.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 35.2.SndVol.exe.7ffc74c20000.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 20.2.CloudNotifications.exe.7ffc74c20000.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 8.2.rundll32.exe.7ffc670c0000.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.rundll32.exe.7ffc670c0000.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.2.rundll32.exe.7ffc670c0000.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 26.2.Dxpserver.exe.7ffc74c20000.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 29.2.mfpmp.exe.7ffc74c20000.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.loaddll64.exe.7ffc670c0000.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.rundll32.exe.7ffc670c0000.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000008.00000002.274772551.00007FFC670C1000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.280898080.00007FFC670C1000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000023.00000002.574221343.00007FFC74C21000.00000020.00000001.01000000.00000013.sdmp, type: MEMORY
Source: Yara match | File source: 00000014.00000002.430869317.00007FFC74C21000.00000020.00000001.01000000.0000000A.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.382839680.00007FFC670C1000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 0000001D.00000002.500951495.00007FFC74C21000.00000020.00000001.01000000.0000000E.sdmp, type: MEMORY
Source: Yara match | File source: 0000001A.00000002.465961019.00007FFC74C21000.00000020.00000001.01000000.0000000C.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.260901088.00007FFC670C1000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.267568902.00007FFC670C1000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000021.00000002.543380049.00007FFC74C21000.00000020.00000001.01000000.00000011.sdmp, type: MEMORY

System Summary

Source: SppExtComObj.Exe.4.dr | Static PE information: section name: ?g_Encry
Source: C:\Windows\System32\loaddll64.exe | Code function: 0_2_00007FFC671097D0
Source: C:\Windows\System32\loaddll64.exe | Code function: 0_2_00007FFC670F5020
Source: C:\Windows\System32\loaddll64.exe | Code function: 0_2_00007FFC6711DDC0
Source: C:\Windows\System32\loaddll64.exe | Code function: 0_2_00007FFC67127650
Source: C:\Windows\System32\loaddll64.exe | Code function: 0_2_00007FFC6712D520
Source: C:\Windows\System32\loaddll64.exe | Code function: 0_2_00007FFC6710A2C0
Source: C:\Windows\System32\loaddll64.exe | Code function: 0_2_00007FFC670F59F0
Source: C:\Windows\System32\loaddll64.exe | Code function: 0_2_00007FFC670FAA70
Source: C:\Windows\System32\loaddll64.exe | Code function: 0_2_00007FFC6710CA50
Source: C:\Windows\System32\loaddll64.exe | Code function: 0_2_00007FFC670E7880
Source: C:\Windows\System32\loaddll64.exe | Code function: 0_2_00007FFC67113150
Source: C:\Windows\System32\loaddll64.exe | Code function: 0_2_00007FFC6713B7A0
Source: C:\Windows\System32\loaddll64.exe | Code function: 0_2_00007FFC670C6790
Source: C:\Windows\System32\loaddll64.exe | Code function: 0_2_00007FFC6712C780
Source: C:\Windows\System32\loaddll64.exe | Code function: 0_2_00007FFC6713EF80
Source: C:\Windows\System32\loaddll64.exe | Code function: 0_2_00007FFC670EE7B0
Source: C:\Windows\System32\loaddll64.exe | Code function: 0_2_00007FFC670DA7D0
Source: C:\Windows\System32\loaddll64.exe | Code function: 0_2_00007FFC67134FF0
Source: C:\Windows\System32\loaddll64.exe | Code function: 0_2_00007FFC670D8FC0
Source: C:\Windows\System32\loaddll64.exe | Code function: 0_2_00007FFC670E6FE0
Source: C:\Windows\System32\loaddll64.exe | Code function: 0_2_00007FFC67140820
Source: C:\Windows\System32\loaddll64.exe | Code function: 0_2_00007FFC670C1010
Source: C:\Windows\System32\loaddll64.exe | Code function: 0_2_00007FFC670E4800
Source: C:\Windows\System32\loaddll64.exe | Code function: 0_2_00007FFC670EC030
Source: C:\Windows\System32\loaddll64.exe | Code function: 0_2_00007FFC670F0020
Source: C:\Windows\System32\loaddll64.exe | Code function: 0_2_00007FFC670E5050
Source: C:\Windows\System32\loaddll64.exe | Code function: 0_2_00007FFC6710F870
Source: C:\Windows\System32\loaddll64.exe | Code function: 0_2_00007FFC67115840
Source: C:\Windows\System32\loaddll64.exe | Code function: 0_2_00007FFC670FF870
Source: C:\Windows\System32\loaddll64.exe | Code function: 0_2_00007FFC670C6E90
                      Source: C:\Windows\System32\loaddll64.exeCode function: 0_2_00007FFC6712A6B0
                      Source: C:\Windows\System32\loaddll64.exeCode function: 0_2_00007FFC670C7E80
                      Source: C:\Windows\System32\loaddll64.exeCode function: 0_2_00007FFC670EF6B0
                      Source: C:\Windows\System32\loaddll64.exeCode function: 0_2_00007FFC670F06A0
                      Source: C:\Windows\System32\loaddll64.exeCode function: 0_2_00007FFC67127EC0
                      Source: C:\Windows\System32\loaddll64.exeCode function: 0_2_00007FFC67120F30
                      Source: C:\Windows\System32\loaddll64.exeCode function: 0_2_00007FFC670E872B
                      Source: C:\Windows\System32\loaddll64.exeCode function: 0_2_00007FFC67125760
                      Source: C:\Windows\System32\loaddll64.exeCode function: 0_2_00007FFC670E2F50
                      Source: C:\Windows\System32\loaddll64.exeCode function: 0_2_00007FFC6713BF6F
                      Source: C:\Windows\System32\loaddll64.exeCode function: 0_2_00007FFC67120770
                      Source: C:\Windows\System32\loaddll64.exeCode function: 0_2_00007FFC670DE770
                      Source: C:\Windows\System32\loaddll64.exeCode function: 0_2_00007FFC6713C590
                      Source: C:\Windows\System32\loaddll64.exeCode function: 0_2_00007FFC670CC5A0
                      Source: C:\Windows\System32\loaddll64.exeCode function: 0_2_00007FFC670D95C0
                      Source: C:\Windows\System32\loaddll64.exeCode function: 0_2_00007FFC670F25C0
                      Source: C:\Windows\System32\loaddll64.exeCode function: 0_2_00007FFC670D65E0
                      Source: C:\Windows\System32\loaddll64.exeCode function: 0_2_00007FFC670E3610
                      Source: C:\Windows\System32\loaddll64.exeCode function: 0_2_00007FFC670F2E10
                      Source: C:\Windows\System32\loaddll64.exeCode function: 0_2_00007FFC670CDE20
                      Source: C:\Windows\System32\loaddll64.exeCode function: 0_2_00007FFC670C1620
                      Source: C:\Windows\System32\loaddll64.exeCode function: 0_2_00007FFC670D8670
                      Source: C:\Windows\System32\loaddll64.exeCode function: 0_2_00007FFC67110650
                      Source: C:\Windows\System32\loaddll64.exeCode function: 0_2_00007FFC6712E49D
                      Source: C:\Windows\System32\loaddll64.exeCode function: 0_2_00007FFC67122CA0
                      Source: C:\Windows\System32\loaddll64.exeCode function: 0_2_00007FFC6712E4A6
                      Source: C:\Windows\System32\loaddll64.exeCode function: 0_2_00007FFC6712E4AD
                      Source: C:\Windows\System32\loaddll64.exeCode function: 0_2_00007FFC6712E4B6
                      Source: C:\Windows\System32\loaddll64.exeCode function: 0_2_00007FFC670EAC80
                      Source: C:\Windows\System32\loaddll64.exeCode function: 0_2_00007FFC6712E48B
                      Source: C:\Windows\System32\loaddll64.exeCode function: 0_2_00007FFC6712A490
                      Source: C:\Windows\System32\loaddll64.exeCode function: 0_2_00007FFC6712E494
                      Source: C:\Windows\System32\loaddll64.exeCode function: 0_2_00007FFC670D3CD0
                      Source: C:\Windows\System32\loaddll64.exeCode function: 0_2_00007FFC670F5CD0
                      Source: C:\Windows\System32\loaddll64.exeCode function: 0_2_00007FFC670F3CF0
                      Source: C:\Windows\System32\loaddll64.exeCode function: 0_2_00007FFC67118D20
                      Source: C:\Windows\System32\loaddll64.exeCode function: 0_2_00007FFC670F0D10
                      Source: C:\Windows\System32\loaddll64.exeCode function: 0_2_00007FFC670F1D30
                      Source: C:\Windows\System32\loaddll64.exeCode function: 0_2_00007FFC670E3D50
                      Source: C:\Windows\System32\loaddll64.exeCode function: 0_2_00007FFC670ED550
                      Source: C:\Windows\System32\loaddll64.exeCode function: 0_2_00007FFC670D9D70
                      Source: C:\Windows\System32\loaddll64.exeCode function: 0_2_00007FFC67124390
                      Source: C:\Windows\System32\loaddll64.exeCode function: 0_2_00007FFC67114BC0
                      Source: C:\Windows\System32\loaddll64.exeCode function: 0_2_00007FFC670D23F0
                      Source: C:\Windows\System32\loaddll64.exeCode function: 0_2_00007FFC670D7410
                      Source: C:\Windows\System32\loaddll64.exeCode function: 0_2_00007FFC6712E400
                      Source: C:\Windows\System32\loaddll64.exeCode function: 0_2_00007FFC6713FC00
                      Source: C:\Windows\System32\loaddll64.exeCode function: 0_2_00007FFC67129410
                      Source: C:\Windows\System32\loaddll64.exeCode function: 0_2_00007FFC670D5420
                      Source: C:\Windows\System32\loaddll64.exeCode function: 0_2_00007FFC670C5C20
                      Source: C:\Windows\System32\loaddll64.exeCode function: 0_2_00007FFC671282A0
                      Source: C:\Windows\System32\loaddll64.exeCode function: 0_2_00007FFC6712AAA0
                      Source: C:\Windows\System32\loaddll64.exeCode function: 0_2_00007FFC670EDAA0
                      Source: C:\Windows\System32\loaddll64.exeCode function: 0_2_00007FFC67122AE0
                      Source: C:\Windows\System32\loaddll64.exeCode function: 0_2_00007FFC67127AF0
                      Source: C:\Windows\System32\loaddll64.exeCode function: 0_2_00007FFC670E92C0
                      Source: C:\Windows\System32\loaddll64.exeCode function: 0_2_00007FFC671122C0
                      Source: C:\Windows\System32\loaddll64.exeCode function: 0_2_00007FFC6711F2C0
                      Source: C:\Windows\System32\loaddll64.exeCode function: 0_2_00007FFC670E82E0
                      Source: C:\Windows\System32\loaddll64.exeCode function: 0_2_00007FFC670FBAE0
                      Source: C:\Windows\System32\loaddll64.exeCode function: 0_2_00007FFC670EA310
                      Source: C:\Windows\System32\loaddll64.exeCode function: 0_2_00007FFC670F0300
                      Source: C:\Windows\System32\loaddll64.exeCode function: 0_2_00007FFC670F1B30
                      Source: C:\Windows\System32\loaddll64.exeCode function: 0_2_00007FFC670CBB20
                      Source: C:\Windows\System32\loaddll64.exeCode function: 0_2_00007FFC670C5350
                      Source: C:\Windows\System32\loaddll64.exeCode function: 0_2_00007FFC670E3340
                      Source: C:\Windows\System32\loaddll64.exeCode function: 0_2_00007FFC670D8340
                      Source: C:\Windows\System32\loaddll64.exeCode function: 0_2_00007FFC67125B50
                      Source: C:\Windows\System32\loaddll64.exeCode function: 0_2_00007FFC670F4360
                      Source: C:\Windows\System32\loaddll64.exeCode function: 0_2_00007FFC670F9990
                      Source: C:\Windows\System32\loaddll64.exeCode function: 0_2_00007FFC670C2980
                      Source: C:\Windows\System32\loaddll64.exeCode function: 0_2_00007FFC670DE9B0
                      Source: C:\Windows\System32\loaddll64.exeCode function: 0_2_00007FFC670E11B0
                      Source: C:\Windows\System32\loaddll64.exeCode function: 0_2_00007FFC670EE9A0
                      Source: C:\Windows\System32\loaddll64.exeCode function: 0_2_00007FFC670F21D0
                      Source: C:\Windows\System32\loaddll64.exeCode function: 0_2_00007FFC670E69C0
                      Source: C:\Windows\System32\loaddll64.exeCode function: 0_2_00007FFC670EF1F0
                      Source: C:\Windows\System32\loaddll64.exeCode function: 0_2_00007FFC670F91F0
                      Source: C:\Windows\System32\loaddll64.exeCode function: 0_2_00007FFC670F89F0
                      Source: C:\Windows\System32\loaddll64.exeCode function: 0_2_00007FFC6712B260
                      Source: C:\Windows\System32\loaddll64.exeCode function: 0_2_00007FFC670FB250
                      Source: C:\Windows\System32\loaddll64.exeCode function: 0_2_00007FFC670C7A40
                      Source: C:\Windows\System32\loaddll64.exeCode function: 0_2_00007FFC670DD890
                      Source: C:\Windows\System32\loaddll64.exeCode function: 0_2_00007FFC6713C8B1
                      Source: C:\Windows\System32\loaddll64.exeCode function: 0_2_00007FFC670D08B0
                      Source: C:\Windows\System32\loaddll64.exeCode function: 0_2_00007FFC6713C0EB
                      Source: C:\Windows\System32\loaddll64.exeCode function: 0_2_00007FFC670C18D0
                      Source: C:\Windows\System32\loaddll64.exeCode function: 0_2_00007FFC670DE110
                      Source: C:\Windows\System32\loaddll64.exeCode function: 0_2_00007FFC670E3910
                      Source: C:\Windows\System32\loaddll64.exeCode function: 0_2_00007FFC670CB100
                      Source: C:\Windows\System32\loaddll64.exeCode function: 0_2_00007FFC670F6130
                      Source: C:\Windows\System32\loaddll64.exeCode function: 0_2_00007FFC6712B960
                      Source: C:\Windows\System32\loaddll64.exeCode function: 0_2_00007FFC670E4140
                      Source: C:\Windows\System32\loaddll64.exeCode function: 0_2_00007FFC67126950
                      Source: C:\Users\user\AppData\Local\R7Mg9\CloudNotifications.exeCode function: 20_2_00007FF740782908
                      Source: C:\Users\user\AppData\Local\R7Mg9\CloudNotifications.exeCode function: 20_2_00007FFC74C8D520
                      Source: C:\Users\user\AppData\Local\R7Mg9\CloudNotifications.exeCode function: 20_2_00007FFC74C55CD0
                      Source: C:\Users\user\AppData\Local\R7Mg9\CloudNotifications.exeCode function: 20_2_00007FFC74C87650
                      Source: C:\Users\user\AppData\Local\R7Mg9\CloudNotifications.exeCode function: 20_2_00007FFC74C7DDC0
                      Source: C:\Users\user\AppData\Local\R7Mg9\CloudNotifications.exeCode function: 20_2_00007FFC74C55020
                      Source: C:\Users\user\AppData\Local\R7Mg9\CloudNotifications.exeCode function: 20_2_00007FFC74C697D0
                      Source: C:\Users\user\AppData\Local\R7Mg9\CloudNotifications.exeCode function: 20_2_00007FFC74C73150
                      Source: C:\Users\user\AppData\Local\R7Mg9\CloudNotifications.exeCode function: 20_2_00007FFC74C47880
                      Source: C:\Users\user\AppData\Local\R7Mg9\CloudNotifications.exeCode function: 20_2_00007FFC74C6CA50
                      Source: C:\Users\user\AppData\Local\R7Mg9\CloudNotifications.exeCode function: 20_2_00007FFC74C5AA70
                      Source: C:\Users\user\AppData\Local\R7Mg9\CloudNotifications.exeCode function: 20_2_00007FFC74C559F0
                      Source: C:\Users\user\AppData\Local\R7Mg9\CloudNotifications.exeCode function: 20_2_00007FFC74C6A2C0
                      Source: C:\Users\user\AppData\Local\R7Mg9\CloudNotifications.exeCode function: 20_2_00007FFC74C5BAE0
                      Source: C:\Users\user\AppData\Local\R7Mg9\CloudNotifications.exeCode function: 20_2_00007FFC74C4D550
                      Source: C:\Users\user\AppData\Local\R7Mg9\CloudNotifications.exeCode function: 20_2_00007FFC74C43D50
                      Source: C:\Users\user\AppData\Local\R7Mg9\CloudNotifications.exeCode function: 20_2_00007FFC74C39D70
                      Source: C:\Users\user\AppData\Local\R7Mg9\CloudNotifications.exeCode function: 20_2_00007FFC74C50D10
                      Source: C:\Users\user\AppData\Local\R7Mg9\CloudNotifications.exeCode function: 20_2_00007FFC74C51D30
                      Source: C:\Users\user\AppData\Local\R7Mg9\CloudNotifications.exeCode function: 20_2_00007FFC74C78D20
                      Source: C:\Users\user\AppData\Local\R7Mg9\CloudNotifications.exeCode function: 20_2_00007FFC74C33CD0
                      Source: C:\Users\user\AppData\Local\R7Mg9\CloudNotifications.exeCode function: 20_2_00007FFC74C53CF0
                      Source: C:\Users\user\AppData\Local\R7Mg9\CloudNotifications.exeCode function: 20_2_00007FFC74C8E494
                      Source: C:\Users\user\AppData\Local\R7Mg9\CloudNotifications.exeCode function: 20_2_00007FFC74C8A490
                      Source: C:\Users\user\AppData\Local\R7Mg9\CloudNotifications.exeCode function: 20_2_00007FFC74C4AC80
                      Source: C:\Users\user\AppData\Local\R7Mg9\CloudNotifications.exeCode function: 20_2_00007FFC74C8E48B
                      Source: C:\Users\user\AppData\Local\R7Mg9\CloudNotifications.exeCode function: 20_2_00007FFC74C8E4B6
                      Source: C:\Users\user\AppData\Local\R7Mg9\CloudNotifications.exeCode function: 20_2_00007FFC74C8E4AD
                      Source: C:\Users\user\AppData\Local\R7Mg9\CloudNotifications.exeCode function: 20_2_00007FFC74C8E4A6
                      Source: C:\Users\user\AppData\Local\R7Mg9\CloudNotifications.exeCode function: 20_2_00007FFC74C82CA0
                      Source: C:\Users\user\AppData\Local\R7Mg9\CloudNotifications.exeCode function: 20_2_00007FFC74C8E49D
                      Source: C:\Users\user\AppData\Local\R7Mg9\CloudNotifications.exeCode function: 20_2_00007FFC74C70650
                      Source: C:\Users\user\AppData\Local\R7Mg9\CloudNotifications.exeCode function: 20_2_00007FFC74C38670
                      Source: C:\Users\user\AppData\Local\R7Mg9\CloudNotifications.exeCode function: 20_2_00007FFC74C52E10
                      Source: C:\Users\user\AppData\Local\R7Mg9\CloudNotifications.exeCode function: 20_2_00007FFC74C43610
                      Source: C:\Users\user\AppData\Local\R7Mg9\CloudNotifications.exeCode function: 20_2_00007FFC74C21620
                      Source: C:\Users\user\AppData\Local\R7Mg9\CloudNotifications.exeCode function: 20_2_00007FFC74C2DE20
                      Source: C:\Users\user\AppData\Local\R7Mg9\CloudNotifications.exeCode function: 20_2_00007FFC74C525C0
                      Source: C:\Users\user\AppData\Local\R7Mg9\CloudNotifications.exeCode function: 20_2_00007FFC74C395C0
                      Source: C:\Users\user\AppData\Local\R7Mg9\CloudNotifications.exeCode function: 20_2_00007FFC74C365E0
                      Source: C:\Users\user\AppData\Local\R7Mg9\CloudNotifications.exeCode function: 20_2_00007FFC74C9C590
                      Source: C:\Users\user\AppData\Local\R7Mg9\CloudNotifications.exeCode function: 20_2_00007FFC74C2C5A0
                      Source: C:\Users\user\AppData\Local\R7Mg9\CloudNotifications.exeCode function: 20_2_00007FFC74C42F50
                      Source: C:\Users\user\AppData\Local\R7Mg9\CloudNotifications.exeCode function: 20_2_00007FFC74C80770
                      Source: C:\Users\user\AppData\Local\R7Mg9\CloudNotifications.exeCode function: 20_2_00007FFC74C3E770
                      Source: C:\Users\user\AppData\Local\R7Mg9\CloudNotifications.exeCode function: 20_2_00007FFC74C9BF6F
                      Source: C:\Users\user\AppData\Local\R7Mg9\CloudNotifications.exeCode function: 20_2_00007FFC74C85760
                      Source: C:\Users\user\AppData\Local\R7Mg9\CloudNotifications.exeCode function: 20_2_00007FFC74C80F30
                      Source: C:\Users\user\AppData\Local\R7Mg9\CloudNotifications.exeCode function: 20_2_00007FFC74C4872B
                      Source: C:\Users\user\AppData\Local\R7Mg9\CloudNotifications.exeCode function: 20_2_00007FFC74C87EC0
                      Source: C:\Users\user\AppData\Local\R7Mg9\CloudNotifications.exeCode function: 20_2_00007FFC74C26E90
                      Source: C:\Users\user\AppData\Local\R7Mg9\CloudNotifications.exeCode function: 20_2_00007FFC74C27E80
                      Source: C:\Users\user\AppData\Local\R7Mg9\CloudNotifications.exeCode function: 20_2_00007FFC74C4F6B0
                      Source: C:\Users\user\AppData\Local\R7Mg9\CloudNotifications.exeCode function: 20_2_00007FFC74C8A6B0
                      Source: C:\Users\user\AppData\Local\R7Mg9\CloudNotifications.exeCode function: 20_2_00007FFC74C506A0
                      Source: C:\Users\user\AppData\Local\R7Mg9\CloudNotifications.exeCode function: 20_2_00007FFC74C45050
                      Source: C:\Users\user\AppData\Local\R7Mg9\CloudNotifications.exeCode function: 20_2_00007FFC74C75840
                      Source: C:\Users\user\AppData\Local\R7Mg9\CloudNotifications.exeCode function: 20_2_00007FFC74C5F870
                      Source: C:\Users\user\AppData\Local\R7Mg9\CloudNotifications.exeCode function: 20_2_00007FFC74C6F870
                      Source: C:\Users\user\AppData\Local\R7Mg9\CloudNotifications.exeCode function: 20_2_00007FFC74C21010
                      Source: C:\Users\user\AppData\Local\R7Mg9\CloudNotifications.exeCode function: 20_2_00007FFC74C44800
                      Source: C:\Users\user\AppData\Local\R7Mg9\CloudNotifications.exeCode function: 20_2_00007FFC74C4C030
                      Source: C:\Users\user\AppData\Local\R7Mg9\CloudNotifications.exeCode function: 20_2_00007FFC74C50020
                      Source: C:\Users\user\AppData\Local\R7Mg9\CloudNotifications.exeCode function: 20_2_00007FFC74CA0820
                      Source: C:\Users\user\AppData\Local\R7Mg9\CloudNotifications.exeCode function: 20_2_00007FFC74C3A7D0
                      Source: C:\Users\user\AppData\Local\R7Mg9\CloudNotifications.exeCode function: 20_2_00007FFC74C38FC0
                      Source: C:\Users\user\AppData\Local\R7Mg9\CloudNotifications.exeCode function: 20_2_00007FFC74C94FF0
                      Source: C:\Users\user\AppData\Local\R7Mg9\CloudNotifications.exeCode function: 20_2_00007FFC74C46FE0
                      Source: C:\Users\user\AppData\Local\R7Mg9\CloudNotifications.exeCode function: 20_2_00007FFC74C26790
                      Source: C:\Users\user\AppData\Local\R7Mg9\CloudNotifications.exeCode function: 20_2_00007FFC74C8C780
                      Source: C:\Users\user\AppData\Local\R7Mg9\CloudNotifications.exeCode function: 20_2_00007FFC74C9EF80
                      Source: C:\Users\user\AppData\Local\R7Mg9\CloudNotifications.exeCode function: 20_2_00007FFC74C4E7B0
                      Source: C:\Users\user\AppData\Local\R7Mg9\CloudNotifications.exeCode function: 20_2_00007FFC74C9B7A0
                      Source: C:\Users\user\AppData\Local\R7Mg9\CloudNotifications.exeCode function: 20_2_00007FFC74C86950
                      Source: C:\Users\user\AppData\Local\R7Mg9\CloudNotifications.exeCode function: 20_2_00007FFC74C44140
                      Source: C:\Users\user\AppData\Local\R7Mg9\CloudNotifications.exeCode function: 20_2_00007FFC74C8B960
                      Source: C:\Users\user\AppData\Local\R7Mg9\CloudNotifications.exeCode function: 20_2_00007FFC74C3E110
                      Source: C:\Users\user\AppData\Local\R7Mg9\CloudNotifications.exeCode function: 20_2_00007FFC74C43910
                      Source: C:\Users\user\AppData\Local\R7Mg9\CloudNotifications.exeCode function: 20_2_00007FFC74C2B100
                      Source: C:\Users\user\AppData\Local\R7Mg9\CloudNotifications.exeCode function: 20_2_00007FFC74C56130
                      Source: C:\Users\user\AppData\Local\R7Mg9\CloudNotifications.exeCode function: 20_2_00007FFC74C218D0
                      Source: C:\Users\user\AppData\Local\R7Mg9\CloudNotifications.exeCode function: 20_2_00007FFC74C9C0EB
                      Source: C:\Users\user\AppData\Local\R7Mg9\CloudNotifications.exeCode function: 20_2_00007FFC74C3D890
                      Source: C:\Users\user\AppData\Local\R7Mg9\CloudNotifications.exeCode function: 20_2_00007FFC74C308B0
                      Source: C:\Users\user\AppData\Local\R7Mg9\CloudNotifications.exeCode function: 20_2_00007FFC74C9C8B1
                      Source: C:\Users\user\AppData\Local\R7Mg9\CloudNotifications.exeCode function: 20_2_00007FFC74C5B250
                      Source: C:\Users\user\AppData\Local\R7Mg9\CloudNotifications.exeCode function: 20_2_00007FFC74C27A40
                      Source: C:\Users\user\AppData\Local\R7Mg9\CloudNotifications.exeCode function: 20_2_00007FFC74C8B260
                      Source: C:\Users\user\AppData\Local\R7Mg9\CloudNotifications.exeCode function: 20_2_00007FFC74C521D0
                      Source: C:\Users\user\AppData\Local\R7Mg9\CloudNotifications.exeCode function: 20_2_00007FFC74C469C0
                      Source: C:\Users\user\AppData\Local\R7Mg9\CloudNotifications.exeCode function: 20_2_00007FFC74C4F1F0
                      Source: C:\Users\user\AppData\Local\R7Mg9\CloudNotifications.exeCode function: 20_2_00007FFC74C591F0
                      Source: C:\Users\user\AppData\Local\R7Mg9\CloudNotifications.exeCode function: 20_2_00007FFC74C589F0
                      Source: C:\Users\user\AppData\Local\R7Mg9\CloudNotifications.exeCode function: 20_2_00007FFC74C59990
                      Source: C:\Users\user\AppData\Local\R7Mg9\CloudNotifications.exeCode function: 20_2_00007FFC74C22980
                      Source: C:\Users\user\AppData\Local\R7Mg9\CloudNotifications.exeCode function: 20_2_00007FFC74C3E9B0
                      Source: C:\Users\user\AppData\Local\R7Mg9\CloudNotifications.exeCode function: 20_2_00007FFC74C411B0
                      Source: C:\Users\user\AppData\Local\R7Mg9\CloudNotifications.exeCode function: 20_2_00007FFC74C4E9A0
                      Source: C:\Users\user\AppData\Local\R7Mg9\CloudNotifications.exeCode function: 20_2_00007FFC74C85B50
                      Source: C:\Users\user\AppData\Local\R7Mg9\CloudNotifications.exeCode function: 20_2_00007FFC74C25350
                      Source: C:\Users\user\AppData\Local\R7Mg9\CloudNotifications.exeCode function: 20_2_00007FFC74C43340
                      Source: C:\Users\user\AppData\Local\R7Mg9\CloudNotifications.exeCode function: 20_2_00007FFC74C38340
                      Source: C:\Users\user\AppData\Local\R7Mg9\CloudNotifications.exeCode function: 20_2_00007FFC74C54360
                      Source: C:\Users\user\AppData\Local\R7Mg9\CloudNotifications.exeCode function: 20_2_00007FFC74C4A310
                      Source: C:\Users\user\AppData\Local\R7Mg9\CloudNotifications.exeCode function: 20_2_00007FFC74C50300
                      Source: C:\Users\user\AppData\Local\R7Mg9\CloudNotifications.exeCode function: 20_2_00007FFC74C51B30
                      Source: C:\Users\user\AppData\Local\R7Mg9\CloudNotifications.exeCode function: 20_2_00007FFC74C2BB20
                      Source: C:\Users\user\AppData\Local\R7Mg9\CloudNotifications.exeCode function: 20_2_00007FFC74C492C0
                      Source: C:\Users\user\AppData\Local\R7Mg9\CloudNotifications.exeCode function: 20_2_00007FFC74C722C0
                      Source: C:\Users\user\AppData\Local\R7Mg9\CloudNotifications.exeCode function: 20_2_00007FFC74C7F2C0
                      Source: C:\Users\user\AppData\Local\R7Mg9\CloudNotifications.exeCode function: 20_2_00007FFC74C87AF0
                      Source: C:\Users\user\AppData\Local\R7Mg9\CloudNotifications.exeCode function: 20_2_00007FFC74C482E0
                      Source: C:\Users\user\AppData\Local\R7Mg9\CloudNotifications.exeCode function: 20_2_00007FFC74C82AE0
                      Source: C:\Users\user\AppData\Local\R7Mg9\CloudNotifications.exeCode function: 20_2_00007FFC74C4DAA0
                      Source: C:\Users\user\AppData\Local\R7Mg9\CloudNotifications.exeCode function: 20_2_00007FFC74C882A0
                      Source: C:\Users\user\AppData\Local\R7Mg9\CloudNotifications.exeCode function: 20_2_00007FFC74C8AAA0
                      Source: C:\Users\user\AppData\Local\R7Mg9\CloudNotifications.exeCode function: 20_2_00007FFC74C37410
                      Source: C:\Users\user\AppData\Local\R7Mg9\CloudNotifications.exeCode function: 20_2_00007FFC74C89410
                      Source: C:\Users\user\AppData\Local\R7Mg9\CloudNotifications.exeCode function: 20_2_00007FFC74C8E400
                      Source: C:\Users\user\AppData\Local\R7Mg9\CloudNotifications.exeCode function: 20_2_00007FFC74C9FC00
                      Source: C:\Users\user\AppData\Local\R7Mg9\CloudNotifications.exeCode function: 20_2_00007FFC74C25C20
                      Source: C:\Users\user\AppData\Local\R7Mg9\CloudNotifications.exeCode function: 20_2_00007FFC74C35420
                      Source: C:\Users\user\AppData\Local\R7Mg9\CloudNotifications.exeCode function: 20_2_00007FFC74C74BC0
                      Source: C:\Users\user\AppData\Local\R7Mg9\CloudNotifications.exeCode function: 20_2_00007FFC74C323F0
                      Source: C:\Users\user\AppData\Local\R7Mg9\CloudNotifications.exeCode function: 20_2_00007FFC74C84390
                      Source: C:\Users\user\AppData\Local\4O9p1cGN\Dxpserver.exeCode function: 26_2_00007FF61310BC70
                      Source: C:\Users\user\AppData\Local\4O9p1cGN\Dxpserver.exeCode function: 26_2_00007FF6130F3C38
                      Source: C:\Users\user\AppData\Local\4O9p1cGN\Dxpserver.exeCode function: 26_2_00007FF6130FA064
                      Source: C:\Users\user\AppData\Local\4O9p1cGN\Dxpserver.exeCode function: 26_2_00007FF6130FF460
                      Source: C:\Users\user\AppData\Local\4O9p1cGN\Dxpserver.exeCode function: 26_2_00007FF6130EAC8C
                      Source: C:\Users\user\AppData\Local\4O9p1cGN\Dxpserver.exeCode function: 26_2_00007FF6130F8CC0
                      Source: C:\Users\user\AppData\Local\4O9p1cGN\Dxpserver.exeCode function: 26_2_00007FF6130E5CB8
                      Source: C:\Users\user\AppData\Local\4O9p1cGN\Dxpserver.exeCode function: 26_2_00007FF6130E1914
                      Source: C:\Users\user\AppData\Local\4O9p1cGN\Dxpserver.exeCode function: 26_2_00007FF613102900
                      Source: C:\Users\user\AppData\Local\4O9p1cGN\Dxpserver.exeCode function: 26_2_00007FF613106740
                      Source: C:\Users\user\AppData\Local\4O9p1cGN\Dxpserver.exeCode function: 26_2_00007FF613100790
                      Source: C:\Users\user\AppData\Local\4O9p1cGN\Dxpserver.exeCode function: 26_2_00007FF613108BE0
                      Source: C:\Users\user\AppData\Local\4O9p1cGN\Dxpserver.exeCode function: 26_2_00007FF61310EFCC
                      Source: C:\Users\user\AppData\Local\4O9p1cGN\Dxpserver.exeCode function: 26_2_00007FF6130E7404
                      Source: C:\Users\user\AppData\Local\4O9p1cGN\Dxpserver.exeCode function: 26_2_00007FF613101000
                      Source: C:\Users\user\AppData\Local\4O9p1cGN\Dxpserver.exeCode function: 26_2_00007FF613104A44
                      Source: C:\Users\user\AppData\Local\4O9p1cGN\Dxpserver.exeCode function: 26_2_00007FF6130E4A44
                      Source: C:\Users\user\AppData\Local\4O9p1cGN\Dxpserver.exeCode function: 26_2_00007FF613103E80
                      Source: C:\Users\user\AppData\Local\4O9p1cGN\Dxpserver.exeCode function: 26_2_00007FF6130EB2C0
                      Source: C:\Users\user\AppData\Local\4O9p1cGN\Dxpserver.exeCode function: 26_2_00007FF61310D6F0
                      Source: C:\Users\user\AppData\Local\4O9p1cGN\Dxpserver.exeCode function: 26_2_00007FF6130F1B14
                      Source: C:\Users\user\AppData\Local\4O9p1cGN\Dxpserver.exeCode function: 26_2_00007FF6130E5330
                      Source: C:\Users\user\AppData\Local\4O9p1cGN\Dxpserver.exeCode function: 26_2_00007FF6130F3554
                      Source: C:\Users\user\AppData\Local\4O9p1cGN\Dxpserver.exeCode function: 26_2_00007FF6130E2950
                      Source: C:\Users\user\AppData\Local\4O9p1cGN\Dxpserver.exeCode function: 26_2_00007FF6130F7170
                      Source: C:\Users\user\AppData\Local\4O9p1cGN\Dxpserver.exeCode function: 26_2_00007FF613105DC0
                      Source: C:\Users\user\AppData\Local\4O9p1cGN\Dxpserver.exeCode function: 26_2_00007FF61310C5F0
                      Source: C:\Users\user\AppData\Local\4O9p1cGN\Dxpserver.exeCode function: 26_2_00007FF61310F224
                      Source: C:\Users\user\AppData\Local\4O9p1cGN\Dxpserver.exeCode function: 26_2_00007FF6130FCE20
                      Source: C:\Users\user\AppData\Local\4O9p1cGN\Dxpserver.exeCode function: 26_2_00007FF6130E661C
                      Source: C:\Users\user\AppData\Local\n0R5g\mstsc.exeCode function: 33_2_00007FF7B87139A0
                      Source: C:\Users\user\AppData\Local\n0R5g\mstsc.exeCode function: 33_2_00007FF7B87135EC
                      Source: C:\Users\user\AppData\Local\n0R5g\mstsc.exeCode function: 33_2_00007FF7B8718DF0
                      Source: C:\Users\user\AppData\Local\n0R5g\mstsc.exeCode function: 33_2_00007FF7B871CE08
                      Source: C:\Users\user\AppData\Local\n0R5g\mstsc.exeCode function: 33_2_00007FF7B871EAB4
                      Source: C:\Users\user\AppData\Local\n0R5g\mstsc.exeCode function: 33_2_00007FF7B87212E0
                      Source: C:\Users\user\AppData\Local\n0R5g\mstsc.exeCode function: 33_2_00007FF7B8704EC4
                      Source: C:\Users\user\AppData\Local\n0R5g\mstsc.exeCode function: 33_2_00007FF7B8791690
                      Source: C:\Users\user\AppData\Local\n0R5g\mstsc.exeCode function: 33_2_00007FF7B870DA8C
                      Source: C:\Users\user\AppData\Local\n0R5g\mstsc.exeCode function: 33_2_00007FF7B8706B94
                      Source: C:\Users\user\AppData\Local\n0R5g\mstsc.exeCode function: 33_2_00007FF7B87177C0
                      Source: C:\Users\user\AppData\Local\n0R5g\mstsc.exeCode function: 33_2_00007FF7B8705410
                      Source: C:\Users\user\AppData\Local\n0R5g\mstsc.exeCode function: 33_2_00007FF7B8744320
                      Source: C:\Users\user\AppData\Local\n0R5g\mstsc.exeCode function: 33_2_00007FF7B87184C0
                      Source: C:\Users\user\AppData\Local\n0R5g\mstsc.exeCode function: 33_2_00007FF7B87164DC
                      Source: C:\Users\user\AppData\Local\n0R5g\mstsc.exeCode function: 33_2_00007FF7B871A858
                      Source: C:\Users\user\AppData\Local\n0R5g\mstsc.exeCode function: 33_2_00007FF7B8718060
                      Source: C:\Users\user\AppData\Local\Nz4mnM\SndVol.exeCode function: 35_2_00007FF742CE2BD8
                      Source: C:\Users\user\AppData\Local\Nz4mnM\SndVol.exeCode function: 35_2_00007FF742CE03A0
                      Source: C:\Users\user\AppData\Local\Nz4mnM\SndVol.exeCode function: 35_2_00007FF742CE3718
                      Source: C:\Users\user\AppData\Local\Nz4mnM\SndVol.exeCode function: 35_2_00007FF742CD44E8
                      Source: C:\Users\user\AppData\Local\Nz4mnM\SndVol.exeCode function: 35_2_00007FF742CD3514
                      Source: C:\Users\user\AppData\Local\Nz4mnM\SndVol.exeCode function: 35_2_00007FF742CE0CA8
                      Source: C:\Users\user\AppData\Local\Nz4mnM\SndVol.exeCode function: 35_2_00007FF742CEC4D0
                      Source: C:\Users\user\AppData\Local\Nz4mnM\SndVol.exeCode function: 35_2_00007FF742CEB088
                      Source: C:\Users\user\AppData\Local\Nz4mnM\SndVol.exeCode function: 35_2_00007FF742CD3080
                      Source: C:\Users\user\AppData\Local\Nz4mnM\SndVol.exeCode function: 35_2_00007FF742CDA1A0
                      Source: C:\Users\user\AppData\Local\Nz4mnM\SndVol.exeCode function: 35_2_00007FF742CDA5C8
                      Source: C:\Users\user\AppData\Local\Nz4mnM\SndVol.exeCode function: 35_2_00007FF742CD8310
                      Source: C:\Users\user\AppData\Local\Nz4mnM\SndVol.exeCode function: 35_2_00007FF742CE4F10
                      Source: C:\Users\user\AppData\Local\Nz4mnM\SndVol.exeCode function: 35_2_00007FF742CD6218
                      Source: C:\Windows\System32\loaddll64.exeCode function: 0_2_00007FFC67107770 NtClose,
                      Source: C:\Windows\System32\loaddll64.exeCode function: 0_2_00007FFC6712D520 NtQuerySystemInformation,
                      Source: C:\Users\user\AppData\Local\R7Mg9\CloudNotifications.exeCode function: 20_2_00007FF740787394 new,NtQueryWnfStateData,RtlSubscribeWnfStateChangeNotification,GetLastError,RtlUnsubscribeWnfNotificationWaitForCompletion,SetLastError,
                      Source: C:\Users\user\AppData\Local\R7Mg9\CloudNotifications.exeCode function: 20_2_00007FFC74C8D520 NtQuerySystemInformation,
                      Source: C:\Users\user\AppData\Local\R7Mg9\CloudNotifications.exeCode function: 20_2_00007FFC74C55CD0 RtlAddVectoredContinueHandler,VirtualProtect,VirtualProtect,RtlCreateUserThread,NtClose,
                      Source: C:\Users\user\AppData\Local\R7Mg9\CloudNotifications.exeCode function: 20_2_00007FFC74C5C4D0 CreateFileMappingW,VirtualAlloc,NtMapViewOfSection,NtUnmapViewOfSection,NtDuplicateObject,NtDuplicateObject,
                      Source: C:\Users\user\AppData\Local\R7Mg9\CloudNotifications.exeCode function: 20_2_00007FFC74C45F40 NtCreateSection,NtMapViewOfSection,NtUnmapViewOfSection,NtDuplicateObject,NtDuplicateObject,
                      Source: C:\Users\user\AppData\Local\R7Mg9\CloudNotifications.exeCode function: 20_2_00007FFC74C67770 NtClose,
                      Source: C:\Users\user\AppData\Local\R7Mg9\CloudNotifications.exeCode function: 20_2_00007FFC74C5AA70 VirtualAlloc,NtDuplicateObject,RtlQueueApcWow64Thread,
                      Source: C:\Users\user\AppData\Local\R7Mg9\CloudNotifications.exeCode function: 20_2_00007FFC74C5BAE0 NtReadVirtualMemory,
                      Source: eWlldJYfLc.dllBinary or memory string: OriginalFilenamedpnhupnp.dJ vs eWlldJYfLc.dll
                      Source: Dxpserver.exe.4.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                      Source: Dxpserver.exe.4.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                      Source: Dxpserver.exe.4.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                      Source: mstsc.exe.4.drStatic PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
                      Source: mstsc.exe.4.drStatic PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
                      Source: mstsc.exe.4.drStatic PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
                      Source: mstsc.exe.4.drStatic PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
                      Source: mstsc.exe.4.drStatic PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
                      Source: mstsc.exe.4.drStatic PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
                      Source: mstsc.exe.4.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                      Source: mstsc.exe.4.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                      Source: mstsc.exe.4.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                      Source: mstsc.exe.4.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                      Source: mstsc.exe.4.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                      Source: mstsc.exe.4.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                      Source: mstsc.exe.4.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                      Source: mstsc.exe.4.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                      Source: mstsc.exe.4.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                      Source: mstsc.exe.4.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                      Source: mstsc.exe.4.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                      Source: SndVol.exe.4.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                      Source: SndVol.exe.4.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                      Source: SndVol.exe.4.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                      Source: SndVol.exe.4.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                      Source: SndVol.exe.4.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                      Source: SndVol.exe.4.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                      Source: SndVol.exe.4.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                      Source: SndVol.exe.4.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                      Source: SndVol.exe.4.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                      Source: C:\Windows\System32\loaddll64.exeSection loaded: kernel34.dll
                      Source: C:\Windows\explorer.exeSection loaded: kernel34.dll
                      Source: C:\Windows\explorer.exeSection loaded: windows.globalization.dll
                      Source: C:\Windows\explorer.exeSection loaded: capabilityaccessmanagerclient.dll
                      Source: C:\Windows\explorer.exeSection loaded: kernel34.dll
                      Source: C:\Windows\explorer.exeSection loaded: kernel34.dll
                      Source: C:\Windows\explorer.exeSection loaded: kernel34.dll
                      Source: C:\Users\user\AppData\Local\R7Mg9\CloudNotifications.exeSection loaded: kernel34.dll
                      Source: C:\Users\user\AppData\Local\4O9p1cGN\Dxpserver.exeSection loaded: kernel34.dll
                      Source: C:\Users\user\AppData\Local\bj1HT\mfpmp.exeSection loaded: kernel34.dll
                      Source: C:\Users\user\AppData\Local\n0R5g\mstsc.exeSection loaded: kernel34.dll
                      Source: C:\Users\user\AppData\Local\Nz4mnM\SndVol.exeSection loaded: kernel34.dll
                      Source: dwmapi.dll.4.drStatic PE information: Number of sections : 61 > 10
                      Source: ACTIVEDS.dll.4.drStatic PE information: Number of sections : 61 > 10
                      Source: MFPlat.DLL.4.drStatic PE information: Number of sections : 61 > 10
                      Source: Secur32.dll.4.drStatic PE information: Number of sections : 61 > 10
                      Source: DUI70.dll.4.drStatic PE information: Number of sections : 61 > 10
                      Source: UxTheme.dll0.4.drStatic PE information: Number of sections : 61 > 10
                      Source: XmlLite.dll.4.drStatic PE information: Number of sections : 61 > 10
                      Source: XmlLite.dll0.4.drStatic PE information: Number of sections : 61 > 10
                      Source: eWlldJYfLc.dllStatic PE information: Number of sections : 60 > 10
                      Source: UxTheme.dll.4.drStatic PE information: Number of sections : 61 > 10
                      Source: eWlldJYfLc.dllStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                      Source: dwmapi.dll.4.drStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                      Source: MFPlat.DLL.4.drStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                      Source: Secur32.dll.4.drStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                      Source: UxTheme.dll.4.drStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                      Source: XmlLite.dll.4.drStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                      Source: DUI70.dll.4.drStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                      Source: ACTIVEDS.dll.4.drStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                      Source: SppExtComObj.Exe.4.drStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                      Source: XmlLite.dll0.4.drStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                      Source: UxTheme.dll0.4.drStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                      Source: eWlldJYfLc.dllVirustotal: Detection: 67%
                      Source: eWlldJYfLc.dllMetadefender: Detection: 60%
                      Source: eWlldJYfLc.dllReversingLabs: Detection: 88%
                      Source: eWlldJYfLc.dllStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                      Source: C:\Windows\System32\loaddll64.exeKey opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                      Source: unknownProcess created: C:\Windows\System32\loaddll64.exe loaddll64.exe "C:\Users\user\Desktop\eWlldJYfLc.dll"
                      Source: C:\Windows\System32\loaddll64.exeProcess created: C:\Windows\System32\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\eWlldJYfLc.dll",#1
                      Source: C:\Windows\System32\loaddll64.exeProcess created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\eWlldJYfLc.dll,IsInteractiveUserSession
                      Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\eWlldJYfLc.dll",#1
                      Source: C:\Windows\System32\loaddll64.exeProcess created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\eWlldJYfLc.dll,QueryActiveSession
                      Source: C:\Windows\System32\loaddll64.exeProcess created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\eWlldJYfLc.dll,QueryUserToken
                      Source: C:\Windows\explorer.exeProcess created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k NetworkService -p
                      Source: C:\Windows\explorer.exeProcess created: C:\Windows\System32\sdclt.exe C:\Windows\system32\sdclt.exe
                      Source: C:\Windows\explorer.exeProcess created: C:\Windows\System32\CloudNotifications.exe C:\Windows\system32\CloudNotifications.exe
                      Source: C:\Windows\explorer.exeProcess created: C:\Users\user\AppData\Local\R7Mg9\CloudNotifications.exe C:\Users\user\AppData\Local\R7Mg9\CloudNotifications.exe
                      Source: C:\Windows\explorer.exeProcess created: C:\Windows\System32\systemreset.exe C:\Windows\system32\systemreset.exe
                      Source: C:\Windows\explorer.exeProcess created: C:\Windows\System32\Dxpserver.exe C:\Windows\system32\Dxpserver.exe
                      Source: C:\Windows\explorer.exeProcess created: C:\Users\user\AppData\Local\4O9p1cGN\Dxpserver.exe C:\Users\user\AppData\Local\4O9p1cGN\Dxpserver.exe
                      Source: C:\Windows\explorer.exeProcess created: C:\Windows\System32\mfpmp.exe C:\Windows\system32\mfpmp.exe
                      Source: C:\Windows\explorer.exeProcess created: C:\Users\user\AppData\Local\bj1HT\mfpmp.exe C:\Users\user\AppData\Local\bj1HT\mfpmp.exe
                      Source: C:\Windows\explorer.exeProcess created: C:\Windows\System32\msra.exe C:\Windows\system32\msra.exe
                      Source: C:\Windows\explorer.exeProcess created: C:\Windows\System32\mstsc.exe C:\Windows\system32\mstsc.exe
                      Source: C:\Windows\explorer.exeProcess created: C:\Users\user\AppData\Local\n0R5g\mstsc.exe C:\Users\user\AppData\Local\n0R5g\mstsc.exe
                      Source: C:\Windows\explorer.exeProcess created: C:\Windows\System32\SndVol.exe C:\Windows\system32\SndVol.exe
                      Source: C:\Windows\explorer.exeProcess created: C:\Users\user\AppData\Local\Nz4mnM\SndVol.exe C:\Users\user\AppData\Local\Nz4mnM\SndVol.exe
                      Source: C:\Windows\explorer.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32
                      Source: C:\Windows\explorer.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Crypto
                      Source: Dxpserver.exe.4.drBinary string: FNULL%s\*.*...Device%s\%s%s%s\%s%s\Device\%s%s\Device
                      Source: classification engineClassification label: mal100.troj.expl.evad.winDLL@46/19@0/0
                      Source: C:\Users\user\AppData\Local\R7Mg9\CloudNotifications.exeCode function: 20_2_00007FF740783570 CoCreateInstance,
                      Source: C:\Users\user\AppData\Local\R7Mg9\CloudNotifications.exeCode function: 20_2_00007FFC74C5CB00 GetProcessId,CreateToolhelp32Snapshot,Thread32First,
                      Source: C:\Windows\System32\loaddll64.exeProcess created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\eWlldJYfLc.dll,IsInteractiveUserSession
                      Source: C:\Users\user\AppData\Local\Nz4mnM\SndVol.exeMutant created: \Sessions\1\BaseNamedObjects\{02c91c43-0eca-a572-1a91-4df7a7da9f72}
                      Source: C:\Users\user\AppData\Local\Nz4mnM\SndVol.exeMutant created: \Sessions\1\BaseNamedObjects\{25ac7a03-cb33-2ddf-542d-93d552beab0b}
                      Source: C:\Users\user\AppData\Local\R7Mg9\CloudNotifications.exeCode function: 20_2_00007FF740784798 FindResourceExW,LoadResource,LockResource,
                      Source: eWlldJYfLc.dllStatic PE information: Image base 0x140000000 > 0x60000000
                      Source: eWlldJYfLc.dllStatic file information: File size 1368064 > 1048576
                      Source: eWlldJYfLc.dllStatic PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA
                      Source: Binary string: SndVol.pdbGCTL source: SndVol.exe, 00000023.00000000.548108875.00007FF742CF2000.00000002.00000001.01000000.00000012.sdmp, SndVol.exe, 00000023.00000002.574100528.00007FF742CF2000.00000002.00000001.01000000.00000012.sdmp, SndVol.exe.4.dr
                      Source: Binary string: SppExtComObj.pdb source: SppExtComObj.Exe.4.dr
                      Source: Binary string: MFPMP.pdb source: mfpmp.exe, 0000001D.00000000.471765821.00007FF670A47000.00000002.00000001.01000000.0000000D.sdmp, mfpmp.exe, 0000001D.00000002.500806173.00007FF670A47000.00000002.00000001.01000000.0000000D.sdmp, mfpmp.exe.4.dr
                      Source: Binary string: CloudNotifications.pdb source: CloudNotifications.exe, 00000014.00000000.405037506.00007FF74078B000.00000002.00000001.01000000.00000009.sdmp, CloudNotifications.exe, 00000014.00000002.430793146.00007FF74078B000.00000002.00000001.01000000.00000009.sdmp, CloudNotifications.exe.4.dr
                      Source: Binary string: deviceenroller.pdb source: DeviceEnroller.exe.4.dr
                      Source: Binary string: MFPMP.pdbUGP source: mfpmp.exe, 0000001D.00000000.471765821.00007FF670A47000.00000002.00000001.01000000.0000000D.sdmp, mfpmp.exe, 0000001D.00000002.500806173.00007FF670A47000.00000002.00000001.01000000.0000000D.sdmp, mfpmp.exe.4.dr
                      Source: Binary string: DXPServer.pdbGCTL source: Dxpserver.exe, 0000001A.00000000.442933050.00007FF613111000.00000002.00000001.01000000.0000000B.sdmp, Dxpserver.exe, 0000001A.00000002.465912323.00007FF613111000.00000002.00000001.01000000.0000000B.sdmp, Dxpserver.exe.4.dr
                      Source: Binary string: mstsc.pdbGCTL source: mstsc.exe, 00000021.00000000.509159807.00007FF7B8824000.00000002.00000001.01000000.00000010.sdmp, mstsc.exe, 00000021.00000002.535164127.00007FF7B8824000.00000002.00000001.01000000.00000010.sdmp, mstsc.exe.4.dr
                      Source: Binary string: CameraSettingsUIHost.pdbGCTL source: CameraSettingsUIHost.exe.4.dr
                      Source: Binary string: CameraSettingsUIHost.pdb source: CameraSettingsUIHost.exe.4.dr
                      Source: Binary string: SppExtComObj.pdbUGP source: SppExtComObj.Exe.4.dr
                      Source: Binary string: mstsc.pdb source: mstsc.exe, 00000021.00000000.509159807.00007FF7B8824000.00000002.00000001.01000000.00000010.sdmp, mstsc.exe, 00000021.00000002.535164127.00007FF7B8824000.00000002.00000001.01000000.00000010.sdmp, mstsc.exe.4.dr
                      Source: Binary string: DDODiag.pdbGCTL source: ddodiag.exe.4.dr
                      Source: Binary string: DDODiag.pdb source: ddodiag.exe.4.dr
                      Source: Binary string: SndVol.pdb source: SndVol.exe, 00000023.00000000.548108875.00007FF742CF2000.00000002.00000001.01000000.00000012.sdmp, SndVol.exe, 00000023.00000002.574100528.00007FF742CF2000.00000002.00000001.01000000.00000012.sdmp, SndVol.exe.4.dr
                      Source: Binary string: CloudNotifications.pdbGCTL source: CloudNotifications.exe, 00000014.00000000.405037506.00007FF74078B000.00000002.00000001.01000000.00000009.sdmp, CloudNotifications.exe, 00000014.00000002.430793146.00007FF74078B000.00000002.00000001.01000000.00000009.sdmp, CloudNotifications.exe.4.dr
                      Source: Binary string: DXPServer.pdb source: Dxpserver.exe, 0000001A.00000000.442933050.00007FF613111000.00000002.00000001.01000000.0000000B.sdmp, Dxpserver.exe, 0000001A.00000002.465912323.00007FF613111000.00000002.00000001.01000000.0000000B.sdmp, Dxpserver.exe.4.dr
                      Source: Binary string: deviceenroller.pdbGCTL source: DeviceEnroller.exe.4.dr
                      Source: C:\Windows\System32\loaddll64.exeCode function: 0_2_00007FFC6713D500 push rax; iretd
                      Source: C:\Users\user\AppData\Local\R7Mg9\CloudNotifications.exeCode function: 20_2_00007FFC74C9D500 push rax; iretd
                      Source: eWlldJYfLc.dllStatic PE information: section name: .vxl
                      Source: eWlldJYfLc.dllStatic PE information: section name: .qwubgr
                      Source: eWlldJYfLc.dllStatic PE information: section name: .eer
                      Source: eWlldJYfLc.dllStatic PE information: section name: .xwwauf
                      Source: eWlldJYfLc.dllStatic PE information: section name: .pkc
                      Source: eWlldJYfLc.dllStatic PE information: section name: .npkda
                      Source: eWlldJYfLc.dllStatic PE information: section name: .vhs
                      Source: eWlldJYfLc.dllStatic PE information: section name: .iaywj
                      Source: eWlldJYfLc.dllStatic PE information: section name: .nasi
                      Source: eWlldJYfLc.dllStatic PE information: section name: .zhvprh
                      Source: eWlldJYfLc.dllStatic PE information: section name: .yatdsp
                      Source: eWlldJYfLc.dllStatic PE information: section name: .njso
                      Source: eWlldJYfLc.dllStatic PE information: section name: .lgliat
                      Source: eWlldJYfLc.dllStatic PE information: section name: .ntqjh
                      Source: eWlldJYfLc.dllStatic PE information: section name: .sucsek
                      Source: eWlldJYfLc.dllStatic PE information: section name: .qsxjui
                      Source: eWlldJYfLc.dllStatic PE information: section name: .twctcm
                      Source: eWlldJYfLc.dllStatic PE information: section name: .nms
                      Source: eWlldJYfLc.dllStatic PE information: section name: .ogj
                      Source: eWlldJYfLc.dllStatic PE information: section name: .vrkgb
                      Source: eWlldJYfLc.dllStatic PE information: section name: .gikfw
                      Source: eWlldJYfLc.dllStatic PE information: section name: .ktl
                      Source: eWlldJYfLc.dllStatic PE information: section name: .crcn
                      Source: eWlldJYfLc.dllStatic PE information: section name: .wtfr
                      Source: eWlldJYfLc.dllStatic PE information: section name: .hep
                      Source: eWlldJYfLc.dllStatic PE information: section name: .ywg
                      Source: eWlldJYfLc.dllStatic PE information: section name: .sqsp
                      Source: eWlldJYfLc.dllStatic PE information: section name: .gzb
                      Source: eWlldJYfLc.dllStatic PE information: section name: .fatlss
                      Source: eWlldJYfLc.dllStatic PE information: section name: .plqa
                      Source: eWlldJYfLc.dllStatic PE information: section name: .vzt
                      Source: eWlldJYfLc.dllStatic PE information: section name: .dsbyd
                      Source: eWlldJYfLc.dllStatic PE information: section name: .cdelc
                      Source: eWlldJYfLc.dllStatic PE information: section name: .qkhkj
                      Source: eWlldJYfLc.dllStatic PE information: section name: .mnzegr
                      Source: eWlldJYfLc.dllStatic PE information: section name: .krw
                      Source: eWlldJYfLc.dllStatic PE information: section name: .jvsmn
                      Source: eWlldJYfLc.dllStatic PE information: section name: .bygpq
                      Source: eWlldJYfLc.dllStatic PE information: section name: .kzdbu
                      Source: eWlldJYfLc.dllStatic PE information: section name: .mwxorn
                      Source: eWlldJYfLc.dllStatic PE information: section name: .raf
                      Source: eWlldJYfLc.dllStatic PE information: section name: .zcyw
                      Source: eWlldJYfLc.dllStatic PE information: section name: .zeczh
                      Source: eWlldJYfLc.dllStatic PE information: section name: .pvv
                      Source: eWlldJYfLc.dllStatic PE information: section name: .lug
                      Source: eWlldJYfLc.dllStatic PE information: section name: .ski
                      Source: eWlldJYfLc.dllStatic PE information: section name: .japjd
                      Source: eWlldJYfLc.dllStatic PE information: section name: .mwtzml
                      Source: eWlldJYfLc.dllStatic PE information: section name: .vgssf
                      Source: eWlldJYfLc.dllStatic PE information: section name: .gsroye
                      Source: eWlldJYfLc.dllStatic PE information: section name: .vcmr
                      Source: eWlldJYfLc.dllStatic PE information: section name: .ufki
                      Source: eWlldJYfLc.dllStatic PE information: section name: .btl
                      Source: eWlldJYfLc.dllStatic PE information: section name: .pmeh
                      Source: mfpmp.exe.4.drStatic PE information: section name: .didat
                      Source: mstsc.exe.4.drStatic PE information: section name: .didat
                      Source: SndVol.exe.4.drStatic PE information: section name: .imrsiv
                      Source: SndVol.exe.4.drStatic PE information: section name: .didat
                      Source: DeviceEnroller.exe.4.drStatic PE information: section name: .didat
                      Source: CameraSettingsUIHost.exe.4.drStatic PE information: section name: .imrsiv
                      Source: CloudNotifications.exe.4.drStatic PE information: section name: .imrsiv
                      Source: CloudNotifications.exe.4.drStatic PE information: section name: .didat
                      Source: dwmapi.dll.4.drStatic PE information: section name: .vxl
                      Source: dwmapi.dll.4.drStatic PE information: section name: .qwubgr
                      Source: dwmapi.dll.4.drStatic PE information: section name: .eer
                      Source: dwmapi.dll.4.drStatic PE information: section name: .xwwauf
                      Source: dwmapi.dll.4.drStatic PE information: section name: .pkc
                      Source: dwmapi.dll.4.drStatic PE information: section name: .npkda
                      Source: dwmapi.dll.4.drStatic PE information: section name: .vhs
                      Source: dwmapi.dll.4.drStatic PE information: section name: .iaywj
                      Source: dwmapi.dll.4.drStatic PE information: section name: .nasi
                      Source: dwmapi.dll.4.drStatic PE information: section name: .zhvprh
                      Source: dwmapi.dll.4.dr, MFPlat.DLL.4.dr, Secur32.dll.4.dr, UxTheme.dll.4.dr, XmlLite.dll.4.dr, DUI70.dll.4.dr, ACTIVEDS.dll.4.dr  Static PE information: each of these dropped DLLs carries the same 54 section names in the same order: .vxl, .qwubgr, .eer, .xwwauf, .pkc, .npkda, .vhs, .iaywj, .nasi, .zhvprh, .yatdsp, .njso, .lgliat, .ntqjh, .sucsek, .qsxjui, .twctcm, .nms, .ogj, .vrkgb, .gikfw, .ktl, .crcn, .wtfr, .hep, .ywg, .sqsp, .gzb, .fatlss, .plqa, .vzt, .dsbyd, .cdelc, .qkhkj, .mnzegr, .krw, .jvsmn, .bygpq, .kzdbu, .mwxorn, .raf, .zcyw, .zeczh, .pvv, .lug, .ski, .japjd, .mwtzml, .vgssf, .gsroye, .vcmr, .ufki, .btl, .pmeh (dwmapi.dll.4.dr: the entries from .yatdsp through .pmeh are the ones shown here)
                      Source: dwmapi.dll.4.dr  Static PE information: section name (last, unique to this file): .bfwtl
                      Source: MFPlat.DLL.4.dr  Static PE information: section name (last, unique to this file): .mivbr
                      Source: Secur32.dll.4.dr  Static PE information: section name (last, unique to this file): .uuuuw
                      Source: UxTheme.dll.4.dr  Static PE information: section name (last, unique to this file): .leg
                      Source: XmlLite.dll.4.dr  Static PE information: section name (last, unique to this file): .sfgb
                      Source: DUI70.dll.4.dr  Static PE information: section name (last, unique to this file): .mquhr
                      Source: ACTIVEDS.dll.4.dr  Static PE information: section name (last, unique to this file): .nfr
                      Source: SppExtComObj.Exe.4.dr  Static PE information: section name: ?g_Encry

                      The repeated 54-name sequence is a static fingerprint for whatever packed these DLLs: the names look random, but they are identical, and in the same order, in every dropped DLL, so a detection rule can key on the sequence (or on several of its names together) rather than on the trailing name, which differs per file. ?g_Encry in SppExtComObj.Exe.4.dr is the only name here containing a character outside the usual section-name alphabet; it is the kind of name the "PE file contains section with special chars" signature in the overview describes, while the others fall under "sections with non-standard names".
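The non-standard and special-character section names listed above are exactly what a static scanner keys on. The following Python is an added example, not Joe Sandbox's code and not a component of the sample: it parses the COFF section table directly (no third-party PE library), reimplements the two checks the report's signatures describe, and computes the ordered run of section names shared across several dropped files, which is the fingerprint noted above. The PE images it analyses are headers-only stubs constructed inside the script with a handful of names taken from this report; the STANDARD_SECTIONS allow-list is an assumption of the example, not something the report defines.

```python
import struct

# Assumed allow-list: section names a normally built (MSVC/MinGW) image carries.
STANDARD_SECTIONS = {
    ".text", ".data", ".rdata", ".idata", ".edata", ".pdata", ".rsrc",
    ".reloc", ".bss", ".tls", ".CRT", ".debug", ".gfids", ".didat", ".00cfg",
}


def section_names(image: bytes) -> list[str]:
    """Return the section names from a PE image's COFF section table."""
    if image[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4                       # IMAGE_FILE_HEADER starts after "PE\0\0"
    num_sections = struct.unpack_from("<H", image, coff + 2)[0]
    opt_size = struct.unpack_from("<H", image, coff + 16)[0]
    table = coff + 20 + opt_size              # section headers follow the optional header
    names = []
    for i in range(num_sections):
        off = table + i * 40                  # IMAGE_SECTION_HEADER is 40 bytes
        raw = image[off:off + 8]              # Name: 8 bytes, NUL padded, no NUL when full
        names.append(raw.split(b"\0", 1)[0].decode("latin-1"))
    return names


def has_special_chars(name: str) -> bool:
    """True when the name uses characters outside [A-Za-z0-9._$], e.g. '?g_Encry'."""
    return any(not (c.isalnum() or c in "._$") for c in name)


def classify(image: bytes) -> dict:
    """Reproduce the two static checks: non-standard names and special-char names."""
    names = section_names(image)
    return {
        "names": names,
        "non_standard": [n for n in names if n not in STANDARD_SECTIONS],
        "special_chars": [n for n in names if has_special_chars(n)],
    }


def shared_prefix(name_lists: list[list[str]]) -> list[str]:
    """Longest ordered run of section names common to every image (packer fingerprint)."""
    prefix = []
    for column in zip(*name_lists):
        if len(set(column)) != 1:
            break
        prefix.append(column[0])
    return prefix


def build_stub_pe(names: list[str]) -> bytes:
    """Constructed headers-only PE32 stub (not loadable) carrying the given section names."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    opt = struct.pack("<H", 0x10B) + b"\0" * 94           # Magic = PE32, rest zeroed
    coff = struct.pack("<HHIIIHH", 0x14C, len(names), 0, 0, 0, len(opt), 0x2102)
    headers = b"".join(struct.pack("<8s", n.encode("latin-1")) + b"\0" * 32 for n in names)
    return dos + b"PE\0\0" + coff + opt + headers


if __name__ == "__main__":
    # Constructed inputs echoing the report: a shared run of packer names with one
    # unique trailing section per file, plus one image with a special-character name.
    packer_run = [".vxl", ".qwubgr", ".eer", ".xwwauf", ".pkc"]
    images = {
        "dwmapi.dll": build_stub_pe(packer_run + [".bfwtl"]),
        "MFPlat.DLL": build_stub_pe(packer_run + [".mivbr"]),
        "SppExtComObj.Exe": build_stub_pe([".text", ".rdata", "?g_Encry"]),
    }
    for fname, img in images.items():
        print(fname, classify(img))
    print("shared run:", shared_prefix([section_names(images["dwmapi.dll"]),
                                        section_names(images["MFPlat.DLL"])]))
```

On a real dropped file, pass the file bytes to classify() instead of a stub; the parser only reads the headers, so it works on a truncated dump as long as the section table is present.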
                      Source: XmlLite.dll0.4.dr  Static PE information: section names (the same ordered sequence as the dropped DLLs above): .vxl, .qwubgr, .eer, .xwwauf, .pkc, .npkda, .vhs, .iaywj, .nasi, .zhvprh, .yatdsp, .njso, .lgliat, .ntqjh, .sucsek, .qsxjui, .twctcm, .nms, .ogj, .vrkgb, .gikfw, .ktl, .crcn, .wtfr, .hep, .ywg, .sqsp, .gzb, .fatlss, .plqa
                      Source: XmlLite.dll0.4.drStatic PE information: section name: .vzt
                      Source: XmlLite.dll0.4.drStatic PE information: section name: .dsbyd
                      Source: XmlLite.dll0.4.drStatic PE information: section name: .cdelc
                      Source: XmlLite.dll0.4.drStatic PE information: section name: .qkhkj
                      Source: XmlLite.dll0.4.drStatic PE information: section name: .mnzegr
                      Source: XmlLite.dll0.4.drStatic PE information: section name: .krw
                      Source: XmlLite.dll0.4.drStatic PE information: section name: .jvsmn
                      Source: XmlLite.dll0.4.drStatic PE information: section name: .bygpq
                      Source: XmlLite.dll0.4.drStatic PE information: section name: .kzdbu
                      Source: XmlLite.dll0.4.drStatic PE information: section name: .mwxorn
                      Source: XmlLite.dll0.4.drStatic PE information: section name: .raf
                      Source: XmlLite.dll0.4.drStatic PE information: section name: .zcyw
                      Source: XmlLite.dll0.4.drStatic PE information: section name: .zeczh
                      Source: XmlLite.dll0.4.drStatic PE information: section name: .pvv
                      Source: XmlLite.dll0.4.drStatic PE information: section name: .lug
                      Source: XmlLite.dll0.4.drStatic PE information: section name: .ski
                      Source: XmlLite.dll0.4.drStatic PE information: section name: .japjd
                      Source: XmlLite.dll0.4.drStatic PE information: section name: .mwtzml
                      Source: XmlLite.dll0.4.drStatic PE information: section name: .vgssf
                      Source: XmlLite.dll0.4.drStatic PE information: section name: .gsroye
                      Source: XmlLite.dll0.4.drStatic PE information: section name: .vcmr
                      Source: XmlLite.dll0.4.drStatic PE information: section name: .ufki
                      Source: C:\Users\user\AppData\Local\n0R5g\mstsc.exe | Code function: 33_2_00007FF7B871BEA0 LoadLibraryW,GetProcAddress,GetProcAddress,
                      Source: Dxpserver.exe.4.dr | Static PE information: 0xABA47AA2 [Sat Apr 2 16:00:34 2061 UTC]
                      Source: initial sample | Static PE information: section name: .text entropy: 7.78392111205
                      Source: initial sample | Static PE information: section name: .text entropy: 7.59477523886
                      Source: C:\Windows\explorer.exe | File created: C:\Users\user\AppData\Local\n0R5g\Secur32.dll
                      Source: C:\Windows\explorer.exe | File created: C:\Users\user\AppData\Local\n0R5g\mstsc.exe
                      Source: C:\Windows\explorer.exe | File created: C:\Users\user\AppData\Local\EQ0DjT2sP\CameraSettingsUIHost.exe
                      Source: C:\Windows\explorer.exe | File created: C:\Users\user\AppData\Local\O0z6Mm4\XmlLite.dll
                      Source: C:\Windows\explorer.exe | File created: C:\Users\user\AppData\Local\aJcBg\DeviceEnroller.exe
                      Source: C:\Windows\explorer.exe | File created: C:\Users\user\AppData\Local\R7Mg9\CloudNotifications.exe
                      Source: C:\Windows\explorer.exe | File created: C:\Users\user\AppData\Local\Nz4mnM\SndVol.exe
                      Source: C:\Windows\explorer.exe | File created: C:\Users\user\AppData\Local\bj1HT\mfpmp.exe
                      Source: C:\Windows\explorer.exe | File created: C:\Users\user\AppData\Local\4O9p1cGN\dwmapi.dll
                      Source: C:\Windows\explorer.exe | File created: C:\Users\user\AppData\Local\aJcBg\XmlLite.dll
                      Source: C:\Windows\explorer.exe | File created: C:\Users\user\AppData\Local\EQ0DjT2sP\DUI70.dll
                      Source: C:\Windows\explorer.exe | File created: C:\Users\user\AppData\Local\4O9p1cGN\Dxpserver.exe
                      Source: C:\Windows\explorer.exe | File created: C:\Users\user\AppData\Local\vFRJtv0CU\SppExtComObj.Exe
                      Source: C:\Windows\explorer.exe | File created: C:\Users\user\AppData\Local\Nz4mnM\UxTheme.dll
                      Source: C:\Windows\explorer.exe | File created: C:\Users\user\AppData\Local\vFRJtv0CU\ACTIVEDS.dll
                      Source: C:\Windows\explorer.exe | File created: C:\Users\user\AppData\Local\R7Mg9\UxTheme.dll
                      Source: C:\Windows\explorer.exe | File created: C:\Users\user\AppData\Local\O0z6Mm4\ddodiag.exe
                      Source: C:\Windows\explorer.exe | File created: C:\Users\user\AppData\Local\bj1HT\MFPlat.DLL
                      Source: C:\Users\user\AppData\Local\4O9p1cGN\Dxpserver.exe | Code function: 26_2_00007FF6130F3080 WinSqmSetString,IsIconic,ShowWindow,GetSystemMenu,CheckMenuItem,
                      Source: C:\Users\user\AppData\Local\n0R5g\mstsc.exe | Code function: 33_2_00007FF7B87139A0 SetFocus,LoadCursorW,SetCursor,DefWindowProcW,GetClientRect,IsIconic,memset,GetTitleBarInfo,GetCursorPos,SendMessageW,
                      Source: C:\Users\user\AppData\Local\n0R5g\mstsc.exe | Code function: 33_2_00007FF7B870F5A4 DefWindowProcW,IsIconic,GetClientRect,GetLastError,VariantClear,DefWindowProcW,
                      Source: C:\Users\user\AppData\Local\n0R5g\mstsc.exe | Code function: 33_2_00007FF7B878C560 GetWindowRect,IsWindow,IsIconic,GetSystemMetrics,GetSystemMetrics,GetWindowRect,PtInRect,PtInRect,SystemParametersInfoW,CopyRect,SetWindowPos,
                      Source: C:\Users\user\AppData\Local\n0R5g\mstsc.exe | Code function: 33_2_00007FF7B870CE48 IsIconic,GetWindowPlacement,GetLastError,
                      Source: C:\Users\user\AppData\Local\n0R5g\mstsc.exe | Code function: 33_2_00007FF7B8709A6C IsIconic,GetWindowPlacement,GetWindowRect,
                      Source: C:\Users\user\AppData\Local\n0R5g\mstsc.exe | Code function: 33_2_00007FF7B870CF28 IsIconic,GetWindowPlacement,GetLastError,IsZoomed,SetWindowPlacement,GetLastError,SetWindowPos,SetWindowPos,GetClientRect,MoveWindow,
                      Source: C:\Users\user\AppData\Local\n0R5g\mstsc.exe | Code function: 33_2_00007FF7B8711B44 lstrcmpW,LockWindowUpdate,IsIconic,GetWindowPlacement,GetWindowLongW,SetWindowLongW,SetWindowLongW,VariantInit,VariantClear,GetRgnBox,OffsetRgn,VariantClear,ShowWindow,SetWindowPos,SetWindowPos,SetWindowRgn,LockWindowUpdate,
                      Source: C:\Users\user\AppData\Local\n0R5g\mstsc.exe | Code function: 33_2_00007FF7B8712F5C IsWindowVisible,IsIconic,
                      Source: C:\Users\user\AppData\Local\n0R5g\mstsc.exe | Code function: 33_2_00007FF7B87104F8 IsZoomed,IsIconic,EnableMenuItem,EnableMenuItem,EnableMenuItem,EnableMenuItem,EnableMenuItem,EnableMenuItem,
                      Source: C:\Users\user\AppData\Local\n0R5g\mstsc.exe | Code function: 33_2_00007FF7B8712884 GetWindowRect,GetWindowLongW,GetWindowLongW,memset,CopyRect,IntersectRect,MoveWindow,IsIconic,memset,GetWindowPlacement,
                      Source: C:\Windows\System32\rundll32.exe | Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\explorer.exe | Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\explorer.exe TID: 5344 | Thread sleep count: 63 > 30
                      Source: C:\Windows\explorer.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\EQ0DjT2sP\CameraSettingsUIHost.exe
                      Source: C:\Windows\explorer.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\aJcBg\DeviceEnroller.exe
                      Source: C:\Windows\explorer.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\EQ0DjT2sP\DUI70.dll
                      Source: C:\Windows\explorer.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\vFRJtv0CU\SppExtComObj.Exe
                      Source: C:\Windows\explorer.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\vFRJtv0CU\ACTIVEDS.dll
                      Source: C:\Windows\explorer.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\O0z6Mm4\ddodiag.exe
                      Source: C:\Windows\System32\loaddll64.exe | Check user administrative privileges: GetTokenInformation,DecisionNodes
                      Source: C:\Users\user\AppData\Local\R7Mg9\CloudNotifications.exe | Check user administrative privileges: GetTokenInformation,DecisionNodes
                      Source: C:\Users\user\AppData\Local\4O9p1cGN\Dxpserver.exe | API coverage: 0.3 %
                      Source: C:\Users\user\AppData\Local\n0R5g\mstsc.exe | API coverage: 0.4 %
                      Source: C:\Users\user\AppData\Local\Nz4mnM\SndVol.exe | API coverage: 0.3 %
                      Source: C:\Windows\System32\loaddll64.exe | Process information queried: ProcessInformation
                      Source: C:\Windows\System32\loaddll64.exe | Code function: 0_2_00007FFC6711DDC0 GetSystemInfo,
                      Source: C:\Windows\System32\loaddll64.exe | Code function: 0_2_00007FFC6711ED10 FindFirstFileExW,
                      Source: C:\Users\user\AppData\Local\R7Mg9\CloudNotifications.exe | Code function: 20_2_00007FFC74C7ED10 FindFirstFileExW,
                      Source: C:\Users\user\AppData\Local\4O9p1cGN\Dxpserver.exe | Code function: 26_2_00007FF6130E1914 SHCreateDirectory,memset,FindFirstFileW,CompareStringOrdinal,CompareStringOrdinal,CompareStringOrdinal,CompareStringOrdinal,SHCreateDirectory,CompareStringOrdinal,CreateFileW,CloseHandle,GetLastError,SetFileAttributesW,CopyFileExW,GetLastError,CoCreateGuid,StringFromGUID2,MoveFileW,GetLastError,CopyFileExW,GetLastError,FindNextFileW,FindClose,GetLastError,
                      Source: explorer.exe, 00000004.00000000.304934300.000000000832A000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: 00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA
                      Source: explorer.exe, 00000004.00000000.303147807.00000000080ED000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000
                      Source: explorer.exe, 00000004.00000000.303959479.0000000008223000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}m&ven_n
                      Source: explorer.exe, 00000004.00000000.280980769.0000000000680000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: _VMware_SATA_CD00#5&280b647&
                      Source: explorer.exe, 00000004.00000000.340794911.000000000069D000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
                      Source: explorer.exe, 00000004.00000000.303959479.0000000008223000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: VMware SATA CD00
                      Source: explorer.exe, 00000004.00000000.303959479.0000000008223000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}t]
                      Source: explorer.exe, 00000004.00000000.267951079.00000000062C4000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
                      Source: explorer.exe, 00000004.00000000.263815655.0000000004287000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}0
                      Source: explorer.exe, 00000004.00000000.303880362.000000000820E000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000
                      Source: explorer.exe, 00000004.00000000.303959479.0000000008223000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}}^
                      Source: explorer.exe, 00000004.00000000.303147807.00000000080ED000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000
                      Source: explorer.exe, 00000004.00000000.303959479.0000000008223000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: VMware SATA CD00l
                      Source: C:\Users\user\AppData\Local\R7Mg9\CloudNotifications.exe | Code function: 20_2_00007FF740781828 GetCurrentThreadId,memset,IsDebuggerPresent,OutputDebugStringW,
                      Source: C:\Users\user\AppData\Local\n0R5g\mstsc.exe | Code function: 33_2_00007FF7B871BEA0 LoadLibraryW,GetProcAddress,GetProcAddress,
                      Source: C:\Users\user\AppData\Local\R7Mg9\CloudNotifications.exe | Code function: 20_2_00007FF7407859A4 TlsGetValue,GetProcessHeap,HeapFree,TlsSetValue,AcquireSRWLockExclusive,TlsFree,ReleaseSRWLockExclusive,
                      Source: C:\Windows\System32\loaddll64.exe | Code function: 0_2_00007FFC671097D0 LdrLoadDll,FindClose,
                      Source: C:\Users\user\AppData\Local\R7Mg9\CloudNotifications.exe | Code function: 20_2_00007FF740788410 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
                      Source: C:\Users\user\AppData\Local\R7Mg9\CloudNotifications.exe | Code function: 20_2_00007FF7407886F0 SetUnhandledExceptionFilter,
                      Source: C:\Users\user\AppData\Local\4O9p1cGN\Dxpserver.exe | Code function: 26_2_00007FF61310FCB0 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
                      Source: C:\Users\user\AppData\Local\4O9p1cGN\Dxpserver.exe | Code function: 26_2_00007FF6131100E0 SetUnhandledExceptionFilter,
                      Source: C:\Users\user\AppData\Local\bj1HT\mfpmp.exe | Code function: 29_2_00007FF670A429F0 SetUnhandledExceptionFilter,
                      Source: C:\Users\user\AppData\Local\bj1HT\mfpmp.exe | Code function: 29_2_00007FF670A42D14 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
                      Source: C:\Users\user\AppData\Local\n0R5g\mstsc.exe | Code function: 33_2_00007FF7B8822264 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
                      Source: C:\Users\user\AppData\Local\Nz4mnM\SndVol.exe | Code function: 35_2_00007FF742CEF2E0 SetUnhandledExceptionFilter,
                      Source: C:\Users\user\AppData\Local\Nz4mnM\SndVol.exe | Code function: 35_2_00007FF742CEEE40 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,

                      HIPS / PFW / Operating System Protection Evasion

                      Source: C:\Windows\explorer.exe | File created: dwmapi.dll.4.dr
                      Source: C:\Windows\System32\rundll32.exe | Memory protected: C:\Windows\explorer.exe base: 7FFC866FEFE0 protect: page execute and read and write
                      Source: C:\Windows\System32\rundll32.exe | Memory protected: C:\Windows\explorer.exe base: 7FFC866FE000 protect: page execute read
                      Source: C:\Windows\System32\rundll32.exe | Memory protected: C:\Windows\explorer.exe base: 7FFC85C32A20 protect: page execute and read and write
                      Source: C:\Windows\System32\rundll32.exe | Thread APC queued: target process: C:\Windows\explorer.exe
                      Source: C:\Users\user\AppData\Local\Nz4mnM\SndVol.exe | Code function: 35_2_00007FF742CDA5C8 GetDC,GetDeviceCaps,ReleaseDC,LoadIconW,SendMessageW,GetWindowBand,FindWindowW,GetWindowBand,FindWindowW,SendMessageTimeoutW,GetWindowLongW,SetWindowLongW,SetForegroundWindow,IsThemeActive,DwmIsCompositionEnabled,GetWindowRect,GetClientRect,EnterCriticalSection,GetWindowRect,LeaveCriticalSection,SetWindowPos,LeaveCriticalSection,memset,Shell_NotifyIconGetRect,GetWindowRect,DwmIsCompositionEnabled,Shell_NotifyIconGetRect,InflateRect,CalculatePopupWindowPosition,SetWindowPos,InvalidateRect,GetClientRect,EnterCriticalSection,SetWindowPos,GetDlgItem,SetFocus,ShowWindow,LeaveCriticalSection,SetTimer,NotifyWinEvent,
                      Source: C:\Users\user\AppData\Local\bj1HT\mfpmp.exe | Code function: 29_2_00007FF670A45730 EnterCriticalSection,IsDebuggerPresent,DebugBreak,GetLastError,SetLastError,LeaveCriticalSection,
                      Source: C:\Users\user\AppData\Local\bj1HT\mfpmp.exe | Code function: 29_2_00007FF670A454A0 EnterCriticalSection,IsDebuggerPresent,DebugBreak,LeaveCriticalSection,
                      Source: C:\Windows\System32\rundll32.exe | Atom created: 405553565741544156488D6C24D14881EC98 0x00000000 inc eax 0x00000001 push ebp 0x00000002 push ebx 0x00000003 push esi 0x00000004 push edi 0x00000005 inc ecx 0x00000006 push esp 0x00000007 inc ecx 0x00000008 push esi 0x00000009 dec eax 0x0000000a lea ebp, dword ptr [esp-2Fh] 0x0000000e dec eax 0x0000000f sub esp, 00000098h
                      Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\eWlldJYfLc.dll",#1
                      Source: explorer.exe, 00000004.00000000.280992287.0000000000688000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.311718742.0000000000688000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.262606736.0000000000688000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: ProgmanEXE^
                      Source: explorer.exe, 00000004.00000000.341540544.0000000000BE0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000004.00000000.281271896.0000000000BE0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000004.00000000.271301902.00000000080ED000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: Shell_TrayWnd
                      Source: explorer.exe, 00000004.00000000.341540544.0000000000BE0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000004.00000000.281271896.0000000000BE0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000004.00000000.263000213.0000000000BE0000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Progman
                      Source: SndVol.exe, 00000023.00000000.548108875.00007FF742CF2000.00000002.00000001.01000000.00000012.sdmp, SndVol.exe, 00000023.00000002.574100528.00007FF742CF2000.00000002.00000001.01000000.00000012.sdmp, SndVol.exe.4.dr | Binary or memory string: Software\Microsoft\Multimedia\Audio\SndVolSndVolPreferencesMaskSndVolSelectedDevicesShell_TrayWnd
                      Source: explorer.exe, 00000004.00000000.341540544.0000000000BE0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000004.00000000.281271896.0000000000BE0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000004.00000000.263000213.0000000000BE0000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Progmanlock
                      Source: explorer.exe, 00000004.00000000.311774801.0000000000708000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.281130871.0000000000708000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.341049556.0000000000708000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Shell_TrayWnd4
                      Source: explorer.exe, 00000004.00000000.341540544.0000000000BE0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000004.00000000.281271896.0000000000BE0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000004.00000000.263000213.0000000000BE0000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: WProgram Manager
                      Source: C:\Users\user\AppData\Local\Nz4mnM\SndVol.exe | Code function: GetUserPreferredUILanguages,malloc,GetUserPreferredUILanguages,GetLocaleInfoEx,free,
                      Source: C:\Windows\System32\loaddll64.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion InstallDate
                      Source: C:\Windows\System32\loaddll64.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
                      Source: C:\Users\user\AppData\Local\R7Mg9\CloudNotifications.exe | Code function: 20_2_00007FF740783614 RegGetValueW,RegGetValueW,GetSystemTimeAsFileTime,TranslateMessage,DispatchMessageW,GetMessageW,
                      Source: C:\Users\user\AppData\Local\n0R5g\mstsc.exe | Code function: 33_2_00007FF7B881F5EC memset,GetVersionExW,GetVersionExW,
                      Source: C:\Windows\System32\loaddll64.exe | Code function: 0_2_00007FFC67109400 GetUserNameW,
                      MITRE ATT&CK Matrix (one line per tactic; the number in parentheses is the count of matching signatures for that technique, techniques without a number had no match)

                      Initial Access: Valid Accounts, Default Accounts, Domain Accounts, Local Accounts, Cloud Accounts, Replication Through Removable Media, External Remote Services, Drive-by Compromise, Exploit Public-Facing Application
                      Execution: Native API (2), Exploitation for Client Execution (1), At (Linux), At (Windows), Cron, Launchd, Scheduled Task, Command and Scripting Interpreter, PowerShell
                      Persistence: DLL Side-Loading (1), Boot or Logon Initialization Scripts, Logon Script (Windows), Logon Script (Mac), Network Logon Script, Rc.common, Startup Items, Scheduled Task/Job, At (Linux)
                      Privilege Escalation: Exploitation for Privilege Escalation (1), Process Injection (412), DLL Side-Loading (1), Logon Script (Mac), Network Logon Script, Rc.common, Startup Items, Scheduled Task/Job, At (Linux)
                      Defense Evasion: Masquerading (1), Virtualization/Sandbox Evasion (1), Process Injection (412), Obfuscated Files or Information (2), Rundll32 (1), Software Packing (2), Timestomp (1), DLL Side-Loading (1), Masquerading
                      Credential Access: OS Credential Dumping, LSASS Memory, Security Account Manager, NTDS, LSA Secrets, Cached Domain Credentials, DCSync, Proc Filesystem, /etc/passwd and /etc/shadow
                      Discovery: System Time Discovery (1), Security Software Discovery (21), Virtualization/Sandbox Evasion (1), Process Discovery (3), Application Window Discovery (1), Account Discovery (1), System Owner/User Discovery (1), File and Directory Discovery (1), System Information Discovery (25)
                      Lateral Movement: Remote Services, Remote Desktop Protocol, SMB/Windows Admin Shares, Distributed Component Object Model, SSH, VNC, Windows Remote Management, Shared Webroot, Software Deployment Tools
                      Collection: Archive Collected Data (1), Data from Removable Media, Data from Network Shared Drive, Input Capture, Keylogging, GUI Input Capture, Web Portal Capture, Credential API Hooking, Data Staged
                      Exfiltration: Exfiltration Over Other Network Medium, Exfiltration Over Bluetooth, Automated Exfiltration, Scheduled Transfer, Data Transfer Size Limits, Exfiltration Over C2 Channel, Exfiltration Over Alternative Protocol, Exfiltration Over Symmetric Encrypted Non-C2 Protocol, Exfiltration Over Asymmetric Encrypted Non-C2 Protocol
                      Command and Control: Encrypted Channel (2), Junk Data, Steganography, Protocol Impersonation, Fallback Channels, Multiband Communication, Commonly Used Port, Application Layer Protocol, Web Protocols
                      Network Effects: Eavesdrop on Insecure Network Communication, Exploit SS7 to Redirect Phone Calls/SMS, Exploit SS7 to Track Device Location, SIM Card Swap, Manipulate Device Communication, Jamming or Denial of Service, Rogue Wi-Fi Access Points, Downgrade to Insecure Protocols, Rogue Cellular Base Station
                      Remote Service Effects: Remotely Track Device Without Authorization, Remotely Wipe Data Without Authorization, Obtain Device Cloud Backups
                      Impact: Modify System Partition, Device Lockout, Delete Device Data, Carrier Billing Fraud, Manipulate App Store Rankings or Ratings, Abuse Accessibility Features, Data Encrypted for Impact, Generate Fraudulent Advertising Revenue, Data Destruction
Behavior Graph ID: 595308
Sample: eWlldJYfLc
Startdate: 23/03/2022
Architecture: WINDOWS
Score: 100

Process tree with signatures and dropped files:

Start
  Signatures: Antivirus detection for dropped file; Antivirus / Scanner detection for submitted sample; Multi AV Scanner detection for submitted file; 6 other signatures
  loaddll64.exe (started)
    rundll32.exe (started)
      Signatures: Changes memory attributes in foreign processes to executable or writable; Uses Atom Bombing / ProGate to inject into other processes; Queues an APC in another process (thread injection)
      explorer.exe (injected)
        Dropped: C:\Users\user\AppData\Local\...\ACTIVEDS.dll (PE32+); C:\Users\user\AppData\Local\...\Secur32.dll (PE32+); C:\Users\user\AppData\Local\bj1HT\mfpmp.exe (PE32+); 15 other files (6 malicious)
        Signatures: Benign windows process drops PE files; Accesses ntoskrnl, likely to find offsets for exploits
        mfpmp.exe (started)
          Signatures: Contains functionality to prevent local Windows debugging
        SndVol.exe (started)
          Signatures: Contains functionality to automate explorer (e.g. start an application)
        Dxpserver.exe (started)
        11 other processes
    cmd.exe (started)
      rundll32.exe (started)
    rundll32.exe (started)
    rundll32.exe (started)

Source | Detection | Scanner | Label
eWlldJYfLc.dll | 67% | Virustotal |
eWlldJYfLc.dll | 60% | Metadefender |
eWlldJYfLc.dll | 88% | ReversingLabs | Win64.Trojan.Occamy
eWlldJYfLc.dll | 100% | Avira | TR/Crypt.ZPACK.Gen
eWlldJYfLc.dll | 100% | Joe Sandbox ML |
Source | Detection | Scanner | Label
C:\Users\user\AppData\Local\vFRJtv0CU\ACTIVEDS.dll | 100% | Avira | TR/Crypt.ZPACK.Gen
C:\Users\user\AppData\Local\4O9p1cGN\dwmapi.dll | 100% | Avira | TR/Crypt.XPACK.Gen7
C:\Users\user\AppData\Local\Nz4mnM\UxTheme.dll | 100% | Avira | TR/Crypt.ZPACK.Gen
C:\Users\user\AppData\Local\O0z6Mm4\XmlLite.dll | 100% | Avira | TR/Crypt.XPACK.Gen7
C:\Users\user\AppData\Local\O0z6Mm4\XmlLite.dll | 100% | Avira | TR/Crypt.XPACK.Gen7
C:\Users\user\AppData\Local\bj1HT\MFPlat.DLL | 100% | Avira | TR/Crypt.XPACK.Gen7
C:\Users\user\AppData\Local\EQ0DjT2sP\DUI70.dll | 100% | Avira | TR/Crypt.XPACK.Gen4
C:\Users\user\AppData\Local\Nz4mnM\UxTheme.dll | 100% | Avira | TR/Crypt.ZPACK.Gen
C:\Users\user\AppData\Local\n0R5g\Secur32.dll | 100% | Avira | TR/Crypt.ZPACK.Gen
C:\Users\user\AppData\Local\vFRJtv0CU\ACTIVEDS.dll | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Local\4O9p1cGN\dwmapi.dll | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Local\Nz4mnM\UxTheme.dll | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Local\O0z6Mm4\XmlLite.dll | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Local\O0z6Mm4\XmlLite.dll | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Local\bj1HT\MFPlat.DLL | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Local\EQ0DjT2sP\DUI70.dll | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Local\Nz4mnM\UxTheme.dll | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Local\n0R5g\Secur32.dll | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Local\4O9p1cGN\Dxpserver.exe | 0% | Metadefender |
C:\Users\user\AppData\Local\4O9p1cGN\Dxpserver.exe | 0% | ReversingLabs |
C:\Users\user\AppData\Local\EQ0DjT2sP\CameraSettingsUIHost.exe | 0% | Metadefender |
C:\Users\user\AppData\Local\EQ0DjT2sP\CameraSettingsUIHost.exe | 0% | ReversingLabs |
C:\Users\user\AppData\Local\Nz4mnM\SndVol.exe | 0% | Metadefender |
C:\Users\user\AppData\Local\Nz4mnM\SndVol.exe | 0% | ReversingLabs |
C:\Users\user\AppData\Local\O0z6Mm4\ddodiag.exe | 0% | Metadefender |
C:\Users\user\AppData\Local\O0z6Mm4\ddodiag.exe | 0% | ReversingLabs |
Source | Detection | Scanner | Label
33.2.mstsc.exe.7ffc74c20000.3.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
8.2.rundll32.exe.7ffc670c0000.2.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
20.2.CloudNotifications.exe.7ffc74c20000.3.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
35.2.SndVol.exe.7ffc74c20000.3.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
33.2.mstsc.exe.15f26e10000.0.unpack | 100% | Avira | HEUR/AGEN.1215493
29.2.mfpmp.exe.1cdaa1c0000.0.unpack | 100% | Avira | HEUR/AGEN.1215493
0.2.loaddll64.exe.16b476e0000.0.unpack | 100% | Avira | HEUR/AGEN.1215493
26.2.Dxpserver.exe.7ffc74c20000.3.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
2.2.rundll32.exe.7ffc670c0000.2.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
26.2.Dxpserver.exe.19273270000.0.unpack | 100% | Avira | HEUR/AGEN.1215493
29.2.mfpmp.exe.7ffc74c20000.3.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
6.2.rundll32.exe.7ffc670c0000.2.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
6.2.rundll32.exe.28586ab0000.0.unpack | 100% | Avira | HEUR/AGEN.1215493
20.2.CloudNotifications.exe.2953cdf0000.1.unpack | 100% | Avira | HEUR/AGEN.1215493
8.2.rundll32.exe.2541e150000.0.unpack | 100% | Avira | HEUR/AGEN.1215493
2.2.rundll32.exe.16bb42f0000.0.unpack | 100% | Avira | HEUR/AGEN.1215493
3.2.rundll32.exe.17f7c0b0000.0.unpack | 100% | Avira | HEUR/AGEN.1215493
0.2.loaddll64.exe.7ffc670c0000.2.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
35.2.SndVol.exe.1c1733a0000.0.unpack | 100% | Avira | HEUR/AGEN.1215493
3.2.rundll32.exe.7ffc670c0000.2.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
                      No Antivirus matches
Source | Detection | Scanner | Label
http://schemas.mi | 0% | URL Reputation | safe
https://login.windows.net-%s | 0% | Avira URL Cloud | safe
http://schemas.micr | 0% | URL Reputation | safe
https://dynamic.t | 0% | URL Reputation | safe
                      No contacted domains info
Name | Source | Malicious | Antivirus Detection | Reputation
https://dynamic.t0.tiles.ditu.live.com/comp/gen.ashx | svchost.exe, 0000000B.00000003.320641560.000001BB8E651000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://schemas.mi | explorer.exe, 00000004.00000000.324436158.000000000DA7E000.00000004.00000001.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://login.windows.net-%s | DeviceEnroller.exe.4.dr | false | Avira URL Cloud: safe | low
https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdv?pv=1&r= | svchost.exe, 0000000B.00000003.320980194.000001BB8E646000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000003.320872446.000001BB8E641000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://dev.ditu.live.com/REST/v1/Routes/ | svchost.exe, 0000000B.00000002.321807705.000001BB8E63E000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://dev.virtualearth.net/REST/v1/Routes/Driving | svchost.exe, 0000000B.00000003.320641560.000001BB8E651000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://t0.ssl.ak.dynamic.tiles.virtualearth.net/comp/gen.ashx | svchost.exe, 0000000B.00000002.321807705.000001BB8E63E000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://dev.ditu.live.com/REST/v1/Traffic/Incidents/ | svchost.exe, 0000000B.00000002.321834175.000001BB8E64C000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000003.320766530.000001BB8E64A000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://dev.ditu.live.com/REST/v1/Transit/Stops/ | svchost.exe, 0000000B.00000003.320495277.000001BB8E669000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000002.321905396.000001BB8E66B000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://t0.tiles.ditu.live.com/tiles/gen | svchost.exe, 0000000B.00000002.321768696.000001BB8E629000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://dev.virtualearth.net/REST/v1/Routes/ | svchost.exe, 0000000B.00000002.321807705.000001BB8E63E000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://dev.virtualearth.net/REST/v1/Traffic/Incidents/ | svchost.exe, 0000000B.00000002.321768696.000001BB8E629000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdi?pv=1&r= | svchost.exe, 0000000B.00000003.298657798.000001BB8E630000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://dev.virtualearth.net/REST/v1/Routes/Walking | svchost.exe, 0000000B.00000003.320641560.000001BB8E651000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://dev.virtualearth.net/REST/v1/Transit/Stops/ | svchost.exe, 0000000B.00000003.298657798.000001BB8E630000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://dev.virtualearth.net/webservices/v1/LoggingService/LoggingService.svc/Log? | svchost.exe, 0000000B.00000002.321834175.000001BB8E64C000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000003.320766530.000001BB8E64A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000003.320872446.000001BB8E641000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gd?pv=1&r= | svchost.exe, 0000000B.00000002.321807705.000001BB8E63E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000002.321751772.000001BB8E613000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://dev.virtualearth.net/mapcontrol/HumanScaleServices/GetBubbles.ashx?n= | svchost.exe, 0000000B.00000002.321820678.000001BB8E643000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000003.321051969.000001BB8E642000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000003.320872446.000001BB8E641000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://schemas.micr | explorer.exe, 00000004.00000000.324436158.000000000DA7E000.00000004.00000001.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://dev.ditu.live.com/mapcontrol/mapconfiguration.ashx?name=native&v= | svchost.exe, 0000000B.00000002.321768696.000001BB8E629000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://dev.virtualearth.net/REST/v1/Locations | svchost.exe, 0000000B.00000003.298657798.000001BB8E630000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000003.320641560.000001BB8E651000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://ecn.dev.virtualearth.net/mapcontrol/mapconfiguration.ashx?name=native&v= | svchost.exe, 0000000B.00000003.298657798.000001BB8E630000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://dev.virtualearth.net/mapcontrol/logging.ashx | svchost.exe, 0000000B.00000003.320641560.000001BB8E651000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://dev.ditu.live.com/mapcontrol/logging.ashx | svchost.exe, 0000000B.00000003.320641560.000001BB8E651000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://dev.ditu.live.com/REST/v1/Imagery/Copyright/ | svchost.exe, 0000000B.00000002.321768696.000001BB8E629000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000003.320766530.000001BB8E64A000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://dev.virtualearth.net/webservices/v1/LoggingService/LoggingService.svc/Log?entry= | svchost.exe, 0000000B.00000003.298657798.000001BB8E630000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gri?pv=1&r= | svchost.exe, 0000000B.00000003.298657798.000001BB8E630000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://dynamic.api.tiles.ditu.live.com/odvs/gdi?pv=1&r= | svchost.exe, 0000000B.00000002.321834175.000001BB8E64C000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000003.320766530.000001BB8E64A000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://dev.virtualearth.net/REST/v1/JsonFilter/VenueMaps/data/ | svchost.exe, 0000000B.00000002.321834175.000001BB8E64C000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000003.320766530.000001BB8E64A000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://dev.virtualearth.net/REST/v1/Transit/Schedules/ | svchost.exe, 0000000B.00000002.321820678.000001BB8E643000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000003.321051969.000001BB8E642000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000003.320872446.000001BB8E641000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://dynamic.t | svchost.exe, 0000000B.00000003.320872446.000001BB8E641000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://dev.virtualearth.net/REST/v1/Routes/Transit | svchost.exe, 0000000B.00000003.320641560.000001BB8E651000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://t0.ssl.ak.tiles.virtualearth.net/tiles/gen | svchost.exe, 0000000B.00000003.298657798.000001BB8E630000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000003.321244735.000001BB8E63A000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://dynamic.api.tiles.ditu.live.com/odvs/gdv?pv=1&r= | svchost.exe, 0000000B.00000002.321834175.000001BB8E64C000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000003.320766530.000001BB8E64A000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://ecn.dev.virtualearth.net/mapcontrol/roadshield.ashx?bucket= | svchost.exe, 0000000B.00000003.298657798.000001BB8E630000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://www.bingmapsportal.com | svchost.exe, 0000000B.00000002.321751772.000001BB8E613000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://dev.ditu.live.com/REST/v1/Locations | svchost.exe, 0000000B.00000003.320641560.000001BB8E651000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://dev.virtualearth.net/REST/v1/Imagery/Copyright/ | svchost.exe, 0000000B.00000002.321768696.000001BB8E629000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000003.298657798.000001BB8E630000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://ecn.dev.virtualearth.net/REST/v1/Imagery/Copyright/ | svchost.exe, 0000000B.00000003.298657798.000001BB8E630000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000002.321807705.000001BB8E63E000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://dev.ditu.live.com/REST/v1/JsonFilter/VenueMaps/data/ | svchost.exe, 0000000B.00000002.321834175.000001BB8E64C000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000003.320766530.000001BB8E64A000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://dynamic.api.tiles.ditu.live.com/odvs/gd?pv=1&r= | svchost.exe, 0000000B.00000003.320766530.000001BB8E64A000.00000004.00000020.00020000.00000000.sdmp | false | | high
                                                                                                No contacted IP infos
                                                                                                Joe Sandbox Version:34.0.0 Boulder Opal
                                                                                                Analysis ID:595308
                                                                                                Start date and time:2022-03-23 14:46:03 +01:00
                                                                                                Joe Sandbox Product:CloudBasic
                                                                                                Overall analysis duration:0h 15m 3s
                                                                                                Hypervisor based Inspection enabled:false
                                                                                                Report type:light
                                                                                                Sample file name:eWlldJYfLc (renamed file extension from none to dll)
                                                                                                Cookbook file name:default.jbs
                                                                                                Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed:41
                                                                                                Number of new started drivers analysed:0
                                                                                                Number of existing processes analysed:0
                                                                                                Number of existing drivers analysed:0
                                                                                                Number of injected processes analysed:1
                                                                                                Technologies:
                                                                                                • HCA enabled
                                                                                                • EGA enabled
                                                                                                • HDC enabled
                                                                                                • AMSI enabled
                                                                                                Analysis Mode:default
                                                                                                Analysis stop reason:Timeout
                                                                                                Detection:MAL
                                                                                                Classification:mal100.troj.expl.evad.winDLL@46/19@0/0
                                                                                                EGA Information:
                                                                                                • Successful, ratio: 90%
                                                                                                HDC Information:
                                                                                                • Successful, ratio: 29% (good quality ratio 17.8%)
                                                                                                • Quality average: 41%
                                                                                                • Quality standard deviation: 39%
                                                                                                HCA Information:
                                                                                                • Successful, ratio: 98%
                                                                                                • Number of executed functions: 0
                                                                                                • Number of non-executed functions: 0
                                                                                                Cookbook Comments:
                                                                                                • Adjust boot time
                                                                                                • Enable AMSI
                                                                                                • Override analysis time to 240s for rundll32
                                                                                                • Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, WMIADAP.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, WmiPrvSE.exe, svchost.exe, wuapihost.exe
                                                                                                • Excluded domains from analysis (whitelisted): ris.api.iris.microsoft.com, www.bing.com, client.wns.windows.com, fs.microsoft.com, login.live.com, sls.update.microsoft.com, ctldl.windowsupdate.com, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, watson.telemetry.microsoft.com, arc.msn.com
• Execution Graph export aborted for target mfpmp.exe, PID 3464 because there are no executed functions
• Not all processes were analyzed, report is missing behavior information
                                                                                                • Report size exceeded maximum capacity and may have missing behavior information.
                                                                                                • Report size exceeded maximum capacity and may have missing disassembly code.
                                                                                                • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                                                                                                • Report size getting too big, too many NtEnumerateKey calls found.
                                                                                                No simulations
                                                                                                No context
                                                                                                Process:C:\Windows\explorer.exe
                                                                                                File Type:PE32+ executable (GUI) x86-64, for MS Windows
                                                                                                Category:dropped
                                                                                                Size (bytes):304640
                                                                                                Entropy (8bit):5.920357039114308
                                                                                                Encrypted:false
                                                                                                SSDEEP:6144:SidsFxbUPoT/FPrriCEe+oiXoGJm7JwQ9oWxDEHZwj:xaFxbFDBsBo6maPWxDcwj
                                                                                                MD5:DCCB1D350193BE0A26CEAFF602DB848E
                                                                                                SHA1:02673E7070A589B5BF6F217558A06067B388A350
                                                                                                SHA-256:367CEA47389B6D5211595AE88454D9589AA8C996F5E765904FFEDE434424AF22
                                                                                                SHA-512:ECD3C32E2BED31FC6328CA4B171B5D2503A2795324667F67FF48A67DF7C8B88760A62C0119A173487B9886E6AF3994025A85E42B064BEA38A466A6848AF65541
                                                                                                Malicious:false
                                                                                                Antivirus:
• Antivirus: Metadefender, Detection: 0%
                                                                                                • Antivirus: ReversingLabs, Detection: 0%
                                                                                                Process:C:\Windows\explorer.exe
                                                                                                File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                Category:dropped
                                                                                                Size (bytes):1372160
                                                                                                Entropy (8bit):5.073965259759853
                                                                                                Encrypted:false
                                                                                                SSDEEP:12288:vZgJtlQepQn+NDo7nIYegQCLDF/B9wvj/cLvVZFuw:vZK6F7n5eRmDFJivohZFV
                                                                                                MD5:76657995BEE544EFB7B57F3ADE10CACC
                                                                                                SHA1:AFD9BC6AAEF6E67ABEB32C4111B61F39412D8DCA
                                                                                                SHA-256:E4FAF63C9DF8C711816BDD85DED07539FC7F425EFFBAFDDB680EFE01E45DCD26
                                                                                                SHA-512:BEF755E7AE0D4C82D7F0A86A881FBDAFC565C990C821EBA88B1D5C208B1A94097E3BC74A9AFA58B11146658CC68CECE1F615E28FC891852FB99FA4D703829670
                                                                                                Malicious:true
                                                                                                Antivirus:
                                                                                                • Antivirus: Avira, Detection: 100%
                                                                                                • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                Process:C:\Windows\explorer.exe
                                                                                                File Type:PE32+ executable (GUI) x86-64, for MS Windows
                                                                                                Category:dropped
                                                                                                Size (bytes):32104
                                                                                                Entropy (8bit):6.224595599643794
                                                                                                Encrypted:false
                                                                                                SSDEEP:768:HYxSW1tZfZjtM2mpgc8WtCpZswKro1PDg:HhAhty8WteuwKrwPDg
                                                                                                MD5:34F32BC06CDC7AF56607D351B155140D
                                                                                                SHA1:88EF25BC91BCC908AF743ECA254D6251E5564283
                                                                                                SHA-256:47238D9ED75D01FD125AC76B500FEEF7F8B27255570AD02D18A4F049B05DF3BD
                                                                                                SHA-512:D855414779125F4E311ACF4D5EFC8ACA4452323CABD1694798CA90FD5BD76DC70B5D06790A2AE311E7DD19190DCCB134F6EF96AB1B7CF5B8A40AD642B72D5144
                                                                                                Malicious:false
                                                                                                Antivirus:
                                                                                                • Antivirus: Metadefender, Detection: 0%
                                                                                                • Antivirus: ReversingLabs, Detection: 0%
                                                                                                Process:C:\Windows\explorer.exe
                                                                                                File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                Category:dropped
                                                                                                Size (bytes):1654784
                                                                                                Entropy (8bit):5.506546408859127
                                                                                                Encrypted:false
                                                                                                SSDEEP:12288:tZgJtlQepQn+NDo7nIYegQCLDF/B9wvj/cLvVZFuwmsNRt:tZK6F7n5eRmDFJivohZFVmu
                                                                                                MD5:72722E89BA0B4F6CAD054811AB8BB33C
                                                                                                SHA1:84099E5B7CF14C99D301AADAD9934E8981C019EB
                                                                                                SHA-256:27DBA4A57AD9F0CA7678B55C851F17E1A2CAE742FCFD041D8503080831E93520
                                                                                                SHA-512:08CF3ABE10557F284B0427849A4CEF2F111E67E6371F79C3B477F659CC36B438E6C9E541C2DD10C290C6A43E963EBE1B4A7BEF89910C7C98A6099E6E04F8A9BC
                                                                                                Malicious:true
                                                                                                Antivirus:
                                                                                                • Antivirus: Avira, Detection: 100%
                                                                                                • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                Process:C:\Windows\explorer.exe
                                                                                                File Type:PE32+ executable (GUI) x86-64, for MS Windows
                                                                                                Category:dropped
                                                                                                Size (bytes):259904
                                                                                                Entropy (8bit):5.955701055747905
                                                                                                Encrypted:false
                                                                                                SSDEEP:3072:UfYIZJbRydnidilSnGvLqeD358rwW39nuyHjVozZcxSHfcBL1ljbEyB7HbIa+:Uf9JonidFnqLV358rNnJqcRcy10/
                                                                                                MD5:CDD7C7DF2D0859AC3F4088423D11BD08
                                                                                                SHA1:128789A2EA904F684B5DF2384BA6EEF4EB60FB8E
                                                                                                SHA-256:D98DB8339EB1B93A7345EECAC2B7290FA7156E3E12B7632D876BD0FD1F31EC66
                                                                                                SHA-512:A093BF3C40C880A80164F2CAA87DF76DCD854375C5216D761E60F3770DFA04F4B02EC0CA6313C32413AC99A3EBDC081CF915A7B468EE3CED80F9B1ECF4B49804
                                                                                                Malicious:true
                                                                                                Antivirus:
                                                                                                • Antivirus: Metadefender, Detection: 0%
                                                                                                • Antivirus: ReversingLabs, Detection: 0%
                                                                                                Process:C:\Windows\explorer.exe
                                                                                                File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                Category:dropped
                                                                                                Size (bytes):1372160
                                                                                                Entropy (8bit):5.07954324475136
                                                                                                Encrypted:false
                                                                                                SSDEEP:12288:2ZgJtlQepQn+NDo7nIYegQCLDF/B9wvj/cLvVZFuw:2ZK6F7n5eRmDFJivohZFV
                                                                                                MD5:AA4563F3E285E21921818923EEC1AB27
                                                                                                SHA1:F36D24960356D6CCB49EF189025B9366324851D9
                                                                                                SHA-256:33736F3A5EB68B07C19FDA12C97A3A17120719FA53FFF3B74EB4B5BCA81ED86E
                                                                                                SHA-512:26BBE92AF58E8B574BA3C4673938F48BF12AFA872FDE65BC3E4A48C590C20BD03B9F1DA460E9F5EB8D5410272E0741D8C4EC3B068CFA4D78595E0A8042E5E488
                                                                                                Malicious:true
                                                                                                Antivirus:
                                                                                                • Antivirus: Avira, Detection: 100%
                                                                                                • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                Process:C:\Windows\explorer.exe
                                                                                                File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                Category:dropped
                                                                                                Size (bytes):1372160
                                                                                                Entropy (8bit):5.066544233417286
                                                                                                Encrypted:false
                                                                                                SSDEEP:12288:CZgJtlQepQn+NDo7nIYegQCLDF/B9wvj/cLvVZFuw:CZK6F7n5eRmDFJivohZFV
                                                                                                MD5:CFC069A16E13B366B0F56BD27F5BC600
                                                                                                SHA1:CD6DF254F7B0550B0CC2524F4592571C9EC3F7B1
                                                                                                SHA-256:1A044F24CC8B8D583E66F577C90C92FF15FF4F3D1FE8096A38B5032C1F8B8D6B
                                                                                                SHA-512:55F44E15EB12F94804DFE947774B2078DCCD13E0A98EEB9963F90BC0289BD7345F90063DCD29530D161C0B411623C411613FAA6323C53F1C5C7595D19004C117
                                                                                                Malicious:true
                                                                                                Antivirus:
                                                                                                • Antivirus: Avira, Detection: 100%
                                                                                                • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                Process:C:\Windows\explorer.exe
                                                                                                File Type:PE32+ executable (GUI) x86-64, for MS Windows
                                                                                                Category:dropped
                                                                                                Size (bytes):37888
                                                                                                Entropy (8bit):5.0324146638870335
                                                                                                Encrypted:false
                                                                                                SSDEEP:768:Ii5tlKBaheiGK/hc3aZkLmMgMaouZl6i9Kott/D:/C0heiGK/hc3aZkLmMgMaouZl6i9t/D
                                                                                                MD5:3CE911D7C12A2EFA9108514013BD17FE
                                                                                                SHA1:2F739BD7731932A0BF13A3B8526FC867EC41C63E
                                                                                                SHA-256:FC55CB5FF243496B039D3DB181BD846BDD38D11C7D52E4BA20D882B65FBE1C3B
                                                                                                SHA-512:33F4FD94916DB3F0BC4E138DD88125D9B45108F7EECFDE0A54BE1901F4BE3F1966BC0FE9278A919A3D94AEC53A8269ACA9451EBA7D53C82BF64CC215522AD78E
                                                                                                Malicious:false
                                                                                                Antivirus:
                                                                                                • Antivirus: Metadefender, Detection: 0%
                                                                                                • Antivirus: ReversingLabs, Detection: 0%
                                                                                                Process:C:\Windows\explorer.exe
                                                                                                File Type:PE32+ executable (GUI) x86-64, for MS Windows
                                                                                                Category:dropped
                                                                                                Size (bytes):77072
                                                                                                Entropy (8bit):6.115516882753233
                                                                                                Encrypted:false
                                                                                                SSDEEP:1536:PBw6bK5qGy2vbnG4bhimIHw28N6GgIpdNtgdNttP+O1K9dr3uhyZb3NnPg5:FbK522vDfnp28a+O1AdCoZxno5
                                                                                                MD5:D9FF4C8DBC1682E0508322307CB89C0F
                                                                                                SHA1:52FF480ABF6A6CE9BC32BD3B467C028C35849C6F
                                                                                                SHA-256:E99A6238FDF53700DE8588E1C1128D52680C1DCAAD4E32B38EF2170395495D29
                                                                                                SHA-512:C068F98855514994AA7CD66ED02E3FD05B7E81EAD714F83CC158B65AAC6DE12A1D324375C41FEC5C1B6A3F1D6D8639EBFF71D510A720148A33E645ED066DAF2C
                                                                                                Malicious:false
                                                                                                Process:C:\Windows\explorer.exe
                                                                                                File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                Category:dropped
                                                                                                Size (bytes):1372160
                                                                                                Entropy (8bit):5.079630029271723
                                                                                                Encrypted:false
                                                                                                SSDEEP:12288:qZgJtlQepQn+NDo7nIYegQCLDF/B9wvj/cLvVZFuw:qZK6F7n5eRmDFJivohZFV
                                                                                                MD5:EEEA0804F1E5EB7827FD942423AC682D
                                                                                                SHA1:09CD42B0D6B83B896B61016364BCAE0FDB729FA2
                                                                                                SHA-256:EC50BADCD4F4E021A341A08A03FA8A72D4496A5B71BA1BBF6C4F49F79EA61F45
                                                                                                SHA-512:0C58E87B0716CBB5A0D7DE3A0463C4AF9E09C28EE99543F5A4130A7658B2BB8EB8A88F5BEE0B6877DC9224B6AA0988850C83BF5EB48CB4A22FBEEEF79EBBEE6C
                                                                                                Malicious:false
                                                                                                Process:C:\Windows\explorer.exe
                                                                                                File Type:PE32+ executable (GUI) x86-64, for MS Windows
                                                                                                Category:dropped
                                                                                                Size (bytes):359936
                                                                                                Entropy (8bit):6.00535524532166
                                                                                                Encrypted:false
                                                                                                SSDEEP:6144:NXYgu80D0GEiHJb3r/mrKqfNF3Ne8xQOQ2UyQPyHS:Nok0DTHJrr/MKqfNPRyyQI
                                                                                                MD5:53688BC273A0CB9FD174F809FB56F866
                                                                                                SHA1:F69901D480530661A3342E567C2F789D3361851D
                                                                                                SHA-256:D39F1DE499FFD7D8E12ADEA0979AA70FB291C8BD9061019AA0045A247A4B948B
                                                                                                SHA-512:2233B66D79042C2C1F8B10228FAEE3698FA2C54396B0331F7352DC087F23493BDEB89CECD7E23A1B2CFBD124D9ADB483413DC55DDA813C4F49B18120A702AE15
                                                                                                Malicious:false
                                                                                                Process:C:\Windows\explorer.exe
                                                                                                File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                Category:dropped
                                                                                                Size (bytes):1372160
                                                                                                Entropy (8bit):5.0665476710905875
                                                                                                Encrypted:false
                                                                                                SSDEEP:12288:qZgJtlQepQn+NDo7nIYegQCLDF/B9wvj/cLvVZFuw:qZK6F7n5eRmDFJivohZFV
                                                                                                MD5:5A3E479CD2E6CE8BFB95EB1B9473DF7C
                                                                                                SHA1:E006DC68DA1C26A263DA0FF6D1B3B6E5E8E5A657
                                                                                                SHA-256:0D7E29272223CE36DAA5CAA7DCDADBAED9CE393E26FF9A8C7BE5382A072B7EDF
                                                                                                SHA-512:932974FAD53CD8F754758A2F6712140217369C207CEEDB00A7A34A606C43095DCB4C979151077BBE39C9EF4390E9F1FEB926CEFCDA7D765860B1FB0A3BC8D524
                                                                                                Malicious:false
                                                                                                Preview:MZ......................@.......................................X..Z.qb..qb..qb.a...jqb.s....qb.9...\qb.s...(qb......qb..#.. qb../b..qb......qb.....Hqb..(c./qb.r,f..qb..(c..qb.;...,qb../..Tqb.....Zqb......qb.z...Bqb.....nqb.....[qb.....qb.;...{qb......qb..#...qb...f.oqb....hqb.z....qb.....:qb.;...tqb.Rich.qb.................................................................................................PE..d.=...}^.........." ..... ...........$.........@..........................................`.................................................$...<....................................................................................0..(............................text............ .........@........ ..`.rdata..Co...0...p...0...0.@Co......@..@.data....;.......@.........@.;......@....pdata..8..................@8.......@..@.rsrc......................@........@..@.reloc..1..................@1.......@..B.vxl............. .........@........@..@.qwubgr.$....0... ...0...0.@$.......@..@.eer....
                                                                                                Process:C:\Windows\explorer.exe
                                                                                                File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                Category:dropped
                                                                                                Size (bytes):1376256
                                                                                                Entropy (8bit):5.093356085119384
                                                                                                Encrypted:false
                                                                                                SSDEEP:12288:3ZgJtlQepQn+NDo7nIYegQCLDF/B9wvj/cLvVZFuw:3ZK6F7n5eRmDFJivohZFV
                                                                                                MD5:094F25E8EE0B130D03AE8565EC8BF099
                                                                                                SHA1:5988CCA553B95A1D599AF1409602270FC2E97713
                                                                                                SHA-256:B738ACDF220BAB43ED0EF6E0ABBBEDF3037FA9B654626C526393ECADB11D756B
                                                                                                SHA-512:485AF608EE610ECDC4AE8471415EEBBA38A47A1312CDBE8A5B9E3E5DC6D40707570D37C819B572E25F59199ED645D75B973BA042C049302AF39BF77CBB2B808D
                                                                                                Malicious:true
                                                                                                Antivirus:
                                                                                                • Antivirus: Avira, Detection: 100%
                                                                                                • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                Preview:MZ......................@.......................................X..Z.qb..qb..qb.a...jqb.s....qb.9...\qb.s...(qb......qb..#.. qb../b..qb......qb.....Hqb..(c./qb.r,f..qb..(c..qb.;...,qb../..Tqb.....Zqb......qb.z...Bqb.....nqb.....[qb.....qb.;...{qb......qb..#...qb...f.oqb....hqb.z....qb.....:qb.;...tqb.Rich.qb.................................................................................................PE..d.=...}^.........." ..... ...........$.........@..........................................`.................................................$...<....................................................................................0..(............................text............ .........@........ ..`.rdata..Co...0...p...0...0.@Co......@..@.data....;.......@.........@.;......@....pdata..8..................@8.......@..@.rsrc......................@........@..@.reloc..1..................@1.......@..B.vxl............. .........@........@..@.qwubgr.$....0... ...0...0.@$.......@..@.eer....
                                                                                                Process:C:\Windows\explorer.exe
                                                                                                File Type:PE32+ executable (GUI) x86-64, for MS Windows
                                                                                                Category:dropped
                                                                                                Size (bytes):49688
                                                                                                Entropy (8bit):6.083384253651048
                                                                                                Encrypted:false
                                                                                                SSDEEP:768:vcqpeHOwVxW4zmjjJF686T/5Lel2fBetjEWI9Whu3H1PcSP:vcEoVxJodg/tfiEAhu3VPcSP
                                                                                                MD5:7C3D09D6DB5DB4A272FCF4C1BB3986BD
                                                                                                SHA1:F0C392891B6D73EADB20F669A29064910507E55E
                                                                                                SHA-256:E459FF6CBA8C93589B206C07BDCCD2E6C57766BE6BB4754F2FB1DEF9EF2E3BDE
                                                                                                SHA-512:6CFE325CD0A78D6ACC9473BA51069E234CB0F9A47F285A6204EE787902C77005491B41C301DD38602CC387329F214E700F9203E4ECE5077E58D30276821640E4
                                                                                                Malicious:true
                                                                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........0._.Q`..Q`..Q`..)...Q`..5c..Q`..5d..Q`..Qa..Q`..5a..Q`..5e..Q`..5n..Q`..5...Q`..5b..Q`.Rich.Q`.................PE..d...^.A..........."......R...V......P).........@....................................s.....`.......... ......................................h...........`................$..........`z..T...........................Pq..............`r......H...`....................text....Q.......R.................. ..`.rdata..T-...p.......V..............@..@.data...............................@....pdata..............................@..@.didat..0...........................@....rsrc...`...........................@..@.reloc..............................@..B........................................................................................................................................................................................................................
                                                                                                Process:C:\Windows\explorer.exe
                                                                                                File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                Category:dropped
                                                                                                Size (bytes):1372160
                                                                                                Entropy (8bit):5.0819568503752945
                                                                                                Encrypted:false
                                                                                                SSDEEP:12288:7ZgJtlQepQn+NDo7nIYegQCLDF/B9wvj/cLvVZFuw:7ZK6F7n5eRmDFJivohZFV
                                                                                                MD5:A9D03770C3381277E769A3A10F4FA7BA
                                                                                                SHA1:A9968FB16A693C97870A01AC3F6448B4029B02EB
                                                                                                SHA-256:4D5CEA934217B0CAD20DE8A5D5A7E7E9E09FBBC46025CB9CED2857964CF0D72F
                                                                                                SHA-512:7A1AF1FF937D496AA040195A998320FF4F9240CA0D7B223EBDAC29E02ADFA6A91EE010A1AE287F7AC9111B0BBB965898EFEF9373F805FD1335D5F254809E6EEC
                                                                                                Malicious:true
                                                                                                Antivirus:
                                                                                                • Antivirus: Avira, Detection: 100%
                                                                                                • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                Preview:MZ......................@.......................................X..Z.qb..qb..qb.a...jqb.s....qb.9...\qb.s...(qb......qb..#.. qb../b..qb......qb.....Hqb..(c./qb.r,f..qb..(c..qb.;...,qb../..Tqb.....Zqb......qb.z...Bqb.....nqb.....[qb.....qb.;...{qb......qb..#...qb...f.oqb....hqb.z....qb.....:qb.;...tqb.Rich.qb.................................................................................................PE..d.=...}^.........." ..... ...........$.........@..........................................`.............................................#...$...<....................................................................................0..(............................text............ .........@........ ..`.rdata..Co...0...p...0...0.@Co......@..@.data....;.......@.........@.;......@....pdata..8..................@8.......@..@.rsrc......................@........@..@.reloc..1..................@1.......@..B.vxl............. .........@........@..@.qwubgr.$....0... ...0...0.@$.......@..@.eer....
                                                                                                Process:C:\Windows\explorer.exe
                                                                                                File Type:PE32+ executable (GUI) x86-64, for MS Windows
                                                                                                Category:dropped
                                                                                                Size (bytes):3640832
                                                                                                Entropy (8bit):5.884402821447862
                                                                                                Encrypted:false
                                                                                                SSDEEP:98304:q8yNOTNEpZxGb+ZPgN6tYDNBMe+8noqvEYw0n2WFfZT+xgsLOsMg:q8yNOTNEpZxk+ZIN6tYDNBMe+8noqvEB
                                                                                                MD5:3FBB5CD8829E9533D0FF5819DB0444C0
                                                                                                SHA1:A4A6E4E50421E57EA4745BA44568B107A9369447
                                                                                                SHA-256:043870DBAB955C1851E1710D941495357383A08F3F30DD3E3A1945583A85E0CA
                                                                                                SHA-512:349459CCF4DDFB0B05B066869C99088BA3012930D5BBC3ED1C9E4CF6400687B1EFE698C5B1734BF6FF299F6C65DD7A71A2709D3773E9E96F6FDE659F5D883F48
                                                                                                Malicious:false
                                                                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$......... w.dN$.dN$.dN$..M%.dN$..J%.dN$..K%.dN$..O%.dN$.dO$TfN$..G%.eN$...$.dN$..L%.dN$Rich.dN$........PE..d.....Y..........."......$....%.....p..........@..............................7......K8...`..................................................].......p..H>!.....`.............7. *..P...T...........................`...............`........\..`....................text....".......$.................. ..`.rdata...\...@...^...(..............@..@.data...P(..........................@....pdata..`...........................@..@.didat..(....`....... ..............@....rsrc...H>!..p...@!.."..............@..@.reloc.. *....7..,...b7.............@..B........................................................................................................................................................................................................................................
                                                                                                Process:C:\Windows\explorer.exe
                                                                                                File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                Category:dropped
                                                                                                Size (bytes):1372160
                                                                                                Entropy (8bit):5.069365048727469
                                                                                                Encrypted:false
                                                                                                SSDEEP:12288:QZgJtlQepQn+NDo7nIYegQCLDF/B9wvj/cLvVZFuw:QZK6F7n5eRmDFJivohZFV
                                                                                                MD5:7030AA0D1AD9097FBA4716E8769ADF1C
                                                                                                SHA1:238ADB06CB99D070EC79034110FB65D5E854859E
                                                                                                SHA-256:A847A1B3D028F0F305E1EA8B62B07690DEC695682DA8C5015CE9AB6F9EF69ABC
                                                                                                SHA-512:2919F2D46B8364A8F05D7E46F2356AE6174821CD9A3658EB27A4A8F4C0FC5CDEDD87CD26EEE3DA281E8F5F3D9AF04192E443BC94F910A188F8B6369802BC877E
                                                                                                Malicious:true
                                                                                                Antivirus:
                                                                                                • Antivirus: Avira, Detection: 100%
                                                                                                • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                Preview:MZ......................@.......................................X..Z.qb..qb..qb.a...jqb.s....qb.9...\qb.s...(qb......qb..#.. qb../b..qb......qb.....Hqb..(c./qb.r,f..qb..(c..qb.;...,qb../..Tqb.....Zqb......qb.z...Bqb.....nqb.....[qb.....qb.;...{qb......qb..#...qb...f.oqb....hqb.z....qb.....:qb.;...tqb.Rich.qb.................................................................................................PE..d.=...}^.........." ..... ...........$.........@..........................................`.............................................y...$...<....................................................................................0..(............................text............ .........@........ ..`.rdata..Co...0...p...0...0.@Co......@..@.data....;.......@.........@.;......@....pdata..8..................@8.......@..@.rsrc......................@........@..@.reloc..1..................@1.......@..B.vxl............. .........@........@..@.qwubgr.$....0... ...0...0.@$.......@..@.eer....
                                                                                                Process:C:\Windows\explorer.exe
                                                                                                File Type:PE32+ executable (GUI) x86-64, for MS Windows
                                                                                                Category:dropped
                                                                                                Size (bytes):577024
                                                                                                Entropy (8bit):7.365924302927238
                                                                                                Encrypted:false
                                                                                                SSDEEP:12288:KEpKNOQ/1mgFgnHF+2ryqfut4iob3vBzx4PQpIQbwhsi:lpKbbFgl+2Oqfuqiob3JUFs
                                                                                                MD5:809E11DECADAEBE2454EFEDD620C4769
                                                                                                SHA1:A121B9FC2010247C65CE8975FE4D88F5E9AC953E
                                                                                                SHA-256:8906D8D8BCD7C8302A3E56EA2EBD0357748ACC9D3FDA91925609C742384B9CC2
                                                                                                SHA-512:F78F46437C011C102A9BCEC2A8565EDC75500C9448AC17457FF44D3C8DB1980F772C0D1546F1DEE0F8A6F2C7273A5A915860B768DE9BB24EBEFE2907CE18B0DF
                                                                                                Malicious:false
                                                                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......%.].a.3.a.3.a.3.h.u.3...6.`.3...7.t.3...2.n.3.a.2...3...=.r.3...0.e.3....`.3...1.`.3.Richa.3.........PE..d...b.............".................0..........@................CS P................3................ .......................................Y..h................J......................T............................S...............z..`............................text............................... ..`?g_Encry.-.......................... ..`.rdata..._.......`..................@..@.data........p.......V..............@....pdata...J.......L...d..............@..@.rsrc...............................@..@.reloc..............................@..B................................................................................................................................................................................................................................
                                                                                                Process:C:\Windows\explorer.exe
                                                                                                File Type:data
                                                                                                Category:dropped
                                                                                                Size (bytes):1450
                                                                                                Entropy (8bit):7.341856001318595
                                                                                                Encrypted:false
                                                                                                SSDEEP:24:Uk1KaW6dGUcke/TZTy9huyg1FxVOJ8Mk20PrbBuN1rhbzQcR8Yw76s80c+:UwKZBUckerYh/g19u8F2Ub8N1NXQcGYO
                                                                                                MD5:464F2980E43A11D0B043075EFE6C5BF4
                                                                                                SHA1:41A667A8B3E476E64CB9C026908057E9FD420507
                                                                                                SHA-256:EF19B78322AB9FF8DF1F08E2936B698BD7A57E490EA7E40E675421D60344EDF6
                                                                                                SHA-512:162D82A7F9C8B2F152331CDA46B34A428B329F506FE854B6203653F99A0E1125D664ADE6C08E878216C9E957606314323251B6B7ED3ABC82884E243F7E094A5F
                                                                                                Malicious:false
                                                                                                Preview:........................................user.....................RSA1................a>.(.p_{..E..%......Lr...z...$f....y7)b<.. ...b...............0........s..`).F.g.t......o<..j.n..X.R...XqM....\....~?.,......................z..O......w...L.aI....?E......,...C.r.y.p.t.o.A.P.I. .P.r.i.v.a.t.e. .K.e.y....f...... ....u/..0.Y..U;...{5}.y..9MFX..l.............. ....G`.....hj.Lwi........Zu2.\/.fI.............).z#..#....@.. U....j..{.C.Z.Ufd...mX.Q%..2.^7.J/.<.'0..m...:.m%.[g...D.Ky...y..0."...R.IB.X..H.W...T.+X..-).....*.4.......SY..7..Leb.^...6=.j......,.N.b_.5.eqA..%..Xp.........H{7..A..71.Pe.f.V%...O#.cR.......zC..t.X..~e2X..d....V<......H@.qE....r`...0..._....;.U....A..w.........^.lD.!Y...].....Fm;Nf]7.f....Dw{.jC...<... .;pC~.Ke'iL..p5...Z.b.n..Zz..J <<&d..$i.lf.......*{.9^.J.j{..+.....5.b.u.g. .w.{q.O........d....=T.....8P-.....\)$.1.......z....V.~*.].m`bV.g.!4....z.~GI...[3...V?#..;.bg.A...n.....*.$O..{+.o".bm!J.p..H..@..&wlT..Jn..1GAT......
                                                                                                File type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                Entropy (8bit):5.088449668278153
                                                                                                TrID:
                                                                                                • Win64 Dynamic Link Library (generic) (102004/3) 86.43%
                                                                                                • Win64 Executable (generic) (12005/4) 10.17%
                                                                                                • Generic Win/DOS Executable (2004/3) 1.70%
                                                                                                • DOS Executable Generic (2002/1) 1.70%
                                                                                                • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.01%
                                                                                                File name:eWlldJYfLc.dll
                                                                                                File size:1368064
                                                                                                MD5:d098d01cbea52f858bce6d0d9faa5b26
                                                                                                SHA1:952ce9cd899108c2821bf488b98387b6db8424b8
                                                                                                SHA256:82c89b2a758177c7cfb7c1763b0444281c6b670deef015a886c866f18dbd8370
                                                                                                SHA512:ca6b21d580689b8e50b55277d9630e972da202270800c3820c060782f464115220674cfcf78fb3253c5d4607cebf23f087a5281a7a324f94aa75b97a8329f702
                                                                                                SSDEEP:12288:LZgJtlQepQn+NDo7nIYegQCLDF/B9wvj/cLvVZFuw:LZK6F7n5eRmDFJivohZFV
                                                                                                File Content Preview:MZ......................@.......................................X..Z.qb..qb..qb.a...jqb.s....qb.9...\qb.s...(qb......qb..#.. qb../b..qb......qb.....Hqb..(c./qb.r,f..qb..(c..qb.;...,qb../..Tqb.....Zqb......qb.z...Bqb.....nqb.....[qb......qb.;...{qb......qb
                                                                                                Icon Hash:74f0e4ecccdce0e4
                                                                                                Entrypoint:0x1400424b0
                                                                                                Entrypoint Section:.text
                                                                                                Digitally signed:false
                                                                                                Imagebase:0x140000000
                                                                                                Subsystem:windows gui
                                                                                                Image File Characteristics:EXECUTABLE_IMAGE, DLL, LARGE_ADDRESS_AWARE
                                                                                                DLL Characteristics:TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA
                                                                                                Time Stamp:0x5E7D9D05 [Fri Mar 27 06:28:21 2020 UTC]
                                                                                                TLS Callbacks:
                                                                                                CLR (.Net) Version:
                                                                                                OS Version Major:5
                                                                                                OS Version Minor:0
                                                                                                File Version Major:5
                                                                                                File Version Minor:0
                                                                                                Subsystem Version Major:5
                                                                                                Subsystem Version Minor:0
                                                                                                Import Hash:4a2e61e1749a0183eccaadb9c4ef6ec2
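The static fields listed above (entrypoint, image base, time stamp, file and DLL characteristics, section names) can be pulled out of a sample without a sandbox, and the odd section names visible in the dropped-file previews (`.vxl`, `.qwubgr`, `.eer` in the DLL copies, `?g_Encry` in one dropped executable) are what the "PE file contains section with special chars" signature refers to. The following is an added example for this report, not Joe Sandbox code: a stdlib-only Python parser that reads the COFF and optional headers, decodes the time stamp and flag words, computes per-section entropy and flags section names outside the usual toolchain set. The image it parses is a constructed PE32+ skeleton from `build_sample_pe()`, a hypothetical stand-in that reuses the report's image base, time stamp and DLL characteristics; it is not one of the dropped files.

```python
# Stdlib-only PE32/PE32+ triage: header fields, time stamp, section names, entropy.
# Added example; the sample image from build_sample_pe() is constructed here.
import math
import struct
from datetime import datetime, timezone

# Section names mainstream toolchains emit; anything else deserves a look.
STANDARD_SECTIONS = {
    b".text", b".rdata", b".data", b".pdata", b".xdata", b".idata", b".edata",
    b".rsrc", b".reloc", b".tls", b".bss", b".didat", b".CRT", b".debug",
    b".gfids", b".00cfg", b".textbss", b".sdata", b".sxdata", b".ndata",
}
FILE_CHARACTERISTICS = {0x0002: "EXECUTABLE_IMAGE", 0x0020: "LARGE_ADDRESS_AWARE", 0x2000: "DLL"}
DLL_CHARACTERISTICS = {
    0x0020: "HIGH_ENTROPY_VA", 0x0040: "DYNAMIC_BASE", 0x0080: "FORCE_INTEGRITY",
    0x0100: "NX_COMPAT", 0x0400: "NO_SEH", 0x1000: "APPCONTAINER",
    0x4000: "GUARD_CF", 0x8000: "TERMINAL_SERVER_AWARE",
}


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for constant data, 8.0 for uniform; packed code sits near 7-8."""
    if not data:
        return 0.0
    n, counts = len(data), [0] * 256
    for b in data:
        counts[b] += 1
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def decode_timestamp(ts: int) -> str:
    """COFF TimeDateStamp is seconds since the Unix epoch (easily forged, still worth noting)."""
    return datetime.fromtimestamp(ts, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S UTC")


def _flags(value: int, table: dict) -> list:
    return [name for bit, name in sorted(table.items()) if value & bit]


def odd_section_name(name: bytes) -> bool:
    """True for names outside the common set or containing non-printable bytes."""
    printable = all(0x20 < b < 0x7F for b in name)
    return not printable or name not in STANDARD_SECTIONS


def parse_pe(data: bytes) -> dict:
    if data[:2] != b"MZ":
        raise ValueError("no MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature")
    coff = e_lfanew + 4
    machine, nsec, ts, _, _, opt_size, chars = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    entry = struct.unpack_from("<I", data, opt + 16)[0]        # AddressOfEntryPoint (RVA)
    if magic == 0x20B:                                          # PE32+: 8-byte ImageBase at +24
        image_base = struct.unpack_from("<Q", data, opt + 24)[0]
    elif magic == 0x10B:                                        # PE32: ImageBase at +28
        image_base = struct.unpack_from("<I", data, opt + 28)[0]
    else:
        raise ValueError(f"unknown optional header magic {magic:#x}")
    subsystem, dll_chars = struct.unpack_from("<HH", data, opt + 68)
    sections, entry_section = [], None
    for i in range(nsec):
        raw_name, vsize, vaddr, rsize, rptr = struct.unpack_from("<8sIIII", data, opt + opt_size + 40 * i)
        name = raw_name.rstrip(b"\0")
        body = data[rptr:rptr + rsize]
        sections.append({"name": name.decode("latin-1"), "entropy": round(shannon_entropy(body), 3),
                         "odd_name": odd_section_name(name)})
        if vaddr <= entry < vaddr + max(vsize, rsize):
            entry_section = name.decode("latin-1")
    return {
        "format": "PE32+" if magic == 0x20B else "PE32", "machine": machine,
        "num_sections": nsec, "timestamp": decode_timestamp(ts),
        "file_characteristics": _flags(chars, FILE_CHARACTERISTICS),
        "image_base": image_base, "entrypoint_va": image_base + entry,
        "entrypoint_section": entry_section, "subsystem": subsystem,
        "dll_characteristics": _flags(dll_chars, DLL_CHARACTERISTICS),
        "sections": sections, "odd_sections": [s["name"] for s in sections if s["odd_name"]],
    }


def build_sample_pe(names=(b".text", b".rdata", b".vxl", b".qwubgr")) -> bytes:
    """Constructed PE32+ DLL skeleton (hypothetical, not a dropped file) to exercise parse_pe()."""
    align, opt_size, e_lfanew = 0x200, 240, 0x80
    hdr_len = -(-(e_lfanew + 4 + 20 + opt_size + 40 * len(names)) // align) * align
    dos = (b"MZ" + b"\0" * 0x3A + struct.pack("<I", e_lfanew)).ljust(e_lfanew, b"\0")
    coff = struct.pack("<HHIIIHH", 0x8664, len(names), 0x5E7D9D05, 0, 0, opt_size, 0x2022)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x20B)
    struct.pack_into("<I", opt, 16, 0x1010)            # entrypoint RVA inside .text
    struct.pack_into("<Q", opt, 24, 0x140000000)       # ImageBase, as in the report
    struct.pack_into("<II", opt, 32, 0x1000, align)    # section / file alignment
    struct.pack_into("<I", opt, 60, hdr_len)           # SizeOfHeaders
    struct.pack_into("<HH", opt, 68, 2, 0x8160)        # GUI; TS_AWARE|NX_COMPAT|DYNAMIC_BASE|HIGH_ENTROPY_VA
    sec_hdrs, bodies = b"", b""
    for i, name in enumerate(names):
        body = bytes(range(256)) * 2 if i == 0 else bytes([i]) * align   # 8.0 vs 0.0 bits of entropy
        sec_hdrs += struct.pack("<8sIIIIIIHHI", name.ljust(8, b"\0"), len(body), 0x1000 * (i + 1),
                                len(body), hdr_len + len(bodies), 0, 0, 0, 0, 0x60000020)
        bodies += body
    return (dos + b"PE\0\0" + coff + bytes(opt) + sec_hdrs).ljust(hdr_len, b"\0") + bodies


if __name__ == "__main__":
    import json
    print(json.dumps(parse_pe(build_sample_pe()), indent=2))
```

Run against a real dropped file with `parse_pe(open(path, "rb").read())`; the entropy values are per section rather than whole-file, so a packed or encrypted payload section stands out even when the file-level entropy (about 5.1 for the DLL copies above) looks unremarkable.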
                                                                                                 Instruction (entrypoint disassembly; the listing decodes this x86-64 image in 32-bit mode, so each `dec eax` / `dec esp` is a REX prefix byte (0x48 / 0x4C) shown as a stand-alone instruction, and the `mov dword ptr [disp]` that follows it is really a 64-bit RIP-relative `mov`; read the sequence below as x64 register spills ahead of the `jmp ecx` tail)
                                                                                                dec eax
                                                                                                mov dword ptr [00070639h], ecx
                                                                                                dec eax
                                                                                                lea ecx, dword ptr [FFFFF2F2h]
                                                                                                dec esp
                                                                                                mov dword ptr [0007064Bh], eax
                                                                                                dec esp
                                                                                                mov dword ptr [00070654h], edi
                                                                                                dec esp
                                                                                                mov dword ptr [00070655h], esi
                                                                                                dec eax
                                                                                                xor eax, eax
                                                                                                dec eax
                                                                                                inc eax
                                                                                                dec eax
                                                                                                add ecx, eax
                                                                                                dec esp
                                                                                                mov dword ptr [00070655h], esp
                                                                                                dec eax
Name                                  Virtual Address  Virtual Size  Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT          0x14d010         0x8ee         .pmeh
IMAGE_DIRECTORY_ENTRY_IMPORT          0xa9924          0x3c          .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE        0xbf000          0x3d8         .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x0              0x0
IMAGE_DIRECTORY_ENTRY_SECURITY        0x1000           0x0           .text
IMAGE_DIRECTORY_ENTRY_BASERELOC       0xc0000          0xefc         .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG           0x0              0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0              0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0              0x0
IMAGE_DIRECTORY_ENTRY_TLS             0x0              0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0x0              0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_IAT             0x43000          0x28          .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x0              0x0
IMAGE_DIRECTORY_ENTRY_RESERVED        0x0              0x0

Name      Virtual Address  Virtual Size  Raw Size  Xored PE  ZLIB Complexity  File Type           Entropy         Characteristics
.text     0x1000           0x418cc       0x42000   False     0.781412760417   data                7.78392111205   IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rdata    0x43000          0x66f43       0x67000   False     0.700320938258   data                7.87281050709   IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data     0xaa000          0x13ba7       0x14000   False     0.0782836914062  data                2.51707039551   IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.pdata    0xbe000          0x138         0x1000    False     0.061279296875   PEX Binary Archive  0.599172422844  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc     0xbf000          0x69e         0x1000    False     0.123291015625   data                1.07831823765   IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc    0xc0000          0xf31         0x1000    False     0.416748046875   data                5.36145191459   IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
.vxl      0xc1000          0x14d4        0x2000    False     0.0037841796875  data                0.0             IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.qwubgr   0xc3000          0x1124        0x2000    False     0.0037841796875  data                0.0             IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.eer      0xc5000          0x1e66        0x2000    False     0.0037841796875  data                0.0             IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.xwwauf   0xc7000          0x9cd         0x1000    False     0.00634765625    data                0.0             IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.pkc      0xc8000          0x42a         0x1000    False     0.00634765625    data                0.0             IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.npkda    0xc9000          0x736         0x1000    False     0.00634765625    data                0.0             IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.vhs      0xca000          0x1af         0x1000    False     0.00634765625    data                0.0             IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.iaywj    0xcb000          0x1455        0x2000    False     0.0037841796875  data                0.0             IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.nasi     0xcd000          0x8fe         0x1000    False     0.00634765625    data                0.0             IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.zhvprh   0xce000          0x6cd0        0x7000    False     0.00177873883929 data                0.0             IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.yatdsp   0xd5000          0x543         0x1000    False     0.00634765625    data                0.0             IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.njso     0xd6000          0x1278        0x2000    False     0.0037841796875  data                0.0             IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.lgliat   0xd8000          0x736         0x1000    False     0.00634765625    data                0.0             IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.ntqjh    0xd9000          0xbf6         0x1000    False     0.00634765625    data                0.0             IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.sucsek   0xda000          0x23b         0x1000    False     0.00634765625    data                0.0             IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.qsxjui   0xdb000          0x9cd         0x1000    False     0.00634765625    data                0.0             IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.twctcm   0xdc000          0x1124        0x2000    False     0.0037841796875  data                0.0             IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.nms      0xde000          0x23b         0x1000    False     0.00634765625    data                0.0             IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.ogj      0xdf000          0x1278        0x2000    False     0.0037841796875  data                0.0             IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.vrkgb    0xe1000          0x706         0x1000    False     0.00634765625    data                0.0             IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.gikfw    0xe2000          0x8fe         0x1000    False     0.00634765625    data                0.0             IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.ktl      0xe3000          0x9cd         0x1000    False     0.00634765625    data                0.0             IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.crcn     0xe4000          0x5a7         0x1000    False     0.00634765625    data                0.0             IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.wtfr     0xe5000          0x1ee         0x1000    False     0.00634765625    data                0.0             IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.hep      0xe6000          0x13e         0x1000    False     0.00634765625    data                0.0             IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.ywg      0xe7000          0xd33         0x1000    False     0.00634765625    data                0.0             IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.sqsp     0xe8000          0x2da         0x1000    False     0.00634765625    data                0.0             IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.gzb      0xe9000          0x23b         0x1000    False     0.00634765625    data                0.0             IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.fatlss   0xea000          0x736         0x1000    False     0.00634765625    data                0.0             IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.plqa     0xeb000          0x13e         0x1000    False     0.00634765625    data                0.0             IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.vzt      0xec000          0x13e         0x1000    False     0.00634765625    data                0.0             IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.dsbyd    0xed000          0x1e66        0x2000    False     0.0037841796875  data                0.0             IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.cdelc    0xef000          0x736         0x1000    False     0.00634765625    data                0.0             IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.qkhkj    0xf0000          0x5a7         0x1000    False     0.00634765625    data                0.0             IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.mnzegr   0xf1000          0x13e         0x1000    False     0.00634765625    data                0.0             IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.krw      0xf2000          0x23b         0x1000    False     0.00634765625    data                0.0             IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.jvsmn    0xf3000          0x389         0x1000    False     0.00634765625    data                0.0             IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.bygpq    0xf4000          0x1278        0x2000    False     0.0037841796875  data                0.0             IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.kzdbu    0xf6000          0xbde         0x1000    False     0.00634765625    data                0.0             IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.mwxorn   0xf7000          0x3fe         0x1000    False     0.00634765625    data                0.0             IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.raf      0xf8000          0x389         0x1000    False     0.00634765625    data                0.0             IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.zcyw     0xf9000          0x2da         0x1000    False     0.00634765625    data                0.0             IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.zeczh    0xfa000          0x128f        0x2000    False     0.0037841796875  data                0.0             IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.pvv      0xfc000          0x13e         0x1000    False     0.00634765625    data                0.0             IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.lug      0xfd000          0x45174       0x46000   False     0.0010498046875  data                0.0             IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.ski      0x143000         0x8fe         0x1000    False     0.00634765625    data                0.0             IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.japjd    0x144000         0x128f        0x2000    False     0.0037841796875  data                0.0             IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.mwtzml   0x146000         0x8fe         0x1000    False     0.00634765625    data                0.0             IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.vgssf    0x147000         0x13e         0x1000    False     0.00634765625    data                0.0             IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.gsroye   0x148000         0x1278        0x2000    False     0.0037841796875  data                0.0             IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.vcmr     0x14a000         0x23b         0x1000    False     0.00634765625    data                0.0             IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.ufki     0x14b000         0x389         0x1000    False     0.00634765625    data                0.0             IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.btl      0x14c000         0x2da         0x1000    False     0.00634765625    data                0.0             IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.pmeh     0x14d000         0x8fe         0x1000    False     0.25537109375    data                3.73292380196   IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Name          RVA       Size    Type                                      Language  Country
RT_VERSION    0xbf0a0   0x2dc   data                                      English   United States
RT_MANIFEST   0xbf380   0x56    ASCII text, with CRLF line terminators    English   United States

DLL           Import
ADVAPI32.dll  GetServiceDisplayNameW
KERNEL32.dll  LoadLibraryA, HeapUnlock

Name                                Ordinal  Address
IsInteractiveUserSession            1        0x14001b188
QueryActiveSession                  2        0x14002de80
QueryUserToken                      3        0x140021f90
RegisterUsertokenForNoWinlogon      4        0x140037744
WTSCloseServer                      5        0x140001e84
WTSConnectSessionA                  6        0x1400128ec
WTSConnectSessionW                  7        0x14003b464
WTSCreateListenerA                  8        0x14003ca60
WTSCreateListenerW                  9        0x140016670
WTSDisconnectSession                10       0x14002e280
WTSEnableChildSessions              11       0x14001d394
WTSEnumerateListenersA              12       0x140008b14
WTSEnumerateListenersW              13       0x14000ae90
WTSEnumerateProcessesA              14       0x140006aa4
WTSEnumerateProcessesExA            15       0x140036e0c
WTSEnumerateProcessesExW            16       0x14003dd78
WTSEnumerateProcessesW              17       0x1400040c8
WTSEnumerateServersA                18       0x140035160
WTSEnumerateServersW                19       0x140038de0
WTSEnumerateSessionsA               20       0x140031ca8
WTSEnumerateSessionsExA             21       0x14000d828
WTSEnumerateSessionsExW             22       0x14001fae0
WTSEnumerateSessionsW               23       0x1400287b8
WTSFreeMemory                       24       0x14002b15c
WTSFreeMemoryExA                    25       0x140029c60
WTSFreeMemoryExW                    26       0x14000a54c
WTSGetChildSessionId                27       0x140037034
WTSGetListenerSecurityA             28       0x140010070
WTSGetListenerSecurityW             29       0x14002dea0
WTSIsChildSessionsEnabled           30       0x14002b160
WTSLogoffSession                    31       0x14002f53c
WTSOpenServerA                      32       0x140026a74
WTSOpenServerExA                    33       0x140028860
WTSOpenServerExW                    34       0x14002380c
WTSOpenServerW                      35       0x14002aa8c
WTSQueryListenerConfigA             36       0x140019714
WTSQueryListenerConfigW             37       0x1400401a4
WTSQuerySessionInformationA         38       0x140030ae4
WTSQuerySessionInformationW         39       0x140024f78
WTSQueryUserConfigA                 40       0x14002490c
WTSQueryUserConfigW                 41       0x14003dda8
WTSQueryUserToken                   42       0x140004d64
WTSRegisterSessionNotification      43       0x140008d84
WTSRegisterSessionNotificationEx    44       0x14001a96c
WTSSendMessageA                     45       0x14003dd78
WTSSendMessageW                     46       0x14000a2cc
WTSSetListenerSecurityA             47       0x140037dec
WTSSetListenerSecurityW             48       0x140033d00
WTSSetRenderHint                    49       0x1400309e8
WTSSetSessionInformationA           50       0x140027a8c
WTSSetSessionInformationW           51       0x140020908
WTSSetUserConfigA                   52       0x140013664
WTSSetUserConfigW                   53       0x14002f130
WTSShutdownSystem                   54       0x1400234cc
WTSStartRemoteControlSessionA       55       0x14002f0b0
WTSStartRemoteControlSessionW       56       0x140040e90
WTSStopRemoteControlSession         57       0x14000daec
WTSTerminateProcess                 58       0x1400270d8
WTSUnRegisterSessionNotification    59       0x14002c144
WTSUnRegisterSessionNotificationEx  60       0x140035390
WTSVirtualChannelClose              61       0x140042810
WTSVirtualChannelOpen               62       0x140035678
WTSVirtualChannelOpenEx             63       0x14002dff4
WTSVirtualChannelPurgeInput         64       0x14000e808
WTSVirtualChannelPurgeOutput        65       0x14003aacc
WTSVirtualChannelQuery              66       0x1400235d4
WTSVirtualChannelRead               67       0x140041888
WTSVirtualChannelWrite              68       0x14000c228
WTSWaitSystemEvent                  69       0x140038334

Description       Data
LegalCopyright    Microsoft Corporation. All rights
InternalName      dpnhup
FileVersion       1.56
CompanyName       Microsoft C
ProductName       Sysinternals Streams
ProductVersion    6.1
FileDescription   Thai K
OriginalFilename  dpnhupnp.d
Translation       0x0409 0x04b0

Language of compilation system  Country where language is spoken
English                         United States

No network behavior found

Target ID: 0
Start time: 15:47:10
Start date: 23/03/2022
Path: C:\Windows\System32\loaddll64.exe
Wow64 process (32bit): false
Commandline: loaddll64.exe "C:\Users\user\Desktop\eWlldJYfLc.dll"
Imagebase: 0x7ff72e730000
File size: 140288 bytes
MD5 hash: 4E8A40CAD6CCC047914E3A7830A2D8AA
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_Dridex_2, Description: Yara detected Dridex unpacked file, Source: 00000000.00000002.280898080.00007FFC670C1000.00000020.00000001.01000000.00000003.sdmp, Author: Joe Security
Reputation: moderate

                                                                                                Target ID:1
                                                                                                Start time:15:47:11
                                                                                                Start date:23/03/2022
                                                                                                Path:C:\Windows\System32\cmd.exe
                                                                                                Wow64 process (32bit):false
                                                                                                Commandline:cmd.exe /C rundll32.exe "C:\Users\user\Desktop\eWlldJYfLc.dll",#1
                                                                                                Imagebase:0x7ff64ce50000
                                                                                                File size:273920 bytes
                                                                                                MD5 hash:4E2ACF4F8A396486AB4268C94A6A245F
                                                                                                Has elevated privileges:true
                                                                                                Has administrator privileges:true
                                                                                                Programmed in:C, C++ or other language
                                                                                                Reputation:high

                                                                                                Target ID:2
                                                                                                Start time:15:47:12
                                                                                                Start date:23/03/2022
                                                                                                Path:C:\Windows\System32\rundll32.exe
                                                                                                Wow64 process (32bit):false
                                                                                                Commandline:rundll32.exe C:\Users\user\Desktop\eWlldJYfLc.dll,IsInteractiveUserSession
                                                                                                Imagebase:0x7ff7ef960000
                                                                                                File size:69632 bytes
                                                                                                MD5 hash:73C519F050C20580F8A62C849D49215A
                                                                                                Has elevated privileges:true
                                                                                                Has administrator privileges:true
                                                                                                Programmed in:C, C++ or other language
                                                                                                Yara matches:
                                                                                                • Rule: JoeSecurity_Dridex_2, Description: Yara detected Dridex unpacked file, Source: 00000002.00000002.382839680.00007FFC670C1000.00000020.00000001.01000000.00000003.sdmp, Author: Joe Security
                                                                                                Reputation:high

                                                                                                Target ID:3
                                                                                                Start time:15:47:12
                                                                                                Start date:23/03/2022
                                                                                                Path:C:\Windows\System32\rundll32.exe
                                                                                                Wow64 process (32bit):false
                                                                                                Commandline:rundll32.exe "C:\Users\user\Desktop\eWlldJYfLc.dll",#1
                                                                                                Imagebase:0x7ff7ef960000
                                                                                                File size:69632 bytes
                                                                                                MD5 hash:73C519F050C20580F8A62C849D49215A
                                                                                                Has elevated privileges:true
                                                                                                Has administrator privileges:true
                                                                                                Programmed in:C, C++ or other language
                                                                                                Yara matches:
                                                                                                • Rule: JoeSecurity_Dridex_2, Description: Yara detected Dridex unpacked file, Source: 00000003.00000002.260901088.00007FFC670C1000.00000020.00000001.01000000.00000003.sdmp, Author: Joe Security
                                                                                                Reputation:high

                                                                                                Target ID:4
                                                                                                Start time:15:47:14
                                                                                                Start date:23/03/2022
                                                                                                Path:C:\Windows\explorer.exe
                                                                                                Wow64 process (32bit):false
                                                                                                Commandline:C:\Windows\Explorer.EXE
                                                                                                Imagebase:0x7ff6b8cf0000
                                                                                                File size:3933184 bytes
                                                                                                MD5 hash:AD5296B280E8F522A8A897C96BAB0E1D
                                                                                                Has elevated privileges:false
                                                                                                Has administrator privileges:false
                                                                                                Programmed in:C, C++ or other language
                                                                                                Reputation:high

                                                                                                Target ID:6
                                                                                                Start time:15:47:15
                                                                                                Start date:23/03/2022
                                                                                                Path:C:\Windows\System32\rundll32.exe
                                                                                                Wow64 process (32bit):false
                                                                                                Commandline:rundll32.exe C:\Users\user\Desktop\eWlldJYfLc.dll,QueryActiveSession
                                                                                                Imagebase:0x7ff7ef960000
                                                                                                File size:69632 bytes
                                                                                                MD5 hash:73C519F050C20580F8A62C849D49215A
                                                                                                Has elevated privileges:true
                                                                                                Has administrator privileges:true
                                                                                                Programmed in:C, C++ or other language
                                                                                                Yara matches:
                                                                                                • Rule: JoeSecurity_Dridex_2, Description: Yara detected Dridex unpacked file, Source: 00000006.00000002.267568902.00007FFC670C1000.00000020.00000001.01000000.00000003.sdmp, Author: Joe Security
                                                                                                Reputation:high

                                                                                                Target ID:8
                                                                                                Start time:15:47:18
                                                                                                Start date:23/03/2022
                                                                                                Path:C:\Windows\System32\rundll32.exe
                                                                                                Wow64 process (32bit):false
                                                                                                Commandline:rundll32.exe C:\Users\user\Desktop\eWlldJYfLc.dll,QueryUserToken
                                                                                                Imagebase:0x7ff7ef960000
                                                                                                File size:69632 bytes
                                                                                                MD5 hash:73C519F050C20580F8A62C849D49215A
                                                                                                Has elevated privileges:true
                                                                                                Has administrator privileges:true
                                                                                                Programmed in:C, C++ or other language
                                                                                                Yara matches:
                                                                                                • Rule: JoeSecurity_Dridex_2, Description: Yara detected Dridex unpacked file, Source: 00000008.00000002.274772551.00007FFC670C1000.00000020.00000001.01000000.00000003.sdmp, Author: Joe Security
                                                                                                Reputation:high

                                                                                                Target ID:11
                                                                                                Start time:15:47:30
                                                                                                Start date:23/03/2022
                                                                                                Path:C:\Windows\System32\svchost.exe
                                                                                                Wow64 process (32bit):false
                                                                                                Commandline:C:\Windows\System32\svchost.exe -k NetworkService -p
                                                                                                Imagebase:0x7ff73c930000
                                                                                                File size:51288 bytes
                                                                                                MD5 hash:32569E403279B3FD2EDB7EBD036273FA
                                                                                                Has elevated privileges:true
                                                                                                Has administrator privileges:false
                                                                                                Programmed in:C, C++ or other language
                                                                                                Reputation:high

                                                                                                Target ID:18
                                                                                                Start time:15:48:17
                                                                                                Start date:23/03/2022
                                                                                                Path:C:\Windows\System32\sdclt.exe
                                                                                                Wow64 process (32bit):false
                                                                                                Commandline:C:\Windows\system32\sdclt.exe
                                                                                                Imagebase:0x7ff60bf90000
                                                                                                File size:1210880 bytes
                                                                                                MD5 hash:0632A8402C6504CD541AC93676AAD0F5
                                                                                                Has elevated privileges:false
                                                                                                Has administrator privileges:false
                                                                                                Programmed in:C, C++ or other language
                                                                                                Reputation:moderate

                                                                                                Target ID:19
                                                                                                Start time:15:48:18
                                                                                                Start date:23/03/2022
                                                                                                Path:C:\Windows\System32\CloudNotifications.exe
                                                                                                Wow64 process (32bit):false
                                                                                                Commandline:C:\Windows\system32\CloudNotifications.exe
                                                                                                Imagebase:0x7ff793190000
                                                                                                File size:77072 bytes
                                                                                                MD5 hash:D9FF4C8DBC1682E0508322307CB89C0F
                                                                                                Has elevated privileges:false
                                                                                                Has administrator privileges:false
                                                                                                Programmed in:C, C++ or other language
                                                                                                Reputation:moderate

                                                                                                Target ID:20
                                                                                                Start time:15:48:20
                                                                                                Start date:23/03/2022
                                                                                                Path:C:\Users\user\AppData\Local\R7Mg9\CloudNotifications.exe
                                                                                                Wow64 process (32bit):false
                                                                                                Commandline:C:\Users\user\AppData\Local\R7Mg9\CloudNotifications.exe
                                                                                                Imagebase:0x7ff740780000
                                                                                                File size:77072 bytes
                                                                                                MD5 hash:D9FF4C8DBC1682E0508322307CB89C0F
                                                                                                Has elevated privileges:false
                                                                                                Has administrator privileges:false
                                                                                                Programmed in:C, C++ or other language
                                                                                                Yara matches:
                                                                                                • Rule: JoeSecurity_Dridex_2, Description: Yara detected Dridex unpacked file, Source: 00000014.00000002.430869317.00007FFC74C21000.00000020.00000001.01000000.0000000A.sdmp, Author: Joe Security

                                                                                                Target ID:22
                                                                                                Start time:15:48:33
                                                                                                Start date:23/03/2022
                                                                                                Path:C:\Windows\System32\systemreset.exe
                                                                                                Wow64 process (32bit):false
                                                                                                Commandline:C:\Windows\system32\systemreset.exe
                                                                                                Imagebase:0x7ff764df0000
                                                                                                File size:506184 bytes
                                                                                                MD5 hash:872AE9FE08ED1AA78208678967BE2FEF
                                                                                                Has elevated privileges:false
                                                                                                Has administrator privileges:false
                                                                                                Programmed in:C, C++ or other language

                                                                                                Target ID:25
                                                                                                Start time:15:48:34
                                                                                                Start date:23/03/2022
                                                                                                Path:C:\Windows\System32\Dxpserver.exe
                                                                                                Wow64 process (32bit):false
                                                                                                Commandline:C:\Windows\system32\Dxpserver.exe
                                                                                                Imagebase:0x7ff7a7db0000
                                                                                                File size:304640 bytes
                                                                                                MD5 hash:DCCB1D350193BE0A26CEAFF602DB848E
                                                                                                Has elevated privileges:false
                                                                                                Has administrator privileges:false
                                                                                                Programmed in:C, C++ or other language

                                                                                                Target ID:26
                                                                                                Start time:15:48:38
                                                                                                Start date:23/03/2022
                                                                                                Path:C:\Users\user\AppData\Local\4O9p1cGN\Dxpserver.exe
                                                                                                Wow64 process (32bit):false
                                                                                                Commandline:C:\Users\user\AppData\Local\4O9p1cGN\Dxpserver.exe
                                                                                                Imagebase:0x7ff7540f0000
                                                                                                File size:304640 bytes
                                                                                                MD5 hash:DCCB1D350193BE0A26CEAFF602DB848E
                                                                                                Has elevated privileges:false
                                                                                                Has administrator privileges:false
                                                                                                Programmed in:C, C++ or other language
                                                                                                Yara matches:
                                                                                                • Rule: JoeSecurity_Dridex_2, Description: Yara detected Dridex unpacked file, Source: 0000001A.00000002.465961019.00007FFC74C21000.00000020.00000001.01000000.0000000C.sdmp, Author: Joe Security
                                                                                                Antivirus matches:
                                                                                                • Detection: 0%, Metadefender
                                                                                                • Detection: 0%, ReversingLabs

                                                                                                Target ID:28
                                                                                                Start time:15:48:49
                                                                                                Start date:23/03/2022
                                                                                                Path:C:\Windows\System32\mfpmp.exe
                                                                                                Wow64 process (32bit):false
                                                                                                Commandline:C:\Windows\system32\mfpmp.exe
                                                                                                Imagebase:0x7ff6cc190000
                                                                                                File size:49688 bytes
                                                                                                MD5 hash:7C3D09D6DB5DB4A272FCF4C1BB3986BD
                                                                                                Has elevated privileges:false
                                                                                                Has administrator privileges:false
                                                                                                Programmed in:C, C++ or other language

                                                                                                Target ID:29
                                                                                                Start time:15:48:51
                                                                                                Start date:23/03/2022
                                                                                                Path:C:\Users\user\AppData\Local\bj1HT\mfpmp.exe
                                                                                                Wow64 process (32bit):false
                                                                                                Commandline:C:\Users\user\AppData\Local\bj1HT\mfpmp.exe
                                                                                                Imagebase:0x7ff670a40000
                                                                                                File size:49688 bytes
                                                                                                MD5 hash:7C3D09D6DB5DB4A272FCF4C1BB3986BD
                                                                                                Has elevated privileges:false
                                                                                                Has administrator privileges:false
                                                                                                Programmed in:C, C++ or other language
                                                                                                Yara matches:
                                                                                                • Rule: JoeSecurity_Dridex_2, Description: Yara detected Dridex unpacked file, Source: 0000001D.00000002.500951495.00007FFC74C21000.00000020.00000001.01000000.0000000E.sdmp, Author: Joe Security

                                                                                                Target ID:30
                                                                                                Start time:15:49:06
                                                                                                Start date:23/03/2022
                                                                                                Path:C:\Windows\System32\msra.exe
                                                                                                Wow64 process (32bit):false
                                                                                                Commandline:C:\Windows\system32\msra.exe
                                                                                                Imagebase:0x7ff7a2430000
                                                                                                File size:600064 bytes
                                                                                                MD5 hash:3240CC226FB8AC41A0431A8F3B9DD770
                                                                                                Has elevated privileges:false
                                                                                                Has administrator privileges:false
                                                                                                Programmed in:C, C++ or other language

                                                                                                Target ID:31
                                                                                                Start time:15:49:06
                                                                                                Start date:23/03/2022
                                                                                                Path:C:\Windows\System32\mstsc.exe
                                                                                                Wow64 process (32bit):false
                                                                                                Commandline:C:\Windows\system32\mstsc.exe
                                                                                                Imagebase:0x7ff633000000
                                                                                                File size:3640832 bytes
MD5 hash:3FBB5CD8829E9533D0FF5819DB0444C0
Has elevated privileges:false
Has administrator privileges:false
Programmed in:C, C++ or other language

Target ID:33
Start time:15:49:08
Start date:23/03/2022
Path:C:\Users\user\AppData\Local\n0R5g\mstsc.exe
Wow64 process (32bit):false
Commandline:C:\Users\user\AppData\Local\n0R5g\mstsc.exe
Imagebase:0x7ff7b8700000
File size:3640832 bytes
MD5 hash:3FBB5CD8829E9533D0FF5819DB0444C0
Has elevated privileges:false
Has administrator privileges:false
Programmed in:C, C++ or other language
Yara matches:
• Rule: JoeSecurity_Dridex_2, Description: Yara detected Dridex unpacked file, Source: 00000021.00000002.543380049.00007FFC74C21000.00000020.00000001.01000000.00000011.sdmp, Author: Joe Security

Target ID:34
Start time:15:49:25
Start date:23/03/2022
Path:C:\Windows\System32\SndVol.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\SndVol.exe
Imagebase:0x7ff62b390000
File size:259904 bytes
MD5 hash:CDD7C7DF2D0859AC3F4088423D11BD08
Has elevated privileges:false
Has administrator privileges:false
Programmed in:C, C++ or other language

Target ID:35
Start time:15:49:27
Start date:23/03/2022
Path:C:\Users\user\AppData\Local\Nz4mnM\SndVol.exe
Wow64 process (32bit):false
Commandline:C:\Users\user\AppData\Local\Nz4mnM\SndVol.exe
Imagebase:0x7ff742cd0000
File size:259904 bytes
MD5 hash:CDD7C7DF2D0859AC3F4088423D11BD08
Has elevated privileges:false
Has administrator privileges:false
Programmed in:C, C++ or other language
Yara matches:
• Rule: JoeSecurity_Dridex_2, Description: Yara detected Dridex unpacked file, Source: 00000023.00000002.574221343.00007FFC74C21000.00000020.00000001.01000000.00000013.sdmp, Author: Joe Security
Antivirus matches:
• Detection: 0%, Metadefender
• Detection: 0%, ReversingLabs
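The process list above shows the pattern a practitioner should pick out by hand: SndVol.exe runs once from C:\Windows\System32 (Target 34) and once from a random-named folder under AppData\Local (Target 35) with the identical MD5, and only the AppData copy carries a Dridex YARA hit in a loaded module. The mstsc.exe copy in Target 33 behaves the same way. A legitimate, signed Windows executable copied next to an attacker-controlled DLL is the classic DLL side-loading setup, because the application directory comes first in the default DLL search order. The script below is an added example (not Joe Security's code, and not part of the original report) that parses a Joe Sandbox-style process list and flags exactly that combination: an image running outside a system directory whose hash matches an image seen running from one, or whose memory carries a Dridex rule match. The SAMPLE_REPORT string is constructed from Targets 33 to 35 above, trimmed to the fields the check needs; the System32 twin of mstsc.exe is not visible on this page, so Target 33 is flagged only on the YARA rule.

```python
"""Flag copied-system-binary execution (DLL side-loading precursor) in a
Joe Sandbox process list.  Added example; not Joe Security's code."""
import re
from dataclasses import dataclass, field
from typing import Dict, List

# Constructed sample: Target IDs 33-35 from the report, reduced to the fields
# this check needs.  Target 32's path is not visible on the page, so it is
# left out.
SAMPLE_REPORT = r"""
Target ID:33
Path:C:\Users\user\AppData\Local\n0R5g\mstsc.exe
Wow64 process (32bit):false
MD5 hash:3FBB5CD8829E9533D0FF5819DB0444C0
Yara matches:
• Rule: JoeSecurity_Dridex_2, Description: Yara detected Dridex unpacked file, Source: 00000021.00000002.543380049.00007FFC74C21000.00000020.00000001.01000000.00000011.sdmp, Author: Joe Security

Target ID:34
Path:C:\Windows\System32\SndVol.exe
Wow64 process (32bit):false
MD5 hash:CDD7C7DF2D0859AC3F4088423D11BD08

Target ID:35
Path:C:\Users\user\AppData\Local\Nz4mnM\SndVol.exe
Wow64 process (32bit):false
MD5 hash:CDD7C7DF2D0859AC3F4088423D11BD08
Yara matches:
• Rule: JoeSecurity_Dridex_2, Description: Yara detected Dridex unpacked file, Source: 00000023.00000002.574221343.00007FFC74C21000.00000020.00000001.01000000.00000013.sdmp, Author: Joe Security
"""

# Directories from which Windows binaries are expected to execute.
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")


@dataclass
class Proc:
    target_id: int
    path: str
    md5: str
    yara_rules: List[str] = field(default_factory=list)


def parse_processes(text: str) -> List[Proc]:
    """Parse blank-line-separated 'Key:Value' process entries plus their
    '• Rule: ...' YARA bullets into Proc records."""
    procs: List[Proc] = []
    for block in re.split(r"\n\s*\n", text.strip()):
        fields: Dict[str, str] = {}
        rules: List[str] = []
        for line in block.splitlines():
            line = line.strip()
            if line.startswith("•"):
                m = re.match(r"•\s*Rule:\s*([^,]+)", line)
                if m:
                    rules.append(m.group(1).strip())
            elif ":" in line:
                key, value = line.split(":", 1)
                fields[key.strip()] = value.strip()
        procs.append(Proc(int(fields["Target ID"]), fields["Path"],
                          fields["MD5 hash"].upper(), rules))
    return procs


def in_system_dir(path: str) -> bool:
    return path.lower().startswith(SYSTEM_DIRS)


def find_sideload_candidates(procs: List[Proc]) -> List[dict]:
    """Return one finding per process that runs outside a system directory and
    either (a) is byte-identical to an image seen running from a system
    directory, or (b) carries a Dridex YARA match in its memory."""
    # MD5 -> path for every image that executed from a system directory.
    system_images = {p.md5: p.path for p in procs if in_system_dir(p.path)}
    findings: List[dict] = []
    for p in procs:
        if in_system_dir(p.path):
            continue
        reasons: List[str] = []
        if p.md5 in system_images:
            # Same bytes as the System32 copy: a legitimate binary relocated
            # so that its own directory is searched first for DLLs.
            reasons.append(f"byte-identical to {system_images[p.md5]} "
                           "(copied system binary, DLL side-loading setup)")
        dridex = [r for r in p.yara_rules if "dridex" in r.lower()]
        if dridex:
            reasons.append("Dridex YARA match in process memory: "
                           + ", ".join(dridex))
        if reasons:
            findings.append({"target_id": p.target_id, "path": p.path,
                             "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in find_sideload_candidates(parse_processes(SAMPLE_REPORT)):
        print(f"Target {f['target_id']}: {f['path']}")
        for r in f["reasons"]:
            print("   -", r)
```

Run against the sample, the check reports Targets 33 and 35 and stays silent on Target 34, the genuine System32 SndVol.exe. On a real host the same logic applies to process-creation telemetry (Sysmon event 1 or EDR data) by comparing image hashes against the copies in System32; the hash match is the stronger signal, since a YARA hit requires memory access that a sandbox has and an endpoint agent may not.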

                                                                                                No disassembly