Windows Analysis Report
elBAfme5gQ

Overview

General Information

Sample Name: elBAfme5gQ (renamed file extension from none to dll)
Analysis ID: 595323
MD5: ca7c6f265e4bc09e6d9d0b2b6234e8b3
SHA1: 1720aadb4965df64ee40d32957ee6080500639b2
SHA256: a8f566b8d2d9f9a418211039cb76552d460f83195d519a89313a880ead9bd4a4
Tags: Dridexexe
Infos:

Detection

Dridex
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Yara detected Dridex unpacked file
Multi AV Scanner detection for submitted file
Benign windows process drops PE files
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Changes memory attributes in foreign processes to executable or writable
Machine Learning detection for sample
Modifies the prolog of user mode functions (user mode inline hooks)
Queues an APC in another process (thread injection)
Sigma detected: Suspicious Call by Ordinal
Machine Learning detection for dropped file
Uses Atom Bombing / ProGate to inject into other processes
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query locales information (e.g. system language)
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Contains functionality to execute programs as a different user
PE file contains sections with non-standard names
Queries the installation date of Windows
Detected potential crypto function
Found potential string decryption / allocating functions
Contains functionality to call native functions
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to dynamically determine API calls
Contains functionality which may be used to detect a debugger (GetProcessHeap)
PE file contains executable resources (Code or Archives)
Contains functionality for execution timing, often used to detect debuggers
Sample file is different than original file name gathered from version info
PE file contains strange resources
Drops PE files
Tries to load missing DLLs
Found evasive API chain checking for process token information
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Binary contains a suspicious time stamp
PE file contains more sections than normal
Found large amount of non-executed APIs
Uses Microsoft's Enhanced Cryptographic Provider
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

AV Detection

barindex
Source: elBAfme5gQ.dll Virustotal: Detection: 62% Perma Link
Source: elBAfme5gQ.dll Metadefender: Detection: 65% Perma Link
Source: elBAfme5gQ.dll ReversingLabs: Detection: 88%
Source: elBAfme5gQ.dll Avira: detected
Source: C:\Users\user\AppData\Local\WRsLe\DUI70.dll Avira: detection malicious, Label: TR/Crypt.XPACK.Gen4
Source: C:\Users\user\AppData\Local\daH0n9\credui.dll Avira: detection malicious, Label: TR/Crypt.XPACK.Gen7
Source: C:\Users\user\AppData\Local\WRsLe\DUI70.dll Avira: detection malicious, Label: TR/Crypt.XPACK.Gen4
Source: C:\Users\user\AppData\Local\A3MiXbeK\WINMM.dll Avira: detection malicious, Label: TR/Crypt.ZPACK.Gen
Source: elBAfme5gQ.dll Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\WRsLe\DUI70.dll Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\daH0n9\credui.dll Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\WRsLe\DUI70.dll Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\A3MiXbeK\WINMM.dll Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\daH0n9\WFS.exe Code function: 25_2_00007FF7E073F500 CryptProtectData,GetLastError,RegSetValueExW, 25_2_00007FF7E073F500
Source: C:\Users\user\AppData\Local\daH0n9\WFS.exe Code function: 25_2_00007FF7E073F5C8 RegQueryValueExW,RegQueryValueExW,CryptUnprotectData,GetLastError,LocalFree, 25_2_00007FF7E073F5C8
Source: elBAfme5gQ.dll Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA
Source: Binary string: DmNotificationBroker.pdb source: DmNotificationBroker.exe, 00000015.00000000.431514520.00007FF793F65000.00000002.00000001.01000000.0000000B.sdmp, DmNotificationBroker.exe, 00000015.00000002.455649631.00007FF793F65000.00000002.00000001.01000000.0000000B.sdmp, DmNotificationBroker.exe, 0000001F.00000000.502738188.00007FF6DC635000.00000002.00000001.01000000.0000000F.sdmp, DmNotificationBroker.exe, 0000001F.00000002.529497507.00007FF6DC635000.00000002.00000001.01000000.0000000F.sdmp, DmNotificationBroker.exe0.4.dr, DmNotificationBroker.exe.4.dr
Source: Binary string: PresentationSettings.pdb source: PresentationSettings.exe, 00000012.00000002.417779681.00007FF7B4466000.00000002.00000001.01000000.00000009.sdmp, PresentationSettings.exe, 00000012.00000000.394587436.00007FF7B4466000.00000002.00000001.01000000.00000009.sdmp, PresentationSettings.exe.4.dr
Source: Binary string: DmNotificationBroker.pdbGCTL source: DmNotificationBroker.exe, 00000015.00000000.431514520.00007FF793F65000.00000002.00000001.01000000.0000000B.sdmp, DmNotificationBroker.exe, 00000015.00000002.455649631.00007FF793F65000.00000002.00000001.01000000.0000000B.sdmp, DmNotificationBroker.exe, 0000001F.00000000.502738188.00007FF6DC635000.00000002.00000001.01000000.0000000F.sdmp, DmNotificationBroker.exe, 0000001F.00000002.529497507.00007FF6DC635000.00000002.00000001.01000000.0000000F.sdmp, DmNotificationBroker.exe0.4.dr, DmNotificationBroker.exe.4.dr
Source: Binary string: Wfs.pdbGCTL source: WFS.exe, 00000019.00000002.489112517.00007FF7E075C000.00000002.00000001.01000000.0000000D.sdmp, WFS.exe, 00000019.00000000.461037552.00007FF7E075C000.00000002.00000001.01000000.0000000D.sdmp, WFS.exe.4.dr
Source: Binary string: Wfs.pdb source: WFS.exe, 00000019.00000002.489112517.00007FF7E075C000.00000002.00000001.01000000.0000000D.sdmp, WFS.exe, 00000019.00000000.461037552.00007FF7E075C000.00000002.00000001.01000000.0000000D.sdmp, WFS.exe.4.dr
Source: Binary string: PresentationSettings.pdbGCTL source: PresentationSettings.exe, 00000012.00000002.417779681.00007FF7B4466000.00000002.00000001.01000000.00000009.sdmp, PresentationSettings.exe, 00000012.00000000.394587436.00007FF7B4466000.00000002.00000001.01000000.00000009.sdmp, PresentationSettings.exe.4.dr
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFC6471ED10 FindFirstFileExW, 0_2_00007FFC6471ED10
Source: C:\Users\user\AppData\Local\A3MiXbeK\PresentationSettings.exe Code function: 18_2_00007FF7B4464518 PathAppendW,FindFirstFileW,PathAppendW,GetLastError,PathFindExtensionW,StrCmpICW,FindNextFileW,FindClose,GetLastError, 18_2_00007FF7B4464518
Source: C:\Users\user\AppData\Local\A3MiXbeK\PresentationSettings.exe Code function: 18_2_00007FFC669CED10 FindFirstFileExW, 18_2_00007FFC669CED10
Source: C:\Users\user\AppData\Local\WRsLe\DmNotificationBroker.exe Code function: 21_2_00007FFC6697ED10 FindFirstFileExW, 21_2_00007FFC6697ED10
Source: C:\Users\user\AppData\Local\daH0n9\WFS.exe Code function: 25_2_00007FF7E07071B0 #626,memset,#6887,#1122,#1287,FindFirstFileW,GetLastError,#6886,#1122,#1287,#1287,#624,EnterCriticalSection,LeaveCriticalSection,FindNextFileW,GetLastError,FindClose,#6887,#1040,SendMessageW, 25_2_00007FF7E07071B0
Source: C:\Users\user\AppData\Local\daH0n9\WFS.exe Code function: 25_2_00007FF7E07389BC wcscpy_s,wcscat_s,FindFirstFileW,_wcsicmp,FindNextFileW,GetLastError,FindClose, 25_2_00007FF7E07389BC
Source: C:\Users\user\AppData\Local\daH0n9\WFS.exe Code function: 25_2_00007FF7E0705B40 #626,#626,memset,memset,#6887,#620,#1122,#1040,#1287,FindFirstFileW,GetLastError,#6886,#620,#1122,#1040,#1287,#1287,#620,EnterCriticalSection,LeaveCriticalSection,FindNextFileW,GetLastError,FindClose,#6887,#1040,#1040,SendMessageW, 25_2_00007FF7E0705B40
Source: C:\Users\user\AppData\Local\daH0n9\WFS.exe Code function: 25_2_00007FF7E07230D8 SendMessageW,GetLastError,wcschr,#626,#2846,FindFirstFileW,GetLastError,#1040,#626,memset,GetLastError,ReadFile,GetLastError,CloseHandle,FindNextFileW,GetLastError,FindClose,GetLastError,#1040,CloseHandle,SendMessageW,#4262,#640,#1122,#1040,#6395,#6395, 25_2_00007FF7E07230D8
Source: C:\Users\user\AppData\Local\daH0n9\WFS.exe Code function: 25_2_00007FF7E06FF0AC GetTempPathW,GetLastError,wcsrchr,_wcsnset,GetCurrentProcessId,FindFirstFileW,GetLastError,DeleteFileW,GetLastError,FindNextFileW,GetLastError,GetLastError,FindClose, 25_2_00007FF7E06FF0AC

E-Banking Fraud

barindex
Source: Yara match File source: 18.2.PresentationSettings.exe.7ffc66970000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 25.2.WFS.exe.7ffc66970000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.rundll32.exe.7ffc646c0000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 31.2.DmNotificationBroker.exe.7ffc67880000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.rundll32.exe.7ffc646c0000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.rundll32.exe.7ffc646c0000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.loaddll64.exe.7ffc646c0000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.rundll32.exe.7ffc646c0000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 21.2.DmNotificationBroker.exe.7ffc66920000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000015.00000002.455715001.00007FFC66921000.00000020.00000001.01000000.0000000C.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.382683427.00007FFC646C1000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 0000001F.00000002.529541082.00007FFC67881000.00000020.00000001.01000000.00000010.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.279312817.00007FFC646C1000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.265252224.00007FFC646C1000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.285761236.00007FFC646C1000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 00000019.00000002.489503728.00007FFC66971000.00000020.00000001.01000000.0000000E.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000002.417833376.00007FFC66971000.00000020.00000001.01000000.0000000A.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.271180425.00007FFC646C1000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFC6472D520 0_2_00007FFC6472D520
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFC64727650 0_2_00007FFC64727650
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFC6471DDC0 0_2_00007FFC6471DDC0
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFC647097D0 0_2_00007FFC647097D0
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFC646F5020 0_2_00007FFC646F5020
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFC64713150 0_2_00007FFC64713150
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFC646E7880 0_2_00007FFC646E7880
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFC646F59F0 0_2_00007FFC646F59F0
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFC6470CA50 0_2_00007FFC6470CA50
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFC646FAA70 0_2_00007FFC646FAA70
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFC6470A2C0 0_2_00007FFC6470A2C0
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFC646F3CF0 0_2_00007FFC646F3CF0
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFC646D3CD0 0_2_00007FFC646D3CD0
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFC646F5CD0 0_2_00007FFC646F5CD0
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFC646EAC80 0_2_00007FFC646EAC80
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFC646D9D70 0_2_00007FFC646D9D70
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFC6472E48B 0_2_00007FFC6472E48B
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFC6472A490 0_2_00007FFC6472A490
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFC6472E494 0_2_00007FFC6472E494
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFC6472E49D 0_2_00007FFC6472E49D
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFC64722CA0 0_2_00007FFC64722CA0
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFC6472E4A6 0_2_00007FFC6472E4A6
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFC646E3D50 0_2_00007FFC646E3D50
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFC646ED550 0_2_00007FFC646ED550
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFC6472E4AD 0_2_00007FFC6472E4AD
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFC6472E4B6 0_2_00007FFC6472E4B6
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFC646F1D30 0_2_00007FFC646F1D30
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFC646F0D10 0_2_00007FFC646F0D10
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFC646D65E0 0_2_00007FFC646D65E0
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFC646D95C0 0_2_00007FFC646D95C0
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFC646F25C0 0_2_00007FFC646F25C0
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFC64710650 0_2_00007FFC64710650
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFC646CC5A0 0_2_00007FFC646CC5A0
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFC646D8670 0_2_00007FFC646D8670
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFC646CDE20 0_2_00007FFC646CDE20
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFC646C1620 0_2_00007FFC646C1620
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFC646E3610 0_2_00007FFC646E3610
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFC646F2E10 0_2_00007FFC646F2E10
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFC64720F30 0_2_00007FFC64720F30
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFC646EF6B0 0_2_00007FFC646EF6B0
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFC646F06A0 0_2_00007FFC646F06A0
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFC64725760 0_2_00007FFC64725760
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFC646C6E90 0_2_00007FFC646C6E90
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFC6473BF6F 0_2_00007FFC6473BF6F
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFC64720770 0_2_00007FFC64720770
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFC646C7E80 0_2_00007FFC646C7E80
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFC646DE770 0_2_00007FFC646DE770
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFC646E2F50 0_2_00007FFC646E2F50
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFC6472A6B0 0_2_00007FFC6472A6B0
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFC64727EC0 0_2_00007FFC64727EC0
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFC646E872B 0_2_00007FFC646E872B
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFC646E6FE0 0_2_00007FFC646E6FE0
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFC646DA7D0 0_2_00007FFC646DA7D0
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFC646D8FC0 0_2_00007FFC646D8FC0
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFC64715840 0_2_00007FFC64715840
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFC646EE7B0 0_2_00007FFC646EE7B0
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFC646C6790 0_2_00007FFC646C6790
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFC6470F870 0_2_00007FFC6470F870
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFC6472C780 0_2_00007FFC6472C780
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFC6473EF80 0_2_00007FFC6473EF80
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFC646FF870 0_2_00007FFC646FF870
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFC6473B7A0 0_2_00007FFC6473B7A0
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFC646E5050 0_2_00007FFC646E5050
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFC646EC030 0_2_00007FFC646EC030
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFC646F0020 0_2_00007FFC646F0020
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFC646C1010 0_2_00007FFC646C1010
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFC64734FF0 0_2_00007FFC64734FF0
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFC646E4800 0_2_00007FFC646E4800
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFC646C18D0 0_2_00007FFC646C18D0
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFC646D08B0 0_2_00007FFC646D08B0
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFC64726950 0_2_00007FFC64726950
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFC6472B960 0_2_00007FFC6472B960
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFC646DD890 0_2_00007FFC646DD890
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFC646E4140 0_2_00007FFC646E4140
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFC646F6130 0_2_00007FFC646F6130
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFC646DE110 0_2_00007FFC646DE110
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFC646E3910 0_2_00007FFC646E3910
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFC646CB100 0_2_00007FFC646CB100
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFC646EF1F0 0_2_00007FFC646EF1F0
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFC646F91F0 0_2_00007FFC646F91F0
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFC646F89F0 0_2_00007FFC646F89F0
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFC646F21D0 0_2_00007FFC646F21D0
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFC646E69C0 0_2_00007FFC646E69C0
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFC646DE9B0 0_2_00007FFC646DE9B0
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFC646E11B0 0_2_00007FFC646E11B0
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFC646EE9A0 0_2_00007FFC646EE9A0
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFC6472B260 0_2_00007FFC6472B260
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFC646F9990 0_2_00007FFC646F9990
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFC646C2980 0_2_00007FFC646C2980
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFC646FB250 0_2_00007FFC646FB250
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFC646C7A40 0_2_00007FFC646C7A40
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFC646E82E0 0_2_00007FFC646E82E0
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFC646FBAE0 0_2_00007FFC646FBAE0
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFC646E92C0 0_2_00007FFC646E92C0
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFC64725B50 0_2_00007FFC64725B50
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFC646EDAA0 0_2_00007FFC646EDAA0
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFC646F4360 0_2_00007FFC646F4360
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFC647282A0 0_2_00007FFC647282A0
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFC6472AAA0 0_2_00007FFC6472AAA0
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFC646C5350 0_2_00007FFC646C5350
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFC646E3340 0_2_00007FFC646E3340
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFC646D8340 0_2_00007FFC646D8340
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFC6471F2C0 0_2_00007FFC6471F2C0
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFC646F1B30 0_2_00007FFC646F1B30
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFC646CBB20 0_2_00007FFC646CBB20
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFC64722AE0 0_2_00007FFC64722AE0
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFC646EA310 0_2_00007FFC646EA310
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFC64727AF0 0_2_00007FFC64727AF0
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFC646F0300 0_2_00007FFC646F0300
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFC6472E400 0_2_00007FFC6472E400
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFC646D23F0 0_2_00007FFC646D23F0
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFC64729410 0_2_00007FFC64729410
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFC64724390 0_2_00007FFC64724390
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFC64714BC0 0_2_00007FFC64714BC0
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFC646D5420 0_2_00007FFC646D5420
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFC646C5C20 0_2_00007FFC646C5C20
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFC646D7410 0_2_00007FFC646D7410
Source: C:\Users\user\AppData\Local\A3MiXbeK\PresentationSettings.exe Code function: 18_2_00007FF7B4464374 18_2_00007FF7B4464374
Source: C:\Users\user\AppData\Local\A3MiXbeK\PresentationSettings.exe Code function: 18_2_00007FF7B4452D90 18_2_00007FF7B4452D90
Source: C:\Users\user\AppData\Local\A3MiXbeK\PresentationSettings.exe Code function: 18_2_00007FF7B4453278 18_2_00007FF7B4453278
Source: C:\Users\user\AppData\Local\A3MiXbeK\PresentationSettings.exe Code function: 18_2_00007FF7B4463034 18_2_00007FF7B4463034
Source: C:\Users\user\AppData\Local\A3MiXbeK\PresentationSettings.exe Code function: 18_2_00007FF7B445441C 18_2_00007FF7B445441C
Source: C:\Users\user\AppData\Local\A3MiXbeK\PresentationSettings.exe Code function: 18_2_00007FF7B446354C 18_2_00007FF7B446354C
Source: C:\Users\user\AppData\Local\A3MiXbeK\PresentationSettings.exe Code function: 18_2_00007FF7B4463CDC 18_2_00007FF7B4463CDC
Source: C:\Users\user\AppData\Local\A3MiXbeK\PresentationSettings.exe Code function: 18_2_00007FF7B44536DC 18_2_00007FF7B44536DC
Source: C:\Users\user\AppData\Local\A3MiXbeK\PresentationSettings.exe Code function: 18_2_00007FF7B445649C 18_2_00007FF7B445649C
Source: C:\Users\user\AppData\Local\A3MiXbeK\PresentationSettings.exe Code function: 18_2_00007FF7B44556A4 18_2_00007FF7B44556A4
Source: C:\Users\user\AppData\Local\A3MiXbeK\PresentationSettings.exe Code function: 18_2_00007FF7B44639C8 18_2_00007FF7B44639C8
Source: C:\Users\user\AppData\Local\A3MiXbeK\PresentationSettings.exe Code function: 18_2_00007FFC669A5020 18_2_00007FFC669A5020
Source: C:\Users\user\AppData\Local\A3MiXbeK\PresentationSettings.exe Code function: 18_2_00007FFC669B97D0 18_2_00007FFC669B97D0
Source: C:\Users\user\AppData\Local\A3MiXbeK\PresentationSettings.exe Code function: 18_2_00007FFC669DD520 18_2_00007FFC669DD520
Source: C:\Users\user\AppData\Local\A3MiXbeK\PresentationSettings.exe Code function: 18_2_00007FFC669A5CD0 18_2_00007FFC669A5CD0
Source: C:\Users\user\AppData\Local\A3MiXbeK\PresentationSettings.exe Code function: 18_2_00007FFC669D7650 18_2_00007FFC669D7650
Source: C:\Users\user\AppData\Local\A3MiXbeK\PresentationSettings.exe Code function: 18_2_00007FFC669CDDC0 18_2_00007FFC669CDDC0
Source: C:\Users\user\AppData\Local\A3MiXbeK\PresentationSettings.exe Code function: 18_2_00007FFC669ABAE0 18_2_00007FFC669ABAE0
Source: C:\Users\user\AppData\Local\A3MiXbeK\PresentationSettings.exe Code function: 18_2_00007FFC669BA2C0 18_2_00007FFC669BA2C0
Source: C:\Users\user\AppData\Local\A3MiXbeK\PresentationSettings.exe Code function: 18_2_00007FFC669C3150 18_2_00007FFC669C3150
Source: C:\Users\user\AppData\Local\A3MiXbeK\PresentationSettings.exe Code function: 18_2_00007FFC66997880 18_2_00007FFC66997880
Source: C:\Users\user\AppData\Local\A3MiXbeK\PresentationSettings.exe Code function: 18_2_00007FFC669AAA70 18_2_00007FFC669AAA70
Source: C:\Users\user\AppData\Local\A3MiXbeK\PresentationSettings.exe Code function: 18_2_00007FFC669BCA50 18_2_00007FFC669BCA50
Source: C:\Users\user\AppData\Local\A3MiXbeK\PresentationSettings.exe Code function: 18_2_00007FFC669A59F0 18_2_00007FFC669A59F0
Source: C:\Users\user\AppData\Local\A3MiXbeK\PresentationSettings.exe Code function: 18_2_00007FFC6699872B 18_2_00007FFC6699872B
Source: C:\Users\user\AppData\Local\A3MiXbeK\PresentationSettings.exe Code function: 18_2_00007FFC669D0F30 18_2_00007FFC669D0F30
Source: C:\Users\user\AppData\Local\A3MiXbeK\PresentationSettings.exe Code function: 18_2_00007FFC669D5760 18_2_00007FFC669D5760
Source: C:\Users\user\AppData\Local\A3MiXbeK\PresentationSettings.exe Code function: 18_2_00007FFC669D0770 18_2_00007FFC669D0770
Source: C:\Users\user\AppData\Local\A3MiXbeK\PresentationSettings.exe Code function: 18_2_00007FFC6698E770 18_2_00007FFC6698E770
Source: C:\Users\user\AppData\Local\A3MiXbeK\PresentationSettings.exe Code function: 18_2_00007FFC669EBF6F 18_2_00007FFC669EBF6F
Source: C:\Users\user\AppData\Local\A3MiXbeK\PresentationSettings.exe Code function: 18_2_00007FFC66992F50 18_2_00007FFC66992F50
Source: C:\Users\user\AppData\Local\A3MiXbeK\PresentationSettings.exe Code function: 18_2_00007FFC669A06A0 18_2_00007FFC669A06A0
Source: C:\Users\user\AppData\Local\A3MiXbeK\PresentationSettings.exe Code function: 18_2_00007FFC669DA6B0 18_2_00007FFC669DA6B0
Source: C:\Users\user\AppData\Local\A3MiXbeK\PresentationSettings.exe Code function: 18_2_00007FFC6699F6B0 18_2_00007FFC6699F6B0
Source: C:\Users\user\AppData\Local\A3MiXbeK\PresentationSettings.exe Code function: 18_2_00007FFC66977E80 18_2_00007FFC66977E80
Source: C:\Users\user\AppData\Local\A3MiXbeK\PresentationSettings.exe Code function: 18_2_00007FFC66976E90 18_2_00007FFC66976E90
Source: C:\Users\user\AppData\Local\A3MiXbeK\PresentationSettings.exe Code function: 18_2_00007FFC669D7EC0 18_2_00007FFC669D7EC0
Source: C:\Users\user\AppData\Local\A3MiXbeK\PresentationSettings.exe Code function: 18_2_00007FFC669F0820 18_2_00007FFC669F0820
Source: C:\Users\user\AppData\Local\A3MiXbeK\PresentationSettings.exe Code function: 18_2_00007FFC669A0020 18_2_00007FFC669A0020
Source: C:\Users\user\AppData\Local\A3MiXbeK\PresentationSettings.exe Code function: 18_2_00007FFC6699C030 18_2_00007FFC6699C030
Source: C:\Users\user\AppData\Local\A3MiXbeK\PresentationSettings.exe Code function: 18_2_00007FFC66994800 18_2_00007FFC66994800
Source: C:\Users\user\AppData\Local\A3MiXbeK\PresentationSettings.exe Code function: 18_2_00007FFC66971010 18_2_00007FFC66971010
Source: C:\Users\user\AppData\Local\A3MiXbeK\PresentationSettings.exe Code function: 18_2_00007FFC669AF870 18_2_00007FFC669AF870
Source: C:\Users\user\AppData\Local\A3MiXbeK\PresentationSettings.exe Code function: 18_2_00007FFC669BF870 18_2_00007FFC669BF870
Source: C:\Users\user\AppData\Local\A3MiXbeK\PresentationSettings.exe Code function: 18_2_00007FFC669C5840 18_2_00007FFC669C5840
Source: C:\Users\user\AppData\Local\A3MiXbeK\PresentationSettings.exe Code function: 18_2_00007FFC66995050 18_2_00007FFC66995050
Source: C:\Users\user\AppData\Local\A3MiXbeK\PresentationSettings.exe Code function: 18_2_00007FFC669EB7A0 18_2_00007FFC669EB7A0
Source: C:\Users\user\AppData\Local\A3MiXbeK\PresentationSettings.exe Code function: 18_2_00007FFC6699E7B0 18_2_00007FFC6699E7B0
Source: C:\Users\user\AppData\Local\A3MiXbeK\PresentationSettings.exe Code function: 18_2_00007FFC669DC780 18_2_00007FFC669DC780
Source: C:\Users\user\AppData\Local\A3MiXbeK\PresentationSettings.exe Code function: 18_2_00007FFC669EEF80 18_2_00007FFC669EEF80
Source: C:\Users\user\AppData\Local\A3MiXbeK\PresentationSettings.exe Code function: 18_2_00007FFC66976790 18_2_00007FFC66976790
Source: C:\Users\user\AppData\Local\A3MiXbeK\PresentationSettings.exe Code function: 18_2_00007FFC66996FE0 18_2_00007FFC66996FE0
Source: C:\Users\user\AppData\Local\A3MiXbeK\PresentationSettings.exe Code function: 18_2_00007FFC669E4FF0 18_2_00007FFC669E4FF0
Source: C:\Users\user\AppData\Local\A3MiXbeK\PresentationSettings.exe Code function: 18_2_00007FFC66988FC0 18_2_00007FFC66988FC0
Source: C:\Users\user\AppData\Local\A3MiXbeK\PresentationSettings.exe Code function: 18_2_00007FFC6698A7D0 18_2_00007FFC6698A7D0
Source: C:\Users\user\AppData\Local\A3MiXbeK\PresentationSettings.exe Code function: 18_2_00007FFC669C8D20 18_2_00007FFC669C8D20
Source: C:\Users\user\AppData\Local\A3MiXbeK\PresentationSettings.exe Code function: 18_2_00007FFC669A1D30 18_2_00007FFC669A1D30
Source: C:\Users\user\AppData\Local\A3MiXbeK\PresentationSettings.exe Code function: 18_2_00007FFC669A0D10 18_2_00007FFC669A0D10
Source: C:\Users\user\AppData\Local\A3MiXbeK\PresentationSettings.exe Code function: 18_2_00007FFC66989D70 18_2_00007FFC66989D70
Source: C:\Users\user\AppData\Local\A3MiXbeK\PresentationSettings.exe Code function: 18_2_00007FFC66993D50 18_2_00007FFC66993D50
Source: C:\Users\user\AppData\Local\A3MiXbeK\PresentationSettings.exe Code function: 18_2_00007FFC6699D550 18_2_00007FFC6699D550
Source: C:\Users\user\AppData\Local\A3MiXbeK\PresentationSettings.exe Code function: 18_2_00007FFC669DE4A6 18_2_00007FFC669DE4A6
Source: C:\Users\user\AppData\Local\A3MiXbeK\PresentationSettings.exe Code function: 18_2_00007FFC669D2CA0 18_2_00007FFC669D2CA0
Source: C:\Users\user\AppData\Local\A3MiXbeK\PresentationSettings.exe Code function: 18_2_00007FFC669DE49D 18_2_00007FFC669DE49D
Source: C:\Users\user\AppData\Local\A3MiXbeK\PresentationSettings.exe Code function: 18_2_00007FFC669DE4B6 18_2_00007FFC669DE4B6
Source: C:\Users\user\AppData\Local\A3MiXbeK\PresentationSettings.exe Code function: 18_2_00007FFC669DE4AD 18_2_00007FFC669DE4AD
Source: C:\Users\user\AppData\Local\A3MiXbeK\PresentationSettings.exe Code function: 18_2_00007FFC669DE48B 18_2_00007FFC669DE48B
Source: C:\Users\user\AppData\Local\A3MiXbeK\PresentationSettings.exe Code function: 18_2_00007FFC6699AC80 18_2_00007FFC6699AC80
Source: C:\Users\user\AppData\Local\A3MiXbeK\PresentationSettings.exe Code function: 18_2_00007FFC669DE494 18_2_00007FFC669DE494
Source: C:\Users\user\AppData\Local\A3MiXbeK\PresentationSettings.exe Code function: 18_2_00007FFC669DA490 18_2_00007FFC669DA490
Source: C:\Users\user\AppData\Local\A3MiXbeK\PresentationSettings.exe Code function: 18_2_00007FFC669A3CF0 18_2_00007FFC669A3CF0
Source: C:\Users\user\AppData\Local\A3MiXbeK\PresentationSettings.exe Code function: 18_2_00007FFC66983CD0 18_2_00007FFC66983CD0
Source: C:\Users\user\AppData\Local\A3MiXbeK\PresentationSettings.exe Code function: 18_2_00007FFC66971620 18_2_00007FFC66971620
Source: C:\Users\user\AppData\Local\A3MiXbeK\PresentationSettings.exe Code function: 18_2_00007FFC6697DE20 18_2_00007FFC6697DE20
Source: C:\Users\user\AppData\Local\A3MiXbeK\PresentationSettings.exe Code function: 18_2_00007FFC66993610 18_2_00007FFC66993610
Source: C:\Users\user\AppData\Local\A3MiXbeK\PresentationSettings.exe Code function: 18_2_00007FFC669A2E10 18_2_00007FFC669A2E10
Source: C:\Users\user\AppData\Local\A3MiXbeK\PresentationSettings.exe Code function: 18_2_00007FFC66988670 18_2_00007FFC66988670
Source: C:\Users\user\AppData\Local\A3MiXbeK\PresentationSettings.exe Code function: 18_2_00007FFC669C0650 18_2_00007FFC669C0650
Source: C:\Users\user\AppData\Local\A3MiXbeK\PresentationSettings.exe Code function: 18_2_00007FFC6697C5A0 18_2_00007FFC6697C5A0
Source: C:\Users\user\AppData\Local\A3MiXbeK\PresentationSettings.exe Code function: 18_2_00007FFC669EC590 18_2_00007FFC669EC590
Source: C:\Users\user\AppData\Local\A3MiXbeK\PresentationSettings.exe Code function: 18_2_00007FFC669865E0 18_2_00007FFC669865E0
Source: C:\Users\user\AppData\Local\A3MiXbeK\PresentationSettings.exe Code function: 18_2_00007FFC669895C0 18_2_00007FFC669895C0
Source: C:\Users\user\AppData\Local\A3MiXbeK\PresentationSettings.exe Code function: 18_2_00007FFC669A25C0 18_2_00007FFC669A25C0
Source: C:\Users\user\AppData\Local\A3MiXbeK\PresentationSettings.exe Code function: 18_2_00007FFC6697BB20 18_2_00007FFC6697BB20
Source: C:\Users\user\AppData\Local\A3MiXbeK\PresentationSettings.exe Code function: 18_2_00007FFC669A1B30 18_2_00007FFC669A1B30
Source: C:\Users\user\AppData\Local\A3MiXbeK\PresentationSettings.exe Code function: 18_2_00007FFC669A0300 18_2_00007FFC669A0300
Source: C:\Users\user\AppData\Local\A3MiXbeK\PresentationSettings.exe Code function: 18_2_00007FFC6699A310 18_2_00007FFC6699A310
Source: C:\Users\user\AppData\Local\A3MiXbeK\PresentationSettings.exe Code function: 18_2_00007FFC669A4360 18_2_00007FFC669A4360
Source: C:\Users\user\AppData\Local\A3MiXbeK\PresentationSettings.exe Code function: 18_2_00007FFC66993340 18_2_00007FFC66993340
Source: C:\Users\user\AppData\Local\A3MiXbeK\PresentationSettings.exe Code function: 18_2_00007FFC66988340 18_2_00007FFC66988340
Source: C:\Users\user\AppData\Local\A3MiXbeK\PresentationSettings.exe Code function: 18_2_00007FFC66975350 18_2_00007FFC66975350
Source: C:\Users\user\AppData\Local\A3MiXbeK\PresentationSettings.exe Code function: 18_2_00007FFC669D5B50 18_2_00007FFC669D5B50
Source: C:\Users\user\AppData\Local\A3MiXbeK\PresentationSettings.exe Code function: 18_2_00007FFC669D82A0 18_2_00007FFC669D82A0
Source: C:\Users\user\AppData\Local\A3MiXbeK\PresentationSettings.exe Code function: 18_2_00007FFC669DAAA0 18_2_00007FFC669DAAA0
Source: C:\Users\user\AppData\Local\A3MiXbeK\PresentationSettings.exe Code function: 18_2_00007FFC6699DAA0 18_2_00007FFC6699DAA0
Source: C:\Users\user\AppData\Local\A3MiXbeK\PresentationSettings.exe Code function: 18_2_00007FFC669D2AE0 18_2_00007FFC669D2AE0
Source: C:\Users\user\AppData\Local\A3MiXbeK\PresentationSettings.exe Code function: 18_2_00007FFC669982E0 18_2_00007FFC669982E0
Source: C:\Users\user\AppData\Local\A3MiXbeK\PresentationSettings.exe Code function: 18_2_00007FFC669D7AF0 18_2_00007FFC669D7AF0
Source: C:\Users\user\AppData\Local\A3MiXbeK\PresentationSettings.exe Code function: 18_2_00007FFC669CF2C0 18_2_00007FFC669CF2C0
Source: C:\Users\user\AppData\Local\A3MiXbeK\PresentationSettings.exe Code function: 18_2_00007FFC669992C0 18_2_00007FFC669992C0
Source: C:\Users\user\AppData\Local\A3MiXbeK\PresentationSettings.exe Code function: 18_2_00007FFC669C22C0 18_2_00007FFC669C22C0
Source: C:\Users\user\AppData\Local\A3MiXbeK\PresentationSettings.exe Code function: 18_2_00007FFC66975C20 18_2_00007FFC66975C20
Source: C:\Users\user\AppData\Local\A3MiXbeK\PresentationSettings.exe Code function: 18_2_00007FFC66985420 18_2_00007FFC66985420
Source: C:\Users\user\AppData\Local\A3MiXbeK\PresentationSettings.exe Code function: 18_2_00007FFC669DE400 18_2_00007FFC669DE400
Source: C:\Users\user\AppData\Local\A3MiXbeK\PresentationSettings.exe Code function: 18_2_00007FFC669EFC00 18_2_00007FFC669EFC00
Source: C:\Users\user\AppData\Local\A3MiXbeK\PresentationSettings.exe Code function: 18_2_00007FFC66987410 18_2_00007FFC66987410
Source: C:\Users\user\AppData\Local\A3MiXbeK\PresentationSettings.exe Code function: 18_2_00007FFC669D9410 18_2_00007FFC669D9410
Source: C:\Users\user\AppData\Local\A3MiXbeK\PresentationSettings.exe Code function: 18_2_00007FFC669D4390 18_2_00007FFC669D4390
Source: C:\Users\user\AppData\Local\A3MiXbeK\PresentationSettings.exe Code function: 18_2_00007FFC669823F0 18_2_00007FFC669823F0
Source: C:\Users\user\AppData\Local\A3MiXbeK\PresentationSettings.exe Code function: 18_2_00007FFC669C4BC0 18_2_00007FFC669C4BC0
Source: C:\Users\user\AppData\Local\A3MiXbeK\PresentationSettings.exe Code function: 18_2_00007FFC669A6130 18_2_00007FFC669A6130
Source: C:\Users\user\AppData\Local\A3MiXbeK\PresentationSettings.exe Code function: 18_2_00007FFC6697B100 18_2_00007FFC6697B100
Source: C:\Users\user\AppData\Local\A3MiXbeK\PresentationSettings.exe Code function: 18_2_00007FFC6698E110 18_2_00007FFC6698E110
Source: C:\Users\user\AppData\Local\A3MiXbeK\PresentationSettings.exe Code function: 18_2_00007FFC66993910 18_2_00007FFC66993910
Source: C:\Users\user\AppData\Local\A3MiXbeK\PresentationSettings.exe Code function: 18_2_00007FFC669DB960 18_2_00007FFC669DB960
Source: C:\Users\user\AppData\Local\A3MiXbeK\PresentationSettings.exe Code function: 18_2_00007FFC66994140 18_2_00007FFC66994140
Source: C:\Users\user\AppData\Local\A3MiXbeK\PresentationSettings.exe Code function: 18_2_00007FFC669D6950 18_2_00007FFC669D6950
Source: C:\Users\user\AppData\Local\A3MiXbeK\PresentationSettings.exe Code function: 18_2_00007FFC669808B0 18_2_00007FFC669808B0
Source: C:\Users\user\AppData\Local\A3MiXbeK\PresentationSettings.exe Code function: 18_2_00007FFC669EC8B1 18_2_00007FFC669EC8B1
Source: C:\Users\user\AppData\Local\A3MiXbeK\PresentationSettings.exe Code function: 18_2_00007FFC6698D890 18_2_00007FFC6698D890
Source: C:\Users\user\AppData\Local\A3MiXbeK\PresentationSettings.exe Code function: 18_2_00007FFC669EC0EB 18_2_00007FFC669EC0EB
Source: C:\Users\user\AppData\Local\A3MiXbeK\PresentationSettings.exe Code function: 18_2_00007FFC669718D0 18_2_00007FFC669718D0
Source: C:\Users\user\AppData\Local\A3MiXbeK\PresentationSettings.exe Code function: 18_2_00007FFC669DB260 18_2_00007FFC669DB260
Source: C:\Users\user\AppData\Local\A3MiXbeK\PresentationSettings.exe Code function: 18_2_00007FFC66977A40 18_2_00007FFC66977A40
Source: C:\Users\user\AppData\Local\A3MiXbeK\PresentationSettings.exe Code function: 18_2_00007FFC669AB250 18_2_00007FFC669AB250
Source: C:\Users\user\AppData\Local\A3MiXbeK\PresentationSettings.exe Code function: 18_2_00007FFC6699E9A0 18_2_00007FFC6699E9A0
Source: C:\Users\user\AppData\Local\A3MiXbeK\PresentationSettings.exe Code function: 18_2_00007FFC6698E9B0 18_2_00007FFC6698E9B0
Source: C:\Users\user\AppData\Local\A3MiXbeK\PresentationSettings.exe Code function: 18_2_00007FFC669911B0 18_2_00007FFC669911B0
Source: C:\Users\user\AppData\Local\A3MiXbeK\PresentationSettings.exe Code function: 18_2_00007FFC66972980 18_2_00007FFC66972980
Source: C:\Users\user\AppData\Local\A3MiXbeK\PresentationSettings.exe Code function: 18_2_00007FFC669A9990 18_2_00007FFC669A9990
Source: C:\Users\user\AppData\Local\A3MiXbeK\PresentationSettings.exe Code function: 18_2_00007FFC6699F1F0 18_2_00007FFC6699F1F0
Source: C:\Users\user\AppData\Local\A3MiXbeK\PresentationSettings.exe Code function: 18_2_00007FFC669A91F0 18_2_00007FFC669A91F0
Source: C:\Users\user\AppData\Local\A3MiXbeK\PresentationSettings.exe Code function: 18_2_00007FFC669A89F0 18_2_00007FFC669A89F0
Source: C:\Users\user\AppData\Local\A3MiXbeK\PresentationSettings.exe Code function: 18_2_00007FFC669969C0 18_2_00007FFC669969C0
Source: C:\Users\user\AppData\Local\A3MiXbeK\PresentationSettings.exe Code function: 18_2_00007FFC669A21D0 18_2_00007FFC669A21D0
Source: C:\Users\user\AppData\Local\WRsLe\DmNotificationBroker.exe Code function: 21_2_00007FFC66955020 21_2_00007FFC66955020
Source: C:\Users\user\AppData\Local\WRsLe\DmNotificationBroker.exe Code function: 21_2_00007FFC669697D0 21_2_00007FFC669697D0
Source: C:\Users\user\AppData\Local\WRsLe\DmNotificationBroker.exe Code function: 21_2_00007FFC6698D520 21_2_00007FFC6698D520
Source: C:\Users\user\AppData\Local\WRsLe\DmNotificationBroker.exe Code function: 21_2_00007FFC66955CD0 21_2_00007FFC66955CD0
Source: C:\Users\user\AppData\Local\WRsLe\DmNotificationBroker.exe Code function: 21_2_00007FFC66987650 21_2_00007FFC66987650
Source: C:\Users\user\AppData\Local\WRsLe\DmNotificationBroker.exe Code function: 21_2_00007FFC6697DDC0 21_2_00007FFC6697DDC0
Source: C:\Users\user\AppData\Local\WRsLe\DmNotificationBroker.exe Code function: 21_2_00007FFC6695BAE0 21_2_00007FFC6695BAE0
Source: C:\Users\user\AppData\Local\WRsLe\DmNotificationBroker.exe Code function: 21_2_00007FFC6696A2C0 21_2_00007FFC6696A2C0
Source: C:\Users\user\AppData\Local\WRsLe\DmNotificationBroker.exe Code function: 21_2_00007FFC66973150 21_2_00007FFC66973150
Source: C:\Users\user\AppData\Local\WRsLe\DmNotificationBroker.exe Code function: 21_2_00007FFC66947880 21_2_00007FFC66947880
Source: C:\Users\user\AppData\Local\WRsLe\DmNotificationBroker.exe Code function: 21_2_00007FFC6695AA70 21_2_00007FFC6695AA70
Source: C:\Users\user\AppData\Local\WRsLe\DmNotificationBroker.exe Code function: 21_2_00007FFC6696CA50 21_2_00007FFC6696CA50
Source: C:\Users\user\AppData\Local\WRsLe\DmNotificationBroker.exe Code function: 21_2_00007FFC669559F0 21_2_00007FFC669559F0
Source: C:\Users\user\AppData\Local\WRsLe\DmNotificationBroker.exe Code function: 21_2_00007FFC6694872B 21_2_00007FFC6694872B
Source: C:\Users\user\AppData\Local\WRsLe\DmNotificationBroker.exe Code function: 21_2_00007FFC66980F30 21_2_00007FFC66980F30
Source: C:\Users\user\AppData\Local\WRsLe\DmNotificationBroker.exe Code function: 21_2_00007FFC66985760 21_2_00007FFC66985760
Source: C:\Users\user\AppData\Local\WRsLe\DmNotificationBroker.exe Code function: 21_2_00007FFC66980770 21_2_00007FFC66980770
Source: C:\Users\user\AppData\Local\WRsLe\DmNotificationBroker.exe Code function: 21_2_00007FFC6693E770 21_2_00007FFC6693E770
Source: C:\Users\user\AppData\Local\WRsLe\DmNotificationBroker.exe Code function: 21_2_00007FFC6699BF6F 21_2_00007FFC6699BF6F
Source: C:\Users\user\AppData\Local\WRsLe\DmNotificationBroker.exe Code function: 21_2_00007FFC66942F50 21_2_00007FFC66942F50
Source: C:\Users\user\AppData\Local\WRsLe\DmNotificationBroker.exe Code function: 21_2_00007FFC669506A0 21_2_00007FFC669506A0
Source: C:\Users\user\AppData\Local\WRsLe\DmNotificationBroker.exe Code function: 21_2_00007FFC6694F6B0 21_2_00007FFC6694F6B0
Source: C:\Users\user\AppData\Local\WRsLe\DmNotificationBroker.exe Code function: 21_2_00007FFC6698A6B0 21_2_00007FFC6698A6B0
Source: C:\Users\user\AppData\Local\WRsLe\DmNotificationBroker.exe Code function: 21_2_00007FFC66927E80 21_2_00007FFC66927E80
Source: C:\Users\user\AppData\Local\WRsLe\DmNotificationBroker.exe Code function: 21_2_00007FFC66926E90 21_2_00007FFC66926E90
Source: C:\Users\user\AppData\Local\WRsLe\DmNotificationBroker.exe Code function: 21_2_00007FFC66987EC0 21_2_00007FFC66987EC0
Source: C:\Users\user\AppData\Local\WRsLe\DmNotificationBroker.exe Code function: 21_2_00007FFC66950020 21_2_00007FFC66950020
Source: C:\Users\user\AppData\Local\WRsLe\DmNotificationBroker.exe Code function: 21_2_00007FFC669A0820 21_2_00007FFC669A0820
Source: C:\Users\user\AppData\Local\WRsLe\DmNotificationBroker.exe Code function: 21_2_00007FFC6694C030 21_2_00007FFC6694C030
Source: C:\Users\user\AppData\Local\WRsLe\DmNotificationBroker.exe Code function: 21_2_00007FFC66944800 21_2_00007FFC66944800
Source: C:\Users\user\AppData\Local\WRsLe\DmNotificationBroker.exe Code function: 21_2_00007FFC66921010 21_2_00007FFC66921010
Source: C:\Users\user\AppData\Local\WRsLe\DmNotificationBroker.exe Code function: 21_2_00007FFC6695F870 21_2_00007FFC6695F870
Source: C:\Users\user\AppData\Local\WRsLe\DmNotificationBroker.exe Code function: 21_2_00007FFC6696F870 21_2_00007FFC6696F870
Source: C:\Users\user\AppData\Local\WRsLe\DmNotificationBroker.exe Code function: 21_2_00007FFC66975840 21_2_00007FFC66975840
Source: C:\Users\user\AppData\Local\WRsLe\DmNotificationBroker.exe Code function: 21_2_00007FFC66945050 21_2_00007FFC66945050
Source: C:\Users\user\AppData\Local\WRsLe\DmNotificationBroker.exe Code function: 21_2_00007FFC6699B7A0 21_2_00007FFC6699B7A0
Source: C:\Users\user\AppData\Local\WRsLe\DmNotificationBroker.exe Code function: 21_2_00007FFC6694E7B0 21_2_00007FFC6694E7B0
Source: C:\Users\user\AppData\Local\WRsLe\DmNotificationBroker.exe Code function: 21_2_00007FFC6698C780 21_2_00007FFC6698C780
Source: C:\Users\user\AppData\Local\WRsLe\DmNotificationBroker.exe Code function: 21_2_00007FFC6699EF80 21_2_00007FFC6699EF80
Source: C:\Users\user\AppData\Local\WRsLe\DmNotificationBroker.exe Code function: 21_2_00007FFC66926790 21_2_00007FFC66926790
Source: C:\Users\user\AppData\Local\WRsLe\DmNotificationBroker.exe Code function: 21_2_00007FFC66946FE0 21_2_00007FFC66946FE0
Source: C:\Users\user\AppData\Local\WRsLe\DmNotificationBroker.exe Code function: 21_2_00007FFC66994FF0 21_2_00007FFC66994FF0
Source: C:\Users\user\AppData\Local\WRsLe\DmNotificationBroker.exe Code function: 21_2_00007FFC66938FC0 21_2_00007FFC66938FC0
Source: C:\Users\user\AppData\Local\WRsLe\DmNotificationBroker.exe Code function: 21_2_00007FFC6693A7D0 21_2_00007FFC6693A7D0
Source: C:\Users\user\AppData\Local\WRsLe\DmNotificationBroker.exe Code function: 21_2_00007FFC66978D20 21_2_00007FFC66978D20
Source: C:\Users\user\AppData\Local\WRsLe\DmNotificationBroker.exe Code function: 21_2_00007FFC66951D30 21_2_00007FFC66951D30
Source: C:\Users\user\AppData\Local\WRsLe\DmNotificationBroker.exe Code function: 21_2_00007FFC66950D10 21_2_00007FFC66950D10
Source: C:\Users\user\AppData\Local\WRsLe\DmNotificationBroker.exe Code function: 21_2_00007FFC66939D70 21_2_00007FFC66939D70
Source: C:\Users\user\AppData\Local\WRsLe\DmNotificationBroker.exe Code function: 21_2_00007FFC6694D550 21_2_00007FFC6694D550
Source: C:\Users\user\AppData\Local\WRsLe\DmNotificationBroker.exe Code function: 21_2_00007FFC66943D50 21_2_00007FFC66943D50
Source: C:\Users\user\AppData\Local\WRsLe\DmNotificationBroker.exe Code function: 21_2_00007FFC6698E4A6 21_2_00007FFC6698E4A6
Source: C:\Users\user\AppData\Local\WRsLe\DmNotificationBroker.exe Code function: 21_2_00007FFC66982CA0 21_2_00007FFC66982CA0
Source: C:\Users\user\AppData\Local\WRsLe\DmNotificationBroker.exe Code function: 21_2_00007FFC6698E49D 21_2_00007FFC6698E49D
Source: C:\Users\user\AppData\Local\WRsLe\DmNotificationBroker.exe Code function: 21_2_00007FFC6698E4B6 21_2_00007FFC6698E4B6
Source: C:\Users\user\AppData\Local\WRsLe\DmNotificationBroker.exe Code function: 21_2_00007FFC6698E4AD 21_2_00007FFC6698E4AD
Source: C:\Users\user\AppData\Local\WRsLe\DmNotificationBroker.exe Code function: 21_2_00007FFC6694AC80 21_2_00007FFC6694AC80
Source: C:\Users\user\AppData\Local\WRsLe\DmNotificationBroker.exe Code function: 21_2_00007FFC6698E48B 21_2_00007FFC6698E48B
Source: C:\Users\user\AppData\Local\WRsLe\DmNotificationBroker.exe Code function: 21_2_00007FFC6698E494 21_2_00007FFC6698E494
Source: C:\Users\user\AppData\Local\WRsLe\DmNotificationBroker.exe Code function: 21_2_00007FFC6698A490 21_2_00007FFC6698A490
Source: C:\Users\user\AppData\Local\WRsLe\DmNotificationBroker.exe Code function: 21_2_00007FFC66953CF0 21_2_00007FFC66953CF0
Source: C:\Users\user\AppData\Local\WRsLe\DmNotificationBroker.exe Code function: 21_2_00007FFC66933CD0 21_2_00007FFC66933CD0
Source: C:\Users\user\AppData\Local\WRsLe\DmNotificationBroker.exe Code function: 21_2_00007FFC66921620 21_2_00007FFC66921620
Source: C:\Users\user\AppData\Local\WRsLe\DmNotificationBroker.exe Code function: 21_2_00007FFC6692DE20 21_2_00007FFC6692DE20
Source: C:\Users\user\AppData\Local\WRsLe\DmNotificationBroker.exe Code function: 21_2_00007FFC66952E10 21_2_00007FFC66952E10
Source: C:\Users\user\AppData\Local\WRsLe\DmNotificationBroker.exe Code function: 21_2_00007FFC66943610 21_2_00007FFC66943610
Source: C:\Users\user\AppData\Local\WRsLe\DmNotificationBroker.exe Code function: 21_2_00007FFC66938670 21_2_00007FFC66938670
Source: C:\Users\user\AppData\Local\WRsLe\DmNotificationBroker.exe Code function: 21_2_00007FFC66970650 21_2_00007FFC66970650
Source: C:\Users\user\AppData\Local\WRsLe\DmNotificationBroker.exe Code function: 21_2_00007FFC6692C5A0 21_2_00007FFC6692C5A0
Source: C:\Users\user\AppData\Local\WRsLe\DmNotificationBroker.exe Code function: 21_2_00007FFC6699C590 21_2_00007FFC6699C590
Source: C:\Users\user\AppData\Local\WRsLe\DmNotificationBroker.exe Code function: 21_2_00007FFC669365E0 21_2_00007FFC669365E0
Source: C:\Users\user\AppData\Local\WRsLe\DmNotificationBroker.exe Code function: 21_2_00007FFC669525C0 21_2_00007FFC669525C0
Source: C:\Users\user\AppData\Local\WRsLe\DmNotificationBroker.exe Code function: 21_2_00007FFC669395C0 21_2_00007FFC669395C0
Source: C:\Users\user\AppData\Local\WRsLe\DmNotificationBroker.exe Code function: 21_2_00007FFC6692BB20 21_2_00007FFC6692BB20
Source: C:\Users\user\AppData\Local\WRsLe\DmNotificationBroker.exe Code function: 21_2_00007FFC66951B30 21_2_00007FFC66951B30
Source: C:\Users\user\AppData\Local\WRsLe\DmNotificationBroker.exe Code function: 21_2_00007FFC66950300 21_2_00007FFC66950300
Source: C:\Users\user\AppData\Local\WRsLe\DmNotificationBroker.exe Code function: 21_2_00007FFC6694A310 21_2_00007FFC6694A310
Source: C:\Users\user\AppData\Local\WRsLe\DmNotificationBroker.exe Code function: 21_2_00007FFC66954360 21_2_00007FFC66954360
Source: C:\Users\user\AppData\Local\WRsLe\DmNotificationBroker.exe Code function: 21_2_00007FFC66943340 21_2_00007FFC66943340
Source: C:\Users\user\AppData\Local\WRsLe\DmNotificationBroker.exe Code function: 21_2_00007FFC66938340 21_2_00007FFC66938340
Source: C:\Users\user\AppData\Local\WRsLe\DmNotificationBroker.exe Code function: 21_2_00007FFC66985B50 21_2_00007FFC66985B50
Source: C:\Users\user\AppData\Local\WRsLe\DmNotificationBroker.exe Code function: 21_2_00007FFC66925350 21_2_00007FFC66925350
Source: C:\Users\user\AppData\Local\WRsLe\DmNotificationBroker.exe Code function: 21_2_00007FFC6694DAA0 21_2_00007FFC6694DAA0
Source: C:\Users\user\AppData\Local\WRsLe\DmNotificationBroker.exe Code function: 21_2_00007FFC669882A0 21_2_00007FFC669882A0
Source: C:\Users\user\AppData\Local\WRsLe\DmNotificationBroker.exe Code function: 21_2_00007FFC6698AAA0 21_2_00007FFC6698AAA0
Source: C:\Users\user\AppData\Local\WRsLe\DmNotificationBroker.exe Code function: 21_2_00007FFC669482E0 21_2_00007FFC669482E0
Source: C:\Users\user\AppData\Local\WRsLe\DmNotificationBroker.exe Code function: 21_2_00007FFC66982AE0 21_2_00007FFC66982AE0
Source: C:\Users\user\AppData\Local\WRsLe\DmNotificationBroker.exe Code function: 21_2_00007FFC66987AF0 21_2_00007FFC66987AF0
Source: C:\Users\user\AppData\Local\WRsLe\DmNotificationBroker.exe Code function: 21_2_00007FFC669492C0 21_2_00007FFC669492C0
Source: C:\Users\user\AppData\Local\WRsLe\DmNotificationBroker.exe Code function: 21_2_00007FFC669722C0 21_2_00007FFC669722C0
Source: C:\Users\user\AppData\Local\WRsLe\DmNotificationBroker.exe Code function: 21_2_00007FFC6697F2C0 21_2_00007FFC6697F2C0
Source: C:\Users\user\AppData\Local\WRsLe\DmNotificationBroker.exe Code function: 21_2_00007FFC66925C20 21_2_00007FFC66925C20
Source: C:\Users\user\AppData\Local\WRsLe\DmNotificationBroker.exe Code function: 21_2_00007FFC66935420 21_2_00007FFC66935420
Source: C:\Users\user\AppData\Local\WRsLe\DmNotificationBroker.exe Code function: 21_2_00007FFC6698E400 21_2_00007FFC6698E400
Source: C:\Users\user\AppData\Local\WRsLe\DmNotificationBroker.exe Code function: 21_2_00007FFC6699FC00 21_2_00007FFC6699FC00
Source: C:\Users\user\AppData\Local\WRsLe\DmNotificationBroker.exe Code function: 21_2_00007FFC66937410 21_2_00007FFC66937410
Source: C:\Users\user\AppData\Local\WRsLe\DmNotificationBroker.exe Code function: 21_2_00007FFC66989410 21_2_00007FFC66989410
Source: C:\Users\user\AppData\Local\WRsLe\DmNotificationBroker.exe Code function: 21_2_00007FFC66984390 21_2_00007FFC66984390
Source: C:\Users\user\AppData\Local\WRsLe\DmNotificationBroker.exe Code function: 21_2_00007FFC669323F0 21_2_00007FFC669323F0
Source: C:\Users\user\AppData\Local\WRsLe\DmNotificationBroker.exe Code function: 21_2_00007FFC66974BC0 21_2_00007FFC66974BC0
Source: C:\Users\user\AppData\Local\WRsLe\DmNotificationBroker.exe Code function: 21_2_00007FFC66956130 21_2_00007FFC66956130
Source: C:\Users\user\AppData\Local\WRsLe\DmNotificationBroker.exe Code function: 21_2_00007FFC6692B100 21_2_00007FFC6692B100
Source: C:\Users\user\AppData\Local\WRsLe\DmNotificationBroker.exe Code function: 21_2_00007FFC6693E110 21_2_00007FFC6693E110
Source: C:\Users\user\AppData\Local\WRsLe\DmNotificationBroker.exe Code function: 21_2_00007FFC66943910 21_2_00007FFC66943910
Source: C:\Users\user\AppData\Local\WRsLe\DmNotificationBroker.exe Code function: 21_2_00007FFC6698B960 21_2_00007FFC6698B960
Source: C:\Users\user\AppData\Local\WRsLe\DmNotificationBroker.exe Code function: 21_2_00007FFC66944140 21_2_00007FFC66944140
Source: C:\Users\user\AppData\Local\WRsLe\DmNotificationBroker.exe Code function: 21_2_00007FFC66986950 21_2_00007FFC66986950
Source: C:\Users\user\AppData\Local\WRsLe\DmNotificationBroker.exe Code function: 21_2_00007FFC669308B0 21_2_00007FFC669308B0
Source: C:\Users\user\AppData\Local\WRsLe\DmNotificationBroker.exe Code function: 21_2_00007FFC6699C8B1 21_2_00007FFC6699C8B1
Source: C:\Users\user\AppData\Local\WRsLe\DmNotificationBroker.exe Code function: 21_2_00007FFC6693D890 21_2_00007FFC6693D890
Source: C:\Users\user\AppData\Local\WRsLe\DmNotificationBroker.exe Code function: 21_2_00007FFC6699C0EB 21_2_00007FFC6699C0EB
Source: C:\Users\user\AppData\Local\WRsLe\DmNotificationBroker.exe Code function: 21_2_00007FFC669218D0 21_2_00007FFC669218D0
Source: C:\Users\user\AppData\Local\WRsLe\DmNotificationBroker.exe Code function: 21_2_00007FFC6698B260 21_2_00007FFC6698B260
Source: C:\Users\user\AppData\Local\WRsLe\DmNotificationBroker.exe Code function: 21_2_00007FFC66927A40 21_2_00007FFC66927A40
Source: C:\Users\user\AppData\Local\WRsLe\DmNotificationBroker.exe Code function: 21_2_00007FFC6695B250 21_2_00007FFC6695B250
Source: C:\Users\user\AppData\Local\WRsLe\DmNotificationBroker.exe Code function: 21_2_00007FFC6694E9A0 21_2_00007FFC6694E9A0
Source: C:\Users\user\AppData\Local\WRsLe\DmNotificationBroker.exe Code function: 21_2_00007FFC6693E9B0 21_2_00007FFC6693E9B0
Source: C:\Users\user\AppData\Local\WRsLe\DmNotificationBroker.exe Code function: 21_2_00007FFC669411B0 21_2_00007FFC669411B0
Source: C:\Users\user\AppData\Local\WRsLe\DmNotificationBroker.exe Code function: 21_2_00007FFC66922980 21_2_00007FFC66922980
Source: C:\Users\user\AppData\Local\WRsLe\DmNotificationBroker.exe Code function: 21_2_00007FFC66959990 21_2_00007FFC66959990
Source: C:\Users\user\AppData\Local\WRsLe\DmNotificationBroker.exe Code function: 21_2_00007FFC6694F1F0 21_2_00007FFC6694F1F0
Source: C:\Users\user\AppData\Local\WRsLe\DmNotificationBroker.exe Code function: 21_2_00007FFC669591F0 21_2_00007FFC669591F0
Source: C:\Users\user\AppData\Local\WRsLe\DmNotificationBroker.exe Code function: 21_2_00007FFC669589F0 21_2_00007FFC669589F0
Source: C:\Users\user\AppData\Local\WRsLe\DmNotificationBroker.exe Code function: 21_2_00007FFC669469C0 21_2_00007FFC669469C0
Source: C:\Users\user\AppData\Local\WRsLe\DmNotificationBroker.exe Code function: 21_2_00007FFC669521D0 21_2_00007FFC669521D0
Source: C:\Users\user\AppData\Local\daH0n9\WFS.exe Code function: 25_2_00007FF7E073A1B0 25_2_00007FF7E073A1B0
Source: C:\Users\user\AppData\Local\daH0n9\WFS.exe Code function: 25_2_00007FF7E0736180 25_2_00007FF7E0736180
Source: C:\Users\user\AppData\Local\daH0n9\WFS.exe Code function: 25_2_00007FF7E06F3258 25_2_00007FF7E06F3258
Source: C:\Users\user\AppData\Local\daH0n9\WFS.exe Code function: 25_2_00007FF7E06F9250 25_2_00007FF7E06F9250
Source: C:\Users\user\AppData\Local\daH0n9\WFS.exe Code function: 25_2_00007FF7E071B3A8 25_2_00007FF7E071B3A8
Source: C:\Users\user\AppData\Local\daH0n9\WFS.exe Code function: 25_2_00007FF7E073B410 25_2_00007FF7E073B410
Source: C:\Users\user\AppData\Local\daH0n9\WFS.exe Code function: 25_2_00007FF7E072D320 25_2_00007FF7E072D320
Source: C:\Users\user\AppData\Local\daH0n9\WFS.exe Code function: 25_2_00007FF7E072A380 25_2_00007FF7E072A380
Source: C:\Users\user\AppData\Local\daH0n9\WFS.exe Code function: 25_2_00007FF7E072E4C0 25_2_00007FF7E072E4C0
Source: C:\Users\user\AppData\Local\daH0n9\WFS.exe Code function: 25_2_00007FF7E07354E0 25_2_00007FF7E07354E0
Source: C:\Users\user\AppData\Local\daH0n9\WFS.exe Code function: 25_2_00007FF7E071541C 25_2_00007FF7E071541C
Source: C:\Users\user\AppData\Local\daH0n9\WFS.exe Code function: 25_2_00007FF7E06FC4F8 25_2_00007FF7E06FC4F8
Source: C:\Users\user\AppData\Local\daH0n9\WFS.exe Code function: 25_2_00007FF7E0752440 25_2_00007FF7E0752440
Source: C:\Users\user\AppData\Local\daH0n9\WFS.exe Code function: 25_2_00007FF7E07415BC 25_2_00007FF7E07415BC
Source: C:\Users\user\AppData\Local\daH0n9\WFS.exe Code function: 25_2_00007FF7E072F5D0 25_2_00007FF7E072F5D0
Source: C:\Users\user\AppData\Local\daH0n9\WFS.exe Code function: 25_2_00007FF7E06F85B0 25_2_00007FF7E06F85B0
Source: C:\Users\user\AppData\Local\daH0n9\WFS.exe Code function: 25_2_00007FF7E0730630 25_2_00007FF7E0730630
Source: C:\Users\user\AppData\Local\daH0n9\WFS.exe Code function: 25_2_00007FF7E06FB6C4 25_2_00007FF7E06FB6C4
Source: C:\Users\user\AppData\Local\daH0n9\WFS.exe Code function: 25_2_00007FF7E06F5738 25_2_00007FF7E06F5738
Source: C:\Users\user\AppData\Local\daH0n9\WFS.exe Code function: 25_2_00007FF7E071F71C 25_2_00007FF7E071F71C
Source: C:\Users\user\AppData\Local\daH0n9\WFS.exe Code function: 25_2_00007FF7E07318CC 25_2_00007FF7E07318CC
Source: C:\Users\user\AppData\Local\daH0n9\WFS.exe Code function: 25_2_00007FF7E073B904 25_2_00007FF7E073B904
Source: C:\Users\user\AppData\Local\daH0n9\WFS.exe Code function: 25_2_00007FF7E071E840 25_2_00007FF7E071E840
Source: C:\Users\user\AppData\Local\daH0n9\WFS.exe Code function: 25_2_00007FF7E06FC974 25_2_00007FF7E06FC974
Source: C:\Users\user\AppData\Local\daH0n9\WFS.exe Code function: 25_2_00007FF7E073A9E0 25_2_00007FF7E073A9E0
Source: C:\Users\user\AppData\Local\daH0n9\WFS.exe Code function: 25_2_00007FF7E0713940 25_2_00007FF7E0713940
Source: C:\Users\user\AppData\Local\daH0n9\WFS.exe Code function: 25_2_00007FF7E07019D0 25_2_00007FF7E07019D0
Source: C:\Users\user\AppData\Local\daH0n9\WFS.exe Code function: 25_2_00007FF7E0738AB0 25_2_00007FF7E0738AB0
Source: C:\Users\user\AppData\Local\daH0n9\WFS.exe Code function: 25_2_00007FF7E06F3A30 25_2_00007FF7E06F3A30
Source: C:\Users\user\AppData\Local\daH0n9\WFS.exe Code function: 25_2_00007FF7E0707AF0 25_2_00007FF7E0707AF0
Source: C:\Users\user\AppData\Local\daH0n9\WFS.exe Code function: 25_2_00007FF7E0736C00 25_2_00007FF7E0736C00
Source: C:\Users\user\AppData\Local\daH0n9\WFS.exe Code function: 25_2_00007FF7E073FC0C 25_2_00007FF7E073FC0C
Source: C:\Users\user\AppData\Local\daH0n9\WFS.exe Code function: 25_2_00007FF7E0735C10 25_2_00007FF7E0735C10
Source: C:\Users\user\AppData\Local\daH0n9\WFS.exe Code function: 25_2_00007FF7E072AB1C 25_2_00007FF7E072AB1C
Source: C:\Users\user\AppData\Local\daH0n9\WFS.exe Code function: 25_2_00007FF7E072FB30 25_2_00007FF7E072FB30
Source: C:\Users\user\AppData\Local\daH0n9\WFS.exe Code function: 25_2_00007FF7E0752B6C 25_2_00007FF7E0752B6C
Source: C:\Users\user\AppData\Local\daH0n9\WFS.exe Code function: 25_2_00007FF7E0710B80 25_2_00007FF7E0710B80
Source: C:\Users\user\AppData\Local\daH0n9\WFS.exe Code function: 25_2_00007FF7E06F4CD4 25_2_00007FF7E06F4CD4
Source: C:\Users\user\AppData\Local\daH0n9\WFS.exe Code function: 25_2_00007FF7E06F3A30 25_2_00007FF7E06F3A30
Source: C:\Users\user\AppData\Local\daH0n9\WFS.exe Code function: 25_2_00007FF7E0733E1C 25_2_00007FF7E0733E1C
Source: C:\Users\user\AppData\Local\daH0n9\WFS.exe Code function: 25_2_00007FF7E0736E50 25_2_00007FF7E0736E50
Source: C:\Users\user\AppData\Local\daH0n9\WFS.exe Code function: 25_2_00007FF7E0751F60 25_2_00007FF7E0751F60
Source: C:\Users\user\AppData\Local\daH0n9\WFS.exe Code function: 25_2_00007FF7E073B0DC 25_2_00007FF7E073B0DC
Source: C:\Users\user\AppData\Local\daH0n9\WFS.exe Code function: 25_2_00007FF7E072C060 25_2_00007FF7E072C060
Source: C:\Users\user\AppData\Local\daH0n9\WFS.exe Code function: String function: 00007FF7E06F38C8 appears 261 times
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFC6472D520 NtQuerySystemInformation,RtlAllocateHeap, 0_2_00007FFC6472D520
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFC64707770 NtClose, 0_2_00007FFC64707770
Source: C:\Users\user\AppData\Local\A3MiXbeK\PresentationSettings.exe Code function: 18_2_00007FFC669B7770 NtClose, 18_2_00007FFC669B7770
Source: C:\Users\user\AppData\Local\A3MiXbeK\PresentationSettings.exe Code function: 18_2_00007FFC66995F40 NtCreateSection,NtMapViewOfSection,NtUnmapViewOfSection,NtDuplicateObject,NtDuplicateObject, 18_2_00007FFC66995F40
Source: C:\Users\user\AppData\Local\A3MiXbeK\PresentationSettings.exe Code function: 18_2_00007FFC669A8060 NtReadVirtualMemory, 18_2_00007FFC669A8060
Source: C:\Users\user\AppData\Local\A3MiXbeK\PresentationSettings.exe Code function: 18_2_00007FFC669DD520 NtQuerySystemInformation, 18_2_00007FFC669DD520
Source: C:\Users\user\AppData\Local\A3MiXbeK\PresentationSettings.exe Code function: 18_2_00007FFC669A5CD0 RtlAddVectoredContinueHandler,VirtualProtect,VirtualProtect,RtlCreateUserThread,NtClose, 18_2_00007FFC669A5CD0
Source: C:\Users\user\AppData\Local\A3MiXbeK\PresentationSettings.exe Code function: 18_2_00007FFC669AC4D0 CreateFileMappingW,VirtualAlloc,NtMapViewOfSection,NtUnmapViewOfSection,NtDuplicateObject,NtDuplicateObject, 18_2_00007FFC669AC4D0
Source: C:\Users\user\AppData\Local\A3MiXbeK\PresentationSettings.exe Code function: 18_2_00007FFC669ACE20 NtDuplicateObject,NtClose, 18_2_00007FFC669ACE20
Source: C:\Users\user\AppData\Local\A3MiXbeK\PresentationSettings.exe Code function: 18_2_00007FFC669ABAE0 NtReadVirtualMemory,RtlQueueApcWow64Thread, 18_2_00007FFC669ABAE0
Source: C:\Users\user\AppData\Local\A3MiXbeK\PresentationSettings.exe Code function: 18_2_00007FFC669BF150 NtDelayExecution, 18_2_00007FFC669BF150
Source: C:\Users\user\AppData\Local\A3MiXbeK\PresentationSettings.exe Code function: 18_2_00007FFC669AAA70 VirtualAlloc,NtDuplicateObject,RtlQueueApcWow64Thread, 18_2_00007FFC669AAA70
Source: C:\Users\user\AppData\Local\WRsLe\DmNotificationBroker.exe Code function: 21_2_00007FFC66967770 NtClose, 21_2_00007FFC66967770
Source: C:\Users\user\AppData\Local\WRsLe\DmNotificationBroker.exe Code function: 21_2_00007FFC66945F40 NtCreateSection,NtMapViewOfSection,NtUnmapViewOfSection,NtDuplicateObject,NtDuplicateObject, 21_2_00007FFC66945F40
Source: C:\Users\user\AppData\Local\WRsLe\DmNotificationBroker.exe Code function: 21_2_00007FFC6698D520 NtQuerySystemInformation,RtlAllocateHeap, 21_2_00007FFC6698D520
Source: C:\Users\user\AppData\Local\WRsLe\DmNotificationBroker.exe Code function: 21_2_00007FFC66955CD0 RtlAddVectoredContinueHandler,VirtualProtect,VirtualProtect,RtlCreateUserThread,NtClose, 21_2_00007FFC66955CD0
Source: C:\Users\user\AppData\Local\WRsLe\DmNotificationBroker.exe Code function: 21_2_00007FFC6695C4D0 CreateFileMappingW,VirtualAlloc,NtMapViewOfSection,NtUnmapViewOfSection,NtDuplicateObject,NtDuplicateObject, 21_2_00007FFC6695C4D0
Source: C:\Users\user\AppData\Local\WRsLe\DmNotificationBroker.exe Code function: 21_2_00007FFC6695BAE0 NtReadVirtualMemory, 21_2_00007FFC6695BAE0
Source: C:\Users\user\AppData\Local\WRsLe\DmNotificationBroker.exe Code function: 21_2_00007FFC6695AA70 VirtualAlloc,NtDuplicateObject,RtlQueueApcWow64Thread, 21_2_00007FFC6695AA70
Source: DmNotificationBroker.exe.4.dr Static PE information: Resource name: RT_VERSION type: COM executable for DOS
Source: DmNotificationBroker.exe0.4.dr Static PE information: Resource name: RT_VERSION type: COM executable for DOS
Source: elBAfme5gQ.dll Binary or memory string: OriginalFilenamedpnhupnp.dJ vs elBAfme5gQ.dll
Source: PresentationSettings.exe.4.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: PresentationSettings.exe.4.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: PresentationSettings.exe.4.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: PresentationSettings.exe.4.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: PresentationSettings.exe.4.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: PresentationSettings.exe.4.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: PresentationSettings.exe.4.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: PresentationSettings.exe.4.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: WFS.exe.4.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: WFS.exe.4.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: WFS.exe.4.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: C:\Windows\System32\loaddll64.exe Section loaded: kernel34.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: kernel34.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: windows.globalization.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: capabilityaccessmanagerclient.dll Jump to behavior
Source: C:\Users\user\AppData\Local\A3MiXbeK\PresentationSettings.exe Section loaded: kernel34.dll Jump to behavior
Source: C:\Users\user\AppData\Local\WRsLe\DmNotificationBroker.exe Section loaded: kernel34.dll Jump to behavior
Source: C:\Users\user\AppData\Local\daH0n9\WFS.exe Section loaded: kernel34.dll Jump to behavior
Source: C:\Users\user\AppData\Local\pEcAZnNU3\DmNotificationBroker.exe Section loaded: kernel34.dll Jump to behavior
Source: elBAfme5gQ.dll Static PE information: Number of sections : 70 > 10
Source: DUI70.dll0.4.dr Static PE information: Number of sections : 71 > 10
Source: DUI70.dll.4.dr Static PE information: Number of sections : 71 > 10
Source: WINMM.dll.4.dr Static PE information: Number of sections : 71 > 10
Source: credui.dll.4.dr Static PE information: Number of sections : 71 > 10
Source: elBAfme5gQ.dll Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: WINMM.dll.4.dr Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: DUI70.dll.4.dr Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: credui.dll.4.dr Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: DUI70.dll0.4.dr Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: elBAfme5gQ.dll Virustotal: Detection: 62%
Source: elBAfme5gQ.dll Metadefender: Detection: 65%
Source: elBAfme5gQ.dll ReversingLabs: Detection: 88%
Source: elBAfme5gQ.dll Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Windows\System32\loaddll64.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: unknown Process created: C:\Windows\System32\loaddll64.exe loaddll64.exe "C:\Users\user\Desktop\elBAfme5gQ.dll"
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\elBAfme5gQ.dll",#1
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\elBAfme5gQ.dll,CreateXmlReader
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\elBAfme5gQ.dll",#1
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\elBAfme5gQ.dll,CreateXmlReaderInputWithEncodingCodePage
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\elBAfme5gQ.dll,CreateXmlReaderInputWithEncodingName
Source: C:\Windows\explorer.exe Process created: C:\Windows\System32\PresentationSettings.exe C:\Windows\system32\PresentationSettings.exe
Source: C:\Windows\explorer.exe Process created: C:\Users\user\AppData\Local\A3MiXbeK\PresentationSettings.exe C:\Users\user\AppData\Local\A3MiXbeK\PresentationSettings.exe
Source: C:\Windows\explorer.exe Process created: C:\Windows\System32\DmNotificationBroker.exe C:\Windows\system32\DmNotificationBroker.exe
Source: C:\Windows\explorer.exe Process created: C:\Users\user\AppData\Local\WRsLe\DmNotificationBroker.exe C:\Users\user\AppData\Local\WRsLe\DmNotificationBroker.exe
Source: C:\Windows\explorer.exe Process created: C:\Windows\System32\WFS.exe C:\Windows\system32\WFS.exe
Source: C:\Windows\explorer.exe Process created: C:\Users\user\AppData\Local\daH0n9\WFS.exe C:\Users\user\AppData\Local\daH0n9\WFS.exe
Source: C:\Windows\explorer.exe Process created: C:\Windows\System32\DmNotificationBroker.exe C:\Windows\system32\DmNotificationBroker.exe
Source: C:\Windows\explorer.exe Process created: C:\Users\user\AppData\Local\pEcAZnNU3\DmNotificationBroker.exe C:\Users\user\AppData\Local\pEcAZnNU3\DmNotificationBroker.exe
Source: C:\Windows\explorer.exe Process created: C:\Windows\System32\wusa.exe C:\Windows\system32\wusa.exe
Source: C:\Windows\explorer.exe Process created: C:\Windows\System32\SystemSettingsRemoveDevice.exe C:\Windows\system32\SystemSettingsRemoveDevice.exe
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\elBAfme5gQ.dll",#1 Jump to behavior
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\elBAfme5gQ.dll,CreateXmlReader Jump to behavior
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\elBAfme5gQ.dll,CreateXmlReaderInputWithEncodingCodePage Jump to behavior
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\elBAfme5gQ.dll,CreateXmlReaderInputWithEncodingName Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\elBAfme5gQ.dll",#1 Jump to behavior
Source: C:\Windows\explorer.exe Process created: C:\Windows\System32\PresentationSettings.exe C:\Windows\system32\PresentationSettings.exe Jump to behavior
Source: C:\Windows\explorer.exe Process created: C:\Users\user\AppData\Local\A3MiXbeK\PresentationSettings.exe C:\Users\user\AppData\Local\A3MiXbeK\PresentationSettings.exe Jump to behavior
Source: C:\Windows\explorer.exe Process created: C:\Windows\System32\DmNotificationBroker.exe C:\Windows\system32\DmNotificationBroker.exe Jump to behavior
Source: C:\Windows\explorer.exe Process created: C:\Users\user\AppData\Local\WRsLe\DmNotificationBroker.exe C:\Users\user\AppData\Local\WRsLe\DmNotificationBroker.exe Jump to behavior
Source: C:\Windows\explorer.exe Process created: C:\Windows\System32\WFS.exe C:\Windows\system32\WFS.exe Jump to behavior
Source: C:\Windows\explorer.exe Process created: C:\Users\user\AppData\Local\daH0n9\WFS.exe C:\Users\user\AppData\Local\daH0n9\WFS.exe Jump to behavior
Source: C:\Windows\explorer.exe Process created: C:\Windows\System32\DmNotificationBroker.exe C:\Windows\system32\DmNotificationBroker.exe Jump to behavior
Source: C:\Windows\explorer.exe Process created: C:\Users\user\AppData\Local\pEcAZnNU3\DmNotificationBroker.exe C:\Users\user\AppData\Local\pEcAZnNU3\DmNotificationBroker.exe Jump to behavior
Source: C:\Windows\explorer.exe Process created: C:\Windows\System32\wusa.exe C:\Windows\system32\wusa.exe Jump to behavior
Source: C:\Windows\explorer.exe Process created: C:\Windows\System32\SystemSettingsRemoveDevice.exe C:\Windows\system32\SystemSettingsRemoveDevice.exe Jump to behavior
Source: C:\Windows\explorer.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32 Jump to behavior
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Crypto Jump to behavior
Source: classification engine Classification label: mal100.troj.evad.winDLL@31/9@0/0
Source: C:\Users\user\AppData\Local\A3MiXbeK\PresentationSettings.exe Code function: 18_2_00007FF7B4461D34 CoCreateInstance,SysAllocString,SysFreeString, 18_2_00007FF7B4461D34
Source: C:\Users\user\AppData\Local\daH0n9\WFS.exe Code function: 25_2_00007FF7E071541C SendDlgItemMessageW,memset,memset,LoadStringW,FormatMessageW,SetDlgItemTextW,GetLastError,GetLastError,PeekMessageW,TranslateMessage,DispatchMessageW,#5065,#5065,PeekMessageW, 25_2_00007FF7E071541C
Source: C:\Users\user\AppData\Local\A3MiXbeK\PresentationSettings.exe Code function: 18_2_00007FFC669ACB00 GetProcessId,CreateToolhelp32Snapshot,Thread32First, 18_2_00007FFC669ACB00
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\elBAfme5gQ.dll,CreateXmlReader
Source: C:\Users\user\AppData\Local\pEcAZnNU3\DmNotificationBroker.exe Mutant created: \Sessions\1\BaseNamedObjects\{e424c4a6-fba6-038b-8c68-1fb473e55e3e}
Source: C:\Users\user\AppData\Local\pEcAZnNU3\DmNotificationBroker.exe Mutant created: \Sessions\1\BaseNamedObjects\{63e47e3b-1857-05fa-2873-230b4c914f4e}
Source: PresentationSettings.exe String found in binary or memory: /stop
Source: PresentationSettings.exe String found in binary or memory: /stop
Source: elBAfme5gQ.dll Static PE information: Image base 0x140000000 > 0x60000000
Source: elBAfme5gQ.dll Static file information: File size 1421312 > 1048576
Source: elBAfme5gQ.dll Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA
Source: Binary string: DmNotificationBroker.pdb source: DmNotificationBroker.exe, 00000015.00000000.431514520.00007FF793F65000.00000002.00000001.01000000.0000000B.sdmp, DmNotificationBroker.exe, 00000015.00000002.455649631.00007FF793F65000.00000002.00000001.01000000.0000000B.sdmp, DmNotificationBroker.exe, 0000001F.00000000.502738188.00007FF6DC635000.00000002.00000001.01000000.0000000F.sdmp, DmNotificationBroker.exe, 0000001F.00000002.529497507.00007FF6DC635000.00000002.00000001.01000000.0000000F.sdmp, DmNotificationBroker.exe0.4.dr, DmNotificationBroker.exe.4.dr
Source: Binary string: PresentationSettings.pdb source: PresentationSettings.exe, 00000012.00000002.417779681.00007FF7B4466000.00000002.00000001.01000000.00000009.sdmp, PresentationSettings.exe, 00000012.00000000.394587436.00007FF7B4466000.00000002.00000001.01000000.00000009.sdmp, PresentationSettings.exe.4.dr
Source: Binary string: DmNotificationBroker.pdbGCTL source: DmNotificationBroker.exe, 00000015.00000000.431514520.00007FF793F65000.00000002.00000001.01000000.0000000B.sdmp, DmNotificationBroker.exe, 00000015.00000002.455649631.00007FF793F65000.00000002.00000001.01000000.0000000B.sdmp, DmNotificationBroker.exe, 0000001F.00000000.502738188.00007FF6DC635000.00000002.00000001.01000000.0000000F.sdmp, DmNotificationBroker.exe, 0000001F.00000002.529497507.00007FF6DC635000.00000002.00000001.01000000.0000000F.sdmp, DmNotificationBroker.exe0.4.dr, DmNotificationBroker.exe.4.dr
Source: Binary string: Wfs.pdbGCTL source: WFS.exe, 00000019.00000002.489112517.00007FF7E075C000.00000002.00000001.01000000.0000000D.sdmp, WFS.exe, 00000019.00000000.461037552.00007FF7E075C000.00000002.00000001.01000000.0000000D.sdmp, WFS.exe.4.dr
Source: Binary string: Wfs.pdb source: WFS.exe, 00000019.00000002.489112517.00007FF7E075C000.00000002.00000001.01000000.0000000D.sdmp, WFS.exe, 00000019.00000000.461037552.00007FF7E075C000.00000002.00000001.01000000.0000000D.sdmp, WFS.exe.4.dr
Source: Binary string: PresentationSettings.pdbGCTL source: PresentationSettings.exe, 00000012.00000002.417779681.00007FF7B4466000.00000002.00000001.01000000.00000009.sdmp, PresentationSettings.exe, 00000012.00000000.394587436.00007FF7B4466000.00000002.00000001.01000000.00000009.sdmp, PresentationSettings.exe.4.dr
Source: C:\Users\user\AppData\Local\A3MiXbeK\PresentationSettings.exe Code function: 18_2_00007FFC669ED500 push rax; iretd 18_2_00007FFC669ED501
Source: C:\Users\user\AppData\Local\WRsLe\DmNotificationBroker.exe Code function: 21_2_00007FFC6699D500 push rax; iretd 21_2_00007FFC6699D501
Source: elBAfme5gQ.dll Static PE information: section name: .vxl
Source: elBAfme5gQ.dll Static PE information: section name: .qwubgr
Source: elBAfme5gQ.dll Static PE information: section name: .eer
Source: elBAfme5gQ.dll Static PE information: section name: .xwwauf
Source: elBAfme5gQ.dll Static PE information: section name: .pkc
Source: elBAfme5gQ.dll Static PE information: section name: .npkda
Source: elBAfme5gQ.dll Static PE information: section name: .vhs
Source: elBAfme5gQ.dll Static PE information: section name: .iaywj
Source: elBAfme5gQ.dll Static PE information: section name: .nasi
Source: elBAfme5gQ.dll Static PE information: section name: .zhvprh
Source: elBAfme5gQ.dll Static PE information: section name: .yatdsp
Source: elBAfme5gQ.dll Static PE information: section name: .njso
Source: elBAfme5gQ.dll Static PE information: section name: .lgliat
Source: elBAfme5gQ.dll Static PE information: section name: .ntqjh
Source: elBAfme5gQ.dll Static PE information: section name: .sucsek
Source: elBAfme5gQ.dll Static PE information: section name: .qsxjui
Source: elBAfme5gQ.dll Static PE information: section name: .twctcm
Source: elBAfme5gQ.dll Static PE information: section name: .nms
Source: elBAfme5gQ.dll Static PE information: section name: .ogj
Source: elBAfme5gQ.dll Static PE information: section name: .vrkgb
Source: elBAfme5gQ.dll Static PE information: section name: .gikfw
Source: elBAfme5gQ.dll Static PE information: section name: .ktl
Source: elBAfme5gQ.dll Static PE information: section name: .crcn
Source: elBAfme5gQ.dll Static PE information: section name: .wtfr
Source: elBAfme5gQ.dll Static PE information: section name: .hep
Source: elBAfme5gQ.dll Static PE information: section name: .ywg
Source: elBAfme5gQ.dll Static PE information: section name: .sqsp
Source: elBAfme5gQ.dll Static PE information: section name: .gzb
Source: elBAfme5gQ.dll Static PE information: section name: .fatlss
Source: elBAfme5gQ.dll Static PE information: section name: .plqa
Source: elBAfme5gQ.dll Static PE information: section name: .vzt
Source: elBAfme5gQ.dll Static PE information: section name: .dsbyd
Source: elBAfme5gQ.dll Static PE information: section name: .cdelc
Source: elBAfme5gQ.dll Static PE information: section name: .qkhkj
Source: elBAfme5gQ.dll Static PE information: section name: .mnzegr
Source: elBAfme5gQ.dll Static PE information: section name: .krw
Source: elBAfme5gQ.dll Static PE information: section name: .jvsmn
Source: elBAfme5gQ.dll Static PE information: section name: .bygpq
Source: elBAfme5gQ.dll Static PE information: section name: .kzdbu
Source: elBAfme5gQ.dll Static PE information: section name: .mwxorn
Source: elBAfme5gQ.dll Static PE information: section name: .raf
Source: elBAfme5gQ.dll Static PE information: section name: .zcyw
Source: elBAfme5gQ.dll Static PE information: section name: .zeczh
Source: elBAfme5gQ.dll Static PE information: section name: .pvv
Source: elBAfme5gQ.dll Static PE information: section name: .lug
Source: elBAfme5gQ.dll Static PE information: section name: .ski
Source: elBAfme5gQ.dll Static PE information: section name: .japjd
Source: elBAfme5gQ.dll Static PE information: section name: .mwtzml
Source: elBAfme5gQ.dll Static PE information: section name: .vgssf
Source: elBAfme5gQ.dll Static PE information: section name: .gsroye
Source: elBAfme5gQ.dll Static PE information: section name: .vcmr
Source: elBAfme5gQ.dll Static PE information: section name: .kvjqnl
Source: elBAfme5gQ.dll Static PE information: section name: .zlu
Source: elBAfme5gQ.dll Static PE information: section name: .nrcvk
Source: elBAfme5gQ.dll Static PE information: section name: .pfz
Source: elBAfme5gQ.dll Static PE information: section name: .hxz
Source: elBAfme5gQ.dll Static PE information: section name: .snjrs
Source: elBAfme5gQ.dll Static PE information: section name: .bffts
Source: elBAfme5gQ.dll Static PE information: section name: .oqqo
Source: elBAfme5gQ.dll Static PE information: section name: .ancqi
Source: elBAfme5gQ.dll Static PE information: section name: .wnpyu
Source: elBAfme5gQ.dll Static PE information: section name: .eflx
Source: elBAfme5gQ.dll Static PE information: section name: .mjql
Source: elBAfme5gQ.dll Static PE information: section name: .drmed
Source: DmNotificationBroker.exe.4.dr Static PE information: section name: .imrsiv
Source: WFS.exe.4.dr Static PE information: section name: .didat
Source: DmNotificationBroker.exe0.4.dr Static PE information: section name: .imrsiv
Source: WINMM.dll.4.dr Static PE information: section name: .vxl
Source: WINMM.dll.4.dr Static PE information: section name: .qwubgr
Source: WINMM.dll.4.dr Static PE information: section name: .eer
Source: WINMM.dll.4.dr Static PE information: section name: .xwwauf
Source: WINMM.dll.4.dr Static PE information: section name: .pkc
Source: WINMM.dll.4.dr Static PE information: section name: .npkda
Source: WINMM.dll.4.dr Static PE information: section name: .vhs
Source: WINMM.dll.4.dr Static PE information: section name: .iaywj
Source: WINMM.dll.4.dr Static PE information: section name: .nasi
Source: WINMM.dll.4.dr Static PE information: section name: .zhvprh
Source: WINMM.dll.4.dr Static PE information: section name: .yatdsp
Source: WINMM.dll.4.dr Static PE information: section name: .njso
Source: WINMM.dll.4.dr Static PE information: section name: .lgliat
Source: WINMM.dll.4.dr Static PE information: section name: .ntqjh
Source: WINMM.dll.4.dr Static PE information: section name: .sucsek
Source: WINMM.dll.4.dr Static PE information: section name: .qsxjui
Source: WINMM.dll.4.dr Static PE information: section name: .twctcm
Source: WINMM.dll.4.dr Static PE information: section name: .nms
Source: WINMM.dll.4.dr Static PE information: section name: .ogj
Source: WINMM.dll.4.dr Static PE information: section name: .vrkgb
Source: WINMM.dll.4.dr Static PE information: section name: .gikfw
Source: WINMM.dll.4.dr Static PE information: section name: .ktl
Source: WINMM.dll.4.dr Static PE information: section name: .crcn
Source: WINMM.dll.4.dr Static PE information: section name: .wtfr
Source: WINMM.dll.4.dr Static PE information: section name: .hep
Source: WINMM.dll.4.dr Static PE information: section name: .ywg
Source: WINMM.dll.4.dr Static PE information: section name: .sqsp
Source: WINMM.dll.4.dr Static PE information: section name: .gzb
Source: WINMM.dll.4.dr Static PE information: section name: .fatlss
Source: WINMM.dll.4.dr Static PE information: section name: .plqa
Source: WINMM.dll.4.dr Static PE information: section name: .vzt
Source: WINMM.dll.4.dr Static PE information: section name: .dsbyd
Source: WINMM.dll.4.dr Static PE information: section name: .cdelc
Source: WINMM.dll.4.dr Static PE information: section name: .qkhkj
Source: WINMM.dll.4.dr Static PE information: section name: .mnzegr
Source: WINMM.dll.4.dr Static PE information: section name: .krw
Source: WINMM.dll.4.dr Static PE information: section name: .jvsmn
Source: WINMM.dll.4.dr Static PE information: section name: .bygpq
Source: WINMM.dll.4.dr Static PE information: section name: .kzdbu
Source: WINMM.dll.4.dr Static PE information: section name: .mwxorn
Source: WINMM.dll.4.dr Static PE information: section name: .raf
Source: WINMM.dll.4.dr Static PE information: section name: .zcyw
Source: WINMM.dll.4.dr Static PE information: section name: .zeczh
Source: WINMM.dll.4.dr Static PE information: section name: .pvv
Source: WINMM.dll.4.dr Static PE information: section name: .lug
Source: WINMM.dll.4.dr Static PE information: section name: .ski
Source: WINMM.dll.4.dr Static PE information: section name: .japjd
Source: WINMM.dll.4.dr Static PE information: section name: .mwtzml
Source: WINMM.dll.4.dr Static PE information: section name: .vgssf
Source: WINMM.dll.4.dr Static PE information: section name: .gsroye
Source: WINMM.dll.4.dr Static PE information: section name: .vcmr
Source: WINMM.dll.4.dr Static PE information: section name: .kvjqnl
Source: WINMM.dll.4.dr Static PE information: section name: .zlu
Source: WINMM.dll.4.dr Static PE information: section name: .nrcvk
Source: WINMM.dll.4.dr Static PE information: section name: .pfz
Source: WINMM.dll.4.dr Static PE information: section name: .hxz
Source: WINMM.dll.4.dr Static PE information: section name: .snjrs
Source: WINMM.dll.4.dr Static PE information: section name: .bffts
Source: WINMM.dll.4.dr Static PE information: section name: .oqqo
Source: WINMM.dll.4.dr Static PE information: section name: .ancqi
Source: WINMM.dll.4.dr Static PE information: section name: .wnpyu
Source: WINMM.dll.4.dr Static PE information: section name: .eflx
Source: WINMM.dll.4.dr Static PE information: section name: .mjql
Source: WINMM.dll.4.dr Static PE information: section name: .drmed
Source: WINMM.dll.4.dr Static PE information: section name: .soq
Source: DUI70.dll.4.dr Static PE information: section name: .vxl
Source: DUI70.dll.4.dr Static PE information: section name: .qwubgr
Source: DUI70.dll.4.dr Static PE information: section name: .eer
Source: DUI70.dll.4.dr Static PE information: section name: .xwwauf
Source: DUI70.dll.4.dr Static PE information: section name: .pkc
Source: DUI70.dll.4.dr Static PE information: section name: .npkda
Source: DUI70.dll.4.dr Static PE information: section name: .vhs
Source: DUI70.dll.4.dr Static PE information: section name: .iaywj
Source: DUI70.dll.4.dr Static PE information: section name: .nasi
Source: DUI70.dll.4.dr Static PE information: section name: .zhvprh
Source: DUI70.dll.4.dr Static PE information: section name: .yatdsp
Source: DUI70.dll.4.dr Static PE information: section name: .njso
Source: DUI70.dll.4.dr Static PE information: section name: .lgliat
Source: DUI70.dll.4.dr Static PE information: section name: .ntqjh
Source: DUI70.dll.4.dr Static PE information: section name: .sucsek
Source: DUI70.dll.4.dr Static PE information: section name: .qsxjui
Source: DUI70.dll.4.dr Static PE information: section name: .twctcm
Source: DUI70.dll.4.dr Static PE information: section name: .nms
Source: DUI70.dll.4.dr Static PE information: section name: .ogj
Source: DUI70.dll.4.dr Static PE information: section name: .vrkgb
Source: DUI70.dll.4.dr Static PE information: section name: .gikfw
Source: DUI70.dll.4.dr Static PE information: section name: .ktl
Source: DUI70.dll.4.dr Static PE information: section name: .crcn
Source: DUI70.dll.4.dr Static PE information: section name: .wtfr
Source: DUI70.dll.4.dr Static PE information: section name: .hep
Source: DUI70.dll.4.dr Static PE information: section name: .ywg
Source: DUI70.dll.4.dr Static PE information: section name: .sqsp
Source: DUI70.dll.4.dr Static PE information: section name: .gzb
Source: DUI70.dll.4.dr Static PE information: section name: .fatlss
Source: DUI70.dll.4.dr Static PE information: section name: .plqa
Source: DUI70.dll.4.dr Static PE information: section name: .vzt
Source: DUI70.dll.4.dr Static PE information: section name: .dsbyd
Source: DUI70.dll.4.dr Static PE information: section name: .cdelc
Source: DUI70.dll.4.dr Static PE information: section name: .qkhkj
Source: DUI70.dll.4.dr Static PE information: section name: .mnzegr
Source: DUI70.dll.4.dr Static PE information: section name: .krw
Source: DUI70.dll.4.dr Static PE information: section name: .jvsmn
Source: DUI70.dll.4.dr Static PE information: section name: .bygpq
Source: DUI70.dll.4.dr Static PE information: section name: .kzdbu
Source: DUI70.dll.4.dr Static PE information: section name: .mwxorn
Source: DUI70.dll.4.dr Static PE information: section name: .raf
Source: DUI70.dll.4.dr Static PE information: section name: .zcyw
Source: DUI70.dll.4.dr Static PE information: section name: .zeczh
Source: DUI70.dll.4.dr Static PE information: section name: .pvv
Source: DUI70.dll.4.dr Static PE information: section name: .lug
Source: DUI70.dll.4.dr Static PE information: section name: .ski
Source: DUI70.dll.4.dr Static PE information: section name: .japjd
Source: DUI70.dll.4.dr Static PE information: section name: .mwtzml
Source: DUI70.dll.4.dr Static PE information: section name: .vgssf
Source: DUI70.dll.4.dr Static PE information: section name: .gsroye
Source: DUI70.dll.4.dr Static PE information: section name: .vcmr
Source: DUI70.dll.4.dr Static PE information: section name: .kvjqnl
Source: DUI70.dll.4.dr Static PE information: section name: .zlu
Source: DUI70.dll.4.dr Static PE information: section name: .nrcvk
Source: DUI70.dll.4.dr Static PE information: section name: .pfz
Source: DUI70.dll.4.dr Static PE information: section name: .hxz
Source: DUI70.dll.4.dr Static PE information: section name: .snjrs
Source: DUI70.dll.4.dr Static PE information: section name: .bffts
Source: DUI70.dll.4.dr Static PE information: section name: .oqqo
Source: DUI70.dll.4.dr Static PE information: section name: .ancqi
Source: DUI70.dll.4.dr Static PE information: section name: .wnpyu
Source: DUI70.dll.4.dr Static PE information: section name: .eflx
Source: DUI70.dll.4.dr Static PE information: section name: .mjql
Source: DUI70.dll.4.dr Static PE information: section name: .drmed
Source: DUI70.dll.4.dr Static PE information: section name: .ilct
Source: credui.dll.4.dr Static PE information: section name: .vxl
Source: credui.dll.4.dr Static PE information: section name: .qwubgr
Source: credui.dll.4.dr Static PE information: section name: .eer
Source: credui.dll.4.dr Static PE information: section name: .xwwauf
Source: credui.dll.4.dr Static PE information: section name: .pkc
Source: credui.dll.4.dr Static PE information: section name: .npkda
Source: credui.dll.4.dr Static PE information: section name: .vhs
Source: credui.dll.4.dr Static PE information: section name: .iaywj
Source: credui.dll.4.dr Static PE information: section name: .nasi
Source: credui.dll.4.dr Static PE information: section name: .zhvprh
Source: credui.dll.4.dr Static PE information: section name: .yatdsp
Source: credui.dll.4.dr Static PE information: section name: .njso
Source: credui.dll.4.dr Static PE information: section name: .lgliat
Source: credui.dll.4.dr Static PE information: section name: .ntqjh
Source: credui.dll.4.dr Static PE information: section name: .sucsek
Source: credui.dll.4.dr Static PE information: section name: .qsxjui
Source: credui.dll.4.dr Static PE information: section name: .twctcm
Source: credui.dll.4.dr Static PE information: section name: .nms
Source: credui.dll.4.dr Static PE information: section name: .ogj
Source: credui.dll.4.dr Static PE information: section name: .vrkgb
Source: credui.dll.4.dr Static PE information: section name: .gikfw
Source: credui.dll.4.dr Static PE information: section name: .ktl
Source: credui.dll.4.dr Static PE information: section name: .crcn
Source: credui.dll.4.dr Static PE information: section name: .wtfr
Source: credui.dll.4.dr Static PE information: section name: .hep
Source: credui.dll.4.dr Static PE information: section name: .ywg
Source: credui.dll.4.dr Static PE information: section name: .sqsp
Source: credui.dll.4.dr Static PE information: section name: .gzb
Source: credui.dll.4.dr Static PE information: section name: .fatlss
Source: credui.dll.4.dr Static PE information: section name: .plqa
Source: credui.dll.4.dr Static PE information: section name: .vzt
Source: credui.dll.4.dr Static PE information: section name: .dsbyd
Source: credui.dll.4.dr Static PE information: section name: .cdelc
Source: credui.dll.4.dr Static PE information: section name: .qkhkj
Source: credui.dll.4.dr Static PE information: section name: .mnzegr
Source: credui.dll.4.dr Static PE information: section name: .krw
Source: credui.dll.4.dr Static PE information: section name: .jvsmn
Source: credui.dll.4.dr Static PE information: section name: .bygpq
Source: credui.dll.4.dr Static PE information: section name: .kzdbu
Source: credui.dll.4.dr Static PE information: section name: .mwxorn
Source: credui.dll.4.dr Static PE information: section name: .raf
Source: credui.dll.4.dr Static PE information: section name: .zcyw
Source: credui.dll.4.dr Static PE information: section name: .zeczh
Source: credui.dll.4.dr Static PE information: section name: .pvv
Source: credui.dll.4.dr Static PE information: section name: .lug
Source: credui.dll.4.dr Static PE information: section name: .ski
Source: credui.dll.4.dr Static PE information: section name: .japjd
Source: credui.dll.4.dr Static PE information: section name: .mwtzml
Source: credui.dll.4.dr Static PE information: section name: .vgssf
Source: credui.dll.4.dr Static PE information: section name: .gsroye
Source: credui.dll.4.dr Static PE information: section name: .vcmr
Source: credui.dll.4.dr Static PE information: section name: .kvjqnl
Source: credui.dll.4.dr Static PE information: section name: .zlu
Source: credui.dll.4.dr Static PE information: section name: .nrcvk
Source: credui.dll.4.dr Static PE information: section name: .pfz
Source: credui.dll.4.dr Static PE information: section name: .hxz
Source: credui.dll.4.dr Static PE information: section name: .snjrs
Source: credui.dll.4.dr Static PE information: section name: .bffts
Source: credui.dll.4.dr Static PE information: section name: .oqqo
Source: credui.dll.4.dr Static PE information: section name: .ancqi
Source: credui.dll.4.dr Static PE information: section name: .wnpyu
Source: credui.dll.4.dr Static PE information: section name: .eflx
Source: credui.dll.4.dr Static PE information: section name: .mjql
Source: credui.dll.4.dr Static PE information: section name: .drmed
Source: credui.dll.4.dr Static PE information: section name: .hhviua
Source: DUI70.dll0.4.dr Static PE information: section name: .vxl
Source: DUI70.dll0.4.dr Static PE information: section name: .qwubgr
Source: DUI70.dll0.4.dr Static PE information: section name: .eer
Source: DUI70.dll0.4.dr Static PE information: section name: .xwwauf
Source: DUI70.dll0.4.dr Static PE information: section name: .pkc
Source: DUI70.dll0.4.dr Static PE information: section name: .npkda
Source: DUI70.dll0.4.dr Static PE information: section name: .vhs
Source: DUI70.dll0.4.dr Static PE information: section name: .iaywj
Source: DUI70.dll0.4.dr Static PE information: section name: .nasi
Source: DUI70.dll0.4.dr Static PE information: section name: .zhvprh
Source: DUI70.dll0.4.dr Static PE information: section name: .yatdsp
Source: DUI70.dll0.4.dr Static PE information: section name: .njso
Source: DUI70.dll0.4.dr Static PE information: section name: .lgliat
Source: DUI70.dll0.4.dr Static PE information: section name: .ntqjh
Source: DUI70.dll0.4.dr Static PE information: section name: .sucsek
Source: DUI70.dll0.4.dr Static PE information: section name: .qsxjui
Source: DUI70.dll0.4.dr Static PE information: section name: .twctcm
Source: DUI70.dll0.4.dr Static PE information: section name: .nms
Source: DUI70.dll0.4.dr Static PE information: section name: .ogj
Source: DUI70.dll0.4.dr Static PE information: section name: .vrkgb
Source: DUI70.dll0.4.dr Static PE information: section name: .gikfw
Source: DUI70.dll0.4.dr Static PE information: section name: .ktl
Source: DUI70.dll0.4.dr Static PE information: section name: .crcn
Source: DUI70.dll0.4.dr Static PE information: section name: .wtfr
Source: DUI70.dll0.4.dr Static PE information: section name: .hep
Source: DUI70.dll0.4.dr Static PE information: section name: .ywg
Source: DUI70.dll0.4.dr Static PE information: section name: .sqsp
Source: DUI70.dll0.4.dr Static PE information: section name: .gzb
Source: DUI70.dll0.4.dr Static PE information: section name: .fatlss
Source: DUI70.dll0.4.dr Static PE information: section name: .plqa
Source: DUI70.dll0.4.dr Static PE information: section name: .vzt
Source: DUI70.dll0.4.dr Static PE information: section name: .dsbyd
Source: DUI70.dll0.4.dr Static PE information: section name: .cdelc
Source: DUI70.dll0.4.dr Static PE information: section name: .qkhkj
Source: DUI70.dll0.4.dr Static PE information: section name: .mnzegr
Source: DUI70.dll0.4.dr Static PE information: section name: .krw
Source: DUI70.dll0.4.dr Static PE information: section name: .jvsmn
Source: DUI70.dll0.4.dr Static PE information: section name: .bygpq
Source: DUI70.dll0.4.dr Static PE information: section name: .kzdbu
Source: DUI70.dll0.4.dr Static PE information: section name: .mwxorn
Source: DUI70.dll0.4.dr Static PE information: section name: .raf
Source: DUI70.dll0.4.dr Static PE information: section name: .zcyw
Source: DUI70.dll0.4.dr Static PE information: section name: .zeczh
Source: DUI70.dll0.4.dr Static PE information: section name: .pvv
Source: DUI70.dll0.4.dr Static PE information: section name: .lug
Source: DUI70.dll0.4.dr Static PE information: section name: .ski
Source: DUI70.dll0.4.dr Static PE information: section name: .japjd
Source: DUI70.dll0.4.dr Static PE information: section name: .mwtzml
Source: DUI70.dll0.4.dr Static PE information: section name: .vgssf
Source: DUI70.dll0.4.dr Static PE information: section name: .gsroye
Source: DUI70.dll0.4.dr Static PE information: section name: .vcmr
Source: DUI70.dll0.4.dr Static PE information: section name: .kvjqnl
Source: DUI70.dll0.4.dr Static PE information: section name: .zlu
Source: DUI70.dll0.4.dr Static PE information: section name: .nrcvk
Source: DUI70.dll0.4.dr Static PE information: section name: .pfz
Source: DUI70.dll0.4.dr Static PE information: section name: .hxz
Source: DUI70.dll0.4.dr Static PE information: section name: .snjrs
Source: DUI70.dll0.4.dr Static PE information: section name: .bffts
Source: DUI70.dll0.4.dr Static PE information: section name: .oqqo
Source: DUI70.dll0.4.dr Static PE information: section name: .ancqi
Source: DUI70.dll0.4.dr Static PE information: section name: .wnpyu
Source: DUI70.dll0.4.dr Static PE information: section name: .eflx
Source: DUI70.dll0.4.dr Static PE information: section name: .mjql
Source: DUI70.dll0.4.dr Static PE information: section name: .drmed
Source: DUI70.dll0.4.dr Static PE information: section name: .wfyzc
Source: C:\Users\user\AppData\Local\daH0n9\WFS.exe Code function: 25_2_00007FF7E0704858 LoadLibraryW,GetProcAddress,FreeLibrary, 25_2_00007FF7E0704858
Source: DmNotificationBroker.exe.4.dr Static PE information: 0xF8A808F8 [Tue Mar 14 06:45:12 2102 UTC]
Source: initial sample Static PE information: section name: .text entropy: 7.78392111205
Source: initial sample Static PE information: section name: .text entropy: 7.78392111205
Source: initial sample Static PE information: section name: .text entropy: 7.78392111205
Source: initial sample Static PE information: section name: .text entropy: 7.78392111205
Source: initial sample Static PE information: section name: .text entropy: 7.78392111205
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\WRsLe\DmNotificationBroker.exe Jump to dropped file
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\WRsLe\DUI70.dll Jump to dropped file
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\A3MiXbeK\WINMM.dll Jump to dropped file
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\daH0n9\credui.dll Jump to dropped file
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\daH0n9\WFS.exe Jump to dropped file
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\pEcAZnNU3\DUI70.dll Jump to dropped file
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\A3MiXbeK\PresentationSettings.exe Jump to dropped file
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\pEcAZnNU3\DmNotificationBroker.exe Jump to dropped file

Hooking and other Techniques for Hiding and Protection

barindex
Source: explorer.exe User mode code has changed: module: ntdll.dll function: ZwSetEvent new code: 0xE9 0x9B 0xBB 0xB5 0x5E 0xEF
Source: C:\Users\user\AppData\Local\daH0n9\WFS.exe Code function: 25_2_00007FF7E06F4CD4 FindWindowW,#2906,SetForegroundWindow,SendMessageW,GetCommandLineW,memset,IsWindowVisible,#4124,GetLastError,SetForegroundWindow,SendMessageW,#6610,GetLastError,#6632,IsWindowVisible,PostMessageW,GetLastActivePopup,#2906,IsIconic,#6632,SetForegroundWindow,PostMessageW,PostMessageW,PostMessageW, 25_2_00007FF7E06F4CD4
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\daH0n9\WFS.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\daH0n9\WFS.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\explorer.exe TID: 5632 Thread sleep count: 31 > 30 Jump to behavior
Source: C:\Users\user\AppData\Local\A3MiXbeK\PresentationSettings.exe Code function: 18_2_00007FF7B445649C rdtsc 18_2_00007FF7B445649C
Source: C:\Users\user\AppData\Local\A3MiXbeK\PresentationSettings.exe Check user administrative privileges: GetTokenInformation,DecisionNodes
Source: C:\Users\user\AppData\Local\WRsLe\DmNotificationBroker.exe Check user administrative privileges: GetTokenInformation,DecisionNodes
Source: C:\Windows\System32\loaddll64.exe Check user administrative privileges: GetTokenInformation,DecisionNodes
Source: C:\Users\user\AppData\Local\A3MiXbeK\PresentationSettings.exe API coverage: 6.4 %
Source: C:\Users\user\AppData\Local\daH0n9\WFS.exe API coverage: 0.1 %
Source: C:\Windows\System32\loaddll64.exe Process information queried: ProcessInformation Jump to behavior
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFC6471DDC0 GetSystemInfo, 0_2_00007FFC6471DDC0
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFC6471ED10 FindFirstFileExW, 0_2_00007FFC6471ED10
Source: C:\Users\user\AppData\Local\A3MiXbeK\PresentationSettings.exe Code function: 18_2_00007FF7B4464518 PathAppendW,FindFirstFileW,PathAppendW,GetLastError,PathFindExtensionW,StrCmpICW,FindNextFileW,FindClose,GetLastError, 18_2_00007FF7B4464518
Source: C:\Users\user\AppData\Local\A3MiXbeK\PresentationSettings.exe Code function: 18_2_00007FFC669CED10 FindFirstFileExW, 18_2_00007FFC669CED10
Source: C:\Users\user\AppData\Local\WRsLe\DmNotificationBroker.exe Code function: 21_2_00007FFC6697ED10 FindFirstFileExW, 21_2_00007FFC6697ED10
Source: C:\Users\user\AppData\Local\daH0n9\WFS.exe Code function: 25_2_00007FF7E07071B0 #626,memset,#6887,#1122,#1287,FindFirstFileW,GetLastError,#6886,#1122,#1287,#1287,#624,EnterCriticalSection,LeaveCriticalSection,FindNextFileW,GetLastError,FindClose,#6887,#1040,SendMessageW, 25_2_00007FF7E07071B0
Source: C:\Users\user\AppData\Local\daH0n9\WFS.exe Code function: 25_2_00007FF7E07389BC wcscpy_s,wcscat_s,FindFirstFileW,_wcsicmp,FindNextFileW,GetLastError,FindClose, 25_2_00007FF7E07389BC
Source: C:\Users\user\AppData\Local\daH0n9\WFS.exe Code function: 25_2_00007FF7E0705B40 #626,#626,memset,memset,#6887,#620,#1122,#1040,#1287,FindFirstFileW,GetLastError,#6886,#620,#1122,#1040,#1287,#1287,#620,EnterCriticalSection,LeaveCriticalSection,FindNextFileW,GetLastError,FindClose,#6887,#1040,#1040,SendMessageW, 25_2_00007FF7E0705B40
Source: C:\Users\user\AppData\Local\daH0n9\WFS.exe Code function: 25_2_00007FF7E07230D8 SendMessageW,GetLastError,wcschr,#626,#2846,FindFirstFileW,GetLastError,#1040,#626,memset,GetLastError,ReadFile,GetLastError,CloseHandle,FindNextFileW,GetLastError,FindClose,GetLastError,#1040,CloseHandle,SendMessageW,#4262,#640,#1122,#1040,#6395,#6395, 25_2_00007FF7E07230D8
Source: C:\Users\user\AppData\Local\daH0n9\WFS.exe Code function: 25_2_00007FF7E06FF0AC GetTempPathW,GetLastError,wcsrchr,_wcsnset,GetCurrentProcessId,FindFirstFileW,GetLastError,DeleteFileW,GetLastError,FindNextFileW,GetLastError,GetLastError,FindClose, 25_2_00007FF7E06FF0AC
Source: explorer.exe, 00000004.00000000.276254319.0000000008153000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000
Source: explorer.exe, 00000004.00000000.335839372.0000000008223000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}m&ven_n
Source: explorer.exe, 00000004.00000000.343329822.0000000000680000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: _VMware_SATA_CD00#5&280b647&
Source: explorer.exe, 00000004.00000000.343361279.000000000069D000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000004.00000000.276484817.0000000008223000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: VMware SATA CD00
Source: explorer.exe, 00000004.00000000.276484817.0000000008223000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}t]
Source: explorer.exe, 00000004.00000000.331399328.00000000062C4000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000004.00000000.269868988.0000000004287000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}0
Source: explorer.exe, 00000004.00000000.276452579.000000000820E000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000
Source: explorer.exe, 00000004.00000000.276254319.0000000008153000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000
Source: explorer.exe, 00000004.00000000.276484817.0000000008223000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: VMware SATA CD00l
Source: C:\Users\user\AppData\Local\A3MiXbeK\PresentationSettings.exe Code function: 18_2_00007FF7B4451AC8 GetCurrentThreadId,memset,IsDebuggerPresent,OutputDebugStringW, 18_2_00007FF7B4451AC8
Source: C:\Users\user\AppData\Local\daH0n9\WFS.exe Code function: 25_2_00007FF7E0704858 LoadLibraryW,GetProcAddress,FreeLibrary, 25_2_00007FF7E0704858
Source: C:\Users\user\AppData\Local\A3MiXbeK\PresentationSettings.exe Code function: 18_2_00007FF7B4453468 WaitForSingleObjectEx,GetLastError,CloseHandle,SetLastError,GetLastError,CloseHandle,SetLastError,GetLastError,ReleaseMutex,SetLastError,GetProcessHeap,HeapFree,ReleaseMutex, 18_2_00007FF7B4453468
Source: C:\Users\user\AppData\Local\A3MiXbeK\PresentationSettings.exe Code function: 18_2_00007FF7B445649C rdtsc 18_2_00007FF7B445649C
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFC647097D0 LdrLoadDll,FindClose, 0_2_00007FFC647097D0
Source: C:\Users\user\AppData\Local\A3MiXbeK\PresentationSettings.exe Code function: 18_2_00007FF7B4465460 SetUnhandledExceptionFilter, 18_2_00007FF7B4465460
Source: C:\Users\user\AppData\Local\A3MiXbeK\PresentationSettings.exe Code function: 18_2_00007FF7B44651B0 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 18_2_00007FF7B44651B0
Source: C:\Users\user\AppData\Local\WRsLe\DmNotificationBroker.exe Code function: 21_2_00007FF793F62780 SetUnhandledExceptionFilter, 21_2_00007FF793F62780
Source: C:\Users\user\AppData\Local\WRsLe\DmNotificationBroker.exe Code function: 21_2_00007FF793F62AB4 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 21_2_00007FF793F62AB4
Source: C:\Users\user\AppData\Local\daH0n9\WFS.exe Code function: 25_2_00007FF7E07548F4 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 25_2_00007FF7E07548F4
Source: C:\Users\user\AppData\Local\daH0n9\WFS.exe Code function: 25_2_00007FF7E0754CF0 SetUnhandledExceptionFilter, 25_2_00007FF7E0754CF0

HIPS / PFW / Operating System Protection Evasion

barindex
Source: C:\Windows\explorer.exe File created: WINMM.dll.4.dr Jump to dropped file
Source: C:\Windows\System32\rundll32.exe Memory protected: C:\Windows\explorer.exe base: 7FFC866FEFE0 protect: page execute and read and write Jump to behavior
Source: C:\Windows\System32\rundll32.exe Memory protected: C:\Windows\explorer.exe base: 7FFC866FE000 protect: page execute read Jump to behavior
Source: C:\Windows\System32\rundll32.exe Memory protected: C:\Windows\explorer.exe base: 7FFC85C32A20 protect: page execute and read and write Jump to behavior
Source: C:\Windows\System32\rundll32.exe Thread APC queued: target process: C:\Windows\explorer.exe Jump to behavior
Source: C:\Windows\System32\rundll32.exe Atom created: 405553565741544156488D6C24D14881EC98 0x00000000 inc eax 0x00000001 push ebp 0x00000002 push ebx 0x00000003 push esi 0x00000004 push edi 0x00000005 inc ecx 0x00000006 push esp 0x00000007 inc ecx 0x00000008 push esi 0x00000009 dec eax 0x0000000a lea ebp, dword ptr [esp-2Fh] 0x0000000e dec eax 0x0000000f sub esp, 00000098h Jump to behavior
Source: C:\Users\user\AppData\Local\daH0n9\WFS.exe Code function: 25_2_00007FF7E073D58C memset,memset,CredUIParseUserNameW,LogonUserW,GetLastError,DuplicateToken,GetLastError,CloseHandle, 25_2_00007FF7E073D58C
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\elBAfme5gQ.dll",#1 Jump to behavior
Source: explorer.exe, 00000004.00000000.298751933.0000000000688000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.321239545.0000000000688000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.343343863.0000000000688000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: ProgmanEXE^
Source: explorer.exe, 00000004.00000000.335577831.0000000008153000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.306264375.0000000005920000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.343771520.0000000000BE0000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000004.00000000.343771520.0000000000BE0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000004.00000000.300542154.0000000000BE0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000004.00000000.267257987.0000000000BE0000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Progman
Source: explorer.exe, 00000004.00000000.343771520.0000000000BE0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000004.00000000.300542154.0000000000BE0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000004.00000000.267257987.0000000000BE0000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Progmanlock
Source: explorer.exe, 00000004.00000000.299603676.000000000069D000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.267032730.000000000069D000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.321326360.000000000069D000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Shell_TrayWnd4
Source: explorer.exe, 00000004.00000000.343771520.0000000000BE0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000004.00000000.300542154.0000000000BE0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000004.00000000.267257987.0000000000BE0000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: WProgram Manager
Source: C:\Users\user\AppData\Local\daH0n9\WFS.exe Code function: GetLocaleInfoEx, 25_2_00007FF7E06FE120
Source: C:\Users\user\AppData\Local\daH0n9\WFS.exe Code function: #1568,GetLocaleInfoW,GetLastError,#1471,PostMessageW,#1567,#626,#2846, 25_2_00007FF7E0725814
Source: C:\Users\user\AppData\Local\daH0n9\WFS.exe Code function: #2846,GetNumberFormatW,GetLastError,GetLocaleInfoW,GetLastError,wcsstr,memset,#2846, 25_2_00007FF7E0704934
Source: C:\Users\user\AppData\Local\daH0n9\WFS.exe Code function: GetUserPreferredUILanguages,GetLastError,GetUserPreferredUILanguages,GetLocaleInfoEx,free, 25_2_00007FF7E06FDA70
Source: C:\Windows\System32\loaddll64.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion InstallDate Jump to behavior
Source: C:\Windows\System32\loaddll64.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior
Source: C:\Users\user\AppData\Local\A3MiXbeK\PresentationSettings.exe Code function: 18_2_00007FF7B44655F0 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,GetTickCount,QueryPerformanceCounter, 18_2_00007FF7B44655F0
Source: C:\Users\user\AppData\Local\daH0n9\WFS.exe Code function: 25_2_00007FF7E07243D0 memset,memset,memset,memset,#626,#626,GetVersion,GetOpenFileNameW,#624,#624,#1040,#1040,#1040,#1040, 25_2_00007FF7E07243D0
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFC64709400 GetUserNameW, 0_2_00007FFC64709400
Source: C:\Users\user\AppData\Local\WRsLe\DmNotificationBroker.exe Code function: 21_2_00007FF793F621B8 RpcBindingCreateW,RpcBindingBind,NdrClientCall3,RpcBindingFree, 21_2_00007FF793F621B8
Source: C:\Users\user\AppData\Local\WRsLe\DmNotificationBroker.exe Code function: 21_2_00007FF793F622F0 RpcBindingFree, 21_2_00007FF793F622F0
No contacted IP infos