

Windows Analysis Report
drytex.dll

Overview

General Information

Sample Name: drytex.dll
Analysis ID: 610526
MD5: b85405fc1d3a4473826d7ebd31111a50
SHA1: 4b62c6e56be21a0dc8f285a23ca62a055a768956
SHA256: 26af00a279ce082c2bb1db2cb50d2d590623e3f20e6c260d77ca77bf72b51797
Tags: dll, dridex, exe

Detection

Dridex
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Yara detected Dridex unpacked file
Multi AV Scanner detection for submitted file
Benign windows process drops PE files
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Changes memory attributes in foreign processes to executable or writable
Machine Learning detection for sample
Modifies the prolog of user mode functions (user mode inline hooks)
Queues an APC in another process (thread injection)
Sigma detected: Suspicious Call by Ordinal
Uses schtasks.exe or at.exe to add and modify task schedules
Uses Atom Bombing / ProGate to inject into other processes
PE file contains section with special chars
Queries the volume information (name, serial number etc) of a device
Uses code obfuscation techniques (call, push, ret)
Creates files inside the system directory
PE file contains sections with non-standard names
Queries the installation date of Windows
Detected potential crypto function
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to call native functions
Found dropped PE file which has not been started or loaded
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Entry point lies outside standard sections
PE file contains an invalid checksum
Drops PE files
Tries to load missing DLLs
Drops PE files to the windows directory (C:\Windows)
Found evasive API chain checking for process token information
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Binary contains a suspicious time stamp
Registers a DLL
PE file contains more sections than normal
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Dropped file seen in connection with other malware
Found large amount of non-executed APIs
Creates a process in suspended mode (likely to inject code)
Sigma detected: Autorun Keys Modification
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

  • System is w10x64
  • loaddll64.exe (PID: 7036 cmdline: loaddll64.exe "C:\Users\user\Desktop\drytex.dll" MD5: 4E8A40CAD6CCC047914E3A7830A2D8AA)
    • cmd.exe (PID: 7044 cmdline: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\drytex.dll",#1 MD5: 4E2ACF4F8A396486AB4268C94A6A245F)
      • rundll32.exe (PID: 7064 cmdline: rundll32.exe "C:\Users\user\Desktop\drytex.dll",#1 MD5: 73C519F050C20580F8A62C849D49215A)
        • conhost.exe (PID: 7112 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • regsvr32.exe (PID: 7052 cmdline: regsvr32.exe /s C:\Users\user\Desktop\drytex.dll MD5: D78B75FC68247E8A63ACBA846182740E)
      • explorer.exe (PID: 3968 cmdline: C:\Windows\Explorer.EXE MD5: AD5296B280E8F522A8A897C96BAB0E1D)
        • phoneactivate.exe (PID: 6868 cmdline: C:\Windows\system32\phoneactivate.exe MD5: 09D1974A03068D4311F1CE94B765E817)
        • cmd.exe (PID: 7064 cmdline: "C:\Windows\system32\cmd.exe" /c C:\Users\user\AppData\Local\Temp\V8Ka.cmd MD5: 4E2ACF4F8A396486AB4268C94A6A245F)
        • phoneactivate.exe (PID: 1988 cmdline: "C:\Users\user\AppData\Roaming\ThotvT\phoneactivate.exe" MD5: 09D1974A03068D4311F1CE94B765E817)
        • pwcreator.exe (PID: 1428 cmdline: C:\Windows\system32\pwcreator.exe MD5: BF33FA218E0B4F6AEC77616BE0F5DD9D)
        • SppExtComObj.Exe (PID: 6320 cmdline: C:\Windows\system32\SppExtComObj.Exe MD5: 809E11DECADAEBE2454EFEDD620C4769)
        • cmd.exe (PID: 6028 cmdline: "C:\Windows\system32\cmd.exe" /c C:\Users\user\AppData\Local\Temp\33sSd.cmd MD5: 4E2ACF4F8A396486AB4268C94A6A245F)
          • conhost.exe (PID: 6832 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
        • phoneactivate.exe (PID: 1908 cmdline: "C:\Users\user\AppData\Roaming\ThotvT\phoneactivate.exe" MD5: 09D1974A03068D4311F1CE94B765E817)
        • dllhost.exe (PID: 5520 cmdline: C:\Windows\system32\DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E} MD5: 2528137C6745C4EADD87817A1909677E)
        • schtasks.exe (PID: 5872 cmdline: "C:\Windows\System32\schtasks.exe" /Create /F /TN "Uttpj" /TR C:\Windows\system32\xs2t3d\SppExtComObj.Exe /SC minute /MO 60 /RL highest MD5: 838D346D1D28F00783B7A6C6BD03A0DA)
          • conhost.exe (PID: 3176 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
        • phoneactivate.exe (PID: 2384 cmdline: "C:\Users\user\AppData\Roaming\ThotvT\phoneactivate.exe" MD5: 09D1974A03068D4311F1CE94B765E817)
    • rundll32.exe (PID: 7072 cmdline: rundll32.exe C:\Users\user\Desktop\drytex.dll,DllCanUnloadNow MD5: 73C519F050C20580F8A62C849D49215A)
    • rundll32.exe (PID: 7132 cmdline: rundll32.exe C:\Users\user\Desktop\drytex.dll,DllGetClassObject MD5: 73C519F050C20580F8A62C849D49215A)
    • rundll32.exe (PID: 5168 cmdline: rundll32.exe C:\Users\user\Desktop\drytex.dll,DwmAttachMilContent MD5: 73C519F050C20580F8A62C849D49215A)
  • cleanup
No configs have been found
Source | Rule | Description | Author | Strings
00000006.00000002.255992853.0000000140001000.00000020.00000001.01000000.00000003.sdmp | JoeSecurity_Dridex_2 | Yara detected Dridex unpacked file | Joe Security |
0000002C.00000002.442591492.0000000140001000.00000020.00000001.01000000.0000000A.sdmp | JoeSecurity_Dridex_2 | Yara detected Dridex unpacked file | Joe Security |
00000017.00000002.454233782.0000000140001000.00000020.00000001.01000000.0000000A.sdmp | JoeSecurity_Dridex_2 | Yara detected Dridex unpacked file | Joe Security |
00000007.00000002.263687093.0000000140001000.00000020.00000001.01000000.00000003.sdmp | JoeSecurity_Dridex_2 | Yara detected Dridex unpacked file | Joe Security |
00000024.00000002.425949324.0000000140001000.00000020.00000001.01000000.0000000A.sdmp | JoeSecurity_Dridex_2 | Yara detected Dridex unpacked file | Joe Security |
Source | Rule | Description | Author | Strings
7.2.rundll32.exe.140000000.0.unpack | JoeSecurity_Dridex_2 | Yara detected Dridex unpacked file | Joe Security |
4.2.rundll32.exe.140000000.0.unpack | JoeSecurity_Dridex_2 | Yara detected Dridex unpacked file | Joe Security |
2.2.regsvr32.exe.140000000.2.unpack | JoeSecurity_Dridex_2 | Yara detected Dridex unpacked file | Joe Security |
44.2.phoneactivate.exe.140000000.0.unpack | JoeSecurity_Dridex_2 | Yara detected Dridex unpacked file | Joe Security |
6.2.rundll32.exe.140000000.0.unpack | JoeSecurity_Dridex_2 | Yara detected Dridex unpacked file | Joe Security |

System Summary

Source: Process started | Author: Florian Roth | Data: Command: rundll32.exe "C:\Users\user\Desktop\drytex.dll",#1, CommandLine: rundll32.exe "C:\Users\user\Desktop\drytex.dll",#1, CommandLine|base64offset|contains: , Image: C:\Windows\System32\rundll32.exe, NewProcessName: C:\Windows\System32\rundll32.exe, OriginalFileName: C:\Windows\System32\rundll32.exe, ParentCommandLine: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\drytex.dll",#1, ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 7044, ParentProcessName: cmd.exe, ProcessCommandLine: rundll32.exe "C:\Users\user\Desktop\drytex.dll",#1, ProcessId: 7064, ProcessName: rundll32.exe
Source: Registry Key set | Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton | Data: Details: C:\Users\user\AppData\Roaming\ThotvT\phoneactivate.exe, EventID: 13, EventType: SetValue, Image: C:\Windows\explorer.exe, ProcessId: 3968, TargetObject: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Conqxrew
Source: File created | Author: frack113 | Data: EventID: 11, Image: C:\Windows\System32\cmd.exe, ProcessId: 7064, TargetFilename: C:\Users\user\AppData\Roaming\ThotvT\phoneactivate.exe
Source: Process started | Author: frack113 | Data: Command: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1, CommandLine: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1, CommandLine|base64offset|contains: }}, Image: C:\Windows\System32\conhost.exe, NewProcessName: C:\Windows\System32\conhost.exe, OriginalFileName: C:\Windows\System32\conhost.exe, ParentCommandLine: rundll32.exe "C:\Users\user\Desktop\drytex.dll",#1, ParentImage: C:\Windows\System32\rundll32.exe, ParentProcessId: 7064, ParentProcessName: rundll32.exe, ProcessCommandLine: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1, ProcessId: 7112, ProcessName: conhost.exe
No Snort rule has matched


AV Detection

Source: drytex.dll | Virustotal: Detection: 60%
Source: drytex.dll | ReversingLabs: Detection: 76%
Source: drytex.dll | Avira: detected
Source: C:\Users\user\AppData\Local\Temp\Y1C20.tmp | Avira: detection malicious, Label: HEUR/AGEN.1207422
Source: C:\Users\user\AppData\Local\Temp\vmqDDCE.tmp | Avira: detection malicious, Label: HEUR/AGEN.1207422
Source: drytex.dll | Joe Sandbox ML: detected
Source: drytex.dll | Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA
Source: Binary string: SppExtComObj.pdb | source: SppExtComObj.Exe.30.dr
Source: Binary string: phoneactivate.pdb | source: cmd.exe, 00000013.00000003.380184797.000001CC86274000.00000004.00000020.00020000.00000000.sdmp, phoneactivate.exe, 00000017.00000000.402663485.00007FF744390000.00000002.00000001.01000000.00000009.sdmp, phoneactivate.exe, 00000017.00000002.455042289.00007FF744390000.00000002.00000001.01000000.00000009.sdmp, phoneactivate.exe, 00000024.00000000.420584441.00007FF744390000.00000002.00000001.01000000.00000009.sdmp, phoneactivate.exe, 00000024.00000002.427114230.00007FF744390000.00000002.00000001.01000000.00000009.sdmp, phoneactivate.exe, 0000002C.00000000.439008775.00007FF744390000.00000002.00000001.01000000.00000009.sdmp, phoneactivate.exe, 0000002C.00000002.443535019.00007FF744390000.00000002.00000001.01000000.00000009.sdmp, phoneactivate.exe.19.dr
Source: Binary string: phoneactivate.pdbGCTL | source: cmd.exe, 00000013.00000003.380184797.000001CC86274000.00000004.00000020.00020000.00000000.sdmp, phoneactivate.exe, 00000017.00000000.402663485.00007FF744390000.00000002.00000001.01000000.00000009.sdmp, phoneactivate.exe, 00000017.00000002.455042289.00007FF744390000.00000002.00000001.01000000.00000009.sdmp, phoneactivate.exe, 00000024.00000000.420584441.00007FF744390000.00000002.00000001.01000000.00000009.sdmp, phoneactivate.exe, 00000024.00000002.427114230.00007FF744390000.00000002.00000001.01000000.00000009.sdmp, phoneactivate.exe, 0000002C.00000000.439008775.00007FF744390000.00000002.00000001.01000000.00000009.sdmp, phoneactivate.exe, 0000002C.00000002.443535019.00007FF744390000.00000002.00000001.01000000.00000009.sdmp, phoneactivate.exe.19.dr
Source: Binary string: SppExtComObj.pdbUGP | source: SppExtComObj.Exe.30.dr
Source: Binary string: sgI.pdb | source: rundll32.exe, 00000003.00000003.248179831.000002639BD20000.00000004.00000020.00020000.00000000.sdmp, drytex.dll, Y1C20.tmp.5.dr, vmqDDCE.tmp.5.dr
Source: C:\Windows\System32\loaddll64.exe | Code function: 0_2_0000000140049724 FindFirstFileExW,0_2_0000000140049724
Source: phoneactivate.exe | String found in binary or memory: http://schemas.mic

E-Banking Fraud

Source: Yara match | File source: 7.2.rundll32.exe.140000000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.rundll32.exe.140000000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.regsvr32.exe.140000000.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 44.2.phoneactivate.exe.140000000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.2.rundll32.exe.140000000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.rundll32.exe.140000000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.loaddll64.exe.140000000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 23.2.phoneactivate.exe.140000000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 36.2.phoneactivate.exe.140000000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000006.00000002.255992853.0000000140001000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 0000002C.00000002.442591492.0000000140001000.00000020.00000001.01000000.0000000A.sdmp, type: MEMORY
Source: Yara match | File source: 00000017.00000002.454233782.0000000140001000.00000020.00000001.01000000.0000000A.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.263687093.0000000140001000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000024.00000002.425949324.0000000140001000.00000020.00000001.01000000.0000000A.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.269681895.0000000140001000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.248898952.0000000140001000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.337765155.0000000140001000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.248725971.0000000140001000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY

System Summary

Source: SppExtComObj.Exe.30.dr | Static PE information: section name: ?g_Encry
Source: C:\Windows\System32\cmd.exe | File created: C:\Windows\system32\xs2t3d
                      Source: C:\Users\user\AppData\Roaming\ThotvT\phoneactivate.exeCode function: 36_2_00007FF74438D22036_2_00007FF74438D220
                      Source: C:\Users\user\AppData\Roaming\ThotvT\phoneactivate.exeCode function: 36_2_00007FF74438CE2836_2_00007FF74438CE28
                      Source: C:\Users\user\AppData\Roaming\ThotvT\phoneactivate.exeCode function: 36_2_00007FF7443884DC36_2_00007FF7443884DC
                      Source: C:\Users\user\AppData\Roaming\ThotvT\phoneactivate.exeCode function: 36_2_00007FF744385EE036_2_00007FF744385EE0
                      Source: C:\Users\user\AppData\Roaming\ThotvT\phoneactivate.exeCode function: 36_2_00007FF7443812F836_2_00007FF7443812F8
                      Source: C:\Users\user\AppData\Roaming\ThotvT\phoneactivate.exeCode function: 36_2_00007FF74438730C36_2_00007FF74438730C
                      Source: C:\Users\user\AppData\Roaming\ThotvT\phoneactivate.exeCode function: String function: 00007FF744386104 appears 52 times
                      Source: C:\Windows\System32\loaddll64.exe | Code function: 0_2_000000014005284C NtQuerySystemInformation
                      Source: C:\Windows\System32\regsvr32.exe | Section loaded: sfc.dll
                      Source: C:\Windows\explorer.exe | Section loaded: pcacli.dll
                      Source: C:\Windows\explorer.exe | Section loaded: mpr.dll
                      Source: C:\Windows\explorer.exe | Section loaded: windows.globalization.dll
                      Source: C:\Windows\explorer.exe | Section loaded: capabilityaccessmanagerclient.dll
                      Source: drytex.dll | Static PE information: Number of sections : 57 > 10
                      Source: Y1C20.tmp.5.dr | Static PE information: Number of sections : 58 > 10
                      Source: vmqDDCE.tmp.5.dr | Static PE information: Number of sections : 58 > 10
                      Source: Joe Sandbox View | Dropped File: C:\Users\user\AppData\Roaming\ThotvT\phoneactivate.exe 5D4F713CFC98E7148B67D063193D93BFE29F8329705A03690590633FADE32EE5
                      Source: drytex.dll | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                      Source: Y1C20.tmp.5.dr | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                      Source: vmqDDCE.tmp.5.dr | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                      Source: SppExtComObj.Exe.30.dr | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                      Source: drytex.dll | Virustotal: Detection: 60%
                      Source: drytex.dll | ReversingLabs: Detection: 76%
                      Source: C:\Windows\System32\loaddll64.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                      Source: unknown | Process created: C:\Windows\System32\loaddll64.exe loaddll64.exe "C:\Users\user\Desktop\drytex.dll"
                      Source: C:\Windows\System32\loaddll64.exe | Process created: C:\Windows\System32\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\drytex.dll",#1
                      Source: C:\Windows\System32\loaddll64.exe | Process created: C:\Windows\System32\regsvr32.exe regsvr32.exe /s C:\Users\user\Desktop\drytex.dll
                      Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\drytex.dll",#1
                      Source: C:\Windows\System32\loaddll64.exe | Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\drytex.dll,DllCanUnloadNow
                      Source: C:\Windows\System32\loaddll64.exe | Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\drytex.dll,DllGetClassObject
                      Source: C:\Windows\System32\loaddll64.exe | Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\drytex.dll,DwmAttachMilContent
                      Source: C:\Windows\explorer.exe | Process created: C:\Windows\System32\phoneactivate.exe C:\Windows\system32\phoneactivate.exe
                      Source: C:\Windows\explorer.exe | Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /c C:\Users\user\AppData\Local\Temp\V8Ka.cmd
                      Source: C:\Windows\System32\rundll32.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Source: C:\Windows\explorer.exe | Process created: C:\Users\user\AppData\Roaming\ThotvT\phoneactivate.exe "C:\Users\user\AppData\Roaming\ThotvT\phoneactivate.exe"
                      Source: C:\Windows\explorer.exe | Process created: C:\Windows\System32\pwcreator.exe C:\Windows\system32\pwcreator.exe
                      Source: C:\Windows\explorer.exe | Process created: C:\Windows\System32\SppExtComObj.Exe C:\Windows\system32\SppExtComObj.Exe
                      Source: C:\Windows\explorer.exe | Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /c C:\Users\user\AppData\Local\Temp\33sSd.cmd
                      Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Source: C:\Windows\explorer.exe | Process created: C:\Users\user\AppData\Roaming\ThotvT\phoneactivate.exe "C:\Users\user\AppData\Roaming\ThotvT\phoneactivate.exe"
                      Source: C:\Windows\explorer.exe | Process created: C:\Windows\System32\dllhost.exe C:\Windows\system32\DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E}
                      Source: C:\Windows\explorer.exe | Process created: C:\Windows\System32\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /F /TN "Uttpj" /TR C:\Windows\system32\xs2t3d\SppExtComObj.Exe /SC minute /MO 60 /RL highest
                      Source: C:\Windows\System32\schtasks.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Source: C:\Windows\explorer.exe | Process created: C:\Users\user\AppData\Roaming\ThotvT\phoneactivate.exe "C:\Users\user\AppData\Roaming\ThotvT\phoneactivate.exe"
                      Source: C:\Windows\System32\loaddll64.exe | Process created: C:\Windows\System32\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\drytex.dll",#1
                      Source: C:\Windows\System32\loaddll64.exe | Process created: C:\Windows\System32\regsvr32.exe regsvr32.exe /s C:\Users\user\Desktop\drytex.dll
                      Source: C:\Windows\System32\loaddll64.exe | Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\drytex.dll,DllCanUnloadNow
                      Source: C:\Windows\System32\loaddll64.exe | Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\drytex.dll,DllGetClassObject
                      Source: C:\Windows\System32\loaddll64.exe | Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\drytex.dll,DwmAttachMilContent
                      Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\drytex.dll",#1
                      Source: C:\Windows\explorer.exe | Process created: C:\Windows\System32\phoneactivate.exe C:\Windows\system32\phoneactivate.exe
                      Source: C:\Windows\explorer.exe | Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /c C:\Users\user\AppData\Local\Temp\V8Ka.cmd
                      Source: C:\Windows\explorer.exe | Process created: C:\Users\user\AppData\Roaming\ThotvT\phoneactivate.exe "C:\Users\user\AppData\Roaming\ThotvT\phoneactivate.exe"
                      Source: C:\Windows\explorer.exe | Process created: C:\Windows\System32\pwcreator.exe C:\Windows\system32\pwcreator.exe
                      Source: C:\Windows\explorer.exe | Process created: C:\Windows\System32\SppExtComObj.Exe C:\Windows\system32\SppExtComObj.Exe
                      Source: C:\Windows\explorer.exe | Process created: C:\Users\user\AppData\Roaming\ThotvT\phoneactivate.exe "C:\Users\user\AppData\Roaming\ThotvT\phoneactivate.exe"
                      Source: C:\Windows\explorer.exe | Process created: C:\Users\user\AppData\Roaming\ThotvT\phoneactivate.exe "C:\Users\user\AppData\Roaming\ThotvT\phoneactivate.exe"
                      Source: C:\Windows\explorer.exe | Process created: unknown unknown
                      Source: C:\Windows\explorer.exe | Process created: C:\Windows\System32\dllhost.exe C:\Windows\system32\DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E}
                      Source: C:\Windows\explorer.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32
                      Source: C:\Windows\explorer.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Crypto
                      Source: C:\Windows\explorer.exe | File created: C:\Users\user\AppData\Local\Temp\vmqDDCE.tmp
                      Source: classification engine | Classification label: mal100.troj.evad.winDLL@40/10@0/0
                      Source: C:\Users\user\AppData\Roaming\ThotvT\phoneactivate.exe | Code function: 23_2_00007FF74438730C CoCreateInstance,GetProcessHeap,HeapAlloc,memset,memset,GetProcessHeap,HeapAlloc,memset,memset,GetProcessHeap,HeapAlloc,memset,memset,GetProcessHeap,HeapAlloc,memset,memset
                      Source: C:\Windows\explorer.exe | File read: C:\Users\desktop.ini
                      Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\drytex.dll",#1
                      Source: C:\Users\user\AppData\Roaming\ThotvT\phoneactivate.exe | Mutant created: \Sessions\1\BaseNamedObjects\{1d67e0a9-ab25-2d3a-f358-7073a8bb1c60}
                      Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3176:120:WilError_01
                      Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6832:120:WilError_01
                      Source: C:\Users\user\AppData\Roaming\ThotvT\phoneactivate.exe | Mutant created: \Sessions\1\BaseNamedObjects\{4ae5d0f4-7b10-3c35-b894-84b2027938b4}
                      Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7112:120:WilError_01
                      Source: C:\Users\user\AppData\Roaming\ThotvT\phoneactivate.exe | Code function: 23_2_00007FF744384794 FindResourceExW,GetLastError,LoadResource,LockResource
                      Source: Window Recorder | Window detected: More than 3 window changes detected
                      Source: drytex.dll | Static PE information: Image base 0x140000000 > 0x60000000
                      Source: drytex.dll | Static file information: File size 1253376 > 1048576
                      Source: drytex.dll | Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA
                      Source: Binary string: SppExtComObj.pdb source: SppExtComObj.Exe.30.dr
                      Source: Binary string: phoneactivate.pdb source: cmd.exe, 00000013.00000003.380184797.000001CC86274000.00000004.00000020.00020000.00000000.sdmp, phoneactivate.exe, 00000017.00000000.402663485.00007FF744390000.00000002.00000001.01000000.00000009.sdmp, phoneactivate.exe, 00000017.00000002.455042289.00007FF744390000.00000002.00000001.01000000.00000009.sdmp, phoneactivate.exe, 00000024.00000000.420584441.00007FF744390000.00000002.00000001.01000000.00000009.sdmp, phoneactivate.exe, 00000024.00000002.427114230.00007FF744390000.00000002.00000001.01000000.00000009.sdmp, phoneactivate.exe, 0000002C.00000000.439008775.00007FF744390000.00000002.00000001.01000000.00000009.sdmp, phoneactivate.exe, 0000002C.00000002.443535019.00007FF744390000.00000002.00000001.01000000.00000009.sdmp, phoneactivate.exe.19.dr
                      Source: Binary string: phoneactivate.pdbGCTL source: cmd.exe, 00000013.00000003.380184797.000001CC86274000.00000004.00000020.00020000.00000000.sdmp, phoneactivate.exe, 00000017.00000000.402663485.00007FF744390000.00000002.00000001.01000000.00000009.sdmp, phoneactivate.exe, 00000017.00000002.455042289.00007FF744390000.00000002.00000001.01000000.00000009.sdmp, phoneactivate.exe, 00000024.00000000.420584441.00007FF744390000.00000002.00000001.01000000.00000009.sdmp, phoneactivate.exe, 00000024.00000002.427114230.00007FF744390000.00000002.00000001.01000000.00000009.sdmp, phoneactivate.exe, 0000002C.00000000.439008775.00007FF744390000.00000002.00000001.01000000.00000009.sdmp, phoneactivate.exe, 0000002C.00000002.443535019.00007FF744390000.00000002.00000001.01000000.00000009.sdmp, phoneactivate.exe.19.dr
                      Source: Binary string: SppExtComObj.pdbUGP source: SppExtComObj.Exe.30.dr
                      Source: Binary string: sgI.pdb source: rundll32.exe, 00000003.00000003.248179831.000002639BD20000.00000004.00000020.00020000.00000000.sdmp, drytex.dll, Y1C20.tmp.5.dr, vmqDDCE.tmp.5.dr
                      Source: C:\Windows\System32\loaddll64.exe | Code function: 0_2_0000020ADDE83055 push rbx; retf 0_2_0000020ADDE8305A
                      Source: C:\Windows\System32\regsvr32.exe | Code function: 2_2_02873055 push rbx; retf 2_2_0287305A
                      Source: C:\Windows\System32\rundll32.exe | Code function: 3_2_000002639A343055 push rbx; retf 3_2_000002639A34305A
                      Source: C:\Windows\System32\rundll32.exe | Code function: 4_2_000001FFD9983055 push rbx; retf 4_2_000001FFD998305A
                      Source: C:\Windows\System32\rundll32.exe | Code function: 6_2_000001774A0A3055 push rbx; retf 6_2_000001774A0A305A
                      Source: C:\Windows\System32\rundll32.exe | Code function: 7_2_000001AC7B973055 push rbx; retf 7_2_000001AC7B97305A
                      Source: C:\Users\user\AppData\Roaming\ThotvT\phoneactivate.exe | Code function: 23_2_000001C248203055 push rbx; retf 23_2_000001C24820305A
                      Source: C:\Users\user\AppData\Roaming\ThotvT\phoneactivate.exe | Code function: 36_2_0000021222523055 push rbx; retf 36_2_000002122252305A
                      Source: C:\Users\user\AppData\Roaming\ThotvT\phoneactivate.exe | Code function: 44_2_0000025AA5963055 push rbx; retf 44_2_0000025AA596305A
                      Source: drytex.dll | Static PE information: section name: .crt1
                      Source: drytex.dll | Static PE information: section name: qwTG
                      Source: drytex.dll | Static PE information: section name: .lqen
                      Source: drytex.dll | Static PE information: section name: .vqb
                      Source: drytex.dll | Static PE information: section name: .gjd
                      Source: drytex.dll | Static PE information: section name: .wqhqlp
                      Source: drytex.dll | Static PE information: section name: .nulizw
                      Source: drytex.dll | Static PE information: sec