Windows Analysis Report
mpXUd364Rz

Overview

General Information

Sample Name: mpXUd364Rz (renamed file extension from none to dll)
Analysis ID: 595330
MD5: 76a03b741a85be73b47b1a72cea1becb
SHA1: f453704ee0177d5771766870bc871e7c048a6c61
SHA256: 7fb4c95a329b24e6ab6742747cf896ae5125599548d38388fcb887b3fb871339
Tags: Dridexexe

Detection

Dridex
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Yara detected Dridex unpacked file
Multi AV Scanner detection for submitted file
Benign windows process drops PE files
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Changes memory attributes in foreign processes to executable or writable
Machine Learning detection for sample
Queues an APC in another process (thread injection)
Sigma detected: Suspicious Call by Ordinal
Machine Learning detection for dropped file
Uses Atom Bombing / ProGate to inject into other processes
PE file contains section with special chars
Queries the volume information (name, serial number etc) of a device
Contains functionality to check if a debugger is running (IsDebuggerPresent)
May sleep (evasive loops) to hinder dynamic analysis
Contains functionality to shutdown / reboot the system
Uses code obfuscation techniques (call, push, ret)
PE file contains sections with non-standard names
Queries the installation date of Windows
Detected potential crypto function
Found potential string decryption / allocating functions
Contains functionality to launch a process as a different user
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to call native functions
Contains functionality to dynamically determine API calls
Found dropped PE file which has not been started or loaded
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Drops files with a non-matching file extension (content does not match file extension)
PE file contains strange resources
Drops PE files
Tries to load missing DLLs
Found evasive API chain checking for process token information
Binary contains a suspicious time stamp
PE file contains more sections than normal
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Found large amount of non-executed APIs
Uses Microsoft's Enhanced Cryptographic Provider
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

  • System is w10x64
  • loaddll64.exe (PID: 864 cmdline: loaddll64.exe "C:\Users\user\Desktop\mpXUd364Rz.dll" MD5: 4E8A40CAD6CCC047914E3A7830A2D8AA)
    • cmd.exe (PID: 3892 cmdline: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\mpXUd364Rz.dll",#1 MD5: 4E2ACF4F8A396486AB4268C94A6A245F)
      • rundll32.exe (PID: 5488 cmdline: rundll32.exe "C:\Users\user\Desktop\mpXUd364Rz.dll",#1 MD5: 73C519F050C20580F8A62C849D49215A)
    • rundll32.exe (PID: 5772 cmdline: rundll32.exe C:\Users\user\Desktop\mpXUd364Rz.dll,GetFileVersionInfoA MD5: 73C519F050C20580F8A62C849D49215A)
      • explorer.exe (PID: 3616 cmdline: C:\Windows\Explorer.EXE MD5: AD5296B280E8F522A8A897C96BAB0E1D)
        • MDMAppInstaller.exe (PID: 6560 cmdline: C:\Windows\system32\MDMAppInstaller.exe MD5: E2C777B6E3CE4C15C5657429A63787A3)
        • MDMAppInstaller.exe (PID: 6568 cmdline: C:\Users\user\AppData\Local\USNBng\MDMAppInstaller.exe MD5: E2C777B6E3CE4C15C5657429A63787A3)
        • iexpress.exe (PID: 6676 cmdline: C:\Windows\system32\iexpress.exe MD5: 5EF563C2A4E7B7F4100ECD13B304FC48)
        • iexpress.exe (PID: 6732 cmdline: C:\Users\user\AppData\Local\E4DREUfrP\iexpress.exe MD5: 5EF563C2A4E7B7F4100ECD13B304FC48)
        • wextract.exe (PID: 6804 cmdline: C:\Windows\system32\wextract.exe MD5: ED93B350C8EEFC442758A00BC3EEDE2D)
        • wextract.exe (PID: 6812 cmdline: C:\Users\user\AppData\Local\xwE\wextract.exe MD5: ED93B350C8EEFC442758A00BC3EEDE2D)
        • SystemPropertiesAdvanced.exe (PID: 7000 cmdline: C:\Users\user\AppData\Local\pUTm\SystemPropertiesAdvanced.exe MD5: 82ED6250B9AA030DDC13DC075D2C16E3)
        • FileHistory.exe (PID: 7120 cmdline: C:\Windows\system32\FileHistory.exe MD5: 989B5BDB2BEAC9F894BBC236F1B67967)
        • FileHistory.exe (PID: 7132 cmdline: C:\Users\user\AppData\Local\SUX56B\FileHistory.exe MD5: 989B5BDB2BEAC9F894BBC236F1B67967)
        • iexpress.exe (PID: 580 cmdline: C:\Windows\system32\iexpress.exe MD5: 5EF563C2A4E7B7F4100ECD13B304FC48)
        • iexpress.exe (PID: 3396 cmdline: C:\Users\user\AppData\Local\KGg\iexpress.exe MD5: 5EF563C2A4E7B7F4100ECD13B304FC48)
        • sppsvc.exe (PID: 1236 cmdline: C:\Windows\system32\sppsvc.exe MD5: FEEC8055C5986182C717DD888000AEF6)
        • sppsvc.exe (PID: 4452 cmdline: C:\Users\user\AppData\Local\4gdyz\sppsvc.exe MD5: FEEC8055C5986182C717DD888000AEF6)
        • InfDefaultInstall.exe (PID: 5136 cmdline: C:\Windows\system32\InfDefaultInstall.exe MD5: 5FDB30927E9D4387D777443BF865EEFD)
    • rundll32.exe (PID: 5420 cmdline: rundll32.exe C:\Users\user\Desktop\mpXUd364Rz.dll,GetFileVersionInfoByHandle MD5: 73C519F050C20580F8A62C849D49215A)
    • rundll32.exe (PID: 3676 cmdline: rundll32.exe C:\Users\user\Desktop\mpXUd364Rz.dll,GetFileVersionInfoExA MD5: 73C519F050C20580F8A62C849D49215A)
  • cleanup
No configs have been found
Source | Rule | Description | Author | Strings
0000001F.00000002.477016719.00007FFFF0DB1000.00000020.00000001.01000000.00000013.sdmp | JoeSecurity_Dridex_2 | Yara detected Dridex unpacked file | Joe Security |
00000024.00000002.560357001.00007FFFF6CC1000.00000020.00000001.01000000.00000018.sdmp | JoeSecurity_Dridex_2 | Yara detected Dridex unpacked file | Joe Security |
00000017.00000002.405019771.00007FFFEF941000.00000020.00000001.01000000.0000000D.sdmp | JoeSecurity_Dridex_2 | Yara detected Dridex unpacked file | Joe Security |
00000005.00000002.239061197.00007FFFE1FD1000.00000020.00000001.01000000.00000003.sdmp | JoeSecurity_Dridex_2 | Yara detected Dridex unpacked file | Joe Security |
00000028.00000002.595122213.00007FFFE31A1000.00000020.00000001.01000000.0000001B.sdmp | JoeSecurity_Dridex_2 | Yara detected Dridex unpacked file | Joe Security |

Source | Rule | Description | Author | Strings
8.2.rundll32.exe.7fffe1fd0000.2.unpack | JoeSecurity_Dridex_2 | Yara detected Dridex unpacked file | Joe Security |
31.2.FileHistory.exe.7ffff0db0000.3.unpack | JoeSecurity_Dridex_2 | Yara detected Dridex unpacked file | Joe Security |
25.2.wextract.exe.7ffff6cc0000.3.unpack | JoeSecurity_Dridex_2 | Yara detected Dridex unpacked file | Joe Security |
9.2.rundll32.exe.7fffe1fd0000.2.unpack | JoeSecurity_Dridex_2 | Yara detected Dridex unpacked file | Joe Security |
33.2.iexpress.exe.7ffff0db0000.3.unpack | JoeSecurity_Dridex_2 | Yara detected Dridex unpacked file | Joe Security |

System Summary

Source: Process started, Author: Florian Roth, Data: Command: rundll32.exe "C:\Users\user\Desktop\mpXUd364Rz.dll",#1, CommandLine: rundll32.exe "C:\Users\user\Desktop\mpXUd364Rz.dll",#1, CommandLine|base64offset|contains: , Image: C:\Windows\System32\rundll32.exe, NewProcessName: C:\Windows\System32\rundll32.exe, OriginalFileName: C:\Windows\System32\rundll32.exe, ParentCommandLine: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\mpXUd364Rz.dll",#1, ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 3892, ProcessCommandLine: rundll32.exe "C:\Users\user\Desktop\mpXUd364Rz.dll",#1, ProcessId: 5488
Source: File created, Author: frack113, Data: EventID: 11, Image: C:\Windows\explorer.exe, ProcessId: 3616, TargetFilename: C:\Users\user\AppData\Local\USNBng\MDMAppInstaller.exe

AV Detection

Source: mpXUd364Rz.dll, Virustotal: Detection: 64%
Source: mpXUd364Rz.dll, Metadefender: Detection: 62%
Source: mpXUd364Rz.dll, ReversingLabs: Detection: 88%
Source: mpXUd364Rz.dll, Avira: detected
Source: C:\Users\user\AppData\Local\USNBng\WTSAPI32.dll, Avira: detection malicious, Label: TR/Crypt.ZPACK.Gen
Source: C:\Users\user\AppData\Local\SUX56B\UxTheme.dll, Avira: detection malicious, Label: TR/Crypt.ZPACK.Gen
Source: C:\Users\user\AppData\Local\E4DREUfrP\VERSION.dll, Avira: detection malicious, Label: TR/Crypt.ZPACK.Gen
Source: C:\Users\user\AppData\Local\lcdNfR\SYSDM.CPL, Avira: detection malicious, Label: TR/Crypt.XPACK.Gen7
Source: C:\Users\user\AppData\Local\E4DREUfrP\VERSION.dll, Avira: detection malicious, Label: TR/Crypt.ZPACK.Gen
Source: C:\Users\user\AppData\Local\4gdyz\XmlLite.dll, Avira: detection malicious, Label: TR/Crypt.XPACK.Gen7
Source: C:\Users\user\AppData\Local\4gdyz\XmlLite.dll, Avira: detection malicious, Label: TR/Crypt.XPACK.Gen7
Source: C:\Users\user\AppData\Local\lcdNfR\SYSDM.CPL, Avira: detection malicious, Label: TR/Crypt.XPACK.Gen7
Source: C:\Users\user\AppData\Local\E4DREUfrP\VERSION.dll, Avira: detection malicious, Label: TR/Crypt.ZPACK.Gen
Source: C:\Users\user\AppData\Local\tivYqgA\newdev.dll, Avira: detection malicious, Label: TR/Crypt.ZPACK.Gen
Source: mpXUd364Rz.dll, Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\USNBng\WTSAPI32.dll, Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\SUX56B\UxTheme.dll, Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\E4DREUfrP\VERSION.dll, Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\lcdNfR\SYSDM.CPL, Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\E4DREUfrP\VERSION.dll, Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\4gdyz\XmlLite.dll, Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\4gdyz\XmlLite.dll, Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\lcdNfR\SYSDM.CPL, Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\E4DREUfrP\VERSION.dll, Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\tivYqgA\newdev.dll, Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\USNBng\MDMAppInstaller.exe, Code function: 20_2_00007FF77C19E934 CreateFileW,CryptAcquireContextW,GetLastError,CryptCreateHash,GetLastError,CryptHashData,ReadFile,GetLastError,CloseHandle,CryptDestroyHash,??_V@YAXPEAX@Z,CryptReleaseContext,??3@YAXPEAX@Z,GetLastError,CryptGetHashParam,GetLastError,memset,CryptGetHashParam,GetLastError,
Source: C:\Users\user\AppData\Local\USNBng\MDMAppInstaller.exe, Code function: 20_2_00007FF77C19E64C EnterCriticalSection,CryptAcquireContextW,CryptAcquireContextW,GetLastError,LeaveCriticalSection,CryptReleaseContext,memset,
Source: mpXUd364Rz.dll, Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA
Source: Binary string: iexpress.pdbGCTL source: iexpress.exe, 00000017.00000000.381495000.00007FF700CE0000.00000002.00000001.01000000.0000000C.sdmp, iexpress.exe, 00000017.00000002.404968145.00007FF700CE0000.00000002.00000001.01000000.0000000C.sdmp, iexpress.exe, 00000021.00000000.482512095.00007FF6ECF70000.00000002.00000001.01000000.00000015.sdmp, iexpress.exe, 00000021.00000002.512158543.00007FF6ECF70000.00000002.00000001.01000000.00000015.sdmp
Source: Binary string: wextract.pdb source: wextract.exe, 00000019.00000000.410833636.00007FF78E559000.00000002.00000001.01000000.0000000E.sdmp, wextract.exe, 00000019.00000002.434355036.00007FF78E559000.00000002.00000001.01000000.0000000E.sdmp
Source: Binary string: mdmappinstaller.pdbGCTL source: MDMAppInstaller.exe, 00000014.00000002.369492137.00007FF77C1A5000.00000002.00000001.01000000.0000000A.sdmp, MDMAppInstaller.exe, 00000014.00000000.345833557.00007FF77C1A5000.00000002.00000001.01000000.0000000A.sdmp
Source: Binary string: wextract.pdbGCTL source: wextract.exe, 00000019.00000000.410833636.00007FF78E559000.00000002.00000001.01000000.0000000E.sdmp, wextract.exe, 00000019.00000002.434355036.00007FF78E559000.00000002.00000001.01000000.0000000E.sdmp
Source: Binary string: sppsvc.pdb source: sppsvc.exe, 00000024.00000000.519045806.00007FF74EE9B000.00000002.00000001.01000000.00000017.sdmp, sppsvc.exe, 00000024.00000002.559206083.00007FF74EE9B000.00000002.00000001.01000000.00000017.sdmp
Source: Binary string: SystemPropertiesComputerName.pdb source: SystemPropertiesComputerName.exe, 00000028.00000000.569829747.00007FF6726F2000.00000002.00000001.01000000.0000001A.sdmp, SystemPropertiesComputerName.exe, 00000028.00000002.595087283.00007FF6726F2000.00000002.00000001.01000000.0000001A.sdmp
Source: Binary string: SystemPropertiesAdvanced.pdb source: SystemPropertiesAdvanced.exe, 0000001D.00000000.439910859.00007FF773112000.00000002.00000001.01000000.00000010.sdmp, SystemPropertiesAdvanced.exe, 0000001D.00000002.467026056.00007FF773112000.00000002.00000001.01000000.00000010.sdmp
Source: Binary string: FileHistory.pdbGCTL source: FileHistory.exe, 0000001F.00000000.471907577.00007FF6F1249000.00000002.00000001.01000000.00000012.sdmp, FileHistory.exe, 0000001F.00000002.476813926.00007FF6F1249000.00000002.00000001.01000000.00000012.sdmp
Source: Binary string: sppsvc.pdbGCTL source: sppsvc.exe, 00000024.00000000.519045806.00007FF74EE9B000.00000002.00000001.01000000.00000017.sdmp, sppsvc.exe, 00000024.00000002.559206083.00007FF74EE9B000.00000002.00000001.01000000.00000017.sdmp
Source: Binary string: SystemPropertiesComputerName.pdbGCTL source: SystemPropertiesComputerName.exe, 00000028.00000000.569829747.00007FF6726F2000.00000002.00000001.01000000.0000001A.sdmp, SystemPropertiesComputerName.exe, 00000028.00000002.595087283.00007FF6726F2000.00000002.00000001.01000000.0000001A.sdmp
Source: Binary string: SystemPropertiesAdvanced.pdbGCTL source: SystemPropertiesAdvanced.exe, 0000001D.00000000.439910859.00007FF773112000.00000002.00000001.01000000.00000010.sdmp, SystemPropertiesAdvanced.exe, 0000001D.00000002.467026056.00007FF773112000.00000002.00000001.01000000.00000010.sdmp
Source: Binary string: mdmappinstaller.pdb source: MDMAppInstaller.exe, 00000014.00000002.369492137.00007FF77C1A5000.00000002.00000001.01000000.0000000A.sdmp, MDMAppInstaller.exe, 00000014.00000000.345833557.00007FF77C1A5000.00000002.00000001.01000000.0000000A.sdmp
Source: Binary string: iexpress.pdb source: iexpress.exe, 00000017.00000000.381495000.00007FF700CE0000.00000002.00000001.01000000.0000000C.sdmp, iexpress.exe, 00000017.00000002.404968145.00007FF700CE0000.00000002.00000001.01000000.0000000C.sdmp, iexpress.exe, 00000021.00000000.482512095.00007FF6ECF70000.00000002.00000001.01000000.00000015.sdmp, iexpress.exe, 00000021.00000002.512158543.00007FF6ECF70000.00000002.00000001.01000000.00000015.sdmp
Source: Binary string: FileHistory.pdb source: FileHistory.exe, 0000001F.00000000.471907577.00007FF6F1249000.00000002.00000001.01000000.00000012.sdmp, FileHistory.exe, 0000001F.00000002.476813926.00007FF6F1249000.00000002.00000001.01000000.00000012.sdmp
Source: C:\Windows\System32\loaddll64.exe, Code function: 1_2_00007FFFE202ED10 FindFirstFileExW,
Source: C:\Users\user\AppData\Local\USNBng\MDMAppInstaller.exe, Code function: 20_2_00007FFFEF99ED10 FindFirstFileExW,
Source: C:\Users\user\AppData\Local\E4DREUfrP\iexpress.exe, Code function: 23_2_00007FF700CD5A08 LoadStringA,CopyFileA,GetLastError,FormatMessageA,SetFileAttributesA,SetLastError,GetUserDefaultUILanguage,FindFirstFileA,FindClose,CreateFileA,LocalAlloc,ReadFile,CloseHandle,LocalFree,LocalFree,FindFirstFileA,FindClose,CreateFileA,LocalAlloc,ReadFile,CloseHandle,LocalFree,memset,LocalAlloc,FindFirstFileA,FindClose,LocalFree,SetLastError,GlobalLock,GlobalUnlock,GlobalFree,GlobalLock,GlobalUnlock,GlobalFree,GlobalAlloc,GlobalLock,GlobalUnlock,GlobalUnlock,SetLastError,DeleteFileA,
Source: C:\Users\user\AppData\Local\E4DREUfrP\iexpress.exe, Code function: 23_2_00007FF700CD2164 FindFirstFileA,FindClose,
Source: C:\Users\user\AppData\Local\E4DREUfrP\iexpress.exe, Code function: 23_2_00007FF700CD5518 LoadStringA,CompareStringA,GetModuleFileNameA,CharNextA,GetFileAttributesA,LocalAlloc,memset,CreateProcessA,CloseHandle,DispatchMessageA,PeekMessageA,MsgWaitForMultipleObjects,GetExitCodeProcess,CloseHandle,GetLastError,FormatMessageA,LocalFree,FindFirstFileA,FindClose,CreateFileA,LocalAlloc,ReadFile,CloseHandle,LocalFree,DeleteFileA,DeleteFileA,DeleteFileA,
Source: C:\Users\user\AppData\Local\xwE\wextract.exe, Code function: 25_2_00007FF78E551EC0 FindFirstFileA,lstrcmpA,lstrcmpA,SetFileAttributesA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA,
Source: C:\Users\user\AppData\Local\xwE\wextract.exe, Code function: 25_2_00007FFFF6D1ED10 FindFirstFileExW,
Source: sppsvc.exe, 00000024.00000000.519045806.00007FF74EE9B000.00000002.00000001.01000000.00000017.sdmp, sppsvc.exe, 00000024.00000002.559206083.00007FF74EE9B000.00000002.00000001.01000000.00000017.sdmp, String found in binary or memory: http://xml.org/sax/properties/lexical-handler&<>"'SelectionLanguageXPathSelectio

E-Banking Fraud

Source: Yara match, File source: 8.2.rundll32.exe.7fffe1fd0000.2.unpack, type: UNPACKEDPE
Source: Yara match, File source: 31.2.FileHistory.exe.7ffff0db0000.3.unpack, type: UNPACKEDPE
Source: Yara match, File source: 25.2.wextract.exe.7ffff6cc0000.3.unpack, type: UNPACKEDPE
Source: Yara match, File source: 9.2.rundll32.exe.7fffe1fd0000.2.unpack, type: UNPACKEDPE
Source: Yara match, File source: 33.2.iexpress.exe.7ffff0db0000.3.unpack, type: UNPACKEDPE
Source: Yara match, File source: 23.2.iexpress.exe.7fffef940000.3.unpack, type: UNPACKEDPE
Source: Yara match, File source: 5.2.rundll32.exe.7fffe1fd0000.2.unpack, type: UNPACKEDPE
Source: Yara match, File source: 20.2.MDMAppInstaller.exe.7fffef940000.3.unpack, type: UNPACKEDPE
Source: Yara match, File source: 36.2.sppsvc.exe.7ffff6cc0000.3.unpack, type: UNPACKEDPE
Source: Yara match, File source: 40.2.SystemPropertiesComputerName.exe.7fffe31a0000.3.unpack, type: UNPACKEDPE
Source: Yara match, File source: 29.2.SystemPropertiesAdvanced.exe.7ffff6cc0000.3.unpack, type: UNPACKEDPE
Source: Yara match, File source: 1.2.loaddll64.exe.7fffe1fd0000.2.unpack, type: UNPACKEDPE
Source: Yara match, File source: 4.2.rundll32.exe.7fffe1fd0000.2.unpack, type: UNPACKEDPE
Source: Yara match, File source: 0000001F.00000002.477016719.00007FFFF0DB1000.00000020.00000001.01000000.00000013.sdmp, type: MEMORY
Source: Yara match, File source: 00000024.00000002.560357001.00007FFFF6CC1000.00000020.00000001.01000000.00000018.sdmp, type: MEMORY
Source: Yara match, File source: 00000017.00000002.405019771.00007FFFEF941000.00000020.00000001.01000000.0000000D.sdmp, type: MEMORY
Source: Yara match, File source: 00000005.00000002.239061197.00007FFFE1FD1000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match, File source: 00000028.00000002.595122213.00007FFFE31A1000.00000020.00000001.01000000.0000001B.sdmp, type: MEMORY
Source: Yara match, File source: 00000008.00000002.246338634.00007FFFE1FD1000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match, File source: 00000004.00000002.336980954.00007FFFE1FD1000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match, File source: 00000021.00000002.512237394.00007FFFF0DB1000.00000020.00000001.01000000.00000016.sdmp, type: MEMORY
Source: Yara match, File source: 00000001.00000002.259525388.00007FFFE1FD1000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match, File source: 00000014.00000002.369557700.00007FFFEF941000.00000020.00000001.01000000.0000000B.sdmp, type: MEMORY
Source: Yara match, File source: 00000019.00000002.434475222.00007FFFF6CC1000.00000020.00000001.01000000.0000000F.sdmp, type: MEMORY
Source: Yara match, File source: 0000001D.00000002.467061353.00007FFFF6CC1000.00000020.00000001.01000000.00000011.sdmp, type: MEMORY
Source: Yara match, File source: 00000009.00000002.253527112.00007FFFE1FD1000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY

System Summary

Source: sppsvc.exe.6.dr, Static PE information: section name: ?g_Encry
Source: sppsvc.exe.6.dr, Static PE information: section name: ?g_Encry
Source: sppsvc.exe.6.dr, Static PE information: section name: ?g_Encry
Source: sppsvc.exe.6.dr, Static PE information: section name: ?g_Encry
Source: C:\Users\user\AppData\Local\xwE\wextract.exe, Code function: 25_2_00007FF78E55297C GetVersion,GetModuleHandleW,GetProcAddress,ExitWindowsEx,CloseHandle,
Source: C:\Users\user\AppData\Local\xwE\wextract.exe, Code function: 25_2_00007FF78E551B10 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,CloseHandle,ExitWindowsEx,
Source: C:\Windows\System32\loaddll64.exe, Code function: 1_2_00007FFFE201CA50
Source: C:\Windows\System32\loaddll64.exe, Code function: 1_2_00007FFFE200AA70
Source: C:\Windows\System32\loaddll64.exe, Code function: 1_2_00007FFFE201A2C0
Source: C:\Windows\System32\loaddll64.exe, Code function: 1_2_00007FFFE2005020
Source: C:\Windows\System32\loaddll64.exe, Code function: 1_2_00007FFFE1FF7880
Source: C:\Windows\System32\loaddll64.exe, Code function: 1_2_00007FFFE2023150
Source: C:\Windows\System32\loaddll64.exe, Code function: 1_2_00007FFFE20059F0
Source: C:\Windows\System32\loaddll64.exe, Code function: 1_2_00007FFFE2037650
Source: C:\Windows\System32\loaddll64.exe, Code function: 1_2_00007FFFE20197D0
Source: C:\Windows\System32\loaddll64.exe, Code function: 1_2_00007FFFE203D520
Source: C:\Windows\System32\loaddll64.exe, Code function: 1_2_00007FFFE202DDC0
Source: C:\Windows\System32\loaddll64.exe, Code function: 1_2_00007FFFE200B250
Source: C:\Windows\System32\loaddll64.exe, Code function: 1_2_00007FFFE1FD7A40
Source: C:\Windows\System32\loaddll64.exe, Code function: 1_2_00007FFFE203B260
Source: C:\Windows\System32\loaddll64.exe, Code function: 1_2_00007FFFE1FFDAA0
Source: C:\Windows\System32\loaddll64.exe, Code function: 1_2_00007FFFE20382A0
Source: C:\Windows\System32\loaddll64.exe, Code function: 1_2_00007FFFE203AAA0
Source: C:\Windows\System32\loaddll64.exe, Code function: 1_2_00007FFFE1FF92C0
Source: C:\Windows\System32\loaddll64.exe, Code function: 1_2_00007FFFE202F2C0
Source: C:\Windows\System32\loaddll64.exe, Code function: 1_2_00007FFFE2037AF0
Source: C:\Windows\System32\loaddll64.exe, Code function: 1_2_00007FFFE1FF82E0
Source: C:\Windows\System32\loaddll64.exe, Code function: 1_2_00007FFFE200BAE0
Source: C:\Windows\System32\loaddll64.exe, Code function: 1_2_00007FFFE2032AE0
Source: C:\Windows\System32\loaddll64.exe, Code function: 1_2_00007FFFE2000300
Source: C:\Windows\System32\loaddll64.exe, Code function: 1_2_00007FFFE1FFA310
Source: C:\Windows\System32\loaddll64.exe, Code function: 1_2_00007FFFE1FDBB20
Source: C:\Windows\System32\loaddll64.exe, Code function: 1_2_00007FFFE2001B30
Source: C:\Windows\System32\loaddll64.exe, Code function: 1_2_00007FFFE2035B50
Source: C:\Windows\System32\loaddll64.exe, Code function: 1_2_00007FFFE1FF3340
Source: C:\Windows\System32\loaddll64.exe, Code function: 1_2_00007FFFE1FE8340
Source: C:\Windows\System32\loaddll64.exe, Code function: 1_2_00007FFFE1FD5350
Source: C:\Windows\System32\loaddll64.exe, Code function: 1_2_00007FFFE2004360
Source: C:\Windows\System32\loaddll64.exe, Code function: 1_2_00007FFFE2034390
Source: C:\Windows\System32\loaddll64.exe, Code function: 1_2_00007FFFE2024BC0
Source: C:\Windows\System32\loaddll64.exe, Code function: 1_2_00007FFFE1FE23F0
Source: C:\Windows\System32\loaddll64.exe, Code function: 1_2_00007FFFE2039410
Source: C:\Windows\System32\loaddll64.exe, Code function: 1_2_00007FFFE203E400
Source: C:\Windows\System32\loaddll64.exe, Code function: 1_2_00007FFFE1FE7410
Source: C:\Windows\System32\loaddll64.exe, Code function: 1_2_00007FFFE2000020
Source: C:\Windows\System32\loaddll64.exe, Code function: 1_2_00007FFFE1FFC030
Source: C:\Windows\System32\loaddll64.exe, Code function: 1_2_00007FFFE2025840
Source: C:\Windows\System32\loaddll64.exe, Code function: 1_2_00007FFFE1FF5050
Source: C:\Windows\System32\loaddll64.exe, Code function: 1_2_00007FFFE201F870
Source: C:\Windows\System32\loaddll64.exe, Code function: 1_2_00007FFFE200F870
Source: C:\Windows\System32\loaddll64.exe, Code function: 1_2_00007FFFE1FED890
Source: C:\Windows\System32\loaddll64.exe, Code function: 1_2_00007FFFE1FE08B0
Source: C:\Windows\System32\loaddll64.exe, Code function: 1_2_00007FFFE1FD18D0
Source: C:\Windows\System32\loaddll64.exe, Code function: 1_2_00007FFFE1FDB100
Source: C:\Windows\System32\loaddll64.exe, Code function: 1_2_00007FFFE1FEE110
Source: C:\Windows\System32\loaddll64.exe, Code function: 1_2_00007FFFE1FF3910
Source: C:\Windows\System32\loaddll64.exe, Code function: 1_2_00007FFFE2006130
Source: C:\Windows\System32\loaddll64.exe, Code function: 1_2_00007FFFE2036950
Source: C:\Windows\System32\loaddll64.exe, Code function: 1_2_00007FFFE1FF4140
Source: C:\Windows\System32\loaddll64.exe, Code function: 1_2_00007FFFE203B960
Source: C:\Windows\System32\loaddll64.exe, Code function: 1_2_00007FFFE2009990
Source: C:\Windows\System32\loaddll64.exe, Code function: 1_2_00007FFFE1FD2980
Source: C:\Windows\System32\loaddll64.exe, Code function: 1_2_00007FFFE1FFE9A0
Source: C:\Windows\System32\loaddll64.exe, Code function: 1_2_00007FFFE1FEE9B0
Source: C:\Windows\System32\loaddll64.exe, Code function: 1_2_00007FFFE1FF11B0
Source: C:\Windows\System32\loaddll64.exe, Code function: 1_2_00007FFFE1FF69C0
Source: C:\Windows\System32\loaddll64.exe, Code function: 1_2_00007FFFE20021D0
Source: C:\Windows\System32\loaddll64.exe, Code function: 1_2_00007FFFE20091F0
Source: C:\Windows\System32\loaddll64.exe, Code function: 1_2_00007FFFE20089F0
Source: C:\Windows\System32\loaddll64.exe, Code function: 1_2_00007FFFE1FFF1F0
Source: C:\Windows\System32\loaddll64.exe, Code function: 1_2_00007FFFE1FDDE20
Source: C:\Windows\System32\loaddll64.exe, Code function: 1_2_00007FFFE1FD1620
Source: C:\Windows\System32\loaddll64.exe, Code function: 1_2_00007FFFE2020650
Source: C:\Windows\System32\loaddll64.exe, Code function: 1_2_00007FFFE1FE8670
Source: C:\Windows\System32\loaddll64.exe, Code function: 1_2_00007FFFE1FD7E80
Source: C:\Windows\System32\loaddll64.exe, Code function: 1_2_00007FFFE1FD6E90
Source: C:\Windows\System32\loaddll64.exe, Code function: 1_2_00007FFFE203A6B0
Source: C:\Windows\System32\loaddll64.exe, Code function: 1_2_00007FFFE20006A0
Source: C:\Windows\System32\loaddll64.exe, Code function: 1_2_00007FFFE1FFF6B0
Source: C:\Windows\System32\loaddll64.exe, Code function: 1_2_00007FFFE2037EC0
Source: C:\Windows\System32\loaddll64.exe, Code function: 1_2_00007FFFE2030F30
Source: C:\Windows\System32\loaddll64.exe, Code function: 1_2_00007FFFE1FF872B
Source: C:\Windows\System32\loaddll64.exe, Code function: 1_2_00007FFFE1FF2F50
Source: C:\Windows\System32\loaddll64.exe, Code function: 1_2_00007FFFE2030770
Source: C:\Windows\System32\loaddll64.exe, Code function: 1_2_00007FFFE2035760
Source: C:\Windows\System32\loaddll64.exe, Code function: 1_2_00007FFFE1FEE770
Source: C:\Windows\System32\loaddll64.exe, Code function: 1_2_00007FFFE203C780
Source: C:\Windows\System32\loaddll64.exe, Code function: 1_2_00007FFFE204EF80
Source: C:\Windows\System32\loaddll64.exe, Code function: 1_2_00007FFFE1FD6790
Source: C:\Windows\System32\loaddll64.exe, Code function: 1_2_00007FFFE204B7A0
Source: C:\Windows\System32\loaddll64.exe, Code function: 1_2_00007FFFE1FFE7B0
Source: C:\Windows\System32\loaddll64.exe, Code function: 1_2_00007FFFE1FE8FC0
Source: C:\Windows\System32\loaddll64.exe, Code function: 1_2_00007FFFE1FEA7D0
Source: C:\Windows\System32\loaddll64.exe, Code function: 1_2_00007FFFE2044FF0
Source: C:\Windows\System32\loaddll64.exe, Code function: 1_2_00007FFFE1FF6FE0
Source: C:\Windows\System32\loaddll64.exe, Code function: 1_2_00007FFFE1FF4800
Source: C:\Windows\System32\loaddll64.exe, Code function: 1_2_00007FFFE1FD1010
Source: C:\Windows\System32\loaddll64.exe, Code function: 1_2_00007FFFE1FE5420
Source: C:\Windows\System32\loaddll64.exe, Code function: 1_2_00007FFFE1FD5C20
Source: C:\Windows\System32\loaddll64.exe, Code function: 1_2_00007FFFE203A490
Source: C:\Windows\System32\loaddll64.exe, Code function: 1_2_00007FFFE203E494
Source: C:\Windows\System32\loaddll64.exe, Code function: 1_2_00007FFFE203E49D
Source: C:\Windows\System32\loaddll64.exe, Code function: 1_2_00007FFFE1FFAC80
Source: C:\Windows\System32\loaddll64.exe, Code function: 1_2_00007FFFE203E48B
Source: C:\Windows\System32\loaddll64.exe, Code function: 1_2_00007FFFE203E4B6
Source: C:\Windows\System32\loaddll64.exe, Code function: 1_2_00007FFFE2032CA0
Source: C:\Windows\System32\loaddll64.exe, Code function: 1_2_00007FFFE203E4A6
Source: C:\Windows\System32\loaddll64.exe, Code function: 1_2_00007FFFE203E4AD
Source: C:\Windows\System32\loaddll64.exe, Code function: 1_2_00007FFFE1FE3CD0
Source: C:\Windows\System32\loaddll64.exe, Code function: 1_2_00007FFFE2005CD0
Source: C:\Windows\System32\loaddll64.exe, Code function: 1_2_00007FFFE2003CF0
Source: C:\Windows\System32\loaddll64.exe, Code function: 1_2_00007FFFE2000D10
Source: C:\Windows\System32\loaddll64.exe, Code function: 1_2_00007FFFE2001D30
Source: C:\Windows\System32\loaddll64.exe, Code function: 1_2_00007FFFE1FFD550
Source: C:\Windows\System32\loaddll64.exe, Code function: 1_2_00007FFFE1FF3D50
Source: C:\Windows\System32\loaddll64.exe, Code function: 1_2_00007FFFE1FE9D70
Source: C:\Windows\System32\loaddll64.exe, Code function: 1_2_00007FFFE1FDC5A0
Source: C:\Windows\System32\loaddll64.exe, Code function: 1_2_00007FFFE20025C0
Source: C:\Windows\System32\loaddll64.exe, Code function: 1_2_00007FFFE1FE95C0
Source: C:\Windows\System32\loaddll64.exe, Code function: 1_2_00007FFFE1FE65E0
Source: C:\Windows\System32\loaddll64.exe, Code function: 1_2_00007FFFE2002E10
Source: C:\Windows\System32\loaddll64.exe, Code function: 1_2_00007FFFE1FF3610
Source: C:\Users\user\AppData\Local\USNBng\MDMAppInstaller.exe, Code function: 20_2_00007FF77C19E934
                      Source: C:\Users\user\AppData\Local\USNBng\MDMAppInstaller.exeCode function: 20_2_00007FF77C1A19D4
                      Source: C:\Users\user\AppData\Local\USNBng\MDMAppInstaller.exeCode function: 20_2_00007FF77C1A49FF
                      Source: C:\Users\user\AppData\Local\USNBng\MDMAppInstaller.exeCode function: 20_2_00007FF77C194648
                      Source: C:\Users\user\AppData\Local\USNBng\MDMAppInstaller.exeCode function: 20_2_00007FF77C199630
                      Source: C:\Users\user\AppData\Local\USNBng\MDMAppInstaller.exeCode function: 20_2_00007FF77C193FAC
                      Source: C:\Users\user\AppData\Local\USNBng\MDMAppInstaller.exeCode function: 20_2_00007FF77C196BDC
                      Source: C:\Users\user\AppData\Local\USNBng\MDMAppInstaller.exeCode function: 20_2_00007FFFEF9897D0
                      Source: C:\Users\user\AppData\Local\USNBng\MDMAppInstaller.exeCode function: 20_2_00007FFFEF9A7650
                      Source: C:\Users\user\AppData\Local\USNBng\MDMAppInstaller.exeCode function: 20_2_00007FFFEF99DDC0
                      Source: C:\Users\user\AppData\Local\USNBng\MDMAppInstaller.exeCode function: 20_2_00007FFFEF9AD520
                      Source: C:\Users\user\AppData\Local\USNBng\MDMAppInstaller.exeCode function: 20_2_00007FFFEF975CD0
                      Source: C:\Users\user\AppData\Local\USNBng\MDMAppInstaller.exeCode function: 20_2_00007FFFEF98A2C0
                      Source: C:\Users\user\AppData\Local\USNBng\MDMAppInstaller.exeCode function: 20_2_00007FFFEF97BAE0
                      Source: C:\Users\user\AppData\Local\USNBng\MDMAppInstaller.exeCode function: 20_2_00007FFFEF98CA50
                      Source: C:\Users\user\AppData\Local\USNBng\MDMAppInstaller.exeCode function: 20_2_00007FFFEF97AA70
                      Source: C:\Users\user\AppData\Local\USNBng\MDMAppInstaller.exeCode function: 20_2_00007FFFEF9759F0
                      Source: C:\Users\user\AppData\Local\USNBng\MDMAppInstaller.exeCode function: 20_2_00007FFFEF993150
                      Source: C:\Users\user\AppData\Local\USNBng\MDMAppInstaller.exeCode function: 20_2_00007FFFEF975020
                      Source: C:\Users\user\AppData\Local\USNBng\MDMAppInstaller.exeCode function: 20_2_00007FFFEF967880
                      Source: C:\Users\user\AppData\Local\USNBng\MDMAppInstaller.exeCode function: 20_2_00007FFFEF958FC0
                      Source: C:\Users\user\AppData\Local\USNBng\MDMAppInstaller.exeCode function: 20_2_00007FFFEF95A7D0
                      Source: C:\Users\user\AppData\Local\USNBng\MDMAppInstaller.exeCode function: 20_2_00007FFFEF9BB7A0
                      Source: C:\Users\user\AppData\Local\USNBng\MDMAppInstaller.exeCode function: 20_2_00007FFFEF96E7B0
                      Source: C:\Users\user\AppData\Local\USNBng\MDMAppInstaller.exeCode function: 20_2_00007FFFEF964800
                      Source: C:\Users\user\AppData\Local\USNBng\MDMAppInstaller.exeCode function: 20_2_00007FFFEF941010
                      Source: C:\Users\user\AppData\Local\USNBng\MDMAppInstaller.exeCode function: 20_2_00007FFFEF966FE0
                      Source: C:\Users\user\AppData\Local\USNBng\MDMAppInstaller.exeCode function: 20_2_00007FFFEF9B4FF0
                      Source: C:\Users\user\AppData\Local\USNBng\MDMAppInstaller.exeCode function: 20_2_00007FFFEF962F50
                      Source: C:\Users\user\AppData\Local\USNBng\MDMAppInstaller.exeCode function: 20_2_00007FFFEF96872B
                      Source: C:\Users\user\AppData\Local\USNBng\MDMAppInstaller.exeCode function: 20_2_00007FFFEF9A0F30
                      Source: C:\Users\user\AppData\Local\USNBng\MDMAppInstaller.exeCode function: 20_2_00007FFFEF9BEF80
                      Source: C:\Users\user\AppData\Local\USNBng\MDMAppInstaller.exeCode function: 20_2_00007FFFEF9AC780
                      Source: C:\Users\user\AppData\Local\USNBng\MDMAppInstaller.exeCode function: 20_2_00007FFFEF946790
                      Source: C:\Users\user\AppData\Local\USNBng\MDMAppInstaller.exeCode function: 20_2_00007FFFEF9A5760
                      Source: C:\Users\user\AppData\Local\USNBng\MDMAppInstaller.exeCode function: 20_2_00007FFFEF95E770
                      Source: C:\Users\user\AppData\Local\USNBng\MDMAppInstaller.exeCode function: 20_2_00007FFFEF9A0770
                      Source: C:\Users\user\AppData\Local\USNBng\MDMAppInstaller.exeCode function: 20_2_00007FFFEF9BBF6F
                      Source: C:\Users\user\AppData\Local\USNBng\MDMAppInstaller.exeCode function: 20_2_00007FFFEF9A7EC0
                      Source: C:\Users\user\AppData\Local\USNBng\MDMAppInstaller.exeCode function: 20_2_00007FFFEF9706A0
                      Source: C:\Users\user\AppData\Local\USNBng\MDMAppInstaller.exeCode function: 20_2_00007FFFEF96F6B0
                      Source: C:\Users\user\AppData\Local\USNBng\MDMAppInstaller.exeCode function: 20_2_00007FFFEF9AA6B0
                      Source: C:\Users\user\AppData\Local\USNBng\MDMAppInstaller.exeCode function: 20_2_00007FFFEF990650
                      Source: C:\Users\user\AppData\Local\USNBng\MDMAppInstaller.exeCode function: 20_2_00007FFFEF941620
                      Source: C:\Users\user\AppData\Local\USNBng\MDMAppInstaller.exeCode function: 20_2_00007FFFEF94DE20
                      Source: C:\Users\user\AppData\Local\USNBng\MDMAppInstaller.exeCode function: 20_2_00007FFFEF947E80
                      Source: C:\Users\user\AppData\Local\USNBng\MDMAppInstaller.exeCode function: 20_2_00007FFFEF946E90
                      Source: C:\Users\user\AppData\Local\USNBng\MDMAppInstaller.exeCode function: 20_2_00007FFFEF958670
                      Source: C:\Users\user\AppData\Local\USNBng\MDMAppInstaller.exeCode function: 20_2_00007FFFEF9595C0
                      Source: C:\Users\user\AppData\Local\USNBng\MDMAppInstaller.exeCode function: 20_2_00007FFFEF9725C0
                      Source: C:\Users\user\AppData\Local\USNBng\MDMAppInstaller.exeCode function: 20_2_00007FFFEF94C5A0
                      Source: C:\Users\user\AppData\Local\USNBng\MDMAppInstaller.exeCode function: 20_2_00007FFFEF963610
                      Source: C:\Users\user\AppData\Local\USNBng\MDMAppInstaller.exeCode function: 20_2_00007FFFEF972E10
                      Source: C:\Users\user\AppData\Local\USNBng\MDMAppInstaller.exeCode function: 20_2_00007FFFEF9565E0
                      Source: C:\Users\user\AppData\Local\USNBng\MDMAppInstaller.exeCode function: 20_2_00007FFFEF963D50
                      Source: C:\Users\user\AppData\Local\USNBng\MDMAppInstaller.exeCode function: 20_2_00007FFFEF96D550
                      Source: C:\Users\user\AppData\Local\USNBng\MDMAppInstaller.exeCode function: 20_2_00007FFFEF998D20
                      Source: C:\Users\user\AppData\Local\USNBng\MDMAppInstaller.exeCode function: 20_2_00007FFFEF971D30
                      Source: C:\Users\user\AppData\Local\USNBng\MDMAppInstaller.exeCode function: 20_2_00007FFFEF9BC590
                      Source: C:\Users\user\AppData\Local\USNBng\MDMAppInstaller.exeCode function: 20_2_00007FFFEF959D70
                      Source: C:\Users\user\AppData\Local\USNBng\MDMAppInstaller.exeCode function: 20_2_00007FFFEF953CD0
                      Source: C:\Users\user\AppData\Local\USNBng\MDMAppInstaller.exeCode function: 20_2_00007FFFEF9AE4AD
                      Source: C:\Users\user\AppData\Local\USNBng\MDMAppInstaller.exeCode function: 20_2_00007FFFEF9A2CA0
                      Source: C:\Users\user\AppData\Local\USNBng\MDMAppInstaller.exeCode function: 20_2_00007FFFEF9AE4A6
                      Source: C:\Users\user\AppData\Local\USNBng\MDMAppInstaller.exeCode function: 20_2_00007FFFEF9AE4B6
                      Source: C:\Users\user\AppData\Local\USNBng\MDMAppInstaller.exeCode function: 20_2_00007FFFEF970D10
                      Source: C:\Users\user\AppData\Local\USNBng\MDMAppInstaller.exeCode function: 20_2_00007FFFEF973CF0
                      Source: C:\Users\user\AppData\Local\USNBng\MDMAppInstaller.exeCode function: 20_2_00007FFFEF945C20
                      Source: C:\Users\user\AppData\Local\USNBng\MDMAppInstaller.exeCode function: 20_2_00007FFFEF955420
                      Source: C:\Users\user\AppData\Local\USNBng\MDMAppInstaller.exeCode function: 20_2_00007FFFEF9AE48B
                      Source: C:\Users\user\AppData\Local\USNBng\MDMAppInstaller.exeCode function: 20_2_00007FFFEF96AC80
                      Source: C:\Users\user\AppData\Local\USNBng\MDMAppInstaller.exeCode function: 20_2_00007FFFEF9AE49D
                      Source: C:\Users\user\AppData\Local\USNBng\MDMAppInstaller.exeCode function: 20_2_00007FFFEF9AA490
                      Source: C:\Users\user\AppData\Local\USNBng\MDMAppInstaller.exeCode function: 20_2_00007FFFEF9AE494
                      Source: C:\Users\user\AppData\Local\USNBng\MDMAppInstaller.exeCode function: 20_2_00007FFFEF994BC0
                      Source: C:\Users\user\AppData\Local\USNBng\MDMAppInstaller.exeCode function: 20_2_00007FFFEF9BFC00
                      Source: C:\Users\user\AppData\Local\USNBng\MDMAppInstaller.exeCode function: 20_2_00007FFFEF9AE400
                      Source: C:\Users\user\AppData\Local\USNBng\MDMAppInstaller.exeCode function: 20_2_00007FFFEF957410
                      Source: C:\Users\user\AppData\Local\USNBng\MDMAppInstaller.exeCode function: 20_2_00007FFFEF9A9410
                      Source: C:\Users\user\AppData\Local\USNBng\MDMAppInstaller.exeCode function: 20_2_00007FFFEF9523F0
                      Source: C:\Users\user\AppData\Local\USNBng\MDMAppInstaller.exeCode function: 20_2_00007FFFEF963340
                      Source: C:\Users\user\AppData\Local\USNBng\MDMAppInstaller.exeCode function: 20_2_00007FFFEF958340
                      Source: C:\Users\user\AppData\Local\USNBng\MDMAppInstaller.exeCode function: 20_2_00007FFFEF945350
                      Source: C:\Users\user\AppData\Local\USNBng\MDMAppInstaller.exeCode function: 20_2_00007FFFEF9A5B50
                      Source: C:\Users\user\AppData\Local\USNBng\MDMAppInstaller.exeCode function: 20_2_00007FFFEF94BB20
                      Source: C:\Users\user\AppData\Local\USNBng\MDMAppInstaller.exeCode function: 20_2_00007FFFEF971B30
                      Source: C:\Users\user\AppData\Local\USNBng\MDMAppInstaller.exeCode function: 20_2_00007FFFEF9A4390
                      Source: C:\Users\user\AppData\Local\USNBng\MDMAppInstaller.exeCode function: 20_2_00007FFFEF974360
                      Source: C:\Users\user\AppData\Local\USNBng\MDMAppInstaller.exeCode function: 20_2_00007FFFEF9692C0
                      Source: C:\Users\user\AppData\Local\USNBng\MDMAppInstaller.exeCode function: 20_2_00007FFFEF99F2C0
                      Source: C:\Users\user\AppData\Local\USNBng\MDMAppInstaller.exeCode function: 20_2_00007FFFEF9922C0
                      Source: C:\Users\user\AppData\Local\USNBng\MDMAppInstaller.exeCode function: 20_2_00007FFFEF96DAA0
                      Source: C:\Users\user\AppData\Local\USNBng\MDMAppInstaller.exeCode function: 20_2_00007FFFEF9A82A0
                      Source: C:\Users\user\AppData\Local\USNBng\MDMAppInstaller.exeCode function: 20_2_00007FFFEF9AAAA0
                      Source: C:\Users\user\AppData\Local\USNBng\MDMAppInstaller.exeCode function: 20_2_00007FFFEF970300
                      Source: C:\Users\user\AppData\Local\USNBng\MDMAppInstaller.exeCode function: 20_2_00007FFFEF96A310
                      Source: C:\Users\user\AppData\Local\USNBng\MDMAppInstaller.exeCode function: 20_2_00007FFFEF9682E0
                      Source: C:\Users\user\AppData\Local\USNBng\MDMAppInstaller.exeCode function: 20_2_00007FFFEF9A2AE0
                      Source: C:\Users\user\AppData\Local\USNBng\MDMAppInstaller.exeCode function: 20_2_00007FFFEF9A7AF0
                      Source: C:\Users\user\AppData\Local\USNBng\MDMAppInstaller.exeCode function: 20_2_00007FFFEF947A40
                      Source: C:\Users\user\AppData\Local\USNBng\MDMAppInstaller.exeCode function: 20_2_00007FFFEF97B250
                      Source: C:\Users\user\AppData\Local\USNBng\MDMAppInstaller.exeCode function: 20_2_00007FFFEF9AB260
                      Source: C:\Users\user\AppData\Local\USNBng\MDMAppInstaller.exeCode function: 20_2_00007FFFEF9669C0
                      Source: C:\Users\user\AppData\Local\USNBng\MDMAppInstaller.exeCode function: 20_2_00007FFFEF9721D0
                      Source: C:\Users\user\AppData\Local\USNBng\MDMAppInstaller.exeCode function: 20_2_00007FFFEF96E9A0
                      Source: C:\Users\user\AppData\Local\USNBng\MDMAppInstaller.exeCode function: 20_2_00007FFFEF95E9B0
                      Source: C:\Users\user\AppData\Local\USNBng\MDMAppInstaller.exeCode function: 20_2_00007FFFEF9611B0
                      Source: C:\Users\user\AppData\Local\USNBng\MDMAppInstaller.exeCode function: 20_2_00007FFFEF9791F0
                      Source: C:\Users\user\AppData\Local\USNBng\MDMAppInstaller.exeCode function: 20_2_00007FFFEF9789F0
                      Source: C:\Users\user\AppData\Local\USNBng\MDMAppInstaller.exeCode function: 20_2_00007FFFEF96F1F0
                      Source: C:\Users\user\AppData\Local\USNBng\MDMAppInstaller.exeCode function: 20_2_00007FFFEF964140
                      Source: C:\Users\user\AppData\Local\USNBng\MDMAppInstaller.exeCode function: 20_2_00007FFFEF9A6950
                      Source: C:\Users\user\AppData\Local\USNBng\MDMAppInstaller.exeCode function: 20_2_00007FFFEF976130
                      Source: C:\Users\user\AppData\Local\USNBng\MDMAppInstaller.exeCode function: 20_2_00007FFFEF942980
                      Source: C:\Users\user\AppData\Local\USNBng\MDMAppInstaller.exeCode function: 20_2_00007FFFEF979990
                      Source: C:\Users\user\AppData\Local\USNBng\MDMAppInstaller.exeCode function: 20_2_00007FFFEF9AB960
                      Source: C:\Users\user\AppData\Local\USNBng\MDMAppInstaller.exeCode function: 20_2_00007FFFEF9418D0
                      Source: C:\Users\user\AppData\Local\USNBng\MDMAppInstaller.exeCode function: 20_2_00007FFFEF9508B0
                      Source: C:\Users\user\AppData\Local\USNBng\MDMAppInstaller.exeCode function: 20_2_00007FFFEF9BC8B1
                      Source: C:\Users\user\AppData\Local\USNBng\MDMAppInstaller.exeCode function: 20_2_00007FFFEF94B100
                      Source: C:\Users\user\AppData\Local\USNBng\MDMAppInstaller.exeCode function: 20_2_00007FFFEF95E110
                      Source: C:\Users\user\AppData\Local\USNBng\MDMAppInstaller.exeCode function: 20_2_00007FFFEF963910
                      Source: C:\Users\user\AppData\Local\USNBng\MDMAppInstaller.exeCode function: 20_2_00007FFFEF9BC0EB
                      Source: C:\Users\user\AppData\Local\USNBng\MDMAppInstaller.exeCode function: 20_2_00007FFFEF995840
                      Source: C:\Users\user\AppData\Local\USNBng\MDMAppInstaller.exeCode function: 20_2_00007FFFEF965050
                      Source: C:\Users\user\AppData\Local\USNBng\MDMAppInstaller.exeCode function: 20_2_00007FFFEF970020
                      Source: C:\Users\user\AppData\Local\USNBng\MDMAppInstaller.exeCode function: 20_2_00007FFFEF9C0820
                      Source: C:\Users\user\AppData\Local\USNBng\MDMAppInstaller.exeCode function: 20_2_00007FFFEF96C030
                      Source: C:\Users\user\AppData\Local\USNBng\MDMAppInstaller.exeCode function: 20_2_00007FFFEF95D890
                      Source: C:\Users\user\AppData\Local\USNBng\MDMAppInstaller.exeCode function: 20_2_00007FFFEF97F870
                      Source: C:\Users\user\AppData\Local\USNBng\MDMAppInstaller.exeCode function: 20_2_00007FFFEF98F870
                      Source: C:\Users\user\AppData\Local\E4DREUfrP\iexpress.exeCode function: 23_2_00007FF700CD3AEC
                      Source: C:\Users\user\AppData\Local\E4DREUfrP\iexpress.exeCode function: 23_2_00007FF700CD2D14
                      Source: C:\Users\user\AppData\Local\E4DREUfrP\iexpress.exeCode function: 23_2_00007FF700CD5A08
                      Source: C:\Users\user\AppData\Local\E4DREUfrP\iexpress.exeCode function: 23_2_00007FF700CD16FC
                      Source: C:\Users\user\AppData\Local\E4DREUfrP\iexpress.exeCode function: 23_2_00007FF700CD47B0
                      Source: C:\Users\user\AppData\Local\E4DREUfrP\iexpress.exeCode function: 23_2_00007FF700CDB0D0
                      Source: C:\Users\user\AppData\Local\E4DREUfrP\iexpress.exeCode function: 23_2_00007FF700CD18D0
                      Source: C:\Users\user\AppData\Local\E4DREUfrP\iexpress.exeCode function: 23_2_00007FF700CD14BC
                      Source: C:\Users\user\AppData\Local\E4DREUfrP\iexpress.exeCode function: 23_2_00007FF700CD9F6C
                      Source: C:\Users\user\AppData\Local\E4DREUfrP\iexpress.exeCode function: 23_2_00007FF700CD9D28
                      Source: C:\Users\user\AppData\Local\E4DREUfrP\iexpress.exeCode function: 23_2_00007FF700CD5518
                      Source: C:\Users\user\AppData\Local\E4DREUfrP\iexpress.exeCode function: 23_2_00007FF700CD8244
                      Source: C:\Users\user\AppData\Local\E4DREUfrP\iexpress.exeCode function: 23_2_00007FF700CD3440
                      Source: C:\Users\user\AppData\Local\xwE\wextract.exeCode function: 25_2_00007FF78E553D64
                      Source: C:\Users\user\AppData\Local\xwE\wextract.exeCode function: 25_2_00007FF78E556418
                      Source: C:\Users\user\AppData\Local\xwE\wextract.exeCode function: 25_2_00007FF78E551C00
                      Source: C:\Users\user\AppData\Local\xwE\wextract.exeCode function: 25_2_00007FF78E553310
                      Source: C:\Users\user\AppData\Local\xwE\wextract.exeCode function: 25_2_00007FF78E551B10
                      Source: C:\Users\user\AppData\Local\xwE\wextract.exeCode function: 25_2_00007FF78E5557D0
                      Source: C:\Users\user\AppData\Local\xwE\wextract.exeCode function: 25_2_00007FF78E555E98
                      Source: C:\Users\user\AppData\Local\xwE\wextract.exeCode function: 25_2_00007FF78E552AB4
                      Source: C:\Users\user\AppData\Local\xwE\wextract.exeCode function: 25_2_00007FFFF6D27650
                      Source: C:\Users\user\AppData\Local\xwE\wextract.exeCode function: 25_2_00007FFFF6D097D0
                      Source: C:\Users\user\AppData\Local\xwE\wextract.exeCode function: 25_2_00007FFFF6CF5CD0
                      Source: C:\Users\user\AppData\Local\xwE\wextract.exeCode function: 25_2_00007FFFF6D1DDC0
                      Source: C:\Users\user\AppData\Local\xwE\wextract.exeCode function: 25_2_00007FFFF6D2D520
                      Source: C:\Users\user\AppData\Local\xwE\wextract.exeCode function: 25_2_00007FFFF6CFBAE0
                      Source: C:\Users\user\AppData\Local\xwE\wextract.exeCode function: 25_2_00007FFFF6D0A2C0
                      Source: C:\Users\user\AppData\Local\xwE\wextract.exeCode function: 25_2_00007FFFF6CFAA70
                      Source: C:\Users\user\AppData\Local\xwE\wextract.exeCode function: 25_2_00007FFFF6D0CA50
                      Source: C:\Users\user\AppData\Local\xwE\wextract.exeCode function: 25_2_00007FFFF6CE7880
                      Source: C:\Users\user\AppData\Local\xwE\wextract.exeCode function: 25_2_00007FFFF6CF5020
                      Source: C:\Users\user\AppData\Local\xwE\wextract.exeCode function: 25_2_00007FFFF6CF59F0
                      Source: C:\Users\user\AppData\Local\xwE\wextract.exeCode function: 25_2_00007FFFF6D13150
                      Source: C:\Users\user\AppData\Local\xwE\wextract.exeCode function: 25_2_00007FFFF6D27EC0
                      Source: C:\Users\user\AppData\Local\xwE\wextract.exeCode function: 25_2_00007FFFF6CEF6B0
                      Source: C:\Users\user\AppData\Local\xwE\wextract.exeCode function: 25_2_00007FFFF6CF06A0
                      Source: C:\Users\user\AppData\Local\xwE\wextract.exeCode function: 25_2_00007FFFF6D2A6B0
                      Source: C:\Users\user\AppData\Local\xwE\wextract.exeCode function: 25_2_00007FFFF6CD8670
                      Source: C:\Users\user\AppData\Local\xwE\wextract.exeCode function: 25_2_00007FFFF6CC6E90
                      Source: C:\Users\user\AppData\Local\xwE\wextract.exeCode function: 25_2_00007FFFF6CC7E80
                      Source: C:\Users\user\AppData\Local\xwE\wextract.exeCode function: 25_2_00007FFFF6D10650
                      Source: C:\Users\user\AppData\Local\xwE\wextract.exeCode function: 25_2_00007FFFF6CC1620
                      Source: C:\Users\user\AppData\Local\xwE\wextract.exeCode function: 25_2_00007FFFF6CCDE20
                      Source: C:\Users\user\AppData\Local\xwE\wextract.exeCode function: 25_2_00007FFFF6CE6FE0
                      Source: C:\Users\user\AppData\Local\xwE\wextract.exeCode function: 25_2_00007FFFF6CC1010
                      Source: C:\Users\user\AppData\Local\xwE\wextract.exeCode function: 25_2_00007FFFF6D34FF0
                      Source: C:\Users\user\AppData\Local\xwE\wextract.exeCode function: 25_2_00007FFFF6CE4800
                      Source: C:\Users\user\AppData\Local\xwE\wextract.exeCode function: 25_2_00007FFFF6CEE7B0
                      Source: C:\Users\user\AppData\Local\xwE\wextract.exeCode function: 25_2_00007FFFF6D3B7A0
                      Source: C:\Users\user\AppData\Local\xwE\wextract.exeCode function: 25_2_00007FFFF6CDA7D0
                      Source: C:\Users\user\AppData\Local\xwE\wextract.exeCode function: 25_2_00007FFFF6CD8FC0
                      Source: C:\Users\user\AppData\Local\xwE\wextract.exeCode function: 25_2_00007FFFF6D3EF80
                      Source: C:\Users\user\AppData\Local\xwE\wextract.exeCode function: 25_2_00007FFFF6D2C780
                      Source: C:\Users\user\AppData\Local\xwE\wextract.exeCode function: 25_2_00007FFFF6CDE770
                      Source: C:\Users\user\AppData\Local\xwE\wextract.exeCode function: 25_2_00007FFFF6D25760
                      Source: C:\Users\user\AppData\Local\xwE\wextract.exeCode function: 25_2_00007FFFF6CC6790
                      Source: C:\Users\user\AppData\Local\xwE\wextract.exeCode function: 25_2_00007FFFF6D20770
                      Source: C:\Users\user\AppData\Local\xwE\wextract.exeCode function: 25_2_00007FFFF6D3BF6F
                      Source: C:\Users\user\AppData\Local\xwE\wextract.exeCode function: 25_2_00007FFFF6CE872B
                      Source: C:\Users\user\AppData\Local\xwE\wextract.exeCode function: 25_2_00007FFFF6CE2F50
                      Source: C:\Users\user\AppData\Local\xwE\wextract.exeCode function: 25_2_00007FFFF6D20F30
                      Source: C:\Users\user\AppData\Local\xwE\wextract.exeCode function: 25_2_00007FFFF6CF3CF0
                      Source: C:\Users\user\AppData\Local\xwE\wextract.exeCode function: 25_2_00007FFFF6CF0D10
                      Source: C:\Users\user\AppData\Local\xwE\wextract.exeCode function: 25_2_00007FFFF6D22CA0
                      Source: C:\Users\user\AppData\Local\xwE\wextract.exeCode function: 25_2_00007FFFF6D2E4A6
                      Source: C:\Users\user\AppData\Local\xwE\wextract.exeCode function: 25_2_00007FFFF6D2E4AD
                      Source: C:\Users\user\AppData\Local\xwE\wextract.exeCode function: 25_2_00007FFFF6CD3CD0
                      Source: C:\Users\user\AppData\Local\xwE\wextract.exeCode function: 25_2_00007FFFF6D2E4B6
                      Source: C:\Users\user\AppData\Local\xwE\wextract.exeCode function: 25_2_00007FFFF6D2E48B
                      Source: C:\Users\user\AppData\Local\xwE\wextract.exeCode function: 25_2_00007FFFF6D2A490
                      Source: C:\Users\user\AppData\Local\xwE\wextract.exeCode function: 25_2_00007FFFF6D2E494
                      Source: C:\Users\user\AppData\Local\xwE\wextract.exeCode function: 25_2_00007FFFF6D2E49D
                      Source: C:\Users\user\AppData\Local\xwE\wextract.exeCode function: 25_2_00007FFFF6CEAC80
                      Source: C:\Users\user\AppData\Local\xwE\wextract.exeCode function: 25_2_00007FFFF6CC5C20
                      Source: C:\Users\user\AppData\Local\xwE\wextract.exeCode function: 25_2_00007FFFF6CD5420
                      Source: C:\Users\user\AppData\Local\xwE\wextract.exeCode function: 25_2_00007FFFF6CD65E0
                      Source: C:\Users\user\AppData\Local\xwE\wextract.exeCode function: 25_2_00007FFFF6CE3610
                      Source: C:\Users\user\AppData\Local\xwE\wextract.exeCode function: 25_2_00007FFFF6CF2E10
                      Source: C:\Users\user\AppData\Local\xwE\wextract.exeCode function: 25_2_00007FFFF6CCC5A0
                      Source: C:\Users\user\AppData\Local\xwE\wextract.exeCode function: 25_2_00007FFFF6CD95C0
                      Source: C:\Users\user\AppData\Local\xwE\wextract.exeCode function: 25_2_00007FFFF6CF25C0
                      Source: C:\Users\user\AppData\Local\xwE\wextract.exeCode function: 25_2_00007FFFF6CD9D70
                      Source: C:\Users\user\AppData\Local\xwE\wextract.exeCode function: 25_2_00007FFFF6D3C590
                      Source: C:\Users\user\AppData\Local\xwE\wextract.exeCode function: 25_2_00007FFFF6CF1D30
                      Source: C:\Users\user\AppData\Local\xwE\wextract.exeCode function: 25_2_00007FFFF6D18D20
                      Source: C:\Users\user\AppData\Local\xwE\wextract.exeCode function: 25_2_00007FFFF6CE3D50
                      Source: C:\Users\user\AppData\Local\xwE\wextract.exeCode function: 25_2_00007FFFF6CED550
                      Source: C:\Users\user\AppData\Local\xwE\wextract.exeCode function: 25_2_00007FFFF6CE82E0
                      Source: C:\Users\user\AppData\Local\xwE\wextract.exeCode function: 25_2_00007FFFF6D22AE0
                      Source: C:\Users\user\AppData\Local\xwE\wextract.exeCode function: 25_2_00007FFFF6CEA310
                      Source: C:\Users\user\AppData\Local\xwE\wextract.exeCode function: 25_2_00007FFFF6D27AF0
                      Source: C:\Users\user\AppData\Local\xwE\wextract.exeCode function: 25_2_00007FFFF6CF0300
                      Source: C:\Users\user\AppData\Local\xwE\wextract.exeCode function: 25_2_00007FFFF6D1F2C0
                      Source: C:\Users\user\AppData\Local\xwE\wextract.exeCode function: 25_2_00007FFFF6D122C0
                      Source: C:\Users\user\AppData\Local\xwE\wextract.exeCode function: 25_2_00007FFFF6CEDAA0
                      Source: C:\Users\user\AppData\Local\xwE\wextract.exeCode function: 25_2_00007FFFF6D282A0
                      Source: C:\Users\user\AppData\Local\xwE\wextract.exeCode function: 25_2_00007FFFF6D2AAA0
                      Source: C:\Users\user\AppData\Local\xwE\wextract.exeCode function: 25_2_00007FFFF6CE92C0
                      Source: C:\Users\user\AppData\Local\xwE\wextract.exeCode function: 25_2_00007FFFF6D2B260
                      Source: C:\Users\user\AppData\Local\xwE\wextract.exeCode function: 25_2_00007FFFF6CFB250
                      Source: C:\Users\user\AppData\Local\xwE\wextract.exeCode function: 25_2_00007FFFF6CC7A40
                      Source: C:\Users\user\AppData\Local\xwE\wextract.exeCode function: 25_2_00007FFFF6D3FC00
                      Source: C:\Users\user\AppData\Local\xwE\wextract.exeCode function: 25_2_00007FFFF6D2E400
                      Source: C:\Users\user\AppData\Local\xwE\wextract.exeCode function: 25_2_00007FFFF6CD23F0
                      Source: C:\Users\user\AppData\Local\xwE\wextract.exeCode function: 25_2_00007FFFF6D29410
                      Source: C:\Users\user\AppData\Local\xwE\wextract.exeCode function: 25_2_00007FFFF6CD7410
                      Source: C:\Users\user\AppData\Local\xwE\wextract.exeCode function: 25_2_00007FFFF6D14BC0
                      Source: C:\Users\user\AppData\Local\xwE\wextract.exeCode function: 25_2_00007FFFF6D24390
Source: C:\Users\user\AppData\Local\xwE\wextract.exe Code function: 25_2_00007FFFF6CF4360
Source: C:\Users\user\AppData\Local\xwE\wextract.exe Code function: 25_2_00007FFFF6CF1B30
Source: C:\Users\user\AppData\Local\xwE\wextract.exe Code function: 25_2_00007FFFF6D25B50
Source: C:\Users\user\AppData\Local\xwE\wextract.exe Code function: 25_2_00007FFFF6CCBB20
Source: C:\Users\user\AppData\Local\xwE\wextract.exe Code function: 25_2_00007FFFF6CC5350
Source: C:\Users\user\AppData\Local\xwE\wextract.exe Code function: 25_2_00007FFFF6CE3340
Source: C:\Users\user\AppData\Local\xwE\wextract.exe Code function: 25_2_00007FFFF6CD8340
Source: C:\Users\user\AppData\Local\xwE\wextract.exe Code function: 25_2_00007FFFF6CDE110
Source: C:\Users\user\AppData\Local\xwE\wextract.exe Code function: 25_2_00007FFFF6CE3910
Source: C:\Users\user\AppData\Local\xwE\wextract.exe Code function: 25_2_00007FFFF6D3C0EB
Source: C:\Users\user\AppData\Local\xwE\wextract.exe Code function: 25_2_00007FFFF6CCB100
Source: C:\Users\user\AppData\Local\xwE\wextract.exe Code function: 25_2_00007FFFF6CD08B0
Source: C:\Users\user\AppData\Local\xwE\wextract.exe Code function: 25_2_00007FFFF6CC18D0
Source: C:\Users\user\AppData\Local\xwE\wextract.exe Code function: 25_2_00007FFFF6D3C8B1
Source: C:\Users\user\AppData\Local\xwE\wextract.exe Code function: 25_2_00007FFFF6CFF870
Source: C:\Users\user\AppData\Local\xwE\wextract.exe Code function: 25_2_00007FFFF6CDD890
Source: C:\Users\user\AppData\Local\xwE\wextract.exe Code function: 25_2_00007FFFF6D0F870
Source: C:\Users\user\AppData\Local\xwE\wextract.exe Code function: 25_2_00007FFFF6D15840
Source: C:\Users\user\AppData\Local\xwE\wextract.exe Code function: 25_2_00007FFFF6CEC030
Source: C:\Users\user\AppData\Local\xwE\wextract.exe Code function: 25_2_00007FFFF6CF0020
Source: C:\Users\user\AppData\Local\xwE\wextract.exe Code function: 25_2_00007FFFF6D40820
Source: C:\Users\user\AppData\Local\xwE\wextract.exe Code function: 25_2_00007FFFF6CE5050
Source: C:\Users\user\AppData\Local\xwE\wextract.exe Code function: 25_2_00007FFFF6CF91F0
Source: C:\Users\user\AppData\Local\xwE\wextract.exe Code function: 25_2_00007FFFF6CF89F0
Source: C:\Users\user\AppData\Local\xwE\wextract.exe Code function: 25_2_00007FFFF6CEF1F0
Source: C:\Users\user\AppData\Local\xwE\wextract.exe Code function: 25_2_00007FFFF6CDE9B0
Source: C:\Users\user\AppData\Local\xwE\wextract.exe Code function: 25_2_00007FFFF6CE11B0
Source: C:\Users\user\AppData\Local\xwE\wextract.exe Code function: 25_2_00007FFFF6CEE9A0
Source: C:\Users\user\AppData\Local\xwE\wextract.exe Code function: 25_2_00007FFFF6CF21D0
Source: C:\Users\user\AppData\Local\xwE\wextract.exe Code function: 25_2_00007FFFF6CE69C0
Source: C:\Users\user\AppData\Local\xwE\wextract.exe Code function: 25_2_00007FFFF6D2B960
Source: C:\Users\user\AppData\Local\xwE\wextract.exe Code function: 25_2_00007FFFF6CF9990
Source: C:\Users\user\AppData\Local\xwE\wextract.exe Code function: 25_2_00007FFFF6CC2980
Source: C:\Users\user\AppData\Local\xwE\wextract.exe Code function: 25_2_00007FFFF6CF6130
Source: C:\Users\user\AppData\Local\xwE\wextract.exe Code function: 25_2_00007FFFF6D26950
Source: C:\Users\user\AppData\Local\xwE\wextract.exe Code function: 25_2_00007FFFF6CE4140
Source: C:\Users\user\AppData\Local\SUX56B\FileHistory.exe Code function: 31_2_00007FFFF0DE5020
Source: C:\Users\user\AppData\Local\SUX56B\FileHistory.exe Code function: 31_2_00007FFFF0DFA2C0
Source: C:\Users\user\AppData\Local\SUX56B\FileHistory.exe Code function: 31_2_00007FFFF0DEAA70
Source: C:\Users\user\AppData\Local\SUX56B\FileHistory.exe Code function: 31_2_00007FFFF0DFCA50
Source: C:\Users\user\AppData\Local\SUX56B\FileHistory.exe Code function: 31_2_00007FFFF0DE5CD0
Source: C:\Users\user\AppData\Local\SUX56B\FileHistory.exe Code function: 31_2_00007FFFF0E0DDC0
Source: C:\Users\user\AppData\Local\SUX56B\FileHistory.exe Code function: 31_2_00007FFFF0DBB100
Source: C:\Users\user\AppData\Local\SUX56B\FileHistory.exe Code function: 31_2_00007FFFF0DCE110
Source: C:\Users\user\AppData\Local\SUX56B\FileHistory.exe Code function: 31_2_00007FFFF0DD3910
Source: C:\Users\user\AppData\Local\SUX56B\FileHistory.exe Code function: 31_2_00007FFFF0DB18D0
Source: C:\Users\user\AppData\Local\SUX56B\FileHistory.exe Code function: 31_2_00007FFFF0DC08B0
Source: C:\Users\user\AppData\Local\SUX56B\FileHistory.exe Code function: 31_2_00007FFFF0DD7880
Source: C:\Users\user\AppData\Local\SUX56B\FileHistory.exe Code function: 31_2_00007FFFF0DCD890
Source: C:\Users\user\AppData\Local\SUX56B\FileHistory.exe Code function: 31_2_00007FFFF0DEF870
Source: C:\Users\user\AppData\Local\SUX56B\FileHistory.exe Code function: 31_2_00007FFFF0E05840
Source: C:\Users\user\AppData\Local\SUX56B\FileHistory.exe Code function: 31_2_00007FFFF0DD5050
Source: C:\Users\user\AppData\Local\SUX56B\FileHistory.exe Code function: 31_2_00007FFFF0DE0020
Source: C:\Users\user\AppData\Local\SUX56B\FileHistory.exe Code function: 31_2_00007FFFF0DDC030
Source: C:\Users\user\AppData\Local\SUX56B\FileHistory.exe Code function: 31_2_00007FFFF0DE59F0
Source: C:\Users\user\AppData\Local\SUX56B\FileHistory.exe Code function: 31_2_00007FFFF0DDF1F0
Source: C:\Users\user\AppData\Local\SUX56B\FileHistory.exe Code function: 31_2_00007FFFF0DE91F0
Source: C:\Users\user\AppData\Local\SUX56B\FileHistory.exe Code function: 31_2_00007FFFF0DE89F0
Source: C:\Users\user\AppData\Local\SUX56B\FileHistory.exe Code function: 31_2_00007FFFF0DD69C0
Source: C:\Users\user\AppData\Local\SUX56B\FileHistory.exe Code function: 31_2_00007FFFF0DE21D0
Source: C:\Users\user\AppData\Local\SUX56B\FileHistory.exe Code function: 31_2_00007FFFF0DDE9A0
Source: C:\Users\user\AppData\Local\SUX56B\FileHistory.exe Code function: 31_2_00007FFFF0DCE9B0
Source: C:\Users\user\AppData\Local\SUX56B\FileHistory.exe Code function: 31_2_00007FFFF0DD11B0
Source: C:\Users\user\AppData\Local\SUX56B\FileHistory.exe Code function: 31_2_00007FFFF0DB2980
Source: C:\Users\user\AppData\Local\SUX56B\FileHistory.exe Code function: 31_2_00007FFFF0DE9990
Source: C:\Users\user\AppData\Local\SUX56B\FileHistory.exe Code function: 31_2_00007FFFF0E1B960
Source: C:\Users\user\AppData\Local\SUX56B\FileHistory.exe Code function: 31_2_00007FFFF0E16950
Source: C:\Users\user\AppData\Local\SUX56B\FileHistory.exe Code function: 31_2_00007FFFF0DD4140
Source: C:\Users\user\AppData\Local\SUX56B\FileHistory.exe Code function: 31_2_00007FFFF0E03150
Source: C:\Users\user\AppData\Local\SUX56B\FileHistory.exe Code function: 31_2_00007FFFF0DE6130
Source: C:\Users\user\AppData\Local\SUX56B\FileHistory.exe Code function: 31_2_00007FFFF0DE0300
Source: C:\Users\user\AppData\Local\SUX56B\FileHistory.exe Code function: 31_2_00007FFFF0DDA310
Source: C:\Users\user\AppData\Local\SUX56B\FileHistory.exe Code function: 31_2_00007FFFF0DD82E0
Source: C:\Users\user\AppData\Local\SUX56B\FileHistory.exe Code function: 31_2_00007FFFF0DEBAE0
Source: C:\Users\user\AppData\Local\SUX56B\FileHistory.exe Code function: 31_2_00007FFFF0E12AE0
Source: C:\Users\user\AppData\Local\SUX56B\FileHistory.exe Code function: 31_2_00007FFFF0DD92C0
Source: C:\Users\user\AppData\Local\SUX56B\FileHistory.exe Code function: 31_2_00007FFFF0E0F2C0
Source: C:\Users\user\AppData\Local\SUX56B\FileHistory.exe Code function: 31_2_00007FFFF0DDDAA0
Source: C:\Users\user\AppData\Local\SUX56B\FileHistory.exe Code function: 31_2_00007FFFF0E182A0
Source: C:\Users\user\AppData\Local\SUX56B\FileHistory.exe Code function: 31_2_00007FFFF0E1AAA0
Source: C:\Users\user\AppData\Local\SUX56B\FileHistory.exe Code function: 31_2_00007FFFF0E1B260
Source: C:\Users\user\AppData\Local\SUX56B\FileHistory.exe Code function: 31_2_00007FFFF0DB7A40
Source: C:\Users\user\AppData\Local\SUX56B\FileHistory.exe Code function: 31_2_00007FFFF0DEB250
Source: C:\Users\user\AppData\Local\SUX56B\FileHistory.exe Code function: 31_2_00007FFFF0E19410
Source: C:\Users\user\AppData\Local\SUX56B\FileHistory.exe Code function: 31_2_00007FFFF0E1E400
Source: C:\Users\user\AppData\Local\SUX56B\FileHistory.exe Code function: 31_2_00007FFFF0DC7410
Source: C:\Users\user\AppData\Local\SUX56B\FileHistory.exe Code function: 31_2_00007FFFF0DC23F0
Source: C:\Users\user\AppData\Local\SUX56B\FileHistory.exe Code function: 31_2_00007FFFF0E04BC0
Source: C:\Users\user\AppData\Local\SUX56B\FileHistory.exe Code function: 31_2_00007FFFF0E14390
Source: C:\Users\user\AppData\Local\SUX56B\FileHistory.exe Code function: 31_2_00007FFFF0DE4360
Source: C:\Users\user\AppData\Local\SUX56B\FileHistory.exe Code function: 31_2_00007FFFF0E15B50
Source: C:\Users\user\AppData\Local\SUX56B\FileHistory.exe Code function: 31_2_00007FFFF0DD3340
Source: C:\Users\user\AppData\Local\SUX56B\FileHistory.exe Code function: 31_2_00007FFFF0DC8340
Source: C:\Users\user\AppData\Local\SUX56B\FileHistory.exe Code function: 31_2_00007FFFF0DB5350
Source: C:\Users\user\AppData\Local\SUX56B\FileHistory.exe Code function: 31_2_00007FFFF0DBBB20
Source: C:\Users\user\AppData\Local\SUX56B\FileHistory.exe Code function: 31_2_00007FFFF0DE1B30
Source: C:\Users\user\AppData\Local\SUX56B\FileHistory.exe Code function: 31_2_00007FFFF0DE0D10
Source: C:\Users\user\AppData\Local\SUX56B\FileHistory.exe Code function: 31_2_00007FFFF0DE3CF0
Source: C:\Users\user\AppData\Local\SUX56B\FileHistory.exe Code function: 31_2_00007FFFF0DC3CD0
Source: C:\Users\user\AppData\Local\SUX56B\FileHistory.exe Code function: 31_2_00007FFFF0E12CA0
Source: C:\Users\user\AppData\Local\SUX56B\FileHistory.exe Code function: 31_2_00007FFFF0DDAC80
Source: C:\Users\user\AppData\Local\SUX56B\FileHistory.exe Code function: 31_2_00007FFFF0DC5420
Source: C:\Users\user\AppData\Local\SUX56B\FileHistory.exe Code function: 31_2_00007FFFF0DB5C20
Source: C:\Users\user\AppData\Local\SUX56B\FileHistory.exe Code function: 31_2_00007FFFF0DE2E10
Source: C:\Users\user\AppData\Local\SUX56B\FileHistory.exe Code function: 31_2_00007FFFF0DD3610
Source: C:\Users\user\AppData\Local\SUX56B\FileHistory.exe Code function: 31_2_00007FFFF0DC65E0
Source: C:\Users\user\AppData\Local\SUX56B\FileHistory.exe Code function: 31_2_00007FFFF0DE25C0
Source: C:\Users\user\AppData\Local\SUX56B\FileHistory.exe Code function: 31_2_00007FFFF0DC95C0
Source: C:\Users\user\AppData\Local\SUX56B\FileHistory.exe Code function: 31_2_00007FFFF0DBC5A0
Source: C:\Users\user\AppData\Local\SUX56B\FileHistory.exe Code function: 31_2_00007FFFF0DC9D70
Source: C:\Users\user\AppData\Local\SUX56B\FileHistory.exe Code function: 31_2_00007FFFF0DDD550
Source: C:\Users\user\AppData\Local\SUX56B\FileHistory.exe Code function: 31_2_00007FFFF0DD3D50
Source: C:\Users\user\AppData\Local\SUX56B\FileHistory.exe Code function: 31_2_00007FFFF0E1D520
Source: C:\Users\user\AppData\Local\SUX56B\FileHistory.exe Code function: 31_2_00007FFFF0DE1D30
Source: C:\Users\user\AppData\Local\SUX56B\FileHistory.exe Code function: 31_2_00007FFFF0E17EC0
Source: C:\Users\user\AppData\Local\SUX56B\FileHistory.exe Code function: 31_2_00007FFFF0DE06A0
Source: C:\Users\user\AppData\Local\SUX56B\FileHistory.exe Code function: 31_2_00007FFFF0DDF6B0
Source: C:\Users\user\AppData\Local\SUX56B\FileHistory.exe Code function: 31_2_00007FFFF0DB7E80
Source: C:\Users\user\AppData\Local\SUX56B\FileHistory.exe Code function: 31_2_00007FFFF0DB6E90
Source: C:\Users\user\AppData\Local\SUX56B\FileHistory.exe Code function: 31_2_00007FFFF0DC8670
Source: C:\Users\user\AppData\Local\SUX56B\FileHistory.exe Code function: 31_2_00007FFFF0E17650
Source: C:\Users\user\AppData\Local\SUX56B\FileHistory.exe Code function: 31_2_00007FFFF0E00650
Source: C:\Users\user\AppData\Local\SUX56B\FileHistory.exe Code function: 31_2_00007FFFF0DBDE20
Source: C:\Users\user\AppData\Local\SUX56B\FileHistory.exe Code function: 31_2_00007FFFF0DB1620
Source: C:\Users\user\AppData\Local\SUX56B\FileHistory.exe Code function: 31_2_00007FFFF0DD4800
Source: C:\Users\user\AppData\Local\SUX56B\FileHistory.exe Code function: 31_2_00007FFFF0DB1010
Source: C:\Users\user\AppData\Local\SUX56B\FileHistory.exe Code function: 31_2_00007FFFF0E24FF0
Source: C:\Users\user\AppData\Local\SUX56B\FileHistory.exe Code function: 31_2_00007FFFF0DD6FE0
Source: C:\Users\user\AppData\Local\SUX56B\FileHistory.exe Code function: 31_2_00007FFFF0DC8FC0
Source: C:\Users\user\AppData\Local\SUX56B\FileHistory.exe Code function: 31_2_00007FFFF0DCA7D0
Source: C:\Users\user\AppData\Local\SUX56B\FileHistory.exe Code function: 31_2_00007FFFF0DF97D0
Source: C:\Users\user\AppData\Local\SUX56B\FileHistory.exe Code function: 31_2_00007FFFF0E2B7A0
Source: C:\Users\user\AppData\Local\SUX56B\FileHistory.exe Code function: 31_2_00007FFFF0DDE7B0
Source: C:\Users\user\AppData\Local\SUX56B\FileHistory.exe Code function: 31_2_00007FFFF0E2EF80
Source: C:\Users\user\AppData\Local\SUX56B\FileHistory.exe Code function: 31_2_00007FFFF0DB6790
Source: C:\Users\user\AppData\Local\SUX56B\FileHistory.exe Code function: 31_2_00007FFFF0E10770
Source: C:\Users\user\AppData\Local\SUX56B\FileHistory.exe Code function: 31_2_00007FFFF0E15760
Source: C:\Users\user\AppData\Local\SUX56B\FileHistory.exe Code function: 31_2_00007FFFF0DCE770
Source: C:\Users\user\AppData\Local\SUX56B\FileHistory.exe Code function: 31_2_00007FFFF0DD2F50
Source: C:\Users\user\AppData\Local\SUX56B\FileHistory.exe Code function: 31_2_00007FFFF0E10F30
Source: C:\Users\user\AppData\Local\SUX56B\FileHistory.exe Code function: 31_2_00007FFFF0DD872B
Source: C:\Users\user\AppData\Local\USNBng\MDMAppInstaller.exe Code function: String function: 00007FF77C196124 appears 108 times
Source: C:\Users\user\AppData\Local\USNBng\MDMAppInstaller.exe Code function: String function: 00007FF77C195F34 appears 75 times
Source: C:\Users\user\AppData\Local\USNBng\MDMAppInstaller.exe Code function: 20_2_00007FF77C199630 memset,memset,GetSystemDirectoryW,??3@YAXPEAX@Z,??3@YAXPEAX@Z,wcscat_s,GetTempFileNameW,GetLastError,#6,#177,RevertToSelf,CreateEnvironmentBlock,GetLastError,CreateProcessAsUserW,GetLastError,CreateProcessW,GetLastError,WaitForSingleObject,GetExitCodeProcess,GetLastError,DeleteFileW,GetLastError,GetLastError,RevertToSelf,DeleteFileW,GetLastError,DestroyEnvironmentBlock,EnterCriticalSection,LeaveCriticalSection,CloseHandle,CloseHandle,CloseHandle,??3@YAXPEAX@Z,??3@YAXPEAX@Z,??3@YAXPEAX@Z,??3@YAXPEAX@Z,
Source: C:\Windows\System32\loaddll64.exe Code function: 1_2_00007FFFE2017770 NtClose,
Source: C:\Windows\System32\loaddll64.exe Code function: 1_2_00007FFFE203D520 NtQuerySystemInformation,
Source: C:\Users\user\AppData\Local\USNBng\MDMAppInstaller.exe Code function: 20_2_00007FFFEF965F40 NtCreateSection,NtMapViewOfSection,NtUnmapViewOfSection,NtDuplicateObject,NtDuplicateObject,
Source: C:\Users\user\AppData\Local\USNBng\MDMAppInstaller.exe Code function: 20_2_00007FFFEF987770 NtClose,
Source: C:\Users\user\AppData\Local\USNBng\MDMAppInstaller.exe Code function: 20_2_00007FFFEF97CE20 NtDuplicateObject,NtClose,
Source: C:\Users\user\AppData\Local\USNBng\MDMAppInstaller.exe Code function: 20_2_00007FFFEF9AD520 NtQuerySystemInformation,
Source: C:\Users\user\AppData\Local\USNBng\MDMAppInstaller.exe Code function: 20_2_00007FFFEF97C4D0 CreateFileMappingW,VirtualAlloc,NtMapViewOfSection,NtUnmapViewOfSection,NtDuplicateObject,NtDuplicateObject,
Source: C:\Users\user\AppData\Local\USNBng\MDMAppInstaller.exe Code function: 20_2_00007FFFEF975CD0 RtlAddVectoredContinueHandler,VirtualProtect,VirtualProtect,RtlCreateUserThread,NtClose,
Source: C:\Users\user\AppData\Local\USNBng\MDMAppInstaller.exe Code function: 20_2_00007FFFEF97BAE0 NtReadVirtualMemory,RtlQueueApcWow64Thread,
Source: C:\Users\user\AppData\Local\USNBng\MDMAppInstaller.exe Code function: 20_2_00007FFFEF97AA70 VirtualAlloc,NtDuplicateObject,RtlQueueApcWow64Thread,
Source: C:\Users\user\AppData\Local\USNBng\MDMAppInstaller.exe Code function: 20_2_00007FFFEF98F150 NtDelayExecution,
Source: C:\Users\user\AppData\Local\USNBng\MDMAppInstaller.exe Code function: 20_2_00007FFFEF978060 NtReadVirtualMemory,
Source: C:\Users\user\AppData\Local\xwE\wextract.exe Code function: 25_2_00007FFFF6D07770 NtClose,
Source: C:\Users\user\AppData\Local\xwE\wextract.exe Code function: 25_2_00007FFFF6CE5F40 NtCreateSection,NtMapViewOfSection,NtUnmapViewOfSection,NtDuplicateObject,NtDuplicateObject,
Source: C:\Users\user\AppData\Local\xwE\wextract.exe Code function: 25_2_00007FFFF6CFC4D0 CreateFileMappingW,VirtualAlloc,NtMapViewOfSection,NtUnmapViewOfSection,NtDuplicateObject,NtDuplicateObject,
Source: C:\Users\user\AppData\Local\xwE\wextract.exe Code function: 25_2_00007FFFF6CF5CD0 RtlAddVectoredContinueHandler,VirtualProtect,VirtualProtect,RtlCreateUserThread,NtClose,
Source: C:\Users\user\AppData\Local\xwE\wextract.exe Code function: 25_2_00007FFFF6D2D520 NtQuerySystemInformation,
Source: C:\Users\user\AppData\Local\xwE\wextract.exe Code function: 25_2_00007FFFF6CFBAE0 NtReadVirtualMemory,
Source: C:\Users\user\AppData\Local\xwE\wextract.exe Code function: 25_2_00007FFFF6CFAA70 VirtualAlloc,NtDuplicateObject,RtlQueueApcWow64Thread,
Source: C:\Users\user\AppData\Local\SUX56B\FileHistory.exe Code function: 31_2_00007FFFF0DE5CD0 RtlAddVectoredContinueHandler,VirtualProtect,VirtualProtect,RtlCreateUserThread,NtClose,
Source: C:\Users\user\AppData\Local\SUX56B\FileHistory.exe Code function: 31_2_00007FFFF0DF7770 NtClose,
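The native-call chains listed just above are the evidence behind the "Queues an APC in another process", "Changes memory attributes in foreign processes" and "Uses Atom Bombing / ProGate" signatures: a section is created and mapped (NtCreateSection, NtMapViewOfSection), protections are flipped (VirtualProtect), and execution is gained by a remote thread (RtlCreateUserThread) or an APC (RtlQueueApcWow64Thread). The Python below is an added example, not Joe Sandbox code and not code from the sample: it parses lines in the report's "Code function: <pid>_<run>_<address> Api1,Api2," layout and sorts each function's calls into staging and execution primitives, calling a function injection-capable only when it has both. The primitive table and the verdict rule are this example's own heuristics, and the sample lines are copied from the report into a constructed list.

```python
"""Triage of the "Code function" API chains listed in the report.

Added example; it is not part of the Joe Sandbox report and not code from the
sample. It parses lines of the form
"Code function: <pid>_<run>_<address> Api1,Api2,..." and reports which
process-injection primitives each function combines. The primitive table and
the verdict rule are this example's own heuristics, not Joe Sandbox's
signature logic.
"""
import re
from dataclasses import dataclass, field

# Constructed input: report lines reproduced in the layout used above, plus
# one loaddll64.exe line that only closes a handle.
SAMPLE_LINES = [
    r'Source: C:\Users\user\AppData\Local\USNBng\MDMAppInstaller.exe Code function: 20_2_00007FFFEF965F40 NtCreateSection,NtMapViewOfSection,NtUnmapViewOfSection,NtDuplicateObject,NtDuplicateObject,',
    r'Source: C:\Users\user\AppData\Local\USNBng\MDMAppInstaller.exe Code function: 20_2_00007FFFEF975CD0 RtlAddVectoredContinueHandler,VirtualProtect,VirtualProtect,RtlCreateUserThread,NtClose,',
    r'Source: C:\Users\user\AppData\Local\USNBng\MDMAppInstaller.exe Code function: 20_2_00007FFFEF97AA70 VirtualAlloc,NtDuplicateObject,RtlQueueApcWow64Thread,',
    r'Source: C:\Windows\System32\loaddll64.exe Code function: 1_2_00007FFFE2017770 NtClose,',
]

# Primitive classes an injector needs: get bytes into the target address
# space, make them executable, and get control flow there. Names are the
# ones seen in the report plus their common siblings; Zw* is folded into Nt*.
PRIMITIVES = {
    "alloc_or_map": {"NtCreateSection", "NtMapViewOfSection", "CreateFileMappingW",
                     "MapViewOfFile", "VirtualAlloc", "VirtualAllocEx",
                     "NtAllocateVirtualMemory"},
    "write": {"NtWriteVirtualMemory", "WriteProcessMemory"},
    "protect": {"VirtualProtect", "VirtualProtectEx", "NtProtectVirtualMemory"},
    "execute": {"RtlQueueApcWow64Thread", "NtQueueApcThread", "QueueUserAPC",
                "RtlCreateUserThread", "NtCreateThreadEx", "CreateRemoteThread",
                "SetThreadContext", "NtSetContextThread"},
}

LINE_RE = re.compile(
    r"Code function:\s*(?P<fn>\d+_\d+_[0-9A-Fa-f]+)(?:\s+(?P<apis>\S+))?"
)


@dataclass
class FunctionChain:
    name: str                    # "<pid>_<run>_<address>" as printed in the report
    apis: list                   # call sequence in report order
    hits: dict = field(default_factory=dict)   # primitive class -> APIs matched

    @property
    def verdict(self) -> str:
        staging = {"alloc_or_map", "write", "protect"} & set(self.hits)
        if "execute" in self.hits and staging:
            return "injection-capable"
        return "partial" if self.hits else "none"


def parse_chain(line: str):
    """Return a FunctionChain for one report line, or None if it is not one."""
    m = LINE_RE.search(line)
    if not m:
        return None
    apis = [a for a in (m.group("apis") or "").split(",") if a]

    def canon(api: str) -> str:
        return "Nt" + api[2:] if api.startswith("Zw") else api

    hits = {}
    for category, names in PRIMITIVES.items():
        found = [a for a in apis if canon(a) in names]
        if found:
            hits[category] = found
    return FunctionChain(m.group("fn"), apis, hits)


def triage(lines):
    """Parse every recognisable line and return the chains in input order."""
    return [c for c in map(parse_chain, lines) if c is not None]


if __name__ == "__main__":
    for chain in triage(SAMPLE_LINES):
        print(f"{chain.name}: {chain.verdict:18} {chain.hits}")
```

Run against the four constructed lines, the two MDMAppInstaller.exe functions at ...975CD0 and ...97AA70 come out injection-capable, the section-mapping function at ...965F40 is only partial (it stages memory but hands control to nothing), and the loaddll64.exe NtClose wrapper is noise. Sorting by verdict is a quick way to pick which of the hundreds of "Code function" addresses in a report are worth opening in a disassembler first.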
Source: SystemPropertiesAdvanced.exe.6.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: SystemPropertiesAdvanced.exe.6.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: SystemPropertiesAdvanced.exe.6.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: FileHistory.exe.6.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: FileHistory.exe.6.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: FileHistory.exe.6.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: FileHistory.exe.6.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: FileHistory.exe.6.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: FileHistory.exe.6.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: iexpress.exe.6.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: iexpress.exe.6.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: iexpress.exe.6.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: SystemPropertiesComputerName.exe.6.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: SystemPropertiesComputerName.exe.6.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: SystemPropertiesComputerName.exe.6.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: iexpress.exe0.6.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: iexpress.exe0.6.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: iexpress.exe0.6.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: wextract.exe.6.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: wextract.exe.6.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: wextract.exe.6.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: C:\Windows\System32\loaddll64.exe Section loaded: kernel34.dll
Source: C:\Windows\explorer.exe Section loaded: kernel34.dll
Source: C:\Windows\explorer.exe Section loaded: windows.globalization.dll
Source: C:\Windows\explorer.exe Section loaded: capabilityaccessmanagerclient.dll
Source: C:\Windows\explorer.exe Section loaded: kernel34.dll
Source: C:\Windows\explorer.exe Section loaded: kernel34.dll
Source: C:\Users\user\AppData\Local\USNBng\MDMAppInstaller.exe Section loaded: kernel34.dll
Source: C:\Users\user\AppData\Local\E4DREUfrP\iexpress.exe Section loaded: kernel34.dll
Source: C:\Users\user\AppData\Local\xwE\wextract.exe Section loaded: kernel34.dll
Source: C:\Users\user\AppData\Local\pUTm\SystemPropertiesAdvanced.exe Section loaded: kernel34.dll
Source: C:\Users\user\AppData\Local\SUX56B\FileHistory.exe Section loaded: kernel34.dll
Source: C:\Users\user\AppData\Local\KGg\iexpress.exe Section loaded: kernel34.dll
Source: C:\Users\user\AppData\Local\lcdNfR\SystemPropertiesComputerName.exe Section loaded: kernel34.dll
Source: WTSAPI32.dll.6.dr Static PE information: Number of sections : 71 > 10
Source: XmlLite.dll0.6.dr Static PE information: Number of sections : 71 > 10
Source: VERSION.dll1.6.dr Static PE information: Number of sections : 71 > 10
Source: SYSDM.CPL.6.dr Static PE information: Number of sections : 71 > 10
Source: UxTheme.dll.6.dr Static PE information: Number of sections : 71 > 10
Source: newdev.dll.6.dr Static PE information: Number of sections : 71 > 10
Source: VERSION.dll.6.dr Static PE information: Number of sections : 71 > 10
Source: VERSION.dll0.6.dr Static PE information: Number of sections : 71 > 10
Source: XmlLite.dll.6.dr Static PE information: Number of sections : 71 > 10
Source: mpXUd364Rz.dll Static PE information: Number of sections : 70 > 10
Source: SYSDM.CPL0.6.dr Static PE information: Number of sections : 71 > 10
Source: mpXUd364Rz.dll Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: SYSDM.CPL.6.dr Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: UxTheme.dll.6.dr Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: VERSION.dll.6.dr Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: XmlLite.dll.6.dr Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: SYSDM.CPL0.6.dr Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: WTSAPI32.dll.6.dr Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: newdev.dll.6.dr Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: XmlLite.dll0.6.dr Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: VERSION.dll0.6.dr Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: VERSION.dll1.6.dr Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: mpXUd364Rz.dll Virustotal: Detection: 64%
Source: mpXUd364Rz.dll Metadefender: Detection: 62%
Source: mpXUd364Rz.dll ReversingLabs: Detection: 88%
Source: mpXUd364Rz.dll Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
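The submitted DLL has 70 sections and every DLL it drops (VERSION.dll, XmlLite.dll, WTSAPI32.dll, UxTheme.dll, newdev.dll, SYSDM.CPL) has 71, while a linker normally emits a handful, so the section count is the cheapest static check that ties the dropped files to the sample. The Python below is an added example written for this page, not Joe Sandbox code and not run on the sample: it walks the DOS header, PE signature, COFF header and section table with only the standard library, and reports a section count above 10 (the threshold the report quotes), any section that is both writable and executable, and section names with characters outside [A-Za-z0-9._$] (this example's own reading of "special chars"; Joe Sandbox's definition is not given here). build_pe() constructs a non-loadable PE32+ header set with 71 sections so the checks can run offline.

```python
"""Static PE checks behind the "Number of sections" and section-flag lines.

Added example, stdlib only; it is not Joe Sandbox code and the bytes it parses
are constructed here rather than taken from the sample. It walks the DOS
header, PE signature, COFF header and section table, then reports a section
count above SECTION_LIMIT, any section that is both writable and executable,
and section names containing characters outside ALLOWED_NAME_CHARS (this
example's definition of "special chars").
"""
import struct

IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000
SECTION_LIMIT = 10                       # the "> 10" threshold quoted in the report
ALLOWED_NAME_CHARS = set("abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789._$")


def build_pe(section_names, flags_by_name):
    """Constructed PE32+ header set: 64-byte DOS header, PE signature, 20-byte
    COFF header, zeroed 240-byte optional header, one 40-byte section header
    per name. Enough for header parsing; not a loadable image."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 60, 64)                       # e_lfanew
    opt_size = 240
    coff = struct.pack("<HHIIIHH", 0x8664, len(section_names), 0, 0, 0, opt_size, 0x2022)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x20B)                     # PE32+ magic
    table = b""
    for i, name in enumerate(section_names):
        raw = name.encode("latin-1")[:8].ljust(8, b"\0")
        chars = flags_by_name.get(name, IMAGE_SCN_MEM_READ)
        # VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData,
        # PointerToRelocations, PointerToLinenumbers, NumberOfRelocations,
        # NumberOfLinenumbers, Characteristics
        table += raw + struct.pack("<IIIIIIHHI", 0x1000, 0x1000 * (i + 1), 0x200,
                                   0x400 + 0x200 * i, 0, 0, 0, 0, chars)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + table


def parse_sections(data):
    """Return [(name, characteristics), ...] from the section table."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 60)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    n_sections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    table = coff + 20 + opt_size
    if table + 40 * n_sections > len(data):
        raise ValueError("section table runs past end of file")
    sections = []
    for i in range(n_sections):
        off = table + 40 * i
        name = data[off:off + 8].rstrip(b"\0").decode("latin-1")
        chars = struct.unpack_from("<I", data, off + 36)[0]
        sections.append((name, chars))
    return sections


def section_findings(data):
    """Findings phrased like the report lines; an empty list means nothing odd."""
    sections = parse_sections(data)
    findings = []
    if len(sections) > SECTION_LIMIT:
        findings.append(f"Number of sections : {len(sections)} > {SECTION_LIMIT}")
    for name, chars in sections:
        if chars & IMAGE_SCN_MEM_EXECUTE and chars & IMAGE_SCN_MEM_WRITE:
            findings.append(f"Section {name!r} is writable and executable")
        if not set(name) <= ALLOWED_NAME_CHARS:
            findings.append(f"Section {name!r} has special characters in its name")
    return findings


# Constructed image: .text with the flags quoted in the report, a normal .data,
# one W+X section with a non-printable name, and filler to reach 71 sections.
SAMPLE_NAMES = [".text", ".rdata", ".data", "\x01\x02\x03"] + [f"s{i}" for i in range(67)]
SAMPLE_FLAGS = {
    ".text": IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ,
    ".data": IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE,
    "\x01\x02\x03": IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE | IMAGE_SCN_MEM_EXECUTE,
}
SAMPLE_PE = build_pe(SAMPLE_NAMES, SAMPLE_FLAGS)

if __name__ == "__main__":
    print("\n".join(section_findings(SAMPLE_PE)))
```

On a real file, replace SAMPLE_PE with the bytes of mpXUd364Rz.dll or one of the dropped DLLs; the section-count line it prints is the same string the report shows. The .text flags quoted in the report (execute, code, read) are the normal ones, so the .text lines above are not themselves suspicious; the count and the names are.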
Source: C:\Windows\System32\loaddll64.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown Process created: C:\Windows\System32\loaddll64.exe loaddll64.exe "C:\Users\user\Desktop\mpXUd364Rz.dll"
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\mpXUd364Rz.dll",#1
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\mpXUd364Rz.dll,GetFileVersionInfoA
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\mpXUd364Rz.dll",#1
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\mpXUd364Rz.dll,GetFileVersionInfoByHandle
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\mpXUd364Rz.dll,GetFileVersionInfoExA
Source: C:\Windows\explorer.exe Process created: C:\Windows\System32\MDMAppInstaller.exe C:\Windows\system32\MDMAppInstaller.exe
Source: C:\Windows\explorer.exe Process created: C:\Users\user\AppData\Local\USNBng\MDMAppInstaller.exe C:\Users\user\AppData\Local\USNBng\MDMAppInstaller.exe
Source: C:\Windows\explorer.exe Process created: C:\Windows\System32\iexpress.exe C:\Windows\system32\iexpress.exe
Source: C:\Windows\explorer.exe Process created: C:\Users\user\AppData\Local\E4DREUfrP\iexpress.exe C:\Users\user\AppData\Local\E4DREUfrP\iexpress.exe
Source: C:\Windows\explorer.exe Process created: C:\Windows\System32\wextract.exe C:\Windows\system32\wextract.exe
Source: C:\Windows\explorer.exe Process created: C:\Users\user\AppData\Local\xwE\wextract.exe C:\Users\user\AppData\Local\xwE\wextract.exe
Source: C:\Windows\explorer.exe Process created: C:\Windows\System32\SystemPropertiesAdvanced.exe C:\Windows\system32\SystemPropertiesAdvanced.exe
Source: C:\Windows\explorer.exe Process created: C:\Users\user\AppData\Local\pUTm\SystemPropertiesAdvanced.exe C:\Users\user\AppData\Local\pUTm\SystemPropertiesAdvanced.exe
Source: C:\Windows\explorer.exe Process created: C:\Windows\System32\FileHistory.exe C:\Windows\system32\FileHistory.exe
Source: C:\Windows\explorer.exe Process created: C:\Users\user\AppData\Local\SUX56B\FileHistory.exe C:\Users\user\AppData\Local\SUX56B\FileHistory.exe
Source: C:\Windows\explorer.exe Process created: C:\Windows\System32\iexpress.exe C:\Windows\system32\iexpress.exe
Source: C:\Windows\explorer.exe Process created: C:\Users\user\AppData\Local\KGg\iexpress.exe C:\Users\user\AppData\Local\KGg\iexpress.exe
Source: C:\Windows\explorer.exe Process created: C:\Windows\System32\sppsvc.exe C:\Windows\system32\sppsvc.exe
Source: C:\Windows\explorer.exe Process created: C:\Users\user\AppData\Local\4gdyz\sppsvc.exe C:\Users\user\AppData\Local\4gdyz\sppsvc.exe
Source: C:\Windows\explorer.exe Process created: C:\Windows\System32\SystemPropertiesComputerName.exe C:\Windows\system32\SystemPropertiesComputerName.exe
Source: C:\Windows\explorer.exe Process created: C:\Users\user\AppData\Local\lcdNfR\SystemPropertiesComputerName.exe C:\Users\user\AppData\Local\lcdNfR\SystemPropertiesComputerName.exe
Source: C:\Windows\explorer.exe Process created: C:\Windows\System32\InfDefaultInstall.exe C:\Windows\system32\InfDefaultInstall.exe
                      Source: C:\Windows\explorer.exeProcess created: unknown unknown
                      Source: C:\Windows\explorer.exeProcess created: unknown unknown
                      Source: C:\Windows\explorer.exeProcess created: unknown unknown
                      Source: C:\Windows\explorer.exeProcess created: unknown unknown
                      Source: C:\Windows\explorer.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32
                      Source: C:\Users\user\AppData\Local\xwE\wextract.exeCode function: 25_2_00007FF78E551B10 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,CloseHandle,ExitWindowsEx,
                      Source: C:\Windows\explorer.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\CryptoJump to behavior
                      Source: classification engineClassification label: mal100.troj.evad.winDLL@49/22@0/0
                      Source: C:\Users\user\AppData\Local\USNBng\MDMAppInstaller.exeCode function: 20_2_00007FF77C1A3134 CoCreateInstance,CoSetProxyBlanket,
                      Source: C:\Users\user\AppData\Local\xwE\wextract.exeCode function: 25_2_00007FF78E556418 GetCurrentDirectoryA,SetCurrentDirectoryA,GetLastError,GetDiskFreeSpaceA,MulDiv,GetVolumeInformationA,memset,GetLastError,GetLastError,FormatMessageA,SetCurrentDirectoryA,memset,GetLastError,GetLastError,FormatMessageA,SetCurrentDirectoryA,
                      Source: C:\Users\user\AppData\Local\E4DREUfrP\iexpress.exeCode function: 23_2_00007FF700CD7FF4 _lwrite,_lwrite,GetLastError,FormatMessageA,LoadStringA,MessageBoxA,LocalFree,
                      Source: C:\Users\user\AppData\Local\SUX56B\FileHistory.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dll
                      Source: C:\Users\user\AppData\Local\USNBng\MDMAppInstaller.exeCode function: 20_2_00007FFFEF97CB00 GetProcessId,CreateToolhelp32Snapshot,Thread32First,Thread32Next,
                      Source: C:\Windows\System32\loaddll64.exeProcess created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\mpXUd364Rz.dll,GetFileVersionInfoA
                      Source: C:\Users\user\AppData\Local\lcdNfR\SystemPropertiesComputerName.exeMutant created: \Sessions\1\BaseNamedObjects\{2b9f69fc-d942-5108-1b7e-06ce6cc163c0}
                      Source: C:\Users\user\AppData\Local\lcdNfR\SystemPropertiesComputerName.exeMutant created: \Sessions\1\BaseNamedObjects\{201a9ced-b6b9-3ccf-1f9b-f23e480bd0ad}
                      Source: C:\Users\user\AppData\Local\E4DREUfrP\iexpress.exeCode function: 23_2_00007FF700CD7600 CompareStringA,FindResourceExA,free,free,SizeofResource,malloc,memset,LoadResource,free,LockResource,memcpy,FreeResource,
                      Source: mpXUd364Rz.dllStatic PE information: Image base 0x140000000 > 0x60000000
                      Source: mpXUd364Rz.dllStatic file information: File size 1421312 > 1048576
                      Source: mpXUd364Rz.dllStatic PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA
                      Source: Binary string: iexpress.pdbGCTL source: iexpress.exe, 00000017.00000000.381495000.00007FF700CE0000.00000002.00000001.01000000.0000000C.sdmp, iexpress.exe, 00000017.00000002.404968145.00007FF700CE0000.00000002.00000001.01000000.0000000C.sdmp, iexpress.exe, 00000021.00000000.482512095.00007FF6ECF70000.00000002.00000001.01000000.00000015.sdmp, iexpress.exe, 00000021.00000002.512158543.00007FF6ECF70000.00000002.00000001.01000000.00000015.sdmp
                      Source: Binary string: wextract.pdb source: wextract.exe, 00000019.00000000.410833636.00007FF78E559000.00000002.00000001.01000000.0000000E.sdmp, wextract.exe, 00000019.00000002.434355036.00007FF78E559000.00000002.00000001.01000000.0000000E.sdmp
                      Source: Binary string: mdmappinstaller.pdbGCTL source: MDMAppInstaller.exe, 00000014.00000002.369492137.00007FF77C1A5000.00000002.00000001.01000000.0000000A.sdmp, MDMAppInstaller.exe, 00000014.00000000.345833557.00007FF77C1A5000.00000002.00000001.01000000.0000000A.sdmp
                      Source: Binary string: wextract.pdbGCTL source: wextract.exe, 00000019.00000000.410833636.00007FF78E559000.00000002.00000001.01000000.0000000E.sdmp, wextract.exe, 00000019.00000002.434355036.00007FF78E559000.00000002.00000001.01000000.0000000E.sdmp
                      Source: Binary string: sppsvc.pdb source: sppsvc.exe, 00000024.00000000.519045806.00007FF74EE9B000.00000002.00000001.01000000.00000017.sdmp, sppsvc.exe, 00000024.00000002.559206083.00007FF74EE9B000.00000002.00000001.01000000.00000017.sdmp
                      Source: Binary string: SystemPropertiesComputerName.pdb source: SystemPropertiesComputerName.exe, 00000028.00000000.569829747.00007FF6726F2000.00000002.00000001.01000000.0000001A.sdmp, SystemPropertiesComputerName.exe, 00000028.00000002.595087283.00007FF6726F2000.00000002.00000001.01000000.0000001A.sdmp
                      Source: Binary string: SystemPropertiesAdvanced.pdb source: SystemPropertiesAdvanced.exe, 0000001D.00000000.439910859.00007FF773112000.00000002.00000001.01000000.00000010.sdmp, SystemPropertiesAdvanced.exe, 0000001D.00000002.467026056.00007FF773112000.00000002.00000001.01000000.00000010.sdmp
                      Source: Binary string: FileHistory.pdbGCTL source: FileHistory.exe, 0000001F.00000000.471907577.00007FF6F1249000.00000002.00000001.01000000.00000012.sdmp, FileHistory.exe, 0000001F.00000002.476813926.00007FF6F1249000.00000002.00000001.01000000.00000012.sdmp
                      Source: Binary string: sppsvc.pdbGCTL source: sppsvc.exe, 00000024.00000000.519045806.00007FF74EE9B000.00000002.00000001.01000000.00000017.sdmp, sppsvc.exe, 00000024.00000002.559206083.00007FF74EE9B000.00000002.00000001.01000000.00000017.sdmp
                      Source: Binary string: SystemPropertiesComputerName.pdbGCTL source: SystemPropertiesComputerName.exe, 00000028.00000000.569829747.00007FF6726F2000.00000002.00000001.01000000.0000001A.sdmp, SystemPropertiesComputerName.exe, 00000028.00000002.595087283.00007FF6726F2000.00000002.00000001.01000000.0000001A.sdmp
                      Source: Binary string: SystemPropertiesAdvanced.pdbGCTL source: SystemPropertiesAdvanced.exe, 0000001D.00000000.439910859.00007FF773112000.00000002.00000001.01000000.00000010.sdmp, SystemPropertiesAdvanced.exe, 0000001D.00000002.467026056.00007FF773112000.00000002.00000001.01000000.00000010.sdmp
                      Source: Binary string: mdmappinstaller.pdb source: MDMAppInstaller.exe, 00000014.00000002.369492137.00007FF77C1A5000.00000002.00000001.01000000.0000000A.sdmp, MDMAppInstaller.exe, 00000014.00000000.345833557.00007FF77C1A5000.00000002.00000001.01000000.0000000A.sdmp
                      Source: Binary string: iexpress.pdb source: iexpress.exe, 00000017.00000000.381495000.00007FF700CE0000.00000002.00000001.01000000.0000000C.sdmp, iexpress.exe, 00000017.00000002.404968145.00007FF700CE0000.00000002.00000001.01000000.0000000C.sdmp, iexpress.exe, 00000021.00000000.482512095.00007FF6ECF70000.00000002.00000001.01000000.00000015.sdmp, iexpress.exe, 00000021.00000002.512158543.00007FF6ECF70000.00000002.00000001.01000000.00000015.sdmp
                      Source: Binary string: FileHistory.pdb source: FileHistory.exe, 0000001F.00000000.471907577.00007FF6F1249000.00000002.00000001.01000000.00000012.sdmp, FileHistory.exe, 0000001F.00000002.476813926.00007FF6F1249000.00000002.00000001.01000000.00000012.sdmp
                      Source: C:\Users\user\AppData\Local\USNBng\MDMAppInstaller.exe | Code function: 20_2_00007FFFEF9BD500 push rax; iretd
                      Source: C:\Users\user\AppData\Local\xwE\wextract.exe | Code function: 25_2_00007FFFF6D3D500 push rax; iretd
                      Source: mpXUd364Rz.dll | Static PE information: section names: .vxl, .qwubgr, .eer, .xwwauf, .pkc, .npkda, .vhs, .iaywj, .nasi, .zhvprh, .yatdsp, .njso, .lgliat, .ntqjh, .sucsek, .qsxjui, .twctcm, .nms, .ogj, .vrkgb, .gikfw, .ktl, .crcn, .wtfr, .hep, .ywg, .sqsp, .gzb, .fatlss, .plqa, .vzt, .dsbyd, .cdelc, .qkhkj, .mnzegr, .krw, .jvsmn, .bygpq, .kzdbu, .mwxorn, .raf, .zcyw, .zeczh, .pvv, .lug, .ski, .japjd, .mwtzml, .vgssf, .gsroye, .vcmr, .kvjqnl, .zlu, .nrcvk, .pfz, .hxz, .snjrs, .bffts, .gknvh, .mifiod, .whmsy, .wtuzur, .lwtn, .kuh
                      Source: FileHistory.exe.6.dr | Static PE information: section name: .nep
                      Source: sppsvc.exe.6.dr | Static PE information: section name: ?g_Encry
                      Source: sppsvc.exe.6.dr | Static PE information: section name: ?g_Encry
                      Source: sppsvc.exe.6.dr | Static PE information: section name: ?g_Encry
                      Source: sppsvc.exe.6.dr | Static PE information: section name: ?g_Encry
                      Source: MDMAppInstaller.exe.6.dr | Static PE information: section name: .didat
                      Source: MusNotificationUx.exe.6.dr | Static PE information: section name: .imrsiv
                      Source: MusNotificationUx.exe.6.dr | Static PE information: section name: .didat
                      Source: SYSDM.CPL.6.dr | Static PE information: section names: .vxl, .qwubgr, .eer, .xwwauf, .pkc, .npkda, .vhs, .iaywj, .nasi, .zhvprh, .yatdsp, .njso, .lgliat, .ntqjh, .sucsek, .qsxjui, .twctcm, .nms, .ogj, .vrkgb, .gikfw, .ktl, .crcn, .wtfr, .hep, .ywg, .sqsp, .gzb, .fatlss, .plqa, .vzt, .dsbyd, .cdelc, .qkhkj, .mnzegr, .krw, .jvsmn, .bygpq, .kzdbu, .mwxorn, .raf, .zcyw, .zeczh, .pvv, .lug, .ski, .japjd, .mwtzml, .vgssf, .gsroye, .vcmr, .kvjqnl, .zlu, .nrcvk, .pfz, .hxz, .snjrs, .bffts, .gknvh, .mifiod, .whmsy, .wtuzur, .lwtn, .kuh, .repb
                      Source: UxTheme.dll.6.dr | Static PE information: section names: .vxl, .qwubgr, .eer, .xwwauf, .pkc, .npkda, .vhs, .iaywj, .nasi, .zhvprh, .yatdsp, .njso, .lgliat, .ntqjh, .sucsek, .qsxjui, .twctcm, .nms, .ogj, .vrkgb, .gikfw, .ktl, .crcn, .wtfr, .hep, .ywg, .sqsp, .gzb, .fatlss, .plqa, .vzt, .dsbyd, .cdelc, .qkhkj, .mnzegr, .krw, .jvsmn, .bygpq, .kzdbu, .mwxorn, .raf, .zcyw, .zeczh, .pvv, .lug, .ski, .japjd, .mwtzml, .vgssf, .gsroye, .vcmr, .kvjqnl, .zlu, .nrcvk, .pfz, .hxz, .snjrs, .bffts, .gknvh, .mifiod, .whmsy, .wtuzur, .lwtn, .kuh, .gwvj
                      Source: VERSION.dll.6.dr | Static PE information: section names: .vxl, .qwubgr, .eer, .xwwauf, .pkc, .npkda, .vhs, .iaywj, .nasi, .zhvprh, .yatdsp, .njso, .lgliat, .ntqjh, .sucsek, .qsxjui, .twctcm, .nms, .ogj, .vrkgb, .gikfw, .ktl, .crcn, .wtfr, .hep, .ywg, .sqsp, .gzb, .fatlss, .plqa, .vzt, .dsbyd, .cdelc, .qkhkj, .mnzegr, .krw, .jvsmn, .bygpq, .kzdbu, .mwxorn, .raf, .zcyw, .zeczh, .pvv, .lug, .ski, .japjd, .mwtzml, .vgssf, .gsroye, .vcmr, .kvjqnl, .zlu, .nrcvk, .pfz, .hxz, .snjrs, .bffts, .gknvh, .mifiod, .whmsy, .wtuzur, .lwtn, .kuh, .dgn
                      Source: XmlLite.dll.6.drStatic PE information: section name: .vxl
                      Source: XmlLite.dll.6.drStatic PE information: section name: .qwubgr
                      Source: XmlLite.dll.6.drStatic PE information: section name: .eer
                      Source: XmlLite.dll.6.drStatic PE information: section name: .xwwauf
                      Source: XmlLite.dll.6.drStatic PE information: section name: .pkc
                      Source: XmlLite.dll.6.drStatic PE information: section name: .npkda
                      Source: XmlLite.dll.6.drStatic PE information: section name: .vhs
                      Source: XmlLite.dll.6.drStatic PE information: section name: .iaywj
                      Source: XmlLite.dll.6.drStatic PE information: section name: .nasi
                      Source: XmlLite.dll.6.drStatic PE information: section name: .zhvprh
                      Source: XmlLite.dll.6.drStatic PE information: section name: .yatdsp
                      Source: XmlLite.dll.6.drStatic PE information: section name: .njso
                      Source: XmlLite.dll.6.drStatic PE information: section name: .lgliat
                      Source: XmlLite.dll.6.drStatic PE information: section name: .ntqjh
                      Source: XmlLite.dll.6.drStatic PE information: section name: .sucsek
                      Source: XmlLite.dll.6.drStatic PE information: section name: .qsxjui
                      Source: XmlLite.dll.6.drStatic PE information: section name: .twctcm
                      Source: XmlLite.dll.6.drStatic PE information: section name: .nms
                      Source: XmlLite.dll.6.drStatic PE information: section name: .ogj
                      Source: XmlLite.dll.6.drStatic PE information: section name: .vrkgb
                      Source: XmlLite.dll.6.drStatic PE information: section name: .gikfw
                      Source: XmlLite.dll.6.drStatic PE information: section name: .ktl
                      Source: XmlLite.dll.6.drStatic PE information: section name: .crcn
                      Source: XmlLite.dll.6.drStatic PE information: section name: .wtfr
                      Source: XmlLite.dll.6.drStatic PE information: section name: .hep
                      Source: XmlLite.dll.6.drStatic PE information: section name: .ywg
                      Source: XmlLite.dll.6.drStatic PE information: section name: .sqsp
                      Source: XmlLite.dll.6.drStatic PE information: section name: .gzb
                      Source: XmlLite.dll.6.drStatic PE information: section name: .fatlss
                      Source: XmlLite.dll.6.drStatic PE information: section name: .plqa
                      Source: XmlLite.dll.6.drStatic PE information: section name: .vzt
                      Source: XmlLite.dll.6.drStatic PE information: section name: .dsbyd
                      Source: XmlLite.dll.6.drStatic PE information: section name: .cdelc
                      Source: XmlLite.dll.6.drStatic PE information: section name: .qkhkj
                      Source: XmlLite.dll.6.drStatic PE information: section name: .mnzegr
                      Source: XmlLite.dll.6.drStatic PE information: section name: .krw
                      Source: XmlLite.dll.6.drStatic PE information: section name: .jvsmn
                      Source: XmlLite.dll.6.drStatic PE information: section name: .bygpq
                      Source: XmlLite.dll.6.drStatic PE information: section name: .kzdbu
                      Source: XmlLite.dll.6.drStatic PE information: section name: .mwxorn
                      Source: XmlLite.dll.6.drStatic PE information: section name: .raf
                      Source: XmlLite.dll.6.drStatic PE information: section name: .zcyw
                      Source: XmlLite.dll.6.drStatic PE information: section name: .zeczh
                      Source: XmlLite.dll.6.drStatic PE information: section name: .pvv
                      Source: XmlLite.dll.6.drStatic PE information: section name: .lug
                      Source: XmlLite.dll.6.drStatic PE information: section name: .ski
                      Source: XmlLite.dll.6.drStatic PE information: section name: .japjd
                      Source: XmlLite.dll.6.drStatic PE information: section name: .mwtzml
                      Source: XmlLite.dll.6.drStatic PE information: section name: .vgssf
                      Source: XmlLite.dll.6.drStatic PE information: section name: .gsroye
                      Source: XmlLite.dll.6.drStatic PE information: section name: .vcmr
                      Source: XmlLite.dll.6.drStatic PE information: section name: .kvjqnl
                      Source: XmlLite.dll.6.drStatic PE information: section name: .zlu
                      Source: XmlLite.dll.6.drStatic PE information: section name: .nrcvk
                      Source: XmlLite.dll.6.drStatic PE information: section name: .pfz
                      Source: XmlLite.dll.6.drStatic PE information: section name: .hxz
                      Source: XmlLite.dll.6.drStatic PE information: section name: .snjrs
                      Source: XmlLite.dll.6.drStatic PE information: section name: .bffts
                      Source: XmlLite.dll.6.drStatic PE information: section name: .gknvh
                      Source: XmlLite.dll.6.drStatic PE information: section name: .mifiod
                      Source: XmlLite.dll.6.drStatic PE information: section name: .whmsy
                      Source: XmlLite.dll.6.drStatic PE information: section name: .wtuzur
                      Source: XmlLite.dll.6.drStatic PE information: section name: .lwtn
                      Source: XmlLite.dll.6.drStatic PE information: section name: .kuh
                      Source: XmlLite.dll.6.drStatic PE information: section name: .hmklaw
                      Source: SYSDM.CPL0.6.drStatic PE information: section name: .vxl
                      Source: SYSDM.CPL0.6.drStatic PE information: section name: .qwubgr
                      Source: SYSDM.CPL0.6.drStatic PE information: section name: .eer
                      Source: SYSDM.CPL0.6.drStatic PE information: section name: .xwwauf
                      Source: SYSDM.CPL0.6.drStatic PE information: section name: .pkc
                      Source: SYSDM.CPL0.6.drStatic PE information: section name: .npkda
                      Source: SYSDM.CPL0.6.drStatic PE information: section name: .vhs
                      Source: SYSDM.CPL0.6.drStatic PE information: section name: .iaywj
                      Source: SYSDM.CPL0.6.drStatic PE information: section name: .nasi
                      Source: SYSDM.CPL0.6.drStatic PE information: section name: .zhvprh
                      Source: SYSDM.CPL0.6.drStatic PE information: section name: .yatdsp
                      Source: SYSDM.CPL0.6.drStatic PE information: section name: .njso
                      Source: SYSDM.CPL0.6.drStatic PE information: section name: .lgliat
                      Source: SYSDM.CPL0.6.drStatic PE information: section name: .ntqjh
                      Source: SYSDM.CPL0.6.drStatic PE information: section name: .sucsek
                      Source: SYSDM.CPL0.6.drStatic PE information: section name: .qsxjui
                      Source: SYSDM.CPL0.6.drStatic PE information: section name: .twctcm
                      Source: SYSDM.CPL0.6.drStatic PE information: section name: .nms
                      Source: SYSDM.CPL0.6.drStatic PE information: section name: .ogj
                      Source: SYSDM.CPL0.6.drStatic PE information: section name: .vrkgb
                      Source: SYSDM.CPL0.6.drStatic PE information: section name: .gikfw
                      Source: SYSDM.CPL0.6.drStatic PE information: section name: .ktl
                      Source: SYSDM.CPL0.6.drStatic PE information: section name: .crcn
                      Source: SYSDM.CPL0.6.drStatic PE information: section name: .wtfr
                      Source: SYSDM.CPL0.6.drStatic PE information: section name: .hep
                      Source: SYSDM.CPL0.6.drStatic PE information: section name: .ywg
                      Source: SYSDM.CPL0.6.drStatic PE information: section name: .sqsp
                      Source: SYSDM.CPL0.6.drStatic PE information: section name: .gzb
                      Source: SYSDM.CPL0.6.drStatic PE information: section name: .fatlss
                      Source: SYSDM.CPL0.6.drStatic PE information: section name: .plqa
                      Source: SYSDM.CPL0.6.drStatic PE information: section name: .vzt
                      Source: SYSDM.CPL0.6.drStatic PE information: section name: .dsbyd
                      Source: SYSDM.CPL0.6.drStatic PE information: section name: .cdelc
                      Source: SYSDM.CPL0.6.drStatic PE information: section name: .qkhkj
                      Source: SYSDM.CPL0.6.drStatic PE information: section name: .mnzegr
                      Source: SYSDM.CPL0.6.drStatic PE information: section name: .krw
                      Source: SYSDM.CPL0.6.drStatic PE information: section name: .jvsmn
                      Source: SYSDM.CPL0.6.drStatic PE information: section name: .bygpq
                      Source: SYSDM.CPL0.6.drStatic PE information: section name: .kzdbu
                      Source: SYSDM.CPL0.6.drStatic PE information: section name: .mwxorn
                      Source: SYSDM.CPL0.6.drStatic PE information: section name: .raf
                      Source: SYSDM.CPL0.6.drStatic PE information: section name: .zcyw
                      Source: SYSDM.CPL0.6.drStatic PE information: section name: .zeczh
                      Source: SYSDM.CPL0.6.drStatic PE information: section name: .pvv
                      Source: SYSDM.CPL0.6.drStatic PE information: section name: .lug
                      Source: SYSDM.CPL0.6.drStatic PE information: section name: .ski
                      Source: SYSDM.CPL0.6.drStatic PE information: section name: .japjd
                      Source: SYSDM.CPL0.6.drStatic PE information: section name: .mwtzml
                      Source: SYSDM.CPL0.6.drStatic PE information: section name: .vgssf
                      Source: SYSDM.CPL0.6.drStatic PE information: section name: .gsroye
                      Source: SYSDM.CPL0.6.drStatic PE information: section name: .vcmr
                      Source: SYSDM.CPL0.6.drStatic PE information: section name: .kvjqnl
                      Source: SYSDM.CPL0.6.drStatic PE information: section name: .zlu
                      Source: SYSDM.CPL0.6.drStatic PE information: section name: .nrcvk
                      Source: SYSDM.CPL0.6.drStatic PE information: section name: .pfz
                      Source: SYSDM.CPL0.6.drStatic PE information: section name: .hxz
                      Source: SYSDM.CPL0.6.drStatic PE information: section name: .snjrs
                      Source: SYSDM.CPL0.6.drStatic PE information: section name: .bffts
                      Source: SYSDM.CPL0.6.drStatic PE information: section name: .gknvh
                      Source: SYSDM.CPL0.6.drStatic PE information: section name: .mifiod
                      Source: SYSDM.CPL0.6.drStatic PE information: section name: .whmsy
                      Source: SYSDM.CPL0.6.drStatic PE information: section name: .wtuzur
                      Source: SYSDM.CPL0.6.drStatic PE information: section name: .lwtn
                      Source: SYSDM.CPL0.6.drStatic PE information: section name: .kuh
                      Source: SYSDM.CPL0.6.drStatic PE information: section name: .azm
                      Source: WTSAPI32.dll.6.drStatic PE information: section name: .vxl
                      Source: WTSAPI32.dll.6.drStatic PE information: section name: .qwubgr
                      Source: WTSAPI32.dll.6.drStatic PE information: section name: .eer
                      Source: WTSAPI32.dll.6.drStatic PE information: section name: .xwwauf
                      Source: WTSAPI32.dll.6.drStatic PE information: section name: .pkc
                      Source: WTSAPI32.dll.6.drStatic PE information: section name: .npkda
                      Source: WTSAPI32.dll.6.drStatic PE information: section name: .vhs
                      Source: WTSAPI32.dll.6.drStatic PE information: section name: .iaywj
                      Source: WTSAPI32.dll.6.drStatic PE information: section name: .nasi
                      Source: WTSAPI32.dll.6.drStatic PE information: section name: .zhvprh
                      Source: WTSAPI32.dll.6.drStatic PE information: section name: .yatdsp
                      Source: WTSAPI32.dll.6.drStatic PE information: section name: .njso
                      Source: WTSAPI32.dll.6.drStatic PE information: section name: .lgliat
                      Source: WTSAPI32.dll.6.drStatic PE information: section name: .ntqjh
                      Source: WTSAPI32.dll.6.drStatic PE information: section name: .sucsek
                      Source: WTSAPI32.dll.6.drStatic PE information: section name: .qsxjui
                      Source: WTSAPI32.dll.6.drStatic PE information: section name: .twctcm
                      Source: WTSAPI32.dll.6.drStatic PE information: section name: .nms
                      Source: WTSAPI32.dll.6.drStatic PE information: section name: .ogj
                      Source: WTSAPI32.dll.6.drStatic PE information: section name: .vrkgb
                      Source: WTSAPI32.dll.6.drStatic PE information: section name: .gikfw
                      Source: WTSAPI32.dll.6.drStatic PE information: section name: .ktl
                      Source: WTSAPI32.dll.6.drStatic PE information: section name: .crcn
                      Source: WTSAPI32.dll.6.drStatic PE information: section name: .wtfr
                      Source: WTSAPI32.dll.6.drStatic PE information: section name: .hep
                      Source: WTSAPI32.dll.6.drStatic PE information: section name: .ywg
                      Source: WTSAPI32.dll.6.drStatic PE information: section name: .sqsp
                      Source: WTSAPI32.dll.6.drStatic PE information: section name: .gzb
                      Source: WTSAPI32.dll.6.drStatic PE information: section name: .fatlss
                      Source: WTSAPI32.dll.6.drStatic PE information: section name: .plqa
                      Source: WTSAPI32.dll.6.drStatic PE information: section name: .vzt
                      Source: WTSAPI32.dll.6.drStatic PE information: section name: .dsbyd
                      Source: WTSAPI32.dll.6.drStatic PE information: section name: .cdelc
                      Source: WTSAPI32.dll.6.drStatic PE information: section name: .qkhkj
                      Source: WTSAPI32.dll.6.drStatic PE information: section name: .mnzegr
                      Source: WTSAPI32.dll.6.drStatic PE information: section name: .krw
                      Source: WTSAPI32.dll.6.drStatic PE information: section name: .jvsmn
                      Source: WTSAPI32.dll.6.drStatic PE information: section name: .bygpq
                      Source: WTSAPI32.dll.6.drStatic PE information: section name: .kzdbu
                      Source: WTSAPI32.dll.6.drStatic PE information: section name: .mwxorn
                      Source: WTSAPI32.dll.6.drStatic PE information: section name: .raf
                      Source: WTSAPI32.dll.6.drStatic PE information: section name: .zcyw
                      Source: WTSAPI32.dll.6.drStatic PE information: section name: .zeczh
                      Source: WTSAPI32.dll.6.drStatic PE information: section name: .pvv
                      Source: WTSAPI32.dll.6.drStatic PE information: section name: .lug
                      Source: WTSAPI32.dll.6.drStatic PE information: section name: .ski
                      Source: WTSAPI32.dll.6.drStatic PE information: section name: .japjd
                      Source: WTSAPI32.dll.6.drStatic PE information: section name: .mwtzml
                      Source: WTSAPI32.dll.6.drStatic PE information: section name: .vgssf
                      Source: WTSAPI32.dll.6.drStatic PE information: section name: .gsroye
                      Source: WTSAPI32.dll.6.drStatic PE information: section name: .vcmr
                      Source: WTSAPI32.dll.6.drStatic PE information: section name: .kvjqnl
                      Source: WTSAPI32.dll.6.drStatic PE information: section name: .zlu
                      Source: WTSAPI32.dll.6.drStatic PE information: section name: .nrcvk
                      Source: WTSAPI32.dll.6.drStatic PE information: section name: .pfz
                      Source: WTSAPI32.dll.6.drStatic PE information: section name: .hxz
                      Source: WTSAPI32.dll.6.drStatic PE information: section name: .snjrs
                      Source: WTSAPI32.dll.6.drStatic PE information: section name: .bffts
                      Source: WTSAPI32.dll.6.drStatic PE information: section name: .gknvh
                      Source: WTSAPI32.dll.6.drStatic PE information: section name: .mifiod
                      Source: WTSAPI32.dll.6.drStatic PE information: section name: .whmsy
                      Source: WTSAPI32.dll.6.drStatic PE information: section name: .wtuzur
                      Source: WTSAPI32.dll.6.drStatic PE information: section name: .lwtn
                      Source: WTSAPI32.dll.6.drStatic PE information: section name: .kuh
                      Source: WTSAPI32.dll.6.drStatic PE information: section name: .wdajq
                      Source: newdev.dll.6.drStatic PE information: section name: .vxl
                      Source: newdev.dll.6.drStatic PE information: section name: .qwubgr
                      Source: newdev.dll.6.drStatic PE information: section name: .eer
                      Source: newdev.dll.6.drStatic PE information: section name: .xwwauf
                      Source: newdev.dll.6.drStatic PE information: section name: .pkc
                      Source: newdev.dll.6.drStatic PE information: section name: .npkda
                      Source: newdev.dll.6.drStatic PE information: section name: .vhs
                      Source: newdev.dll.6.drStatic PE information: section name: .iaywj
                      Source: newdev.dll.6.drStatic PE information: section name: .nasi
                      Source: newdev.dll.6.drStatic PE information: section name: .zhvprh
                      Source: newdev.dll.6.drStatic PE information: section name: .yatdsp
                      Source: newdev.dll.6.drStatic PE information: section name: .njso
                      Source: newdev.dll.6.drStatic PE information: section name: .lgliat
                      Source: newdev.dll.6.drStatic PE information: section name: .ntqjh
                      Source: newdev.dll.6.drStatic PE information: section name: .sucsek
                      Source: newdev.dll.6.drStatic PE information: section name: .qsxjui
                      Source: newdev.dll.6.drStatic PE information: section name: .twctcm
                      Source: newdev.dll.6.drStatic PE information: section name: .nms
                      Source: newdev.dll.6.drStatic PE information: section name: .ogj
                      Source: newdev.dll.6.drStatic PE information: section name: .vrkgb
                      Source: newdev.dll.6.drStatic PE information: section name: .gikfw
                      Source: newdev.dll.6.drStatic PE information: section name: .ktl
                      Source: newdev.dll.6.drStatic PE information: section name: .crcn
                      Source: newdev.dll.6.drStatic PE information: section name: .wtfr
                      Source: newdev.dll.6.drStatic PE information: section name: .hep
                      Source: newdev.dll.6.drStatic PE information: section name: .ywg
                      Source: newdev.dll.6.drStatic PE information: section name: .sqsp
                      Source: newdev.dll.6.drStatic PE information: section name: .gzb
                      Source: newdev.dll.6.drStatic PE information: section name: .fatlss
                      Source: newdev.dll.6.drStatic PE information: section name: .plqa
                      Source: newdev.dll.6.drStatic PE information: section name: .vzt
                      Source: newdev.dll.6.drStatic PE information: section name: .dsbyd
                      Source: newdev.dll.6.drStatic PE information: section name: .cdelc
                      Source: newdev.dll.6.drStatic PE information: section name: .qkhkj
                      Source: newdev.dll.6.drStatic PE information: section name: .mnzegr
                      Source: newdev.dll.6.drStatic PE information: section name: .krw
                      Source: newdev.dll.6.drStatic PE information: section name: .jvsmn
                      Source: newdev.dll.6.drStatic PE information: section name: .bygpq
Source: C:\Users\user\AppData\Local\xwE\wextract.exe | Code function: 25_2_00007FF78E554664 LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetTempPathA,CharPrevA,CharPrevA,FreeLibrary,FreeLibrary,
Source: SystemPropertiesAdvanced.exe.6.dr | Static PE information: 0xB26F15BA [Tue Nov 11 10:21:46 2064 UTC]
Source: initial sample | Static PE information: section name: .text entropy: 7.78392111205
Source: C:\Windows\explorer.exe | File created: C:\Users\user\AppData\Local\pUTm\SYSDM.CPL
Source: C:\Windows\explorer.exe | File created: C:\Users\user\AppData\Local\lcdNfR\SYSDM.CPL
Source: C:\Windows\explorer.exe | File created: C:\Users\user\AppData\Local\xwE\VERSION.dll
Source: C:\Windows\explorer.exe | File created: C:\Users\user\AppData\Local\tivYqgA\InfDefaultInstall.exe
Source: C:\Windows\explorer.exe | File created: C:\Users\user\AppData\Local\USNBng\WTSAPI32.dll
Source: C:\Windows\explorer.exe | File created: C:\Users\user\AppData\Local\KGg\VERSION.dll
Source: C:\Windows\explorer.exe | File created: C:\Users\user\AppData\Local\SUX56B\FileHistory.exe
Source: C:\Windows\explorer.exe | File created: C:\Users\user\AppData\Local\pUTm\SystemPropertiesAdvanced.exe
Source: C:\Windows\explorer.exe | File created: C:\Users\user\AppData\Local\4gdyz\XmlLite.dll
Source: C:\Windows\explorer.exe | File created: C:\Users\user\AppData\Local\E4DREUfrP\VERSION.dll
Source: C:\Windows\explorer.exe | File created: C:\Users\user\AppData\Local\KGg\iexpress.exe
Source: C:\Windows\explorer.exe | File created: C:\Users\user\AppData\Local\JvUQhw\MusNotificationUx.exe
Source: C:\Windows\explorer.exe | File created: C:\Users\user\AppData\Local\xwE\wextract.exe
Source: C:\Windows\explorer.exe | File created: C:\Users\user\AppData\Local\SUX56B\UxTheme.dll
Source: C:\Windows\explorer.exe | File created: C:\Users\user\AppData\Local\lcdNfR\SystemPropertiesComputerName.exe
Source: C:\Windows\explorer.exe | File created: C:\Users\user\AppData\Local\USNBng\MDMAppInstaller.exe
Source: C:\Windows\explorer.exe | File created: C:\Users\user\AppData\Local\E4DREUfrP\iexpress.exe
Source: C:\Windows\explorer.exe | File created: C:\Users\user\AppData\Local\tivYqgA\newdev.dll
Source: C:\Windows\explorer.exe | File created: C:\Users\user\AppData\Local\JvUQhw\XmlLite.dll
Source: C:\Windows\explorer.exe | File created: C:\Users\user\AppData\Local\4gdyz\sppsvc.exe
Source: C:\Users\user\AppData\Local\E4DREUfrP\iexpress.exe | Code function: 23_2_00007FF700CD3AEC CompareStringA,GetPrivateProfileStringA,CompareStringA,CompareStringA,toupper,strchr,strchr,LocalAlloc,CompareStringA,CompareStringA,CompareStringA,CompareStringA,CompareStringA,CompareStringA,toupper,LocalAlloc,LocalAlloc,LocalAlloc,LocalFree,LocalFree,LocalFree,LocalFree,LocalAlloc,LocalFree,memcpy_s,LocalFree,
Source: C:\Users\user\AppData\Local\E4DREUfrP\iexpress.exe | Code function: 23_2_00007FF700CD30D8 GetPrivateProfileStringA,LocalAlloc,
Source: C:\Users\user\AppData\Local\E4DREUfrP\iexpress.exe | Code function: 23_2_00007FF700CD6C64 GetFileAttributesA,SetFileAttributesA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileSectionA,GetPrivateProfileStringA,SetFileAttributesA,
Source: C:\Users\user\AppData\Local\E4DREUfrP\iexpress.exe | Code function: 23_2_00007FF700CDD620 GetPrivateProfileStringA,
Source: C:\Users\user\AppData\Local\E4DREUfrP\iexpress.exe | Code function: 23_2_00007FF700CD3440 WritePrivateProfileStringA,WritePrivateProfileStringA,WritePrivateProfileStringA,WritePrivateProfileStringA,WritePrivateProfileStringA,_itoa_s,WritePrivateProfileStringA,_itoa_s,WritePrivateProfileStringA,_itoa_s,WritePrivateProfileStringA,_itoa_s,WritePrivateProfileStringA,_itoa_s,WritePrivateProfileStringA,WritePrivateProfileStringA,WritePrivateProfileStringA,GetPrivateProfileStringA,lstrcmpiA,WritePrivateProfileStringA,LocalAlloc,GetPrivateProfileStringA,LocalFree,GetPrivateProfileStringA,WritePrivateProfileStringA,LocalFree,
Source: C:\Users\user\AppData\Local\xwE\wextract.exe | Code function: 25_2_00007FF78E5515C8 CompareStringA,GetFileAttributesA,LocalAlloc,GetPrivateProfileIntA,GetPrivateProfileStringA,GetShortPathNameA,CompareStringA,LocalAlloc,LocalAlloc,GetFileAttributesA,
Source: C:\Windows\explorer.exe | Registry key monitored for changes: HKEY_CURRENT_USER_Classes
Source: C:\Windows\System32\rundll32.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\SUX56B\FileHistory.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe TID: 6556 | Thread sleep count: 68 > 30
Source: C:\Users\user\AppData\Local\USNBng\MDMAppInstaller.exe | Last function: Thread delayed
Source: C:\Windows\explorer.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\JvUQhw\MusNotificationUx.exe
Source: C:\Windows\explorer.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\tivYqgA\newdev.dll
Source: C:\Users\user\AppData\Local\xwE\wextract.exe | Check user administrative privileges: GetTokenInformation,DecisionNodes
Source: C:\Users\user\AppData\Local\USNBng\MDMAppInstaller.exe | Check user administrative privileges: GetTokenInformation,DecisionNodes
Source: C:\Windows\System32\loaddll64.exe | Check user administrative privileges: GetTokenInformation,DecisionNodes
Source: C:\Users\user\AppData\Local\SUX56B\FileHistory.exe | Check user administrative privileges: GetTokenInformation,DecisionNodes
Source: C:\Users\user\AppData\Local\USNBng\MDMAppInstaller.exe | API coverage: 8.1 %
Source: C:\Users\user\AppData\Local\E4DREUfrP\iexpress.exe | API coverage: 0.6 %
Source: C:\Windows\System32\loaddll64.exe | Process information queried: ProcessInformation
Source: C:\Windows\System32\loaddll64.exe | Code function: 1_2_00007FFFE202DDC0 GetSystemInfo,
Source: C:\Windows\System32\loaddll64.exe | Code function: 1_2_00007FFFE202ED10 FindFirstFileExW,
Source: C:\Users\user\AppData\Local\USNBng\MDMAppInstaller.exe | Code function: 20_2_00007FFFEF99ED10 FindFirstFileExW,
Source: C:\Users\user\AppData\Local\E4DREUfrP\iexpress.exe | Code function: 23_2_00007FF700CD5A08 LoadStringA,CopyFileA,GetLastError,FormatMessageA,SetFileAttributesA,SetLastError,GetUserDefaultUILanguage,FindFirstFileA,FindClose,CreateFileA,LocalAlloc,ReadFile,CloseHandle,LocalFree,LocalFree,FindFirstFileA,FindClose,CreateFileA,LocalAlloc,ReadFile,CloseHandle,LocalFree,memset,LocalAlloc,FindFirstFileA,FindClose,LocalFree,SetLastError,GlobalLock,GlobalUnlock,GlobalFree,GlobalLock,GlobalUnlock,GlobalFree,GlobalAlloc,GlobalLock,GlobalUnlock,GlobalUnlock,SetLastError,DeleteFileA,
Source: C:\Users\user\AppData\Local\E4DREUfrP\iexpress.exe | Code function: 23_2_00007FF700CD2164 FindFirstFileA,FindClose,
Source: C:\Users\user\AppData\Local\E4DREUfrP\iexpress.exe | Code function: 23_2_00007FF700CD5518 LoadStringA,CompareStringA,GetModuleFileNameA,CharNextA,GetFileAttributesA,LocalAlloc,memset,CreateProcessA,CloseHandle,DispatchMessageA,PeekMessageA,MsgWaitForMultipleObjects,GetExitCodeProcess,CloseHandle,GetLastError,FormatMessageA,LocalFree,FindFirstFileA,FindClose,CreateFileA,LocalAlloc,ReadFile,CloseHandle,LocalFree,DeleteFileA,DeleteFileA,DeleteFileA,
Source: C:\Users\user\AppData\Local\xwE\wextract.exe | Code function: 25_2_00007FF78E551EC0 FindFirstFileA,lstrcmpA,lstrcmpA,SetFileAttributesA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA,
Source: C:\Users\user\AppData\Local\xwE\wextract.exe | Code function: 25_2_00007FFFF6D1ED10 FindFirstFileExW,
Source: explorer.exe, 00000006.00000000.263903097.00000000051AC000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000
Source: explorer.exe, 00000006.00000000.282290301.0000000006005000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}Ged:Wednesday:Thu:Thursday:Fri:Friday:Sat:Saturday
                      Source: explorer.exe, 00000006.00000000.282290301.0000000006005000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}Ged:Wednesday:Thu:Thursday:Fri:Friday:Sat:Saturday
                      Source: explorer.exe, 00000006.00000000.276835861.000000000405B000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: Prod_VMware_SATA
                      Source: explorer.exe, 00000006.00000000.280868301.00000000051F5000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: -94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}71USER
                      Source: explorer.exe, 00000006.00000000.247879091.0000000006005000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: VMware SATA CD00
                      Source: explorer.exe, 00000006.00000000.247295653.0000000005EAB000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
                      Source: explorer.exe, 00000006.00000000.247879091.0000000006005000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
                      Source: explorer.exe, 00000006.00000000.282290301.0000000006005000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}on:Gz?S
                      Source: explorer.exe, 00000006.00000000.280868301.00000000051F5000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000
                      Source: explorer.exe, 00000006.00000000.245814685.000000000513E000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000
                      Source: explorer.exe, 00000006.00000000.247879091.0000000006005000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: VMware SATA CD00dRom0cY
                      Source: C:\Users\user\AppData\Local\USNBng\MDMAppInstaller.exeCode function: 20_2_00007FF77C192890 GetCurrentThreadId,memset,IsDebuggerPresent,OutputDebugStringW,
                      Source: C:\Users\user\AppData\Local\xwE\wextract.exeCode function: 25_2_00007FF78E554664 LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetTempPathA,CharPrevA,CharPrevA,FreeLibrary,FreeLibrary,
                      Source: C:\Users\user\AppData\Local\USNBng\MDMAppInstaller.exeCode function: 20_2_00007FF77C1A4D20 GetProcessHeap,HeapFree,
                      Source: C:\Windows\System32\loaddll64.exeCode function: 1_2_00007FFFE20197D0 LdrLoadDll,FindClose,
                      Source: C:\Users\user\AppData\Local\SUX56B\FileHistory.exeMemory allocated: page read and write | page guard
                      Source: C:\Users\user\AppData\Local\USNBng\MDMAppInstaller.exeCode function: 20_2_00007FF77C1A3DF0 SetUnhandledExceptionFilter,
                      Source: C:\Users\user\AppData\Local\USNBng\MDMAppInstaller.exeCode function: 20_2_00007FF77C1A3BA4 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
                      Source: C:\Users\user\AppData\Local\E4DREUfrP\iexpress.exeCode function: 23_2_00007FF700CDEC60 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
                      Source: C:\Users\user\AppData\Local\E4DREUfrP\iexpress.exeCode function: 23_2_00007FF700CDEF50 SetUnhandledExceptionFilter,
                      Source: C:\Users\user\AppData\Local\xwE\wextract.exeCode function: 25_2_00007FF78E557A80 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
                      Source: C:\Users\user\AppData\Local\xwE\wextract.exeCode function: 25_2_00007FF78E557D70 SetUnhandledExceptionFilter,
                      Source: C:\Users\user\AppData\Local\pUTm\SystemPropertiesAdvanced.exeCode function: 29_2_00007FF773111430 SetUnhandledExceptionFilter,
                      Source: C:\Users\user\AppData\Local\pUTm\SystemPropertiesAdvanced.exeCode function: 29_2_00007FF7731116B4 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
                      Source: C:\Users\user\AppData\Local\SUX56B\FileHistory.exeCode function: 31_2_00007FF6F1247570 SetUnhandledExceptionFilter,
                      Source: C:\Users\user\AppData\Local\SUX56B\FileHistory.exeCode function: 31_2_00007FF6F12477EC SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,

                      HIPS / PFW / Operating System Protection Evasion

Source: C:\Windows\explorer.exe | File created: SYSDM.CPL.6.dr
Source: C:\Windows\System32\rundll32.exe | Memory protected: C:\Windows\explorer.exe base: 7FF802C5EFE0 protect: page execute and read and write
Source: C:\Windows\System32\rundll32.exe | Memory protected: C:\Windows\explorer.exe base: 7FF802C5E000 protect: page execute read
Source: C:\Windows\System32\rundll32.exe | Memory protected: C:\Windows\explorer.exe base: 7FF8024E2A20 protect: page execute and read and write
Source: C:\Windows\System32\rundll32.exe | Thread APC queued: target process: C:\Windows\explorer.exe
Source: C:\Windows\System32\rundll32.exe | Atom created: 405553565741544156488D6C24D14881EC98
    Report disassembly (32-bit mode): 0x00000000 inc eax; 0x00000001 push ebp; 0x00000002 push ebx; 0x00000003 push esi; 0x00000004 push edi; 0x00000005 inc ecx; 0x00000006 push esp; 0x00000007 inc ecx; 0x00000008 push esi; 0x00000009 dec eax; 0x0000000a lea ebp, dword ptr [esp-2Fh]; 0x0000000e dec eax; 0x0000000f sub esp, 00000098h
    Note: the 32-bit decode is misleading. The target, explorer.exe, is a 64-bit process, and in 64-bit mode the same bytes are REX-prefixed instructions: push rbp; push rbx; push rsi; push rdi; push r12; push r14; lea rbp, [rsp-2Fh]; sub rsp, ... (the immediate is cut off where the captured atom ends). That is an ordinary compiler-generated x64 function prologue: the atom carries the start of the code rundll32.exe is staging into explorer.exe through the global atom table, which is what the Atom Bombing / ProGate signature describes.
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\mpXUd364Rz.dll",#1
Source: C:\Users\user\AppData\Local\xwE\wextract.exe | Code function: 25_2_00007FF78E5512A0 GetCurrentProcess, OpenProcessToken, GetTokenInformation, GetLastError, LocalAlloc, GetTokenInformation, AllocateAndInitializeSid, EqualSid, FreeSid, LocalFree, CloseHandle
Source: explorer.exe, 00000006.00000000.240757751.0000000000B50000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000006.00000000.259220966.0000000000B50000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000006.00000000.247216161.0000000005610000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000006.00000000.274591286.00000000005C8000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.240757751.0000000000B50000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000006.00000000.259220966.0000000000B50000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Progman
Source: explorer.exe, 00000006.00000000.240757751.0000000000B50000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000006.00000000.259220966.0000000000B50000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000006.00000000.293518653.0000000000B50000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Program Manager,
Source: explorer.exe, 00000006.00000000.240757751.0000000000B50000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000006.00000000.259220966.0000000000B50000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000006.00000000.293518653.0000000000B50000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Progmanlock
Source: C:\Users\user\AppData\Local\SUX56B\FileHistory.exe | Queries volume information: C:\Users\user\AppData\Local\SUX56B\FileHistory.exe VolumeInformation
Source: C:\Windows\System32\loaddll64.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion InstallDate
Source: C:\Windows\System32\loaddll64.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: C:\Users\user\AppData\Local\USNBng\MDMAppInstaller.exe | Code function: 20_2_00007FF77C1A260C GetSystemTimeAsFileTime, EnterCriticalSection, LeaveCriticalSection, ??3@YAXPEAX@Z
Source: C:\Users\user\AppData\Local\E4DREUfrP\iexpress.exe | Code function: 23_2_00007FF700CDE5F0 GetVersionExA, GetSystemMetrics, RegOpenKeyExA, RegQueryValueExA, RegCloseKey, CharNextA
Source: C:\Windows\System32\loaddll64.exe | Code function: 1_2_00007FFFE2019400 GetUserNameW
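The rundll32.exe evidence above (foreign pages in explorer.exe made executable, an APC queued into explorer.exe, and a global atom whose payload is machine code) is the whole Atom Bombing chain in three records. The script below is an added example, not part of the Joe Sandbox report: it reduces telemetry of that shape to one finding, and decodes the atom payload in 64-bit mode to show why it reads as a function prologue. The event records, their field names and the PID values are constructed to mirror the report's lines, not real sensor output; the only verbatim input is the atom's hex string.

```python
"""Added example (not from the Joe Sandbox report): collapse the cross-process
evidence into a single injection finding. Telemetry records are constructed to
mirror the report's lines; field names and PIDs are assumptions."""
from collections import defaultdict

# Atom payload exactly as the report prints it (18 bytes captured).
ATOM_HEX = "405553565741544156488D6C24D14881EC98"

# Constructed events; "pid" 8 follows the report's "8.2.rundll32.exe" numbering.
EVENTS = [
    {"pid": 8, "proc": r"C:\Windows\System32\rundll32.exe", "op": "atom_created",
     "data": ATOM_HEX},
    {"pid": 8, "proc": r"C:\Windows\System32\rundll32.exe", "op": "protect",
     "target": r"C:\Windows\explorer.exe", "base": 0x7FF802C5EFE0,
     "protect": "PAGE_EXECUTE_READWRITE"},
    {"pid": 8, "proc": r"C:\Windows\System32\rundll32.exe", "op": "protect",
     "target": r"C:\Windows\explorer.exe", "base": 0x7FF802C5E000,
     "protect": "PAGE_EXECUTE_READ"},
    {"pid": 8, "proc": r"C:\Windows\System32\rundll32.exe", "op": "apc_queued",
     "target": r"C:\Windows\explorer.exe"},
    # Benign noise (constructed): a process re-protecting its own pages.
    {"pid": 20, "proc": r"C:\Users\user\AppData\Local\USNBng\MDMAppInstaller.exe",
     "op": "protect", "target": r"C:\Users\user\AppData\Local\USNBng\MDMAppInstaller.exe",
     "base": 0x1EF82540000, "protect": "PAGE_READWRITE"},
]

EXEC_PROTECT = {"PAGE_EXECUTE", "PAGE_EXECUTE_READ",
                "PAGE_EXECUTE_READWRITE", "PAGE_EXECUTE_WRITECOPY"}
REG64 = ["rax", "rcx", "rdx", "rbx", "rsp", "rbp", "rsi", "rdi",
         "r8", "r9", "r10", "r11", "r12", "r13", "r14", "r15"]


def decode_prologue(code):
    """Minimal x64 decoder covering only what a compiler prologue uses:
    REX prefix, push r64, lea rbp,[rsp+disp8], sub rsp,imm. It stops at the
    first byte it does not understand and reports truncation explicitly."""
    out, i = [], 0
    while i < len(code):
        rex, op = 0, code[i]
        if 0x40 <= op <= 0x4F:                 # REX prefix: W=8 R=4 X=2 B=1
            rex, i = op, i + 1
            if i >= len(code):
                out.append("<truncated>")
                break
            op = code[i]
        if 0x50 <= op <= 0x57:                 # push r64; REX.B selects r8..r15
            out.append("push " + REG64[(op - 0x50) | (8 if rex & 1 else 0)])
            i += 1
        elif rex & 8 and op == 0x8D and code[i + 1:i + 3] == b"\x6c\x24":
            if i + 3 >= len(code):             # lea rbp,[rsp+disp8]
                out.append("<truncated>")
                break
            disp = code[i + 3] - 256 if code[i + 3] >= 0x80 else code[i + 3]
            out.append(f"lea rbp,[rsp{disp:+#x}]")
            i += 4
        elif rex & 8 and op in (0x81, 0x83) and code[i + 1:i + 2] == b"\xec":
            width = 4 if op == 0x81 else 1     # sub rsp,imm32 / sub rsp,imm8
            imm = code[i + 2:i + 2 + width]
            if len(imm) < width:
                out.append(f"sub rsp,<imm truncated after {imm.hex()}>")
                break
            out.append(f"sub rsp,{int.from_bytes(imm, 'little'):#x}")
            i += 2 + width
        else:
            out.append(f"<unhandled 0x{op:02x}>")
            break
    return out


def is_code_like(code):
    """Heuristic: several pushes followed by frame setup reads like a prologue."""
    instrs = decode_prologue(code)
    pushes = sum(s.startswith("push ") for s in instrs)
    frame = any(s.startswith(("lea ", "sub rsp")) for s in instrs)
    return pushes >= 3 and frame


def score_injection(events):
    """Per source process: foreign pages made executable AND an APC queued into
    the same target is the injection core; a code-like atom from the same source
    upgrades the label to atom bombing, which delivers code via the atom table."""
    per_src = defaultdict(lambda: {"exec": set(), "apc": set(), "atoms": []})
    for e in events:
        s = per_src[e["pid"]]
        foreign = e.get("target") not in (None, e["proc"])
        if e["op"] == "protect" and foreign and e["protect"] in EXEC_PROTECT:
            s["exec"].add(e["target"])
        elif e["op"] == "apc_queued" and foreign:
            s["apc"].add(e["target"])
        elif e["op"] == "atom_created":
            s["atoms"].append(bytes.fromhex(e["data"]))
    findings = []
    for pid, s in sorted(per_src.items()):
        targets = s["exec"] & s["apc"]
        if not targets:
            continue
        code_atoms = sum(is_code_like(a) for a in s["atoms"])
        findings.append({"pid": pid, "targets": sorted(targets), "code_atoms": code_atoms,
                         "technique": "atom bombing" if code_atoms else "apc injection"})
    return findings


if __name__ == "__main__":
    print("\n".join(decode_prologue(bytes.fromhex(ATOM_HEX))))
    for f in score_injection(EVENTS):
        print(f)
```

The decoder is deliberately tiny; it exists to show that the bytes only make sense as 64-bit code, not to replace a disassembler. The correlation key is the source PID, so the self-protect event from PID 20 never pairs with an APC and produces nothing, while PID 8 pairs all three observations on the same target.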
MITRE ATT&CK Matrix (rebuilt from the flattened grid; the number in parentheses is the report's signature count for that technique, entries without a number are unmatched cells of the matrix)

Initial Access: Valid Accounts (1); Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise; Exploit Public-Facing Application; Supply Chain Compromise; Compromise Software Dependencies and Development Tools; Compromise Software Supply Chain
Execution: Native API (2); Exploitation for Client Execution (1); At (Linux); At (Windows); Cron; Launchd; Scheduled Task; Command and Scripting Interpreter; PowerShell; AppleScript; Windows Command Shell; Unix Shell
Persistence: Valid Accounts (1); DLL Side-Loading (1); Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common; Startup Items; Scheduled Task/Job; At (Linux); At (Windows); Cron; Launchd
Privilege Escalation: Valid Accounts (1); Access Token Manipulation (11); Process Injection (312); DLL Side-Loading (1); Network Logon Script; Rc.common; Startup Items; Scheduled Task/Job; At (Linux); At (Windows); Cron; Launchd
Defense Evasion: Masquerading (11); Valid Accounts (1); Virtualization/Sandbox Evasion (1); Disable or Modify Tools (1); Access Token Manipulation (11); Process Injection (312); Deobfuscate/Decode Files or Information (1); Obfuscated Files or Information (3); Rundll32 (1); Software Packing (2); Timestomp (1); DLL Side-Loading (1)
Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem; /etc/passwd and /etc/shadow; Network Sniffing; Input Capture; Keylogging
Discovery: System Time Discovery (1); Query Registry (1); Security Software Discovery (21); Virtualization/Sandbox Evasion (1); Process Discovery (3); Account Discovery (1); System Owner/User Discovery (1); File and Directory Discovery (1); System Information Discovery (26); Process Discovery; Permission Groups Discovery; Local Groups
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Shared Webroot; Software Deployment Tools; Taint Shared Content; Replication Through Removable Media; Component Object Model and Distributed COM
Collection: Archive Collected Data (1); Data from Removable Media; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking; Data Staged; Local Data Staging; Remote Data Staging; Screen Capture
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol; Exfiltration Over Asymmetric Encrypted Non-C2 Protocol; Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol; Exfiltration Over Physical Medium; Exfiltration over USB
Command and Control: Encrypted Channel (2); Junk Data; Steganography; Protocol Impersonation; Fallback Channels; Multiband Communication; Commonly Used Port; Application Layer Protocol; Web Protocols; File Transfer Protocols; Mail Protocols; DNS
Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track Device Location; SIM Card Swap; Manipulate Device Communication; Jamming or Denial of Service; Rogue Wi-Fi Access Points; Downgrade to Insecure Protocols; Rogue Cellular Base Station
Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization; Obtain Device Cloud Backups
Impact: System Shutdown/Reboot (1); Device Lockout; Delete Device Data; Carrier Billing Fraud; Manipulate App Store Rankings or Ratings; Abuse Accessibility Features; Data Encrypted for Impact; Generate Fraudulent Advertising Revenue; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery
Behavior Graph (ID: 595330, Sample: mpXUd364Rz, Startdate: 23/03/2022, Architecture: WINDOWS, Score: 100)

Top-level signatures: Antivirus detection for dropped file; Antivirus / Scanner detection for submitted sample; Multi AV Scanner detection for submitted file; 5 other signatures

Process tree recovered from the graph:
loaddll64.exe (started)
    rundll32.exe (started)
        signatures: Changes memory attributes in foreign processes to executable or writable; Uses Atom Bombing / ProGate to inject into other processes; Queues an APC in another process (thread injection)
        explorer.exe (injected)
            dropped: C:\Users\user\AppData\Local\...\newdev.dll (PE32+); C:\Users\user\AppData\Local\...\SYSDM.CPL (PE32+); C:\Users\user\AppData\Local\...\WTSAPI32.dll (PE32+); 17 other files (3 malicious)
            signature: Benign windows process drops PE files
            MDMAppInstaller.exe (started)
            iexpress.exe (started)
            SystemPropertiesAdvanced.exe (started)
            14 other processes
    cmd.exe (started)
        rundll32.exe (started)
    rundll32.exe (started)
    rundll32.exe (started)

Submitted file

Source | Detection | Scanner | Label
mpXUd364Rz.dll | 64% | Virustotal | -
mpXUd364Rz.dll | 63% | Metadefender | -
mpXUd364Rz.dll | 88% | ReversingLabs | Win64.Trojan.Occamy
mpXUd364Rz.dll | 100% | Avira | TR/Crypt.ZPACK.Gen
mpXUd364Rz.dll | 100% | Joe Sandbox ML | -
Dropped files

Source | Detection | Scanner | Label
C:\Users\user\AppData\Local\USNBng\WTSAPI32.dll | 100% | Avira | TR/Crypt.ZPACK.Gen
C:\Users\user\AppData\Local\SUX56B\UxTheme.dll | 100% | Avira | TR/Crypt.ZPACK.Gen
C:\Users\user\AppData\Local\E4DREUfrP\VERSION.dll | 100% | Avira | TR/Crypt.ZPACK.Gen
C:\Users\user\AppData\Local\lcdNfR\SYSDM.CPL | 100% | Avira | TR/Crypt.XPACK.Gen7
C:\Users\user\AppData\Local\E4DREUfrP\VERSION.dll | 100% | Avira | TR/Crypt.ZPACK.Gen
C:\Users\user\AppData\Local\4gdyz\XmlLite.dll | 100% | Avira | TR/Crypt.XPACK.Gen7
C:\Users\user\AppData\Local\4gdyz\XmlLite.dll | 100% | Avira | TR/Crypt.XPACK.Gen7
C:\Users\user\AppData\Local\lcdNfR\SYSDM.CPL | 100% | Avira | TR/Crypt.XPACK.Gen7
C:\Users\user\AppData\Local\E4DREUfrP\VERSION.dll | 100% | Avira | TR/Crypt.ZPACK.Gen
C:\Users\user\AppData\Local\tivYqgA\newdev.dll | 100% | Avira | TR/Crypt.ZPACK.Gen
C:\Users\user\AppData\Local\USNBng\WTSAPI32.dll | 100% | Joe Sandbox ML | -
C:\Users\user\AppData\Local\SUX56B\UxTheme.dll | 100% | Joe Sandbox ML | -
C:\Users\user\AppData\Local\E4DREUfrP\VERSION.dll | 100% | Joe Sandbox ML | -
C:\Users\user\AppData\Local\lcdNfR\SYSDM.CPL | 100% | Joe Sandbox ML | -
C:\Users\user\AppData\Local\E4DREUfrP\VERSION.dll | 100% | Joe Sandbox ML | -
C:\Users\user\AppData\Local\4gdyz\XmlLite.dll | 100% | Joe Sandbox ML | -
C:\Users\user\AppData\Local\4gdyz\XmlLite.dll | 100% | Joe Sandbox ML | -
C:\Users\user\AppData\Local\lcdNfR\SYSDM.CPL | 100% | Joe Sandbox ML | -
C:\Users\user\AppData\Local\E4DREUfrP\VERSION.dll | 100% | Joe Sandbox ML | -
C:\Users\user\AppData\Local\tivYqgA\newdev.dll | 100% | Joe Sandbox ML | -
C:\Users\user\AppData\Local\4gdyz\sppsvc.exe | 0% | Virustotal | -
C:\Users\user\AppData\Local\4gdyz\sppsvc.exe | 0% | Metadefender | -
C:\Users\user\AppData\Local\4gdyz\sppsvc.exe | 0% | ReversingLabs | -
C:\Users\user\AppData\Local\E4DREUfrP\iexpress.exe | 0% | Virustotal | -
C:\Users\user\AppData\Local\E4DREUfrP\iexpress.exe | 0% | Metadefender | -
C:\Users\user\AppData\Local\E4DREUfrP\iexpress.exe | 0% | ReversingLabs | -
C:\Users\user\AppData\Local\JvUQhw\MusNotificationUx.exe | 0% | Metadefender | -
C:\Users\user\AppData\Local\JvUQhw\MusNotificationUx.exe | 0% | ReversingLabs | -
Unpacked PE files

Source | Detection | Scanner | Label
25.2.wextract.exe.7ffff6cc0000.3.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
8.2.rundll32.exe.7fffe1fd0000.2.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
31.2.FileHistory.exe.7ffff0db0000.3.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
9.2.rundll32.exe.1eb1b660000.1.unpack | 100% | Avira | HEUR/AGEN.1215493
40.2.SystemPropertiesComputerName.exe.1dff2b20000.0.unpack | 100% | Avira | HEUR/AGEN.1215493
20.2.MDMAppInstaller.exe.1ef82540000.0.unpack | 100% | Avira | HEUR/AGEN.1215493
23.2.iexpress.exe.21c94820000.0.unpack | 100% | Avira | HEUR/AGEN.1215493
1.2.loaddll64.exe.21a154b0000.0.unpack | 100% | Avira | HEUR/AGEN.1215493
31.2.FileHistory.exe.171f47e0000.0.unpack | 100% | Avira | HEUR/AGEN.1215493
4.2.rundll32.exe.254a2cf0000.0.unpack | 100% | Avira | HEUR/AGEN.1215493
33.2.iexpress.exe.1f07aa30000.0.unpack | 100% | Avira | HEUR/AGEN.1215493
33.2.iexpress.exe.7ffff0db0000.3.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
9.2.rundll32.exe.7fffe1fd0000.2.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
5.2.rundll32.exe.18fac3a0000.0.unpack | 100% | Avira | HEUR/AGEN.1215493
5.2.rundll32.exe.7fffe1fd0000.2.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
23.2.iexpress.exe.7fffef940000.3.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
36.2.sppsvc.exe.7ffff6cc0000.3.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
20.2.MDMAppInstaller.exe.7fffef940000.3.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
40.2.SystemPropertiesComputerName.exe.7fffe31a0000.3.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
8.2.rundll32.exe.208b54f0000.0.unpack | 100% | Avira | HEUR/AGEN.1215493
25.2.wextract.exe.10ab1440000.0.unpack | 100% | Avira | HEUR/AGEN.1215493
29.2.SystemPropertiesAdvanced.exe.7ffff6cc0000.3.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
36.2.sppsvc.exe.1ea000d0000.0.unpack | 100% | Avira | HEUR/AGEN.1215493
1.2.loaddll64.exe.7fffe1fd0000.2.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
29.2.SystemPropertiesAdvanced.exe.1efc2bf0000.0.unpack | 100% | Avira | HEUR/AGEN.1215493
4.2.rundll32.exe.7fffe1fd0000.2.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
                      No Antivirus matches
                      No Antivirus matches
                      No contacted domains info
                      No contacted IP infos
                      Joe Sandbox Version:34.0.0 Boulder Opal
                      Analysis ID:595330
                      Start date and time:2022-03-23 15:11:09 +01:00
                      Joe Sandbox Product:CloudBasic
                      Overall analysis duration:0h 15m 50s
                      Hypervisor based Inspection enabled:false
                      Report type:light
                      Sample file name:mpXUd364Rz (renamed file extension from none to dll)
                      Cookbook file name:default.jbs
                      Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed:41
                      Number of new started drivers analysed:0
                      Number of existing processes analysed:0
                      Number of existing drivers analysed:0
                      Number of injected processes analysed:1
                      Technologies:
                      • HCA enabled
                      • EGA enabled
                      • HDC enabled
                      • AMSI enabled
                      Analysis Mode:default
                      Analysis stop reason:Timeout
                      Detection:MAL
                      Classification:mal100.troj.evad.winDLL@49/22@0/0
                      EGA Information:
                      • Successful, ratio: 100%
                      HDC Information:
                      • Successful, ratio: 16.3% (good quality ratio 14.2%)
                      • Quality average: 58.7%
                      • Quality standard deviation: 32.6%
                      HCA Information:
                      • Successful, ratio: 98%
                      • Number of executed functions: 0
                      • Number of non-executed functions: 0
                      Cookbook Comments:
                      • Adjust boot time
                      • Enable AMSI
                      • Override analysis time to 240s for rundll32
                      • Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, WMIADAP.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe
                      • Excluded domains from analysis (whitelisted): ris.api.iris.microsoft.com, www.bing.com, fs.microsoft.com, login.live.com, sls.update.microsoft.com, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, watson.telemetry.microsoft.com, arc.msn.com
• Not all processes were analyzed; the report is missing behavior information
                      • Report creation exceeded maximum time and may have missing disassembly code information.
                      • Report size exceeded maximum capacity and may have missing behavior information.
                      • Report size exceeded maximum capacity and may have missing disassembly code.
                      • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                      • Report size getting too big, too many NtEnumerateKey calls found.
                      • Report size getting too big, too many NtProtectVirtualMemory calls found.
                      No simulations
                      No context
                      No context
                      No context
                      No context
                      No context
                      Process:C:\Windows\explorer.exe
                      File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                      Category:dropped
                      Size (bytes):1425408
                      Entropy (8bit):4.916186540013407
                      Encrypted:false
                      SSDEEP:12288:VZgJtlQepQn+NDo7nIYegQCLDF/B9wvj/cLvVZFuw:VZK6F7n5eRmDFJivohZFV
                      MD5:20DE3CEA2C5D6DAD1923E41BD1EB49B3
                      SHA1:C4B64DC5F509A22228E36B5B103945243A2A5A85
                      SHA-256:4DF8884826C1D1CB89429FD439F60355ADC6B9EC9E099860C36F3F4ADE20519A
                      SHA-512:8B70ED002411F4C1D1F774769183F4D53B90A3C7E84248B5C9B6352D739A6C7D1929E728EAA39EEB6A2C43C5B5927049D772A1B36C82C04EBB97FB923B349CDE
                      Malicious:true
                      Antivirus:
                      • Antivirus: Avira, Detection: 100%
                      • Antivirus: Avira, Detection: 100%
                      • Antivirus: Joe Sandbox ML, Detection: 100%
                      • Antivirus: Joe Sandbox ML, Detection: 100%
                      Reputation:unknown
                      Preview:MZ......................@.......................................X..Z.qb..qb..qb.a...jqb.s....qb.9...\qb.s...(qb......qb..#.. qb../b..qb......qb.....Hqb..(c./qb.r,f..qb..(c..qb.;...,qb../..Tqb.....Zqb......qb.z...Bqb.....nqb.....[qb.....qb.;...{qb......qb..#...qb...f.oqb....hqb.z....qb.....:qb.;...tqb.Rich.qb.................................................................................................PE..d.G...}^.........." ..... ...........$.........@..........................................`.................................................$...<....................................................................................0..(............................text............ .........@........ ..`.rdata...o...0...p...0...0.@Co......@..@.data....;.......@.........@.;......@....pdata..8..................@8.......@..@.rsrc......................@........@..@.reloc..1..................@1.......@..B.vxl............. .........@........@..@.qwubgr.$....0... ...0...0.@$.......@..@.eer....
                      Process:C:\Windows\explorer.exe
                      File Type:PE32+ executable (GUI) x86-64, for MS Windows
                      Category:dropped
                      Size (bytes):4527680
                      Entropy (8bit):7.180545050051135
                      Encrypted:false
                      SSDEEP:49152:hzB335WOshFXigiF5l5mpb0+bOnBmB8XEsDfA+uLCKls0did8Pf6ZJ6t3Ovenev1:8X5iFrEpdAkZ6W3xYBP149K
                      MD5:FEEC8055C5986182C717DD888000AEF6
                      SHA1:7749D1C531D85C69047576B3BB3525E0B01A2942
                      SHA-256:E09B7B1DE43A226842A4B8C591D712E51585BC7E8A39CFB8852CBF16D234C3A6
                      SHA-512:822869C750682453770C66D7C6665CECCCB0BB27ECEB8E0A9202FE5C194249235928005734504AED79D80583CED2A2F203D4133A11E7F4A8D6160F21F7F3919F
                      Malicious:false
                      Antivirus:
                      • Antivirus: Virustotal, Detection: 0%
                      • Antivirus: Metadefender, Detection: 0%
                      • Antivirus: ReversingLabs, Detection: 0%
                      Reputation:unknown
                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........-..C..C..C...@..C.......C...G...C...F..C...B...C..B...C...J...C...@..C.....C...A..C.Rich.C.........PE..d...A.Lc..........".......8.........P..........@................CS P..........D.....4.E.....................................................|.A.......D..+....B.4|...ZD.@....@D..n....?.T....................i:.(....h:.............8i:..............................text...L.7.......7................. ..`?g_Encry.-....7.......7............. ..`?g_Encry|-... 8.......8............. ..`?g_Encry.....P8..0...<8............. ..`?g_Encry.-....8......l8............. ..`.rdata........8.......8.............@..@.data.........A.......A.............@....pdata..4|....B..~...BB.............@..@.rsrc....+....D..,....C.............@..@.reloc...n...@D..n....C.............@..B................................................................................................
                      Process:C:\Windows\explorer.exe
                      File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                      Category:dropped
                      Size (bytes):1425408
                      Entropy (8bit):4.9173299589094634
                      Encrypted:false
                      SSDEEP:12288:CZgJtlQepQn+NDo7nIYegQCLDF/B9wvj/cLvVZFuw:CZK6F7n5eRmDFJivohZFV
                      MD5:E7C3A342B1FB434A7AF4A61759320B4F
                      SHA1:B23C4D3A98FD042BE1BE555FC962DE774D9226C2
                      SHA-256:F7DF6CCE9489C21D1F9385BFB40FD5E0DCF8AD962A6A0CF20986EDC6A37829FC
                      SHA-512:5253DAF18B82A2F11C42F11E98A73506DDA77FAF253330DA997770B7FCF62E2AA93AAAF50DA4F34FC549C19A74EF8D11DF31C5CACBDF7BE271F93229A7319954
                      Malicious:true
                      Antivirus:
                      • Antivirus: Avira, Detection: 100%
                      • Antivirus: Joe Sandbox ML, Detection: 100%
                      Reputation:unknown
                      Preview:MZ......................@.......................................X..Z.qb..qb..qb.a...jqb.s....qb.9...\qb.s...(qb......qb..#.. qb../b..qb......qb.....Hqb..(c./qb.r,f..qb..(c..qb.;...,qb../..Tqb.....Zqb......qb.z...Bqb.....nqb.....[qb.....qb.;...{qb......qb..#...qb...f.oqb....hqb.z....qb.....:qb.;...tqb.Rich.qb.................................................................................................PE..d.G...}^.........." ..... ...........$.........@..........................................`.............................................+...$...<....................................................................................0..(............................text............ .........@........ ..`.rdata...o...0...p...0...0.@Co......@..@.data....;.......@.........@.;......@....pdata..8..................@8.......@..@.rsrc......................@........@..@.reloc..1..................@1.......@..B.vxl............. .........@........@..@.qwubgr.$....0... ...0...0.@$.......@..@.eer....
                      Process:C:\Windows\explorer.exe
                      File Type:PE32+ executable (GUI) x86-64, for MS Windows
                      Category:dropped
                      Size (bytes):165888
                      Entropy (8bit):6.756750968049146
                      Encrypted:false
                      SSDEEP:3072:oV6Rb3NlzO8Lwmq1cXNDnGOb+ahXNqJohePnq45L840:Y6TdOQXNDGOb+asEwv5L
                      MD5:5EF563C2A4E7B7F4100ECD13B304FC48
                      SHA1:4609D795D758A16B8703CA2E01F250D33816CB81
                      SHA-256:2DFA704A6C0DAAEF91BEF043BA6E3F5B5D2516C97AFFBD39EC2C7278497B1688
                      SHA-512:C372777121C0924519FC2EFDFF461B97B048D845AF14142680A4E95B9679D65583332788322CC87B98D3B1D8E28D0B1AFF74881B63BDA17434E4A8187B6D7CA9
                      Malicious:false
                      Antivirus:
                      • Antivirus: Virustotal, Detection: 0%
                      • Antivirus: Metadefender, Detection: 0%
                      • Antivirus: ReversingLabs, Detection: 0%
                      Reputation:unknown
                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........a.............d......d......d......d.............d......dd.....d.....Rich............................PE..d....1............"............................@.........................................`.......... ...................................................W...p..........................T...........................@...............@...(............................text............................... ..`.rdata...........0..................@..@.data...42...0......................@....pdata.......p.......&..............@..@.rsrc....W.......X..................@..@.reloc..............................@..B................................................................................................................................................................................................................................................................
                      Process:C:\Windows\explorer.exe
                      File Type:PE32+ executable (GUI) x86-64, for MS Windows
                      Category:dropped
                      Size (bytes):319488
                      Entropy (8bit):6.069929843481676
                      Encrypted:false
                      SSDEEP:6144:NRq8Ez5tCqd6Nr6/TWeRhUz/vMNuEob69hbF1m0lpVGMD8i3ZdTgDt0kcRkdXgl6:NRquQ/TWeRhUz/vMNuEob69hBblHGu3t
                      MD5:114A55D75AC7447F012B6D8EC8B1F7FC
                      SHA1:37D5636D940D0A948000B94C84AD6C41162E593F
                      SHA-256:E188143729B044955881302631BE577381B05B67E9899E09DB3573156719C70E
                      SHA-512:446FD3024710E6994A0085CF3ADC0E395BE131898D7D932B383A19981C41637D27D9DABFB2177DBB62375CF4CCFC13722F5B828FF0FA9BB691F220A73D035586
                      Malicious:false
                      Antivirus:
                      • Antivirus: Metadefender, Detection: 0%
                      • Antivirus: ReversingLabs, Detection: 0%
                      Reputation:unknown
                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........0.m.Q.>.Q.>.Q.>.)E>.Q.>.5.?.Q.>.5.?.Q.>.Q.>+Q.>.5.?.Q.>.5.?.Q.>.5.?.Q.>.5)>.Q.>.5.?.Q.>Rich.Q.>........PE..d...O.Uf.........."..........(.......E.........@.............................@......e}............... ......................................8...\.... ..........x............0..........T............................................................................text...L........................... ..`.imrsiv..................................rdata..L...........................@..@.data...............................@....pdata..x...........................@..@.didat..x...........................@....rsrc........ ......................@..@.reloc.......0......................@..B........................................................................................................................................................................................
                      Process:C:\Windows\explorer.exe
                      File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                      Category:dropped
                      Size (bytes):1425408
                      Entropy (8bit):4.916173894320798
                      Encrypted:false
                      SSDEEP:12288:MZgJtlQepQn+NDo7nIYegQCLDF/B9wvj/cLvVZFuw:MZK6F7n5eRmDFJivohZFV
                      MD5:BC35E5E3135D1B331132CF588262E918
                      SHA1:9F2F3A89B6716D3CB7E022DF721E950BAFD72035
                      SHA-256:9EB14525427FFD5471AE405B49AE241B8F5582814B58AD8362EB668D153CAC3E
                      SHA-512:DA0FD0C2CC0FEF6C3B29178D6E6EB9091A6FF8912A3C8896A2ABA77B94E0F4307AB283DFE51E0D8A8B7C41C0B2D60FB43F1BD17E18D3D8790483CC89E51B5444
                      Malicious:false
                      Reputation:unknown
                      Preview:MZ......................@.......................................X..Z.qb..qb..qb.a...jqb.s....qb.9...\qb.s...(qb......qb..#.. qb../b..qb......qb.....Hqb..(c./qb.r,f..qb..(c..qb.;...,qb../..Tqb.....Zqb......qb.z...Bqb.....nqb.....[qb.....qb.;...{qb......qb..#...qb...f.oqb....hqb.z....qb.....:qb.;...tqb.Rich.qb.................................................................................................PE..d.G...}^.........." ..... ...........$.........@..........................................`.................................................$...<....................................................................................0..(............................text............ .........@........ ..`.rdata...o...0...p...0...0.@Co......@..@.data....;.......@.........@.;......@....pdata..8..................@8.......@..@.rsrc......................@........@..@.reloc..1..................@1.......@..B.vxl............. .........@........@..@.qwubgr.$....0... ...0...0.@$.......@..@.eer....
                      Process:C:\Windows\explorer.exe
                      File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                      Category:dropped
                      Size (bytes):1425408
                      Entropy (8bit):4.917318419857222
                      Encrypted:false
                      SSDEEP:12288:UZgJtlQepQn+NDo7nIYegQCLDF/B9wvj/cLvVZFuw:UZK6F7n5eRmDFJivohZFV
                      MD5:B8D02635D9DDC84EF8C19EF7796742C1
                      SHA1:01B84411DCCEF7225B66814AC273008C1B0EB55E
                      SHA-256:4021794209EF32D64272F184892D6E4ADF21F07090CA6797A26BB4246B0D83B4
                      SHA-512:31F7C4F5F157EAD39569577785FAAA4292E34589EA0280C2E55AB1E1B5ECF34DF513C0672CD1A71499BC63619478D9CD907BEE00BA1D0CABC91DBB6095ED9709
                      Malicious:false
                      Reputation:unknown
                      Preview:MZ......................@.......................................X..Z.qb..qb..qb.a...jqb.s....qb.9...\qb.s...(qb......qb..#.. qb../b..qb......qb.....Hqb..(c./qb.r,f..qb..(c..qb.;...,qb../..Tqb.....Zqb......qb.z...Bqb.....nqb.....[qb.....qb.;...{qb......qb..#...qb...f.oqb....hqb.z....qb.....:qb.;...tqb.Rich.qb.................................................................................................PE..d.G...}^.........." ..... ...........$.........@..........................................`.............................................+...$...<....................................................................................0..(............................text............ .........@........ ..`.rdata...o...0...p...0...0.@Co......@..@.data....;.......@.........@.;......@....pdata..8..................@8.......@..@.rsrc......................@........@..@.reloc..1..................@1.......@..B.vxl............. .........@........@..@.qwubgr.$....0... ...0...0.@$.......@..@.eer....
                      Process:C:\Windows\explorer.exe
                      File Type:PE32+ executable (GUI) x86-64, for MS Windows
                      Category:dropped
                      Size (bytes):165888
                      Entropy (8bit):6.756750968049146
                      Encrypted:false
                      SSDEEP:3072:oV6Rb3NlzO8Lwmq1cXNDnGOb+ahXNqJohePnq45L840:Y6TdOQXNDGOb+asEwv5L
                      MD5:5EF563C2A4E7B7F4100ECD13B304FC48
                      SHA1:4609D795D758A16B8703CA2E01F250D33816CB81
                      SHA-256:2DFA704A6C0DAAEF91BEF043BA6E3F5B5D2516C97AFFBD39EC2C7278497B1688
                      SHA-512:C372777121C0924519FC2EFDFF461B97B048D845AF14142680A4E95B9679D65583332788322CC87B98D3B1D8E28D0B1AFF74881B63BDA17434E4A8187B6D7CA9
                      Malicious:false
                      Reputation:unknown
                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........a.............d......d......d......d.............d......dd.....d.....Rich............................PE..d....1............"............................@.........................................`.......... ...................................................W...p..........................T...........................@...............@...(............................text............................... ..`.rdata...........0..................@..@.data...42...0......................@....pdata.......p.......&..............@..@.rsrc....W.......X..................@..@.reloc..............................@..B................................................................................................................................................................................................................................................................
                      Process:C:\Users\user\AppData\Local\SUX56B\FileHistory.exe
                      File Type:ASCII text, with CRLF line terminators
                      Category:dropped
                      Size (bytes):42
                      Entropy (8bit):4.0050635535766075
                      Encrypted:false
                      SSDEEP:3:QHXMKa/xwwUy:Q3La/xwQ
                      MD5:84CFDB4B995B1DBF543B26B86C863ADC
                      SHA1:D2F47764908BF30036CF8248B9FF5541E2711FA2
                      SHA-256:D8988D672D6915B46946B28C06AD8066C50041F6152A91D37FFA5CF129CC146B
                      SHA-512:485F0ED45E13F00A93762CBF15B4B8F996553BAA021152FAE5ABA051E3736BCD3CA8F4328F0E6D9E3E1F910C96C4A9AE055331123EE08E3C2CE3A99AC2E177CE
                      Malicious:false
                      Reputation:unknown
                      Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..
                      Process:C:\Windows\explorer.exe
                      File Type:PE32+ executable (GUI) x86-64 Mono/.Net assembly, for MS Windows
                      Category:dropped
                      Size (bytes):246784
                      Entropy (8bit):6.054877934071265
                      Encrypted:false
                      SSDEEP:3072:5WQz0maAVV604aFUxzYuVD8o+otIxAGQW7A70TshCbdmyTVulAyXRON:5WZmxPZUxzYuVD8ortIxAGJKSuCbd
                      MD5:989B5BDB2BEAC9F894BBC236F1B67967
                      SHA1:7B964642FEE2D6508E66C615AA6CF7FD95D6196E
                      SHA-256:FF1DE8A606FDB6A932E7A3E5EE5317A6483F08712DE93603C92C058E05A89C0C
                      SHA-512:0360C9FE88743056FD25AC17F12087DAD026B033E590A93F394B00EB486A2F5E2331EDCCA9605AA7573D892FBA41557C9E0EE4FAC69FCA687D6B6F144E5E5249
                      Malicious:false
                      Reputation:unknown
                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........m.s..k ..k ..k .hh!..k .^. ..k .ho!..k .hb!..k .hj!..k ..j #.k .hn!..k .h. ..k .hi!..k Rich..k ........PE..d................."......t...X.......{.........@............................. ......\.....`.......... ...............................................0....... ..8...............$... ...T...............................................................H............text...{m.......n.................. ..`.nep.................r.............. ..`.rdata...i.......j...x..............@..@.data... ...........................@....pdata..8.... ......................@..@.rsrc........0......................@..@.reloc..$...........................@..B................................................................................................................................................................................................................................
                      Process:C:\Windows\explorer.exe
                      File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                      Category:dropped
                      Size (bytes):1425408
                      Entropy (8bit):4.928831100074685
                      Encrypted:false
                      SSDEEP:12288:vZgJtlQepQn+NDo7nIYegQCLDF/B9wvj/cLvVZFuw:vZK6F7n5eRmDFJivohZFV
                      MD5:0111789310AC76F95B2EAD6673ADCD80
                      SHA1:09E9622BBFC43CA138A90E85F73C417F845EA1F5
                      SHA-256:8BA36FF9D732805C39FE1718C0064E1D50B98D710BDB636059668DB275C9B5D6
                      SHA-512:1AF365AFC1233FF8C17402D35F8ED974954431BBB25835113E02A8DC7B0C729DC1C91E67B7CB5B8A1C420187ECD4C00B901D77075F15A9BD9323FCA47FB68710
                      Malicious:true
                      Antivirus:
                      • Antivirus: Avira, Detection: 100%
                      • Antivirus: Joe Sandbox ML, Detection: 100%
                      Reputation:unknown
                      Preview:MZ......................@.......................................X..Z.qb..qb..qb.a...jqb.s....qb.9...\qb.s...(qb......qb..#.. qb../b..qb......qb.....Hqb..(c./qb.r,f..qb..(c..qb.;...,qb../..Tqb.....Zqb......qb.z...Bqb.....nqb.....[qb.....qb.;...{qb......qb..#...qb...f.oqb....hqb.z....qb.....:qb.;...tqb.Rich.qb.................................................................................................PE..d.G...}^.........." ..... ...........$.........@..........................................`.................................................$...<....................................................................................0..(............................text............ .........@........ ..`.rdata...o...0...p...0...0.@Co......@..@.data....;.......@.........@.;......@....pdata..8..................@8.......@..@.rsrc......................@........@..@.reloc..1..................@1.......@..B.vxl............. .........@........@..@.qwubgr.$....0... ...0...0.@$.......@..@.eer....
                      Process:C:\Windows\explorer.exe
                      File Type:PE32+ executable (GUI) x86-64, for MS Windows
                      Category:dropped
                      Size (bytes):145920
                      Entropy (8bit):5.742854541048038
                      Encrypted:false
                      SSDEEP:3072:SfzsWjBQoVY9ZxvMlkD6F+UoOxsjlpfzX6:SfzsCBhy9dXUo+epfz
                      MD5:E2C777B6E3CE4C15C5657429A63787A3
                      SHA1:DFFC902982B618201D0DC46B91F1565DC7D04377
                      SHA-256:7E02DBE7D9D4CE4DA15AD56123B0B9809F004F5C64917910BB55C8073DAA92B8
                      SHA-512:2600F0CAE24C02DC64415E5A305AF7BB5B0CE97D9466F06D40430CFD03CE609A598BA10799E4D4A7EB7B1D95DD674F4E2522FA3767133786ED78FE5D7A2B3B05
                      Malicious:false
                      Reputation:unknown
                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......OK7..*Y..*Y..*Y.dNZ..*Y.dN]..*Y.dN\..*Y.dNX.(*Y..*X..*Y.dNP..*Y.dN...*Y.dN[..*Y.Rich.*Y.........PE..d....$.6.........."......@...........:.........@....................................(.....`.......... ..........................................@....`.......@..4............p..........T....................R..(....Q..............8R......H...@....................text...k>.......@.................. ..`.rdata.......P.......D..............@..@.data...H....0......................@....pdata..4....@......................@..@.didat.......P......................@....rsrc........`.......0..............@..@.reloc.......p.......8..............@..B........................................................................................................................................................................................................................................
                      Process:C:\Windows\explorer.exe
                      File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                      Category:dropped
                      Size (bytes):1425408
                      Entropy (8bit):4.9258357946515945
                      Encrypted:false
                      SSDEEP:12288:WZgJtlQepQn+NDo7nIYegQCLDF/B9wvj/cLvVZFuw:WZK6F7n5eRmDFJivohZFV
                      MD5:F154D9E2FB9AD87BACB1397C9EC31231
                      SHA1:80024165D6485B67EBC2A779072C7151D625297B
                      SHA-256:0F244128762A4CB1C39A4DC45CBB15F1F5C0A5FF963C032C0A1C8F3E971CCA2D
                      SHA-512:BDC2F436372950E3829D323BC079A5426BFD6C5821786DA5A278226383CF851AA72FDACF125C40C1F4821CE902D0E3901AD70F3B08BC4833CBCA3B4E571B17CC
                      Malicious:true
                      Antivirus:
                      • Antivirus: Avira, Detection: 100%
                      • Antivirus: Joe Sandbox ML, Detection: 100%
                      Reputation:unknown
                      Preview:MZ......................@.......................................X..Z.qb..qb..qb.a...jqb.s....qb.9...\qb.s...(qb......qb..#.. qb../b..qb......qb.....Hqb..(c./qb.r,f..qb..(c..qb.;...,qb../..Tqb.....Zqb......qb.z...Bqb.....nqb.....[qb.....qb.;...{qb......qb..#...qb...f.oqb....hqb.z....qb.....:qb.;...tqb.Rich.qb.................................................................................................PE..d.G...}^.........." ..... ...........$.........@..........................................`.................................................$...<....................................................................................0..(............................text............ .........@........ ..`.rdata...o...0...p...0...0.@Co......@..@.data....;.......@.........@.;......@....pdata..8..................@8.......@..@.rsrc......................@........@..@.reloc..1..................@1.......@..B.vxl............. .........@........@..@.qwubgr.$....0... ...0...0.@$.......@..@.eer....
                      Process:C:\Windows\explorer.exe
                      File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                      Category:dropped
                      Size (bytes):1425408
                      Entropy (8bit):4.91669283258889
                      Encrypted:false
                      SSDEEP:12288:jZgJtlQepQn+NDo7nIYegQCLDF/B9wvj/cLvVZFuw:jZK6F7n5eRmDFJivohZFV
                      MD5:BA9ACA182F98152AD064B0FF5C7B6683
                      SHA1:ECB3A471CCF3347DE04A124D053574734217B68E
                      SHA-256:691A9F7A2F75780303A9F79B437A9C9D09686E41C51ADB721F0255385B27777E
                      SHA-512:7EA6C1F19CB7132AC068D4015FE6E474BA5604BA1D47B7494E9121A33515EADE3A087BB7ABF08C24B06026E6273272A086CBE83CF7A6D838DB52F7D4C090A3A3
                      Malicious:true
                      Antivirus:
                      • Antivirus: Avira, Detection: 100%
                      • Antivirus: Joe Sandbox ML, Detection: 100%
                      Reputation:unknown
                      Preview:MZ......................@.......................................X..Z.qb..qb..qb.a...jqb.s....qb.9...\qb.s...(qb......qb..#.. qb../b..qb......qb.....Hqb..(c./qb.r,f..qb..(c..qb.;...,qb../..Tqb.....Zqb......qb.z...Bqb.....nqb.....[qb.....qb.;...{qb......qb..#...qb...f.oqb....hqb.z....qb.....:qb.;...tqb.Rich.qb.................................................................................................PE..d.G...}^.........." ..... ...........$.........@..........................................`.................................................$...<....................................................................................0..(............................text............ .........@........ ..`.rdata...o...0...p...0...0.@Co......@..@.data....;.......@.........@.;......@....pdata..8..................@8.......@..@.rsrc......................@........@..@.reloc..1..................@1.......@..B.vxl............. .........@........@..@.qwubgr.$....0... ...0...0.@$.......@..@.eer....
                      Process:C:\Windows\explorer.exe
                      File Type:PE32+ executable (GUI) x86-64, for MS Windows
                      Category:dropped
                      Size (bytes):83968
                      Entropy (8bit):7.0666667890606005
                      Encrypted:false
                      SSDEEP:1536:/pmuZctREC/rMcgEPJV+G57ThjEC0kzJP+V5Jp:xHczECTMpuDhjRVJGr
                      MD5:BEE134E1F23AFD3AE58191D265BB9070
                      SHA1:52178976E1B4405157042CD3A095BE6D7975609A
                      SHA-256:7F258CE17EA09F076A767A2D3CC0A06F3AEF07169BFD6A16265B8958758FD799
                      SHA-512:AEDFF7C45288A1CF69616B9887FC091F0913BEFA0EA7642C6A18DB50E4D6369CDC73730B8E6BE4FEDB4EB5EC28729AED39845B2E6F0C0685EBFF60106B54C1A9
                      Malicious:false
                      Reputation:unknown
                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......%...a..[a..[a..[h..[o..[..Z`..[..Zc..[..Zp..[a..[C..[..Zd..[..Z`..[..q[`..[..Z`..[Richa..[........................PE..d....F$..........."..........>.................@..........................................`.......... .......................................&.......P..H'...@.................. ...."..T............................ ...............!..8............................text............................... ..`.rdata..N.... ......................@..@.data........0......................@....pdata.......@......................@..@.rsrc...H'...P...(..................@..@.reloc.. ............F..............@..B........................................................................................................................................................................................................................................................
                      Process:C:\Windows\explorer.exe
                      File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                      Category:dropped
                      Size (bytes):1425408
                      Entropy (8bit):4.916695574658334
                      Encrypted:false
                      SSDEEP:12288:wZgJtlQepQn+NDo7nIYegQCLDF/B9wvj/cLvVZFuw:wZK6F7n5eRmDFJivohZFV
                      MD5:2BCE47B487FACF09BFF2BEB5E26AFDA3
                      SHA1:F33DF30FF826CB85DEFF4995C2F7BAD45D17DCE8
                      SHA-256:1ED380A7DAEDA7A0C94BFCC6A79975A816B2891BC08034C69703E8775CD6159D
                      SHA-512:2CE56DB7797C5D63AB34420CE7A2EA8FD6A3D043CEA649C0D2CDB3A4FE57B80F4067BEB6DC891A0FAB266919C83FB82CC81CAC8F93E0E8A7F49E800ACBD5C6C8
                      Malicious:false
                      Reputation:unknown
                      Preview:MZ......................@.......................................X..Z.qb..qb..qb.a...jqb.s....qb.9...\qb.s...(qb......qb..#.. qb../b..qb......qb.....Hqb..(c./qb.r,f..qb..(c..qb.;...,qb../..Tqb.....Zqb......qb.z...Bqb.....nqb.....[qb.....qb.;...{qb......qb..#...qb...f.oqb....hqb.z....qb.....:qb.;...tqb.Rich.qb.................................................................................................PE..d.G...}^.........." ..... ...........$.........@..........................................`.................................................$...<....................................................................................0..(............................text............ .........@........ ..`.rdata...o...0...p...0...0.@Co......@..@.data....;.......@.........@.;......@....pdata..8..................@8.......@..@.rsrc......................@........@..@.reloc..1..................@1.......@..B.vxl............. .........@........@..@.qwubgr.$....0... ...0...0.@$.......@..@.eer....
                      Process:C:\Windows\explorer.exe
                      File Type:PE32+ executable (GUI) x86-64, for MS Windows
                      Category:dropped
                      Size (bytes):83968
                      Entropy (8bit):7.065147438048501
                      Encrypted:false
                      SSDEEP:1536:UfuZktREC/rMcgEPJV+G57ThjEC0kzJP+V5Jl:VkzECTMpuDhjRVJG3
                      MD5:82ED6250B9AA030DDC13DC075D2C16E3
                      SHA1:BC2BDCF474A7315232136B29291166E789D1F280
                      SHA-256:F321BB53BBC41C2CBFFABC56837F9FA723AA0C6ACB68A0C200CBC7427202DC9E
                      SHA-512:94D34293F070F6505D6922977AC1EF8E08DB0D92DCA8823BCF7376FD81B3AA80D2BD0FEF21FC74BCE08EEBF82DF09114A71792945DE4E3BB1FD0929538DF489B
                      Malicious:false
                      Reputation:unknown
                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......%...a..[a..[a..[h..[o..[..Z`..[..Zc..[..Zp..[a..[C..[..Zd..[..Z`..[..q[`..[..Z`..[Richa..[........................PE..d.....o..........."..........>.................@....................................AS....`.......... .......................................&.......P..0'...@.................. ...."..T............................ ...............!..8............................text............................... ..`.rdata..N.... ......................@..@.data........0......................@....pdata.......@......................@..@.rsrc...0'...P...(..................@..@.reloc.. ............F..............@..B........................................................................................................................................................................................................................................................
                      Process:C:\Windows\explorer.exe
                      File Type:PE32+ executable (GUI) x86-64, for MS Windows
                      Category:dropped
                      Size (bytes):13312
                      Entropy (8bit):4.871127662725052
                      Encrypted:false
                      SSDEEP:192:kXe0PT5V21py9AA/lvmBfXWqFwO6Wdz3ios9aW/GW:kXe5pgAMhAXWq6OFZcaW/GW
                      MD5:5FDB30927E9D4387D777443BF865EEFD
                      SHA1:E802BE85298183F050141EAEB87930657A8E07A6
                      SHA-256:C57CE112AB04B00CC7270B6D76F005FFB8E2ED3ADC6904CF5C5F184EE077FA32
                      SHA-512:776F5B5640C22373E641DE4C3C6F4C7DFF0CD39662108B8DFA070EE0A867B3A6401976BD2B78BC766D469105AF2E6E466C4140FFE40C49146BB6B09591676773
                      Malicious:false
                      Reputation:unknown
                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............mo..mo..mo..j..mo..l..mo..k..mo..n..mo..mn..mo..g..mo.....mo..m..mo.Rich.mo.........PE..d......K.........."..........&......@..........@.............................p......?:....`.......... .......................................&.......P.......@...............`.. ....#..T............................ ...............!...............................text...@........................... ..`.rdata....... ......................@..@.data........0....... ..............@....pdata.......@......."..............@..@.rsrc........P.......$..............@..@.reloc.. ....`.......2..............@..B................................................................................................................................................................................................................................................................................
                      Process:C:\Windows\explorer.exe
                      File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                      Category:dropped
                      Size (bytes):1425408
                      Entropy (8bit):4.918885153527605
                      Encrypted:false
                      SSDEEP:12288:MZgJtlQepQn+NDo7nIYegQCLDF/B9wvj/cLvVZFuw:MZK6F7n5eRmDFJivohZFV
                      MD5:EC010E746CB3015368C614116974F7C3
                      SHA1:487E2034D56891ED4944FBB3C6A5B60A564D9242
                      SHA-256:BD3080241DD119ED49AD8018720A2DF840A2A5CB0B2805838FCB96D042F9C11E
                      SHA-512:91CA03EFAE7230D39C834899C7AFB5A5DA189FA064939929EC4E171B8790A780DB60331941CB32D8E1018D179A50ED8F7785EF86D462D7DDC23A90CB8B6E8E6B
                      Malicious:true
                      Antivirus:
                      • Antivirus: Avira, Detection: 100%
                      • Antivirus: Joe Sandbox ML, Detection: 100%
                      Reputation:unknown
                      Preview:MZ......................@.......................................X..Z.qb..qb..qb.a...jqb.s....qb.9...\qb.s...(qb......qb..#.. qb../b..qb......qb.....Hqb..(c./qb.r,f..qb..(c..qb.;...,qb../..Tqb.....Zqb......qb.z...Bqb.....nqb.....[qb.....qb.;...{qb......qb..#...qb...f.oqb....hqb.z....qb.....:qb.;...tqb.Rich.qb.................................................................................................PE..d.G...}^.........." ..... ...........$.........@..........................................`.............................................]...$...<....................................................................................0..(............................text............ .........@........ ..`.rdata...o...0...p...0...0.@Co......@..@.data....;.......@.........@.;......@....pdata..8..................@8.......@..@.rsrc......................@........@..@.reloc..1..................@1.......@..B.vxl............. .........@........@..@.qwubgr.$....0... ...0...0.@$.......@..@.eer....
                      Process:C:\Windows\explorer.exe
                      File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                      Category:dropped
                      Size (bytes):1425408
                      Entropy (8bit):4.917302008805113
                      Encrypted:false
                      SSDEEP:12288:8ZgJtlQepQn+NDo7nIYegQCLDF/B9wvj/cLvVZFuw:8ZK6F7n5eRmDFJivohZFV
                      MD5:C6081FA40DD019E8A1A6BD108BDCEC7B
                      SHA1:ACC21C013C4BAD0D1E8898D378F228992FA08597
                      SHA-256:F747A95A6B92DA91FD9DF5471682F76B77E4A260327108C0D1D411C8FB13E9BD
                      SHA-512:6DE330AFB4410EC7B866FA060BAD61751310AB9CBAC171423CD849D5B3D6033A7D2273164CBB639100F43176ABF0E790186D175F720B7AD29D8769BE0175A8EE
                      Malicious:false
                      Reputation:unknown
                      Preview:MZ......................@.......................................X..Z.qb..qb..qb.a...jqb.s....qb.9...\qb.s...(qb......qb..#.. qb../b..qb......qb.....Hqb..(c./qb.r,f..qb..(c..qb.;...,qb../..Tqb.....Zqb......qb.z...Bqb.....nqb.....[qb.....qb.;...{qb......qb..#...qb...f.oqb....hqb.z....qb.....:qb.;...tqb.Rich.qb.................................................................................................PE..d.G...}^.........." ..... ...........$.........@..........................................`.............................................+...$...<....................................................................................0..(............................text............ .........@........ ..`.rdata...o...0...p...0...0.@Co......@..@.data....;.......@.........@.;......@....pdata..8..................@8.......@..@.rsrc......................@........@..@.reloc..1..................@1.......@..B.vxl............. .........@........@..@.qwubgr.$....0... ...0...0.@$.......@..@.eer....
                      Process:C:\Windows\explorer.exe
                      File Type:PE32+ executable (GUI) x86-64, for MS Windows
                      Category:dropped
                      Size (bytes):143872
                      Entropy (8bit):6.942627183104786
                      Encrypted:false
                      SSDEEP:3072:0BuGag041hcWp1icKAArDZz4N9GhbkUNEk95l:5hudp0yN90vE
                      MD5:ED93B350C8EEFC442758A00BC3EEDE2D
                      SHA1:ADD14417939801C555BBBFFAF7388BD13DE2DE42
                      SHA-256:ABD6D466E30626636D380A3C9FCC0D0B909C450F8EA74D8963881D7C46335CED
                      SHA-512:7BA8D1411D9AEE3447494E248005A43F522CA684839FCD4C4592946B12DC4E73B1FF86D8E843B25A73E3F2463955815470304E4F219B36DBC94870BEBF700581
                      Malicious:false
                      Reputation:unknown
                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........e...............`.......`.......`.......`..........,....`.......`0......`......Rich............................PE..d...._.{.........."......r...........w.........@.....................................R....`.......... .......................................................................... .......T............................................... ............................text....q.......r.................. ..`.rdata...".......$...v..............@..@.data...............................@....pdata..............................@..@.rsrc...............................@..@.reloc.. ............0..............@..B................................................................................................................................................................................................................................................................
                      Process:C:\Windows\explorer.exe
                      File Type:data
                      Category:dropped
                      Size (bytes):1450
                      Entropy (8bit):7.3521104906654084
                      Encrypted:false
                      SSDEEP:24:UMveCU72gUAqtkT3uNuoDh8GQSkuFvZrOKTyEgloXExwlOkk7jAqteaAB5ca:UCez71UITgsHSjvrTyEgGwwOkk/yPB6a
                      MD5:E5517F1E7F0DB67CE997DCD63DA2131B
                      SHA1:2F9ADF9CBE58DAC2A2ED13536DF7BE47B6307AFE
                      SHA-256:5D393037E0DD30F76B36E7E64184FC1E891EE4B69CBECC61FD16FF2DFE24F2C3
                      SHA-512:B687E8413D0080FB20BD26AB56230AACD5CF42AD6B414FD47FE8C981DE53C81B4AED7026A6756AC8157F11D1F6EC9667BE9C9006C56D21DCC1481F508142EFEC
                      Malicious:false
                      Reputation:unknown
                      Preview:........................................user.....................RSA1.....................K)at.b.O;.u..%.. ....uO.....M(..6.Nt.7...+...F.p..@x............Q..k._....E3E.06J....@#.7?....x...../.dn..P$...Y.IWG.....................z..O..........d..G...,c.R.....,...C.r.y.p.t.o.A.P.I. .P.r.i.v.a.t.e. .K.e.y....f...... ......z^.`....$4.......]...._$M............ ...}r.9...L...V."..Y\S.])..n.=).-.....I....`..9..W.pdhu..R.Y.WZ.(/5)..N.T.G6........R....vvz..0.yd..pr.52.v(..^.._..!..Sdjq0.,B....-T5..*..0.m.....p..\...>D....r.j.b].M*E\Fr..+c.7.n...b.....ta.t....A.PZ......j;`.m.$*...A|..2$..."...:..eS......;(;Y....5n./.}....qd..>.P..... `D.@&7H.J=8...3)n.....%............&........G.....yN{................g...N.....F.W.K.@..gS..c.U.V. p..5./.!..%3.X7......$.7........U.+yzpnx.l.....l.j .f....\b.q.>..+q$..u.U...(....PO;t.9.|...;&.8E.Y.c.&..@..i..p..L.....Ws;...................Z..JZM..I>.L.0.3),.3...+t.#../.+..j..^w.k..O...F(r|mh..5.....z:^Bk.z,..0...&.Pb..%
                      File type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                      Entropy (8bit):4.928559438186432
                      TrID:
                      • Win64 Dynamic Link Library (generic) (102004/3) 86.43%
                      • Win64 Executable (generic) (12005/4) 10.17%
                      • Generic Win/DOS Executable (2004/3) 1.70%
                      • DOS Executable Generic (2002/1) 1.70%
                      • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.01%
                      File name:mpXUd364Rz.dll
                      File size:1421312
                      MD5:76a03b741a85be73b47b1a72cea1becb
                      SHA1:f453704ee0177d5771766870bc871e7c048a6c61
                      SHA256:7fb4c95a329b24e6ab6742747cf896ae5125599548d38388fcb887b3fb871339
                      SHA512:86c59d8d2c2111175d541dd17ecc7b1ab89eb0e5400f2db21d70346af7871d2ac3008aca9ec762bbd7508b2c8ac9122111bfc83356c1d413bf1c693fbc74ec95
                      SSDEEP:12288:LZgJtlQepQn+NDo7nIYegQCLDF/B9wvj/cLvVZFuw:LZK6F7n5eRmDFJivohZFV
                      File Content Preview:MZ......................@.......................................X..Z.qb..qb..qb.a...jqb.s....qb.9...\qb.s...(qb......qb..#.. qb../b..qb......qb.....Hqb..(c./qb.r,f..qb..(c..qb.;...,qb../..Tqb.....Zqb......qb.z...Bqb.....nqb.....[qb......qb.;...{qb......qb
                      Icon Hash:74f0e4ecccdce0e4
                      Entrypoint:0x1400424b0
                      Entrypoint Section:.text
                      Digitally signed:false
                      Imagebase:0x140000000
                      Subsystem:windows gui
                      Image File Characteristics:EXECUTABLE_IMAGE, DLL, LARGE_ADDRESS_AWARE
                      DLL Characteristics:TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA
                      Time Stamp:0x5E7D9D05 [Fri Mar 27 06:28:21 2020 UTC]
                      TLS Callbacks:
                      CLR (.Net) Version:
                      OS Version Major:5
                      OS Version Minor:0
                      File Version Major:5
                      File Version Minor:0
                      Subsystem Version Major:5
                      Subsystem Version Minor:0
                      Import Hash:4a2e61e1749a0183eccaadb9c4ef6ec2
                      Instruction
                      dec eax
                      mov dword ptr [00070639h], ecx
                      dec eax
                      lea ecx, dword ptr [FFFFF2F2h]
                      dec esp
                      mov dword ptr [0007064Bh], eax
                      dec esp
                      mov dword ptr [00070654h], edi
                      dec esp
                      mov dword ptr [00070655h], esi
                      dec eax
                      xor eax, eax
                      dec eax
                      inc eax
                      dec eax
                      add ecx, eax
                      dec esp
                      mov dword ptr [00070655h], esp
                      dec eax
                      dec ecx
                      dec eax
                      mov dword ptr [00070653h], esi
                      dec eax
                      test eax, eax
                      je 00007F8D44EAC25Dh
                      dec eax
                      mov dword ptr [0007060Fh], esp
                      dec eax
                      mov dword ptr [00070600h], ebp
                      dec eax
                      mov dword ptr [00070649h], ebx
                      dec eax
                      mov dword ptr [0007063Ah], edi
                      dec eax
                      test eax, eax
                      je 00007F8D44EAC23Ch
                      dec esp
                      mov dword ptr [000705FEh], ecx
                      dec esp
                      mov dword ptr [0007060Fh], ebp
                      dec eax
                      mov dword ptr [000705D0h], edx
                      jmp ecx
                      dec eax
                      add edi, ecx
                      retn 0008h
                      ud2
                      int3
                      int3
                      int3
                      int3
                      int3
                      int3
                      int3
                      int3
                      int3
                      int3
                      int3
                      int3
                      int3
                      int3
                      push esi
                      dec eax
                      sub esp, 00000080h
                      dec eax
                      mov dword ptr [esp+78h], 58225FC8h
                      mov dword ptr [esp+60h], 2DFAE652h
                      mov al, byte ptr [esp+77h]
                      mov dl, al
                      add dl, FFFFFF85h
                      mov byte ptr [esp+77h], dl
                      mov word ptr [esp+5Eh], 3327h
                      dec esp
                      mov eax, dword ptr [esp+78h]
                      inc esp
                      mov ecx, dword ptr [esp+64h]
                      Name | Virtual Address | Virtual Size | Is in Section
                      IMAGE_DIRECTORY_ENTRY_EXPORT | 0x15a010 | 0x22b | .kuh
                      IMAGE_DIRECTORY_ENTRY_IMPORT | 0xa9924 | 0x3c | .rdata
                      IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xbf000 | 0x3d8 | .rsrc
                      IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                      IMAGE_DIRECTORY_ENTRY_SECURITY | 0x1000 | 0x0 | .text
                      IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xc0000 | 0xefc | .reloc
                      IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
                      IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                      IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                      IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
                      IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
                      IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                      IMAGE_DIRECTORY_ENTRY_IAT | 0x43000 | 0x28 | .rdata
                      IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                      IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
                      IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
                      Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                      .text | 0x1000 | 0x418cc | 0x42000 | False | 0.781412760417 | data | 7.78392111205 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                      .rdata | 0x43000 | 0x66fe7 | 0x67000 | False | 0.700320938258 | data | 7.87281050709 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                      .data | 0xaa000 | 0x13ba7 | 0x14000 | False | 0.0782836914062 | data | 2.51707039551 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
                      .pdata | 0xbe000 | 0x138 | 0x1000 | False | 0.061279296875 | PEX Binary Archive | 0.599172422844 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                      .rsrc | 0xbf000 | 0x69e | 0x1000 | False | 0.123291015625 | data | 1.07831823765 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                      .reloc | 0xc0000 | 0xf31 | 0x1000 | False | 0.416748046875 | data | 5.36145191459 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
                      .vxl | 0xc1000 | 0x14d4 | 0x2000 | False | 0.0037841796875 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                      .qwubgr | 0xc3000 | 0x1124 | 0x2000 | False | 0.0037841796875 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                      .eer | 0xc5000 | 0x1e66 | 0x2000 | False | 0.0037841796875 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                      .xwwauf | 0xc7000 | 0x9cd | 0x1000 | False | 0.00634765625 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                      .pkc | 0xc8000 | 0x42a | 0x1000 | False | 0.00634765625 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                      .npkda | 0xc9000 | 0x736 | 0x1000 | False | 0.00634765625 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                      .vhs | 0xca000 | 0x1af | 0x1000 | False | 0.00634765625 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                      .iaywj | 0xcb000 | 0x1455 | 0x2000 | False | 0.0037841796875 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                      .nasi | 0xcd000 | 0x8fe | 0x1000 | False | 0.00634765625 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                      .zhvprh | 0xce000 | 0x6cd0 | 0x7000 | False | 0.00177873883929 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                      .yatdsp | 0xd5000 | 0x543 | 0x1000 | False | 0.00634765625 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                      .njso | 0xd6000 | 0x1278 | 0x2000 | False | 0.0037841796875 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                      .lgliat | 0xd8000 | 0x736 | 0x1000 | False | 0.00634765625 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                      .ntqjh | 0xd9000 | 0xbf6 | 0x1000 | False | 0.00634765625 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                      .sucsek | 0xda000 | 0x23b | 0x1000 | False | 0.00634765625 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                      .qsxjui | 0xdb000 | 0x9cd | 0x1000 | False | 0.00634765625 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                      .twctcm | 0xdc000 | 0x1124 | 0x2000 | False | 0.0037841796875 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                      .nms | 0xde000 | 0x23b | 0x1000 | False | 0.00634765625 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                      .ogj | 0xdf000 | 0x1278 | 0x2000 | False | 0.0037841796875 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                      .vrkgb | 0xe1000 | 0x706 | 0x1000 | False | 0.00634765625 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                      .gikfw | 0xe2000 | 0x8fe | 0x1000 | False | 0.00634765625 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                      .ktl | 0xe3000 | 0x9cd | 0x1000 | False | 0.00634765625 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                      .crcn | 0xe4000 | 0x5a7 | 0x1000 | False | 0.00634765625 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                      .wtfr | 0xe5000 | 0x1ee | 0x1000 | False | 0.00634765625 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                      .hep | 0xe6000 | 0x13e | 0x1000 | False | 0.00634765625 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                      .ywg | 0xe7000 | 0xd33 | 0x1000 | False | 0.00634765625 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                      .sqsp | 0xe8000 | 0x2da | 0x1000 | False | 0.00634765625 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                      .gzb | 0xe9000 | 0x23b | 0x1000 | False | 0.00634765625 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                      .fatlss | 0xea000 | 0x736 | 0x1000 | False | 0.00634765625 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                      .plqa | 0xeb000 | 0x13e | 0x1000 | False | 0.00634765625 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                      .vzt | 0xec000 | 0x13e | 0x1000 | False | 0.00634765625 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                      .dsbyd | 0xed000 | 0x1e66 | 0x2000 | False | 0.0037841796875 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                      .cdelc | 0xef000 | 0x736 | 0x1000 | False | 0.00634765625 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                      .qkhkj | 0xf0000 | 0x5a7 | 0x1000 | False | 0.00634765625 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                      .mnzegr | 0xf1000 | 0x13e | 0x1000 | False | 0.00634765625 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                      .krw | 0xf2000 | 0x23b | 0x1000 | False | 0.00634765625 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                      .jvsmn | 0xf3000 | 0x389 | 0x1000 | False | 0.00634765625 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                      .bygpq | 0xf4000 | 0x1278 | 0x2000 | False | 0.0037841796875 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                      .kzdbu | 0xf6000 | 0xbde | 0x1000 | False | 0.00634765625 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                      .mwxorn | 0xf7000 | 0x3fe | 0x1000 | False | 0.00634765625 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                      .raf | 0xf8000 | 0x389 | 0x1000 | False | 0.00634765625 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                      .zcyw | 0xf9000 | 0x2da | 0x1000 | False | 0.00634765625 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                      .zeczh | 0xfa000 | 0x128f | 0x2000 | False | 0.0037841796875 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                      .pvv | 0xfc000 | 0x13e | 0x1000 | False | 0.00634765625 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                      .lug | 0xfd000 | 0x45174 | 0x46000 | False | 0.0010498046875 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                      .ski | 0x143000 | 0x8fe | 0x1000 | False | 0.00634765625 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                      .japjd | 0x144000 | 0x128f | 0x2000 | False | 0.0037841796875 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                      .mwtzml | 0x146000 | 0x8fe | 0x1000 | False | 0.00634765625 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                      .vgssf | 0x147000 | 0x13e | 0x1000 | False | 0.00634765625 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                      .gsroye | 0x148000 | 0x1278 | 0x2000 | False | 0.0037841796875 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                      .vcmr | 0x14a000 | 0x23b | 0x1000 | False | 0.00634765625 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                      .kvjqnl | 0x14b000 | 0x23b | 0x1000 | False | 0.00634765625 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                      .zlu | 0x14c000 | 0x8fe | 0x1000 | False | 0.00634765625 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                      .nrcvk | 0x14d000 | 0x3fe | 0x1000 | False | 0.00634765625 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                      .pfz | 0x14e000 | 0x1278 | 0x2000 | False | 0.0037841796875 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                      .hxz | 0x150000 | 0x1f2a | 0x2000 | False | 0.0037841796875 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                      .snjrs | 0x152000 | 0x736 | 0x1000 | False | 0.00634765625 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                      .bffts | 0x153000 | 0x128f | 0x2000 | False | 0.0037841796875 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                      .gknvh | 0x155000 | 0x13e | 0x1000 | False | 0.00634765625 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                      .mifiod | 0x156000 | 0x23b | 0x1000 | False | 0.00634765625 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                      .whmsy | 0x157000 | 0x8fe | 0x1000 | False | 0.00634765625 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                      .wtuzur | 0x158000 | 0x8fe | 0x1000 | False | 0.00634765625 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                      .lwtn | 0x159000 | 0x3fe | 0x1000 | False | 0.00634765625 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                      .kuh | 0x15a000 | 0x23b | 0x1000 | False | 0.081298828125 | data | 1.12911235994 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                      Name | RVA | Size | Type | Language | Country
                      RT_VERSION | 0xbf0a0 | 0x2dc | data | English | United States
                      RT_MANIFEST | 0xbf380 | 0x56 | ASCII text, with CRLF line terminators | English | United States
                      DLL | Import
                      ADVAPI32.dll | GetServiceDisplayNameW
                      KERNEL32.dll | LoadLibraryA, HeapUnlock
                      Name | Ordinal | Address
                      GetFileVersionInfoA | 1 | 0x140005ff8
                      GetFileVersionInfoByHandle | 2 | 0x14003d2fc
                      GetFileVersionInfoExA | 3 | 0x140016048
                      GetFileVersionInfoExW | 4 | 0x14001f07c
                      GetFileVersionInfoSizeA | 5 | 0x140028014
                      GetFileVersionInfoSizeExA | 6 | 0x140004d40
                      GetFileVersionInfoSizeExW | 7 | 0x140042050
                      GetFileVersionInfoSizeW | 8 | 0x1400236bc
                      GetFileVersionInfoW | 9 | 0x14001dcf4
                      VerFindFileA | 10 | 0x140019c98
                      VerFindFileW | 11 | 0x1400083e0
                      VerInstallFileA | 12 | 0x140023dcc
                      VerInstallFileW | 13 | 0x1400301c4
                      VerLanguageNameA | 14 | 0x14001fea8
                      VerLanguageNameW | 15 | 0x14003dca4
                      VerQueryValueA | 16 | 0x14001eed0
                      VerQueryValueW | 17 | 0x14002bafc
                      Description | Data
                      LegalCopyright | Microsoft Corporation. All rights
                      InternalName | dpnhup
                      FileVersion | 1.56
                      CompanyName | Microsoft C
                      ProductName | Sysinternals Streams
                      ProductVersion | 6.1
                      FileDescription | Thai K
                      OriginalFilename | dpnhupnp.d
                      Translation | 0x0409 0x04b0
                      Language of compilation system | Country where language is spoken | Map
                      English | United States |
                      No network behavior found

                      Target ID:1
                      Start time:16:12:12
                      Start date:23/03/2022
                      Path:C:\Windows\System32\loaddll64.exe
                      Wow64 process (32bit):false
                      Commandline:loaddll64.exe "C:\Users\user\Desktop\mpXUd364Rz.dll"
                      Imagebase:0x7ff7f06b0000
                      File size:140288 bytes
                      MD5 hash:4E8A40CAD6CCC047914E3A7830A2D8AA
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Yara matches:
                      • Rule: JoeSecurity_Dridex_2, Description: Yara detected Dridex unpacked file, Source: 00000001.00000002.259525388.00007FFFE1FD1000.00000020.00000001.01000000.00000003.sdmp, Author: Joe Security
                      Reputation:moderate

                      Target ID:3
                      Start time:16:12:12
                      Start date:23/03/2022
                      Path:C:\Windows\System32\cmd.exe
                      Wow64 process (32bit):false
                      Commandline:cmd.exe /C rundll32.exe "C:\Users\user\Desktop\mpXUd364Rz.dll",#1
                      Imagebase:0x7ff7bb450000
                      File size:273920 bytes
                      MD5 hash:4E2ACF4F8A396486AB4268C94A6A245F
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Reputation:high

                      Target ID:4
                      Start time:16:12:13
                      Start date:23/03/2022
                      Path:C:\Windows\System32\rundll32.exe
                      Wow64 process (32bit):false
                      Commandline:rundll32.exe C:\Users\user\Desktop\mpXUd364Rz.dll,GetFileVersionInfoA
                      Imagebase:0x7ff720760000
                      File size:69632 bytes
                      MD5 hash:73C519F050C20580F8A62C849D49215A
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Yara matches:
                      • Rule: JoeSecurity_Dridex_2, Description: Yara detected Dridex unpacked file, Source: 00000004.00000002.336980954.00007FFFE1FD1000.00000020.00000001.01000000.00000003.sdmp, Author: Joe Security
                      Reputation:high

                      Target ID:5
                      Start time:16:12:13
                      Start date:23/03/2022
                      Path:C:\Windows\System32\rundll32.exe
                      Wow64 process (32bit):false
                      Commandline:rundll32.exe "C:\Users\user\Desktop\mpXUd364Rz.dll",#1
                      Imagebase:0x7ff720760000
                      File size:69632 bytes
                      MD5 hash:73C519F050C20580F8A62C849D49215A
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Yara matches:
                      • Rule: JoeSecurity_Dridex_2, Description: Yara detected Dridex unpacked file, Source: 00000005.00000002.239061197.00007FFFE1FD1000.00000020.00000001.01000000.00000003.sdmp, Author: Joe Security
                      Reputation:high

                      Target ID:6
                      Start time:16:12:14
                      Start date:23/03/2022
                      Path:C:\Windows\explorer.exe
                      Wow64 process (32bit):false
                      Commandline:C:\Windows\Explorer.EXE
                      Imagebase:0x7ff6f3b00000
                      File size:3933184 bytes
                      MD5 hash:AD5296B280E8F522A8A897C96BAB0E1D
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Reputation:high

                      Target ID:8
                      Start time:16:12:16
                      Start date:23/03/2022
                      Path:C:\Windows\System32\rundll32.exe
                      Wow64 process (32bit):false
                      Commandline:rundll32.exe C:\Users\user\Desktop\mpXUd364Rz.dll,GetFileVersionInfoByHandle
                      Imagebase:0x7ff720760000
                      File size:69632 bytes
                      MD5 hash:73C519F050C20580F8A62C849D49215A
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Yara matches:
                      • Rule: JoeSecurity_Dridex_2, Description: Yara detected Dridex unpacked file, Source: 00000008.00000002.246338634.00007FFFE1FD1000.00000020.00000001.01000000.00000003.sdmp, Author: Joe Security
                      Reputation:high

                      Target ID:9
                      Start time:16:12:20
                      Start date:23/03/2022
                      Path:C:\Windows\System32\rundll32.exe
                      Wow64 process (32bit):false
                      Commandline:rundll32.exe C:\Users\user\Desktop\mpXUd364Rz.dll,GetFileVersionInfoExA
                      Imagebase:0x7ff720760000
                      File size:69632 bytes
                      MD5 hash:73C519F050C20580F8A62C849D49215A
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Yara matches:
                      • Rule: JoeSecurity_Dridex_2, Description: Yara detected Dridex unpacked file, Source: 00000009.00000002.253527112.00007FFFE1FD1000.00000020.00000001.01000000.00000003.sdmp, Author: Joe Security
                      Reputation:high

                      Target ID:19
                      Start time:16:13:01
                      Start date:23/03/2022
                      Path:C:\Windows\System32\MDMAppInstaller.exe
                      Wow64 process (32bit):false
                      Commandline:C:\Windows\system32\MDMAppInstaller.exe
                      Imagebase:0x7ff747020000
                      File size:145920 bytes
                      MD5 hash:E2C777B6E3CE4C15C5657429A63787A3
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Reputation:moderate

                      Target ID:20
                      Start time:16:13:04
                      Start date:23/03/2022
                      Path:C:\Users\user\AppData\Local\USNBng\MDMAppInstaller.exe
                      Wow64 process (32bit):false
                      Commandline:C:\Users\user\AppData\Local\USNBng\MDMAppInstaller.exe
                      Imagebase:0x7ff77c190000
                      File size:145920 bytes
                      MD5 hash:E2C777B6E3CE4C15C5657429A63787A3
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Yara matches:
                      • Rule: JoeSecurity_Dridex_2, Description: Yara detected Dridex unpacked file, Source: 00000014.00000002.369557700.00007FFFEF941000.00000020.00000001.01000000.0000000B.sdmp, Author: Joe Security
                      Reputation:moderate

                      Target ID:22
                      Start time:16:13:15
                      Start date:23/03/2022
                      Path:C:\Windows\System32\iexpress.exe
                      Wow64 process (32bit):false
                      Commandline:C:\Windows\system32\iexpress.exe
                      Imagebase:0x7ff6614e0000
                      File size:165888 bytes
                      MD5 hash:5EF563C2A4E7B7F4100ECD13B304FC48
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language

                      Target ID:23
                      Start time:16:13:20
                      Start date:23/03/2022
                      Path:C:\Users\user\AppData\Local\E4DREUfrP\iexpress.exe
                      Wow64 process (32bit):false
                      Commandline:C:\Users\user\AppData\Local\E4DREUfrP\iexpress.exe
                      Imagebase:0x7ff700cd0000
                      File size:165888 bytes
                      MD5 hash:5EF563C2A4E7B7F4100ECD13B304FC48
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Yara matches:
                      • Rule: JoeSecurity_Dridex_2, Description: Yara detected Dridex unpacked file, Source: 00000017.00000002.405019771.00007FFFEF941000.00000020.00000001.01000000.0000000D.sdmp, Author: Joe Security
                      Antivirus matches:
                      • Detection: 0%, Virustotal
                      • Detection: 0%, Metadefender
                      • Detection: 0%, ReversingLabs

                      Target ID:24
                      Start time:16:13:32
                      Start date:23/03/2022
                      Path:C:\Windows\System32\wextract.exe
                      Wow64 process (32bit):false
                      Commandline:C:\Windows\system32\wextract.exe
                      Imagebase:0x7ff6349d0000
                      File size:143872 bytes
                      MD5 hash:ED93B350C8EEFC442758A00BC3EEDE2D
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language

                      Target ID:25
                      Start time:16:13:34
                      Start date:23/03/2022
                      Path:C:\Users\user\AppData\Local\xwE\wextract.exe
                      Wow64 process (32bit):false
                      Commandline:C:\Users\user\AppData\Local\xwE\wextract.exe
                      Imagebase:0x7ff78e550000
                      File size:143872 bytes
                      MD5 hash:ED93B350C8EEFC442758A00BC3EEDE2D
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Yara matches:
                      • Rule: JoeSecurity_Dridex_2, Description: Yara detected Dridex unpacked file, Source: 00000019.00000002.434475222.00007FFFF6CC1000.00000020.00000001.01000000.0000000F.sdmp, Author: Joe Security

                      Target ID:28
                      Start time:16:13:45
                      Start date:23/03/2022
                      Path:C:\Windows\System32\SystemPropertiesAdvanced.exe
                      Wow64 process (32bit):false
                      Commandline:C:\Windows\system32\SystemPropertiesAdvanced.exe
                      Imagebase:0x7ff6e4c60000
                      File size:83968 bytes
                      MD5 hash:82ED6250B9AA030DDC13DC075D2C16E3
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language

                      Target ID:29
                      Start time:16:13:47
                      Start date:23/03/2022
                      Path:C:\Users\user\AppData\Local\pUTm\SystemPropertiesAdvanced.exe
                      Wow64 process (32bit):false
                      Commandline:C:\Users\user\AppData\Local\pUTm\SystemPropertiesAdvanced.exe
                      Imagebase:0x7ff773110000
                      File size:83968 bytes
                      MD5 hash:82ED6250B9AA030DDC13DC075D2C16E3
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Yara matches:
                      • Rule: JoeSecurity_Dridex_2, Description: Yara detected Dridex unpacked file, Source: 0000001D.00000002.467061353.00007FFFF6CC1000.00000020.00000001.01000000.00000011.sdmp, Author: Joe Security

                      Target ID:30
                      Start time:16:14:01
                      Start date:23/03/2022
                      Path:C:\Windows\System32\FileHistory.exe
                      Wow64 process (32bit):false
                      Commandline:C:\Windows\system32\FileHistory.exe
                      Imagebase:0x7ff70be70000
                      File size:246784 bytes
                      MD5 hash:989B5BDB2BEAC9F894BBC236F1B67967
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language

                      Target ID:31
                      Start time:16:14:02
                      Start date:23/03/2022
                      Path:C:\Users\user\AppData\Local\SUX56B\FileHistory.exe
                      Wow64 process (32bit):false
                      Commandline:C:\Users\user\AppData\Local\SUX56B\FileHistory.exe
                      Imagebase:0x7ff6f1240000
                      File size:246784 bytes
                      MD5 hash:989B5BDB2BEAC9F894BBC236F1B67967
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:.Net C# or VB.NET
                      Yara matches:
                      • Rule: JoeSecurity_Dridex_2, Description: Yara detected Dridex unpacked file, Source: 0000001F.00000002.477016719.00007FFFF0DB1000.00000020.00000001.01000000.00000013.sdmp, Author: Joe Security

                      Target ID:32
                      Start time:16:14:05
                      Start date:23/03/2022
                      Path:C:\Windows\System32\iexpress.exe
                      Wow64 process (32bit):false
                      Commandline:C:\Windows\system32\iexpress.exe
                      Imagebase:0x7ff6614e0000
                      File size:165888 bytes
                      MD5 hash:5EF563C2A4E7B7F4100ECD13B304FC48
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language

                      Target ID:33
                      Start time:16:14:07
                      Start date:23/03/2022
                      Path:C:\Users\user\AppData\Local\KGg\iexpress.exe
                      Wow64 process (32bit):false
                      Commandline:C:\Users\user\AppData\Local\KGg\iexpress.exe
                      Imagebase:0x7ff6ecf60000
                      File size:165888 bytes
                      MD5 hash:5EF563C2A4E7B7F4100ECD13B304FC48
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Yara matches:
                      • Rule: JoeSecurity_Dridex_2, Description: Yara detected Dridex unpacked file, Source: 00000021.00000002.512237394.00007FFFF0DB1000.00000020.00000001.01000000.00000016.sdmp, Author: Joe Security

                      Target ID:35
                      Start time:16:14:22
                      Start date:23/03/2022
                      Path:C:\Windows\System32\sppsvc.exe
                      Wow64 process (32bit):
                      Commandline:C:\Windows\system32\sppsvc.exe
                      Imagebase:
                      File size:4527680 bytes
                      MD5 hash:FEEC8055C5986182C717DD888000AEF6
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language

                      Target ID:36
                      Start time:16:14:24
                      Start date:23/03/2022
                      Path:C:\Users\user\AppData\Local\4gdyz\sppsvc.exe
                      Wow64 process (32bit):false
                      Commandline:C:\Users\user\AppData\Local\4gdyz\sppsvc.exe
                      Imagebase:0x7ff74eb10000
                      File size:4527680 bytes
                      MD5 hash:FEEC8055C5986182C717DD888000AEF6
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Yara matches:
                      • Rule: JoeSecurity_Dridex_2, Description: Yara detected Dridex unpacked file, Source: 00000024.00000002.560357001.00007FFFF6CC1000.00000020.00000001.01000000.00000018.sdmp, Author: Joe Security
                      Antivirus matches:
                      • Detection: 0%, Virustotal
                      • Detection: 0%, Metadefender
                      • Detection: 0%, ReversingLabs

                      Target ID:39
                      Start time:16:14:45
                      Start date:23/03/2022
                      Path:C:\Windows\System32\SystemPropertiesComputerName.exe
                      Wow64 process (32bit):false
                      Commandline:C:\Windows\system32\SystemPropertiesComputerName.exe
                      Imagebase:0x7ff7f9760000
                      File size:83968 bytes
                      MD5 hash:BEE134E1F23AFD3AE58191D265BB9070
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language

                      Target ID:40
                      Start time:16:14:47
                      Start date:23/03/2022
                      Path:C:\Users\user\AppData\Local\lcdNfR\SystemPropertiesComputerName.exe
                      Wow64 process (32bit):false
                      Commandline:C:\Users\user\AppData\Local\lcdNfR\SystemPropertiesComputerName.exe
                      Imagebase:0x7ff6726f0000
                      File size:83968 bytes
                      MD5 hash:BEE134E1F23AFD3AE58191D265BB9070
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Yara matches:
                      • Rule: JoeSecurity_Dridex_2, Description: Yara detected Dridex unpacked file, Source: 00000028.00000002.595122213.00007FFFE31A1000.00000020.00000001.01000000.0000001B.sdmp, Author: Joe Security

                      Target ID:41
                      Start time:16:15:03
                      Start date:23/03/2022
                      Path:C:\Windows\System32\InfDefaultInstall.exe
                      Wow64 process (32bit):false
                      Commandline:C:\Windows\system32\InfDefaultInstall.exe
                      Imagebase:0x7ff64c2b0000
                      File size:13312 bytes
                      MD5 hash:5FDB30927E9D4387D777443BF865EEFD
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language

                      No disassembly