
Windows Analysis Report
elBAfme5gQ

Overview

General Information

Sample Name: elBAfme5gQ (renamed file extension from none to dll)
Analysis ID: 595323
MD5: ca7c6f265e4bc09e6d9d0b2b6234e8b3
SHA1: 1720aadb4965df64ee40d32957ee6080500639b2
SHA256: a8f566b8d2d9f9a418211039cb76552d460f83195d519a89313a880ead9bd4a4
Tags: Dridexexe

Detection

Dridex
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Yara detected Dridex unpacked file
Multi AV Scanner detection for submitted file
Benign windows process drops PE files
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Changes memory attributes in foreign processes to executable or writable
Machine Learning detection for sample
Modifies the prolog of user mode functions (user mode inline hooks)
Queues an APC in another process (thread injection)
Sigma detected: Suspicious Call by Ordinal
Machine Learning detection for dropped file
Uses Atom Bombing / ProGate to inject into other processes
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query locales information (e.g. system language)
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Contains functionality to execute programs as a different user
PE file contains sections with non-standard names
Queries the installation date of Windows
Detected potential crypto function
Found potential string decryption / allocating functions
Contains functionality to call native functions
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to dynamically determine API calls
Contains functionality which may be used to detect a debugger (GetProcessHeap)
PE file contains executable resources (Code or Archives)
Contains functionality for execution timing, often used to detect debuggers
Sample file is different than original file name gathered from version info
PE file contains strange resources
Drops PE files
Tries to load missing DLLs
Found evasive API chain checking for process token information
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Binary contains a suspicious time stamp
PE file contains more sections than normal
Found large amount of non-executed APIs
Uses Microsoft's Enhanced Cryptographic Provider
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

  • System is w10x64
  • loaddll64.exe (PID: 6828 cmdline: loaddll64.exe "C:\Users\user\Desktop\elBAfme5gQ.dll" MD5: 4E8A40CAD6CCC047914E3A7830A2D8AA)
    • cmd.exe (PID: 6836 cmdline: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\elBAfme5gQ.dll",#1 MD5: 4E2ACF4F8A396486AB4268C94A6A245F)
      • rundll32.exe (PID: 6856 cmdline: rundll32.exe "C:\Users\user\Desktop\elBAfme5gQ.dll",#1 MD5: 73C519F050C20580F8A62C849D49215A)
    • rundll32.exe (PID: 6844 cmdline: rundll32.exe C:\Users\user\Desktop\elBAfme5gQ.dll,CreateXmlReader MD5: 73C519F050C20580F8A62C849D49215A)
      • explorer.exe (PID: 3968 cmdline: C:\Windows\Explorer.EXE MD5: AD5296B280E8F522A8A897C96BAB0E1D)
        • PresentationSettings.exe (PID: 7040 cmdline: C:\Windows\system32\PresentationSettings.exe MD5: 76086DD04B6760277A2B897345A0B457)
        • PresentationSettings.exe (PID: 5432 cmdline: C:\Users\user\AppData\Local\A3MiXbeK\PresentationSettings.exe MD5: 76086DD04B6760277A2B897345A0B457)
        • DmNotificationBroker.exe (PID: 5352 cmdline: C:\Windows\system32\DmNotificationBroker.exe MD5: 1643D5735213BC89C0012F0E48253765)
        • DmNotificationBroker.exe (PID: 5876 cmdline: C:\Users\user\AppData\Local\WRsLe\DmNotificationBroker.exe MD5: 1643D5735213BC89C0012F0E48253765)
        • WFS.exe (PID: 4504 cmdline: C:\Windows\system32\WFS.exe MD5: CD6ACF3B997099B6CFB2417D3942F755)
        • WFS.exe (PID: 6212 cmdline: C:\Users\user\AppData\Local\daH0n9\WFS.exe MD5: CD6ACF3B997099B6CFB2417D3942F755)
        • DmNotificationBroker.exe (PID: 6008 cmdline: C:\Windows\system32\DmNotificationBroker.exe MD5: 1643D5735213BC89C0012F0E48253765)
        • DmNotificationBroker.exe (PID: 1804 cmdline: C:\Users\user\AppData\Local\pEcAZnNU3\DmNotificationBroker.exe MD5: 1643D5735213BC89C0012F0E48253765)
        • wusa.exe (PID: 6376 cmdline: C:\Windows\system32\wusa.exe MD5: 04CE745559916B99248F266BBF5F9ED9)
    • rundll32.exe (PID: 6896 cmdline: rundll32.exe C:\Users\user\Desktop\elBAfme5gQ.dll,CreateXmlReaderInputWithEncodingCodePage MD5: 73C519F050C20580F8A62C849D49215A)
    • rundll32.exe (PID: 6928 cmdline: rundll32.exe C:\Users\user\Desktop\elBAfme5gQ.dll,CreateXmlReaderInputWithEncodingName MD5: 73C519F050C20580F8A62C849D49215A)
  • cleanup
No configs have been found
Yara matches in memory dumps (Source, Rule, Description, Author):
Source: 00000015.00000002.455715001.00007FFC66921000.00000020.00000001.01000000.0000000C.sdmp, Rule: JoeSecurity_Dridex_2, Description: Yara detected Dridex unpacked file, Author: Joe Security
Source: 00000002.00000002.382683427.00007FFC646C1000.00000020.00000001.01000000.00000003.sdmp, Rule: JoeSecurity_Dridex_2, Description: Yara detected Dridex unpacked file, Author: Joe Security
Source: 0000001F.00000002.529541082.00007FFC67881000.00000020.00000001.01000000.00000010.sdmp, Rule: JoeSecurity_Dridex_2, Description: Yara detected Dridex unpacked file, Author: Joe Security
Source: 00000006.00000002.279312817.00007FFC646C1000.00000020.00000001.01000000.00000003.sdmp, Rule: JoeSecurity_Dridex_2, Description: Yara detected Dridex unpacked file, Author: Joe Security
Source: 00000003.00000002.265252224.00007FFC646C1000.00000020.00000001.01000000.00000003.sdmp, Rule: JoeSecurity_Dridex_2, Description: Yara detected Dridex unpacked file, Author: Joe Security
Yara matches in unpacked PE files (Source, Rule, Description, Author):
Source: 18.2.PresentationSettings.exe.7ffc66970000.3.unpack, Rule: JoeSecurity_Dridex_2, Description: Yara detected Dridex unpacked file, Author: Joe Security
Source: 25.2.WFS.exe.7ffc66970000.3.unpack, Rule: JoeSecurity_Dridex_2, Description: Yara detected Dridex unpacked file, Author: Joe Security
Source: 2.2.rundll32.exe.7ffc646c0000.2.unpack, Rule: JoeSecurity_Dridex_2, Description: Yara detected Dridex unpacked file, Author: Joe Security
Source: 31.2.DmNotificationBroker.exe.7ffc67880000.3.unpack, Rule: JoeSecurity_Dridex_2, Description: Yara detected Dridex unpacked file, Author: Joe Security
Source: 5.2.rundll32.exe.7ffc646c0000.2.unpack, Rule: JoeSecurity_Dridex_2, Description: Yara detected Dridex unpacked file, Author: Joe Security

System Summary

Source: Process started, Author: Florian Roth, Data: Command: rundll32.exe "C:\Users\user\Desktop\elBAfme5gQ.dll",#1, CommandLine: rundll32.exe "C:\Users\user\Desktop\elBAfme5gQ.dll",#1, CommandLine|base64offset|contains: , Image: C:\Windows\System32\rundll32.exe, NewProcessName: C:\Windows\System32\rundll32.exe, OriginalFileName: C:\Windows\System32\rundll32.exe, ParentCommandLine: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\elBAfme5gQ.dll",#1, ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 6836, ProcessCommandLine: rundll32.exe "C:\Users\user\Desktop\elBAfme5gQ.dll",#1, ProcessId: 6856
Source: File created, Author: frack113, Data: EventID: 11, Image: C:\Windows\explorer.exe, ProcessId: 3968, TargetFilename: C:\Users\user\AppData\Local\A3MiXbeK\PresentationSettings.exe


AV Detection

Source: elBAfme5gQ.dll, Virustotal: Detection: 62%
Source: elBAfme5gQ.dll, Metadefender: Detection: 65%
Source: elBAfme5gQ.dll, ReversingLabs: Detection: 88%
Source: elBAfme5gQ.dll, Avira: detected
Source: C:\Users\user\AppData\Local\WRsLe\DUI70.dll, Avira: detection malicious, Label: TR/Crypt.XPACK.Gen4
Source: C:\Users\user\AppData\Local\daH0n9\credui.dll, Avira: detection malicious, Label: TR/Crypt.XPACK.Gen7
Source: C:\Users\user\AppData\Local\A3MiXbeK\WINMM.dll, Avira: detection malicious, Label: TR/Crypt.ZPACK.Gen
Source: elBAfme5gQ.dll, Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\WRsLe\DUI70.dll, Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\daH0n9\credui.dll, Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\A3MiXbeK\WINMM.dll, Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\daH0n9\WFS.exe, Code function: 25_2_00007FF7E073F500 CryptProtectData,GetLastError,RegSetValueExW,
Source: C:\Users\user\AppData\Local\daH0n9\WFS.exe, Code function: 25_2_00007FF7E073F5C8 RegQueryValueExW,RegQueryValueExW,CryptUnprotectData,GetLastError,LocalFree,
Source: elBAfme5gQ.dll, Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA
                      Source: Binary string: DmNotificationBroker.pdb source: DmNotificationBroker.exe, 00000015.00000000.431514520.00007FF793F65000.00000002.00000001.01000000.0000000B.sdmp, DmNotificationBroker.exe, 00000015.00000002.455649631.00007FF793F65000.00000002.00000001.01000000.0000000B.sdmp, DmNotificationBroker.exe, 0000001F.00000000.502738188.00007FF6DC635000.00000002.00000001.01000000.0000000F.sdmp, DmNotificationBroker.exe, 0000001F.00000002.529497507.00007FF6DC635000.00000002.00000001.01000000.0000000F.sdmp, DmNotificationBroker.exe0.4.dr, DmNotificationBroker.exe.4.dr
                      Source: Binary string: PresentationSettings.pdb source: PresentationSettings.exe, 00000012.00000002.417779681.00007FF7B4466000.00000002.00000001.01000000.00000009.sdmp, PresentationSettings.exe, 00000012.00000000.394587436.00007FF7B4466000.00000002.00000001.01000000.00000009.sdmp, PresentationSettings.exe.4.dr
                      Source: Binary string: DmNotificationBroker.pdbGCTL source: DmNotificationBroker.exe, 00000015.00000000.431514520.00007FF793F65000.00000002.00000001.01000000.0000000B.sdmp, DmNotificationBroker.exe, 00000015.00000002.455649631.00007FF793F65000.00000002.00000001.01000000.0000000B.sdmp, DmNotificationBroker.exe, 0000001F.00000000.502738188.00007FF6DC635000.00000002.00000001.01000000.0000000F.sdmp, DmNotificationBroker.exe, 0000001F.00000002.529497507.00007FF6DC635000.00000002.00000001.01000000.0000000F.sdmp, DmNotificationBroker.exe0.4.dr, DmNotificationBroker.exe.4.dr
                      Source: Binary string: Wfs.pdbGCTL source: WFS.exe, 00000019.00000002.489112517.00007FF7E075C000.00000002.00000001.01000000.0000000D.sdmp, WFS.exe, 00000019.00000000.461037552.00007FF7E075C000.00000002.00000001.01000000.0000000D.sdmp, WFS.exe.4.dr
                      Source: Binary string: Wfs.pdb source: WFS.exe, 00000019.00000002.489112517.00007FF7E075C000.00000002.00000001.01000000.0000000D.sdmp, WFS.exe, 00000019.00000000.461037552.00007FF7E075C000.00000002.00000001.01000000.0000000D.sdmp, WFS.exe.4.dr
                      Source: Binary string: PresentationSettings.pdbGCTL source: PresentationSettings.exe, 00000012.00000002.417779681.00007FF7B4466000.00000002.00000001.01000000.00000009.sdmp, PresentationSettings.exe, 00000012.00000000.394587436.00007FF7B4466000.00000002.00000001.01000000.00000009.sdmp, PresentationSettings.exe.4.dr
Source: C:\Windows\System32\loaddll64.exe, Code function: 0_2_00007FFC6471ED10 FindFirstFileExW,
Source: C:\Users\user\AppData\Local\A3MiXbeK\PresentationSettings.exe, Code function: 18_2_00007FF7B4464518 PathAppendW,FindFirstFileW,PathAppendW,GetLastError,PathFindExtensionW,StrCmpICW,FindNextFileW,FindClose,GetLastError,
Source: C:\Users\user\AppData\Local\A3MiXbeK\PresentationSettings.exe, Code function: 18_2_00007FFC669CED10 FindFirstFileExW,
Source: C:\Users\user\AppData\Local\WRsLe\DmNotificationBroker.exe, Code function: 21_2_00007FFC6697ED10 FindFirstFileExW,
Source: C:\Users\user\AppData\Local\daH0n9\WFS.exe, Code function: 25_2_00007FF7E07071B0 #626,memset,#6887,#1122,#1287,FindFirstFileW,GetLastError,#6886,#1122,#1287,#1287,#624,EnterCriticalSection,LeaveCriticalSection,FindNextFileW,GetLastError,FindClose,#6887,#1040,SendMessageW,
Source: C:\Users\user\AppData\Local\daH0n9\WFS.exe, Code function: 25_2_00007FF7E07389BC wcscpy_s,wcscat_s,FindFirstFileW,_wcsicmp,FindNextFileW,GetLastError,FindClose,
Source: C:\Users\user\AppData\Local\daH0n9\WFS.exe, Code function: 25_2_00007FF7E0705B40 #626,#626,memset,memset,#6887,#620,#1122,#1040,#1287,FindFirstFileW,GetLastError,#6886,#620,#1122,#1040,#1287,#1287,#620,EnterCriticalSection,LeaveCriticalSection,FindNextFileW,GetLastError,FindClose,#6887,#1040,#1040,SendMessageW,
Source: C:\Users\user\AppData\Local\daH0n9\WFS.exe, Code function: 25_2_00007FF7E07230D8 SendMessageW,GetLastError,wcschr,#626,#2846,FindFirstFileW,GetLastError,#1040,#626,memset,GetLastError,ReadFile,GetLastError,CloseHandle,FindNextFileW,GetLastError,FindClose,GetLastError,#1040,CloseHandle,SendMessageW,#4262,#640,#1122,#1040,#6395,#6395,
Source: C:\Users\user\AppData\Local\daH0n9\WFS.exe, Code function: 25_2_00007FF7E06FF0AC GetTempPathW,GetLastError,wcsrchr,_wcsnset,GetCurrentProcessId,FindFirstFileW,GetLastError,DeleteFileW,GetLastError,FindNextFileW,GetLastError,GetLastError,FindClose,

E-Banking Fraud

Source: Yara match, File source: 18.2.PresentationSettings.exe.7ffc66970000.3.unpack, type: UNPACKEDPE
Source: Yara match, File source: 25.2.WFS.exe.7ffc66970000.3.unpack, type: UNPACKEDPE
Source: Yara match, File source: 2.2.rundll32.exe.7ffc646c0000.2.unpack, type: UNPACKEDPE
Source: Yara match, File source: 31.2.DmNotificationBroker.exe.7ffc67880000.3.unpack, type: UNPACKEDPE
Source: Yara match, File source: 5.2.rundll32.exe.7ffc646c0000.2.unpack, type: UNPACKEDPE
Source: Yara match, File source: 3.2.rundll32.exe.7ffc646c0000.2.unpack, type: UNPACKEDPE
Source: Yara match, File source: 0.2.loaddll64.exe.7ffc646c0000.2.unpack, type: UNPACKEDPE
Source: Yara match, File source: 6.2.rundll32.exe.7ffc646c0000.2.unpack, type: UNPACKEDPE
Source: Yara match, File source: 21.2.DmNotificationBroker.exe.7ffc66920000.3.unpack, type: UNPACKEDPE
Source: Yara match, File source: 00000015.00000002.455715001.00007FFC66921000.00000020.00000001.01000000.0000000C.sdmp, type: MEMORY
Source: Yara match, File source: 00000002.00000002.382683427.00007FFC646C1000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match, File source: 0000001F.00000002.529541082.00007FFC67881000.00000020.00000001.01000000.00000010.sdmp, type: MEMORY
Source: Yara match, File source: 00000006.00000002.279312817.00007FFC646C1000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match, File source: 00000003.00000002.265252224.00007FFC646C1000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match, File source: 00000000.00000002.285761236.00007FFC646C1000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match, File source: 00000019.00000002.489503728.00007FFC66971000.00000020.00000001.01000000.0000000E.sdmp, type: MEMORY
Source: Yara match, File source: 00000012.00000002.417833376.00007FFC66971000.00000020.00000001.01000000.0000000A.sdmp, type: MEMORY
Source: Yara match, File source: 00000005.00000002.271180425.00007FFC646C1000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
                      Source: C:\Users\user\AppData\Local\A3MiXbeK\PresentationSettings.exeCode function: 18_2_00007FFC669EEF80
                      Source: C:\Users\user\AppData\Local\A3MiXbeK\PresentationSettings.exeCode function: 18_2_00007FFC66976790
                      Source: C:\Users\user\AppData\Local\A3MiXbeK\PresentationSettings.exeCode function: 18_2_00007FFC66996FE0
                      Source: C:\Users\user\AppData\Local\A3MiXbeK\PresentationSettings.exeCode function: 18_2_00007FFC669E4FF0
                      Source: C:\Users\user\AppData\Local\A3MiXbeK\PresentationSettings.exeCode function: 18_2_00007FFC66988FC0
                      Source: C:\Users\user\AppData\Local\A3MiXbeK\PresentationSettings.exeCode function: 18_2_00007FFC6698A7D0
                      Source: C:\Users\user\AppData\Local\A3MiXbeK\PresentationSettings.exeCode function: 18_2_00007FFC669C8D20
                      Source: C:\Users\user\AppData\Local\A3MiXbeK\PresentationSettings.exeCode function: 18_2_00007FFC669A1D30
                      Source: C:\Users\user\AppData\Local\A3MiXbeK\PresentationSettings.exeCode function: 18_2_00007FFC669A0D10
                      Source: C:\Users\user\AppData\Local\A3MiXbeK\PresentationSettings.exeCode function: 18_2_00007FFC66989D70
                      Source: C:\Users\user\AppData\Local\A3MiXbeK\PresentationSettings.exeCode function: 18_2_00007FFC66993D50
                      Source: C:\Users\user\AppData\Local\A3MiXbeK\PresentationSettings.exeCode function: 18_2_00007FFC6699D550
                      Source: C:\Users\user\AppData\Local\A3MiXbeK\PresentationSettings.exeCode function: 18_2_00007FFC669DE4A6
                      Source: C:\Users\user\AppData\Local\A3MiXbeK\PresentationSettings.exeCode function: 18_2_00007FFC669D2CA0
                      Source: C:\Users\user\AppData\Local\A3MiXbeK\PresentationSettings.exeCode function: 18_2_00007FFC669DE49D
                      Source: C:\Users\user\AppData\Local\A3MiXbeK\PresentationSettings.exeCode function: 18_2_00007FFC669DE4B6
                      Source: C:\Users\user\AppData\Local\A3MiXbeK\PresentationSettings.exeCode function: 18_2_00007FFC669DE4AD
                      Source: C:\Users\user\AppData\Local\A3MiXbeK\PresentationSettings.exeCode function: 18_2_00007FFC669DE48B
                      Source: C:\Users\user\AppData\Local\A3MiXbeK\PresentationSettings.exeCode function: 18_2_00007FFC6699AC80
                      Source: C:\Users\user\AppData\Local\A3MiXbeK\PresentationSettings.exeCode function: 18_2_00007FFC669DE494
                      Source: C:\Users\user\AppData\Local\A3MiXbeK\PresentationSettings.exeCode function: 18_2_00007FFC669DA490
                      Source: C:\Users\user\AppData\Local\A3MiXbeK\PresentationSettings.exeCode function: 18_2_00007FFC669A3CF0
                      Source: C:\Users\user\AppData\Local\A3MiXbeK\PresentationSettings.exeCode function: 18_2_00007FFC66983CD0
                      Source: C:\Users\user\AppData\Local\A3MiXbeK\PresentationSettings.exeCode function: 18_2_00007FFC66971620
                      Source: C:\Users\user\AppData\Local\A3MiXbeK\PresentationSettings.exeCode function: 18_2_00007FFC6697DE20
                      Source: C:\Users\user\AppData\Local\A3MiXbeK\PresentationSettings.exeCode function: 18_2_00007FFC66993610
                      Source: C:\Users\user\AppData\Local\A3MiXbeK\PresentationSettings.exeCode function: 18_2_00007FFC669A2E10
                      Source: C:\Users\user\AppData\Local\A3MiXbeK\PresentationSettings.exeCode function: 18_2_00007FFC66988670
                      Source: C:\Users\user\AppData\Local\A3MiXbeK\PresentationSettings.exeCode function: 18_2_00007FFC669C0650
                      Source: C:\Users\user\AppData\Local\A3MiXbeK\PresentationSettings.exeCode function: 18_2_00007FFC6697C5A0
                      Source: C:\Users\user\AppData\Local\A3MiXbeK\PresentationSettings.exeCode function: 18_2_00007FFC669EC590
                      Source: C:\Users\user\AppData\Local\A3MiXbeK\PresentationSettings.exeCode function: 18_2_00007FFC669865E0
                      Source: C:\Users\user\AppData\Local\A3MiXbeK\PresentationSettings.exeCode function: 18_2_00007FFC669895C0
                      Source: C:\Users\user\AppData\Local\A3MiXbeK\PresentationSettings.exeCode function: 18_2_00007FFC669A25C0
                      Source: C:\Users\user\AppData\Local\A3MiXbeK\PresentationSettings.exeCode function: 18_2_00007FFC6697BB20
                      Source: C:\Users\user\AppData\Local\A3MiXbeK\PresentationSettings.exeCode function: 18_2_00007FFC669A1B30
                      Source: C:\Users\user\AppData\Local\A3MiXbeK\PresentationSettings.exeCode function: 18_2_00007FFC669A0300
                      Source: C:\Users\user\AppData\Local\A3MiXbeK\PresentationSettings.exeCode function: 18_2_00007FFC6699A310
                      Source: C:\Users\user\AppData\Local\A3MiXbeK\PresentationSettings.exeCode function: 18_2_00007FFC669A4360
                      Source: C:\Users\user\AppData\Local\A3MiXbeK\PresentationSettings.exeCode function: 18_2_00007FFC66993340
                      Source: C:\Users\user\AppData\Local\A3MiXbeK\PresentationSettings.exeCode function: 18_2_00007FFC66988340
                      Source: C:\Users\user\AppData\Local\A3MiXbeK\PresentationSettings.exeCode function: 18_2_00007FFC66975350
                      Source: C:\Users\user\AppData\Local\A3MiXbeK\PresentationSettings.exeCode function: 18_2_00007FFC669D5B50
                      Source: C:\Users\user\AppData\Local\A3MiXbeK\PresentationSettings.exeCode function: 18_2_00007FFC669D82A0
                      Source: C:\Users\user\AppData\Local\A3MiXbeK\PresentationSettings.exeCode function: 18_2_00007FFC669DAAA0
                      Source: C:\Users\user\AppData\Local\A3MiXbeK\PresentationSettings.exeCode function: 18_2_00007FFC6699DAA0
                      Source: C:\Users\user\AppData\Local\A3MiXbeK\PresentationSettings.exeCode function: 18_2_00007FFC669D2AE0
                      Source: C:\Users\user\AppData\Local\A3MiXbeK\PresentationSettings.exeCode function: 18_2_00007FFC669982E0
                      Source: C:\Users\user\AppData\Local\A3MiXbeK\PresentationSettings.exeCode function: 18_2_00007FFC669D7AF0
                      Source: C:\Users\user\AppData\Local\A3MiXbeK\PresentationSettings.exeCode function: 18_2_00007FFC669CF2C0
                      Source: C:\Users\user\AppData\Local\A3MiXbeK\PresentationSettings.exeCode function: 18_2_00007FFC669992C0
                      Source: C:\Users\user\AppData\Local\A3MiXbeK\PresentationSettings.exeCode function: 18_2_00007FFC669C22C0
                      Source: C:\Users\user\AppData\Local\A3MiXbeK\PresentationSettings.exeCode function: 18_2_00007FFC66975C20
                      Source: C:\Users\user\AppData\Local\A3MiXbeK\PresentationSettings.exeCode function: 18_2_00007FFC66985420
                      Source: C:\Users\user\AppData\Local\A3MiXbeK\PresentationSettings.exeCode function: 18_2_00007FFC669DE400
                      Source: C:\Users\user\AppData\Local\A3MiXbeK\PresentationSettings.exeCode function: 18_2_00007FFC669EFC00
                      Source: C:\Users\user\AppData\Local\A3MiXbeK\PresentationSettings.exeCode function: 18_2_00007FFC66987410
                      Source: C:\Users\user\AppData\Local\A3MiXbeK\PresentationSettings.exeCode function: 18_2_00007FFC669D9410
                      Source: C:\Users\user\AppData\Local\A3MiXbeK\PresentationSettings.exeCode function: 18_2_00007FFC669D4390
                      Source: C:\Users\user\AppData\Local\A3MiXbeK\PresentationSettings.exeCode function: 18_2_00007FFC669823F0
                      Source: C:\Users\user\AppData\Local\A3MiXbeK\PresentationSettings.exeCode function: 18_2_00007FFC669C4BC0
                      Source: C:\Users\user\AppData\Local\A3MiXbeK\PresentationSettings.exeCode function: 18_2_00007FFC669A6130
                      Source: C:\Users\user\AppData\Local\A3MiXbeK\PresentationSettings.exeCode function: 18_2_00007FFC6697B100
                      Source: C:\Users\user\AppData\Local\A3MiXbeK\PresentationSettings.exeCode function: 18_2_00007FFC6698E110
                      Source: C:\Users\user\AppData\Local\A3MiXbeK\PresentationSettings.exeCode function: 18_2_00007FFC66993910
                      Source: C:\Users\user\AppData\Local\A3MiXbeK\PresentationSettings.exeCode function: 18_2_00007FFC669DB960
                      Source: C:\Users\user\AppData\Local\A3MiXbeK\PresentationSettings.exeCode function: 18_2_00007FFC66994140
                      Source: C:\Users\user\AppData\Local\A3MiXbeK\PresentationSettings.exeCode function: 18_2_00007FFC669D6950
                      Source: C:\Users\user\AppData\Local\A3MiXbeK\PresentationSettings.exeCode function: 18_2_00007FFC669808B0
                      Source: C:\Users\user\AppData\Local\A3MiXbeK\PresentationSettings.exeCode function: 18_2_00007FFC669EC8B1
                      Source: C:\Users\user\AppData\Local\A3MiXbeK\PresentationSettings.exeCode function: 18_2_00007FFC6698D890
                      Source: C:\Users\user\AppData\Local\A3MiXbeK\PresentationSettings.exeCode function: 18_2_00007FFC669EC0EB
                      Source: C:\Users\user\AppData\Local\A3MiXbeK\PresentationSettings.exeCode function: 18_2_00007FFC669718D0
                      Source: C:\Users\user\AppData\Local\A3MiXbeK\PresentationSettings.exeCode function: 18_2_00007FFC669DB260
                      Source: C:\Users\user\AppData\Local\A3MiXbeK\PresentationSettings.exeCode function: 18_2_00007FFC66977A40
                      Source: C:\Users\user\AppData\Local\A3MiXbeK\PresentationSettings.exeCode function: 18_2_00007FFC669AB250
                      Source: C:\Users\user\AppData\Local\A3MiXbeK\PresentationSettings.exeCode function: 18_2_00007FFC6699E9A0
                      Source: C:\Users\user\AppData\Local\A3MiXbeK\PresentationSettings.exeCode function: 18_2_00007FFC6698E9B0
                      Source: C:\Users\user\AppData\Local\A3MiXbeK\PresentationSettings.exeCode function: 18_2_00007FFC669911B0
                      Source: C:\Users\user\AppData\Local\A3MiXbeK\PresentationSettings.exeCode function: 18_2_00007FFC66972980
                      Source: C:\Users\user\AppData\Local\A3MiXbeK\PresentationSettings.exeCode function: 18_2_00007FFC669A9990
                      Source: C:\Users\user\AppData\Local\A3MiXbeK\PresentationSettings.exeCode function: 18_2_00007FFC6699F1F0
                      Source: C:\Users\user\AppData\Local\A3MiXbeK\PresentationSettings.exeCode function: 18_2_00007FFC669A91F0
                      Source: C:\Users\user\AppData\Local\A3MiXbeK\PresentationSettings.exeCode function: 18_2_00007FFC669A89F0
                      Source: C:\Users\user\AppData\Local\A3MiXbeK\PresentationSettings.exeCode function: 18_2_00007FFC669969C0
                      Source: C:\Users\user\AppData\Local\A3MiXbeK\PresentationSettings.exeCode function: 18_2_00007FFC669A21D0
                      Source: C:\Users\user\AppData\Local\WRsLe\DmNotificationBroker.exeCode function: 21_2_00007FFC66955020
                      Source: C:\Users\user\AppData\Local\WRsLe\DmNotificationBroker.exeCode function: 21_2_00007FFC669697D0
                      Source: C:\Users\user\AppData\Local\WRsLe\DmNotificationBroker.exeCode function: 21_2_00007FFC6698D520
                      Source: C:\Users\user\AppData\Local\WRsLe\DmNotificationBroker.exeCode function: 21_2_00007FFC66955CD0
                      Source: C:\Users\user\AppData\Local\WRsLe\DmNotificationBroker.exeCode function: 21_2_00007FFC66987650
                      Source: C:\Users\user\AppData\Local\WRsLe\DmNotificationBroker.exeCode function: 21_2_00007FFC6697DDC0
                      Source: C:\Users\user\AppData\Local\WRsLe\DmNotificationBroker.exeCode function: 21_2_00007FFC6695BAE0
                      Source: C:\Users\user\AppData\Local\WRsLe\DmNotificationBroker.exeCode function: 21_2_00007FFC6696A2C0
                      Source: C:\Users\user\AppData\Local\WRsLe\DmNotificationBroker.exeCode function: 21_2_00007FFC66973150
                      Source: C:\Users\user\AppData\Local\WRsLe\DmNotificationBroker.exeCode function: 21_2_00007FFC66947880
                      Source: C:\Users\user\AppData\Local\WRsLe\DmNotificationBroker.exeCode function: 21_2_00007FFC6695AA70
                      Source: C:\Users\user\AppData\Local\WRsLe\DmNotificationBroker.exeCode function: 21_2_00007FFC6696CA50
                      Source: C:\Users\user\AppData\Local\WRsLe\DmNotificationBroker.exeCode function: 21_2_00007FFC669559F0
                      Source: C:\Users\user\AppData\Local\WRsLe\DmNotificationBroker.exeCode function: 21_2_00007FFC6694872B
                      Source: C:\Users\user\AppData\Local\WRsLe\DmNotificationBroker.exeCode function: 21_2_00007FFC66980F30
                      Source: C:\Users\user\AppData\Local\WRsLe\DmNotificationBroker.exeCode function: 21_2_00007FFC66985760
                      Source: C:\Users\user\AppData\Local\WRsLe\DmNotificationBroker.exeCode function: 21_2_00007FFC66980770
                      Source: C:\Users\user\AppData\Local\WRsLe\DmNotificationBroker.exeCode function: 21_2_00007FFC6693E770
                      Source: C:\Users\user\AppData\Local\WRsLe\DmNotificationBroker.exeCode function: 21_2_00007FFC6699BF6F
                      Source: C:\Users\user\AppData\Local\WRsLe\DmNotificationBroker.exeCode function: 21_2_00007FFC66942F50
                      Source: C:\Users\user\AppData\Local\WRsLe\DmNotificationBroker.exeCode function: 21_2_00007FFC669506A0
                      Source: C:\Users\user\AppData\Local\WRsLe\DmNotificationBroker.exeCode function: 21_2_00007FFC6694F6B0
                      Source: C:\Users\user\AppData\Local\WRsLe\DmNotificationBroker.exeCode function: 21_2_00007FFC6698A6B0
                      Source: C:\Users\user\AppData\Local\WRsLe\DmNotificationBroker.exeCode function: 21_2_00007FFC66927E80
                      Source: C:\Users\user\AppData\Local\WRsLe\DmNotificationBroker.exeCode function: 21_2_00007FFC66926E90
                      Source: C:\Users\user\AppData\Local\WRsLe\DmNotificationBroker.exeCode function: 21_2_00007FFC66987EC0
                      Source: C:\Users\user\AppData\Local\WRsLe\DmNotificationBroker.exeCode function: 21_2_00007FFC66950020
                      Source: C:\Users\user\AppData\Local\WRsLe\DmNotificationBroker.exeCode function: 21_2_00007FFC669A0820
                      Source: C:\Users\user\AppData\Local\WRsLe\DmNotificationBroker.exeCode function: 21_2_00007FFC6694C030
                      Source: C:\Users\user\AppData\Local\WRsLe\DmNotificationBroker.exeCode function: 21_2_00007FFC66944800
                      Source: C:\Users\user\AppData\Local\WRsLe\DmNotificationBroker.exeCode function: 21_2_00007FFC66921010
                      Source: C:\Users\user\AppData\Local\WRsLe\DmNotificationBroker.exeCode function: 21_2_00007FFC6695F870
                      Source: C:\Users\user\AppData\Local\WRsLe\DmNotificationBroker.exeCode function: 21_2_00007FFC6696F870
                      Source: C:\Users\user\AppData\Local\WRsLe\DmNotificationBroker.exeCode function: 21_2_00007FFC66975840
                      Source: C:\Users\user\AppData\Local\WRsLe\DmNotificationBroker.exeCode function: 21_2_00007FFC66945050
                      Source: C:\Users\user\AppData\Local\WRsLe\DmNotificationBroker.exeCode function: 21_2_00007FFC6699B7A0
                      Source: C:\Users\user\AppData\Local\WRsLe\DmNotificationBroker.exeCode function: 21_2_00007FFC6694E7B0
                      Source: C:\Users\user\AppData\Local\WRsLe\DmNotificationBroker.exeCode function: 21_2_00007FFC6698C780
                      Source: C:\Users\user\AppData\Local\WRsLe\DmNotificationBroker.exeCode function: 21_2_00007FFC6699EF80
                      Source: C:\Users\user\AppData\Local\WRsLe\DmNotificationBroker.exeCode function: 21_2_00007FFC66926790
                      Source: C:\Users\user\AppData\Local\WRsLe\DmNotificationBroker.exeCode function: 21_2_00007FFC66946FE0
                      Source: C:\Users\user\AppData\Local\WRsLe\DmNotificationBroker.exeCode function: 21_2_00007FFC66994FF0
                      Source: C:\Users\user\AppData\Local\WRsLe\DmNotificationBroker.exeCode function: 21_2_00007FFC66938FC0
                      Source: C:\Users\user\AppData\Local\WRsLe\DmNotificationBroker.exeCode function: 21_2_00007FFC6693A7D0
                      Source: C:\Users\user\AppData\Local\WRsLe\DmNotificationBroker.exeCode function: 21_2_00007FFC66978D20
                      Source: C:\Users\user\AppData\Local\WRsLe\DmNotificationBroker.exeCode function: 21_2_00007FFC66951D30
                      Source: C:\Users\user\AppData\Local\WRsLe\DmNotificationBroker.exeCode function: 21_2_00007FFC66950D10
                      Source: C:\Users\user\AppData\Local\WRsLe\DmNotificationBroker.exeCode function: 21_2_00007FFC66939D70
                      Source: C:\Users\user\AppData\Local\WRsLe\DmNotificationBroker.exeCode function: 21_2_00007FFC6694D550
                      Source: C:\Users\user\AppData\Local\WRsLe\DmNotificationBroker.exeCode function: 21_2_00007FFC66943D50
                      Source: C:\Users\user\AppData\Local\WRsLe\DmNotificationBroker.exeCode function: 21_2_00007FFC6698E4A6
                      Source: C:\Users\user\AppData\Local\WRsLe\DmNotificationBroker.exeCode function: 21_2_00007FFC66982CA0
                      Source: C:\Users\user\AppData\Local\WRsLe\DmNotificationBroker.exeCode function: 21_2_00007FFC6698E49D
                      Source: C:\Users\user\AppData\Local\WRsLe\DmNotificationBroker.exeCode function: 21_2_00007FFC6698E4B6
                      Source: C:\Users\user\AppData\Local\WRsLe\DmNotificationBroker.exeCode function: 21_2_00007FFC6698E4AD
                      Source: C:\Users\user\AppData\Local\WRsLe\DmNotificationBroker.exeCode function: 21_2_00007FFC6694AC80
                      Source: C:\Users\user\AppData\Local\WRsLe\DmNotificationBroker.exeCode function: 21_2_00007FFC6698E48B
                      Source: C:\Users\user\AppData\Local\WRsLe\DmNotificationBroker.exeCode function: 21_2_00007FFC6698E494
                      Source: C:\Users\user\AppData\Local\WRsLe\DmNotificationBroker.exeCode function: 21_2_00007FFC6698A490
                      Source: C:\Users\user\AppData\Local\WRsLe\DmNotificationBroker.exeCode function: 21_2_00007FFC66953CF0
                      Source: C:\Users\user\AppData\Local\WRsLe\DmNotificationBroker.exeCode function: 21_2_00007FFC66933CD0
                      Source: C:\Users\user\AppData\Local\WRsLe\DmNotificationBroker.exeCode function: 21_2_00007FFC66921620
                      Source: C:\Users\user\AppData\Local\WRsLe\DmNotificationBroker.exeCode function: 21_2_00007FFC6692DE20
                      Source: C:\Users\user\AppData\Local\WRsLe\DmNotificationBroker.exeCode function: 21_2_00007FFC66952E10
                      Source: C:\Users\user\AppData\Local\WRsLe\DmNotificationBroker.exeCode function: 21_2_00007FFC66943610
                      Source: C:\Users\user\AppData\Local\WRsLe\DmNotificationBroker.exeCode function: 21_2_00007FFC66938670
                      Source: C:\Users\user\AppData\Local\WRsLe\DmNotificationBroker.exeCode function: 21_2_00007FFC66970650
                      Source: C:\Users\user\AppData\Local\WRsLe\DmNotificationBroker.exeCode function: 21_2_00007FFC6692C5A0
                      Source: C:\Users\user\AppData\Local\WRsLe\DmNotificationBroker.exeCode function: 21_2_00007FFC6699C590
                      Source: C:\Users\user\AppData\Local\WRsLe\DmNotificationBroker.exeCode function: 21_2_00007FFC669365E0
                      Source: C:\Users\user\AppData\Local\WRsLe\DmNotificationBroker.exeCode function: 21_2_00007FFC669525C0
                      Source: C:\Users\user\AppData\Local\WRsLe\DmNotificationBroker.exeCode function: 21_2_00007FFC669395C0
                      Source: C:\Users\user\AppData\Local\WRsLe\DmNotificationBroker.exeCode function: 21_2_00007FFC6692BB20
                      Source: C:\Users\user\AppData\Local\WRsLe\DmNotificationBroker.exeCode function: 21_2_00007FFC66951B30
                      Source: C:\Users\user\AppData\Local\WRsLe\DmNotificationBroker.exeCode function: 21_2_00007FFC66950300
                      Source: C:\Users\user\AppData\Local\WRsLe\DmNotificationBroker.exeCode function: 21_2_00007FFC6694A310
                      Source: C:\Users\user\AppData\Local\WRsLe\DmNotificationBroker.exeCode function: 21_2_00007FFC66954360
                      Source: C:\Users\user\AppData\Local\WRsLe\DmNotificationBroker.exeCode function: 21_2_00007FFC66943340
                      Source: C:\Users\user\AppData\Local\WRsLe\DmNotificationBroker.exeCode function: 21_2_00007FFC66938340
                      Source: C:\Users\user\AppData\Local\WRsLe\DmNotificationBroker.exeCode function: 21_2_00007FFC66985B50
                      Source: C:\Users\user\AppData\Local\WRsLe\DmNotificationBroker.exeCode function: 21_2_00007FFC66925350
                      Source: C:\Users\user\AppData\Local\WRsLe\DmNotificationBroker.exeCode function: 21_2_00007FFC6694DAA0
                      Source: C:\Users\user\AppData\Local\WRsLe\DmNotificationBroker.exeCode function: 21_2_00007FFC669882A0
                      Source: C:\Users\user\AppData\Local\WRsLe\DmNotificationBroker.exeCode function: 21_2_00007FFC6698AAA0
                      Source: C:\Users\user\AppData\Local\WRsLe\DmNotificationBroker.exeCode function: 21_2_00007FFC669482E0
                      Source: C:\Users\user\AppData\Local\WRsLe\DmNotificationBroker.exeCode function: 21_2_00007FFC66982AE0
                      Source: C:\Users\user\AppData\Local\WRsLe\DmNotificationBroker.exeCode function: 21_2_00007FFC66987AF0
                      Source: C:\Users\user\AppData\Local\WRsLe\DmNotificationBroker.exeCode function: 21_2_00007FFC669492C0
                      Source: C:\Users\user\AppData\Local\WRsLe\DmNotificationBroker.exeCode function: 21_2_00007FFC669722C0
                      Source: C:\Users\user\AppData\Local\WRsLe\DmNotificationBroker.exeCode function: 21_2_00007FFC6697F2C0
                      Source: C:\Users\user\AppData\Local\WRsLe\DmNotificationBroker.exeCode function: 21_2_00007FFC66925C20
                      Source: C:\Users\user\AppData\Local\WRsLe\DmNotificationBroker.exeCode function: 21_2_00007FFC66935420
                      Source: C:\Users\user\AppData\Local\WRsLe\DmNotificationBroker.exeCode function: 21_2_00007FFC6698E400
                      Source: C:\Users\user\AppData\Local\WRsLe\DmNotificationBroker.exeCode function: 21_2_00007FFC6699FC00
                      Source: C:\Users\user\AppData\Local\WRsLe\DmNotificationBroker.exeCode function: 21_2_00007FFC66937410
                      Source: C:\Users\user\AppData\Local\WRsLe\DmNotificationBroker.exeCode function: 21_2_00007FFC66989410
                      Source: C:\Users\user\AppData\Local\WRsLe\DmNotificationBroker.exeCode function: 21_2_00007FFC66984390
                      Source: C:\Users\user\AppData\Local\WRsLe\DmNotificationBroker.exeCode function: 21_2_00007FFC669323F0
                      Source: C:\Users\user\AppData\Local\WRsLe\DmNotificationBroker.exeCode function: 21_2_00007FFC66974BC0
                      Source: C:\Users\user\AppData\Local\WRsLe\DmNotificationBroker.exeCode function: 21_2_00007FFC66956130
                      Source: C:\Users\user\AppData\Local\WRsLe\DmNotificationBroker.exeCode function: 21_2_00007FFC6692B100
                      Source: C:\Users\user\AppData\Local\WRsLe\DmNotificationBroker.exeCode function: 21_2_00007FFC6693E110
                      Source: C:\Users\user\AppData\Local\WRsLe\DmNotificationBroker.exeCode function: 21_2_00007FFC66943910
                      Source: C:\Users\user\AppData\Local\WRsLe\DmNotificationBroker.exeCode function: 21_2_00007FFC6698B960
                      Source: C:\Users\user\AppData\Local\WRsLe\DmNotificationBroker.exeCode function: 21_2_00007FFC66944140
                      Source: C:\Users\user\AppData\Local\WRsLe\DmNotificationBroker.exeCode function: 21_2_00007FFC66986950
                      Source: C:\Users\user\AppData\Local\WRsLe\DmNotificationBroker.exeCode function: 21_2_00007FFC669308B0
                      Source: C:\Users\user\AppData\Local\WRsLe\DmNotificationBroker.exeCode function: 21_2_00007FFC6699C8B1
                      Source: C:\Users\user\AppData\Local\WRsLe\DmNotificationBroker.exeCode function: 21_2_00007FFC6693D890
                      Source: C:\Users\user\AppData\Local\WRsLe\DmNotificationBroker.exeCode function: 21_2_00007FFC6699C0EB
                      Source: C:\Users\user\AppData\Local\WRsLe\DmNotificationBroker.exeCode function: 21_2_00007FFC669218D0
                      Source: C:\Users\user\AppData\Local\WRsLe\DmNotificationBroker.exeCode function: 21_2_00007FFC6698B260
                      Source: C:\Users\user\AppData\Local\WRsLe\DmNotificationBroker.exeCode function: 21_2_00007FFC66927A40
                      Source: C:\Users\user\AppData\Local\WRsLe\DmNotificationBroker.exeCode function: 21_2_00007FFC6695B250
                      Source: C:\Users\user\AppData\Local\WRsLe\DmNotificationBroker.exeCode function: 21_2_00007FFC6694E9A0
                      Source: C:\Users\user\AppData\Local\WRsLe\DmNotificationBroker.exeCode function: 21_2_00007FFC6693E9B0
                      Source: C:\Users\user\AppData\Local\WRsLe\DmNotificationBroker.exeCode function: 21_2_00007FFC669411B0
                      Source: C:\Users\user\AppData\Local\WRsLe\DmNotificationBroker.exeCode function: 21_2_00007FFC66922980
                      Source: C:\Users\user\AppData\Local\WRsLe\DmNotificationBroker.exeCode function: 21_2_00007FFC66959990
                      Source: C:\Users\user\AppData\Local\WRsLe\DmNotificationBroker.exeCode function: 21_2_00007FFC6694F1F0
                      Source: C:\Users\user\AppData\Local\WRsLe\DmNotificationBroker.exeCode function: 21_2_00007FFC669591F0
                      Source: C:\Users\user\AppData\Local\WRsLe\DmNotificationBroker.exeCode function: 21_2_00007FFC669589F0
                      Source: C:\Users\user\AppData\Local\WRsLe\DmNotificationBroker.exeCode function: 21_2_00007FFC669469C0
                      Source: C:\Users\user\AppData\Local\WRsLe\DmNotificationBroker.exeCode function: 21_2_00007FFC669521D0
                      Source: C:\Users\user\AppData\Local\daH0n9\WFS.exeCode function: 25_2_00007FF7E073A1B0
                      Source: C:\Users\user\AppData\Local\daH0n9\WFS.exeCode function: 25_2_00007FF7E0736180
                      Source: C:\Users\user\AppData\Local\daH0n9\WFS.exeCode function: 25_2_00007FF7E06F3258
                      Source: C:\Users\user\AppData\Local\daH0n9\WFS.exeCode function: 25_2_00007FF7E06F9250
                      Source: C:\Users\user\AppData\Local\daH0n9\WFS.exeCode function: 25_2_00007FF7E071B3A8
                      Source: C:\Users\user\AppData\Local\daH0n9\WFS.exeCode function: 25_2_00007FF7E073B410
                      Source: C:\Users\user\AppData\Local\daH0n9\WFS.exeCode function: 25_2_00007FF7E072D320
                      Source: C:\Users\user\AppData\Local\daH0n9\WFS.exeCode function: 25_2_00007FF7E072A380
                      Source: C:\Users\user\AppData\Local\daH0n9\WFS.exeCode function: 25_2_00007FF7E072E4C0
                      Source: C:\Users\user\AppData\Local\daH0n9\WFS.exeCode function: 25_2_00007FF7E07354E0
                      Source: C:\Users\user\AppData\Local\daH0n9\WFS.exeCode function: 25_2_00007FF7E071541C
                      Source: C:\Users\user\AppData\Local\daH0n9\WFS.exeCode function: 25_2_00007FF7E06FC4F8
                      Source: C:\Users\user\AppData\Local\daH0n9\WFS.exeCode function: 25_2_00007FF7E0752440
Source: C:\Users\user\AppData\Local\daH0n9\WFS.exe | Code function: String function: 00007FF7E06F38C8 appears 261 times
Source: C:\Windows\System32\loaddll64.exe | Code function: 0_2_00007FFC6472D520 NtQuerySystemInformation,RtlAllocateHeap,
Source: C:\Windows\System32\loaddll64.exe | Code function: 0_2_00007FFC64707770 NtClose,
Source: C:\Users\user\AppData\Local\A3MiXbeK\PresentationSettings.exe | Code function: 18_2_00007FFC669B7770 NtClose,
Source: C:\Users\user\AppData\Local\A3MiXbeK\PresentationSettings.exe | Code function: 18_2_00007FFC66995F40 NtCreateSection,NtMapViewOfSection,NtUnmapViewOfSection,NtDuplicateObject,NtDuplicateObject,
Source: C:\Users\user\AppData\Local\A3MiXbeK\PresentationSettings.exe | Code function: 18_2_00007FFC669A8060 NtReadVirtualMemory,
Source: C:\Users\user\AppData\Local\A3MiXbeK\PresentationSettings.exe | Code function: 18_2_00007FFC669DD520 NtQuerySystemInformation,
Source: C:\Users\user\AppData\Local\A3MiXbeK\PresentationSettings.exe | Code function: 18_2_00007FFC669A5CD0 RtlAddVectoredContinueHandler,VirtualProtect,VirtualProtect,RtlCreateUserThread,NtClose,
Source: C:\Users\user\AppData\Local\A3MiXbeK\PresentationSettings.exe | Code function: 18_2_00007FFC669AC4D0 CreateFileMappingW,VirtualAlloc,NtMapViewOfSection,NtUnmapViewOfSection,NtDuplicateObject,NtDuplicateObject,
Source: C:\Users\user\AppData\Local\A3MiXbeK\PresentationSettings.exe | Code function: 18_2_00007FFC669ACE20 NtDuplicateObject,NtClose,
Source: C:\Users\user\AppData\Local\A3MiXbeK\PresentationSettings.exe | Code function: 18_2_00007FFC669ABAE0 NtReadVirtualMemory,RtlQueueApcWow64Thread,
Source: C:\Users\user\AppData\Local\A3MiXbeK\PresentationSettings.exe | Code function: 18_2_00007FFC669BF150 NtDelayExecution,
Source: C:\Users\user\AppData\Local\A3MiXbeK\PresentationSettings.exe | Code function: 18_2_00007FFC669AAA70 VirtualAlloc,NtDuplicateObject,RtlQueueApcWow64Thread,
Source: C:\Users\user\AppData\Local\WRsLe\DmNotificationBroker.exe | Code function: 21_2_00007FFC66967770 NtClose,
Source: C:\Users\user\AppData\Local\WRsLe\DmNotificationBroker.exe | Code function: 21_2_00007FFC66945F40 NtCreateSection,NtMapViewOfSection,NtUnmapViewOfSection,NtDuplicateObject,NtDuplicateObject,
Source: C:\Users\user\AppData\Local\WRsLe\DmNotificationBroker.exe | Code function: 21_2_00007FFC6698D520 NtQuerySystemInformation,RtlAllocateHeap,
Source: C:\Users\user\AppData\Local\WRsLe\DmNotificationBroker.exe | Code function: 21_2_00007FFC66955CD0 RtlAddVectoredContinueHandler,VirtualProtect,VirtualProtect,RtlCreateUserThread,NtClose,
Source: C:\Users\user\AppData\Local\WRsLe\DmNotificationBroker.exe | Code function: 21_2_00007FFC6695C4D0 CreateFileMappingW,VirtualAlloc,NtMapViewOfSection,NtUnmapViewOfSection,NtDuplicateObject,NtDuplicateObject,
Source: C:\Users\user\AppData\Local\WRsLe\DmNotificationBroker.exe | Code function: 21_2_00007FFC6695BAE0 NtReadVirtualMemory,
Source: C:\Users\user\AppData\Local\WRsLe\DmNotificationBroker.exe | Code function: 21_2_00007FFC6695AA70 VirtualAlloc,NtDuplicateObject,RtlQueueApcWow64Thread,
Source: DmNotificationBroker.exe.4.dr | Static PE information: Resource name: RT_VERSION type: COM executable for DOS
Source: DmNotificationBroker.exe0.4.dr | Static PE information: Resource name: RT_VERSION type: COM executable for DOS
Source: elBAfme5gQ.dll | Binary or memory string: OriginalFilenamedpnhupnp.dJ vs elBAfme5gQ.dll
Source: PresentationSettings.exe.4.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: PresentationSettings.exe.4.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: PresentationSettings.exe.4.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: PresentationSettings.exe.4.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: PresentationSettings.exe.4.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: PresentationSettings.exe.4.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: PresentationSettings.exe.4.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: PresentationSettings.exe.4.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: WFS.exe.4.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: WFS.exe.4.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: WFS.exe.4.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: C:\Windows\System32\loaddll64.exe | Section loaded: kernel34.dll
Source: C:\Windows\explorer.exe | Section loaded: kernel34.dll
Source: C:\Windows\explorer.exe | Section loaded: windows.globalization.dll
Source: C:\Windows\explorer.exe | Section loaded: capabilityaccessmanagerclient.dll
Source: C:\Users\user\AppData\Local\A3MiXbeK\PresentationSettings.exe | Section loaded: kernel34.dll
Source: C:\Users\user\AppData\Local\WRsLe\DmNotificationBroker.exe | Section loaded: kernel34.dll
Source: C:\Users\user\AppData\Local\daH0n9\WFS.exe | Section loaded: kernel34.dll
Source: C:\Users\user\AppData\Local\pEcAZnNU3\DmNotificationBroker.exe | Section loaded: kernel34.dll
Source: elBAfme5gQ.dll | Static PE information: Number of sections : 70 > 10
Source: DUI70.dll0.4.dr | Static PE information: Number of sections : 71 > 10
Source: DUI70.dll.4.dr | Static PE information: Number of sections : 71 > 10
Source: WINMM.dll.4.dr | Static PE information: Number of sections : 71 > 10
Source: credui.dll.4.dr | Static PE information: Number of sections : 71 > 10
Source: elBAfme5gQ.dll | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: WINMM.dll.4.dr | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: DUI70.dll.4.dr | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: credui.dll.4.dr | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: DUI70.dll0.4.dr | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: elBAfme5gQ.dll | Virustotal: Detection: 62%
Source: elBAfme5gQ.dll | Metadefender: Detection: 65%
Source: elBAfme5gQ.dll | ReversingLabs: Detection: 88%
Source: C:\Windows\System32\loaddll64.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown | Process created: C:\Windows\System32\loaddll64.exe loaddll64.exe "C:\Users\user\Desktop\elBAfme5gQ.dll"
Source: C:\Windows\System32\loaddll64.exe | Process created: C:\Windows\System32\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\elBAfme5gQ.dll",#1
Source: C:\Windows\System32\loaddll64.exe | Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\elBAfme5gQ.dll,CreateXmlReader
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\elBAfme5gQ.dll",#1
Source: C:\Windows\System32\loaddll64.exe | Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\elBAfme5gQ.dll,CreateXmlReaderInputWithEncodingCodePage
Source: C:\Windows\System32\loaddll64.exe | Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\elBAfme5gQ.dll,CreateXmlReaderInputWithEncodingName
Source: C:\Windows\explorer.exe | Process created: C:\Windows\System32\PresentationSettings.exe C:\Windows\system32\PresentationSettings.exe
Source: C:\Windows\explorer.exe | Process created: C:\Users\user\AppData\Local\A3MiXbeK\PresentationSettings.exe C:\Users\user\AppData\Local\A3MiXbeK\PresentationSettings.exe
Source: C:\Windows\explorer.exe | Process created: C:\Windows\System32\DmNotificationBroker.exe C:\Windows\system32\DmNotificationBroker.exe
Source: C:\Windows\explorer.exe | Process created: C:\Users\user\AppData\Local\WRsLe\DmNotificationBroker.exe C:\Users\user\AppData\Local\WRsLe\DmNotificationBroker.exe
Source: C:\Windows\explorer.exe | Process created: C:\Windows\System32\WFS.exe C:\Windows\system32\WFS.exe
Source: C:\Windows\explorer.exe | Process created: C:\Users\user\AppData\Local\daH0n9\WFS.exe C:\Users\user\AppData\Local\daH0n9\WFS.exe
Source: C:\Windows\explorer.exe | Process created: C:\Windows\System32\DmNotificationBroker.exe C:\Windows\system32\DmNotificationBroker.exe
Source: C:\Windows\explorer.exe | Process created: C:\Users\user\AppData\Local\pEcAZnNU3\DmNotificationBroker.exe C:\Users\user\AppData\Local\pEcAZnNU3\DmNotificationBroker.exe
Source: C:\Windows\explorer.exe | Process created: C:\Windows\System32\wusa.exe C:\Windows\system32\wusa.exe
Source: C:\Windows\explorer.exe | Process created: C:\Windows\System32\SystemSettingsRemoveDevice.exe C:\Windows\system32\SystemSettingsRemoveDevice.exe
Source: C:\Windows\explorer.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32
Source: C:\Windows\explorer.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Crypto
Source: classification engine | Classification label: mal100.troj.evad.winDLL@31/9@0/0
Source: C:\Users\user\AppData\Local\A3MiXbeK\PresentationSettings.exe | Code function: 18_2_00007FF7B4461D34 CoCreateInstance,SysAllocString,SysFreeString,
Source: C:\Users\user\AppData\Local\daH0n9\WFS.exe | Code function: 25_2_00007FF7E071541C SendDlgItemMessageW,memset,memset,LoadStringW,FormatMessageW,SetDlgItemTextW,GetLastError,GetLastError,PeekMessageW,TranslateMessage,DispatchMessageW,#5065,#5065,PeekMessageW,
Source: C:\Users\user\AppData\Local\A3MiXbeK\PresentationSettings.exe | Code function: 18_2_00007FFC669ACB00 GetProcessId,CreateToolhelp32Snapshot,Thread32First,
Source: C:\Users\user\AppData\Local\pEcAZnNU3\DmNotificationBroker.exe | Mutant created: \Sessions\1\BaseNamedObjects\{e424c4a6-fba6-038b-8c68-1fb473e55e3e}
Source: C:\Users\user\AppData\Local\pEcAZnNU3\DmNotificationBroker.exe | Mutant created: \Sessions\1\BaseNamedObjects\{63e47e3b-1857-05fa-2873-230b4c914f4e}
Source: PresentationSettings.exe | String found in binary or memory: /stop
Source: elBAfme5gQ.dll | Static PE information: Image base 0x140000000 > 0x60000000
Source: elBAfme5gQ.dll | Static file information: File size 1421312 > 1048576
Source: elBAfme5gQ.dll | Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA
Source: Binary string: DmNotificationBroker.pdb source: DmNotificationBroker.exe, 00000015.00000000.431514520.00007FF793F65000.00000002.00000001.01000000.0000000B.sdmp, DmNotificationBroker.exe, 00000015.00000002.455649631.00007FF793F65000.00000002.00000001.01000000.0000000B.sdmp, DmNotificationBroker.exe, 0000001F.00000000.502738188.00007FF6DC635000.00000002.00000001.01000000.0000000F.sdmp, DmNotificationBroker.exe, 0000001F.00000002.529497507.00007FF6DC635000.00000002.00000001.01000000.0000000F.sdmp, DmNotificationBroker.exe0.4.dr, DmNotificationBroker.exe.4.dr
Source: Binary string: PresentationSettings.pdb source: PresentationSettings.exe, 00000012.00000002.417779681.00007FF7B4466000.00000002.00000001.01000000.00000009.sdmp, PresentationSettings.exe, 00000012.00000000.394587436.00007FF7B4466000.00000002.00000001.01000000.00000009.sdmp, PresentationSettings.exe.4.dr
Source: Binary string: DmNotificationBroker.pdbGCTL source: DmNotificationBroker.exe, 00000015.00000000.431514520.00007FF793F65000.00000002.00000001.01000000.0000000B.sdmp, DmNotificationBroker.exe, 00000015.00000002.455649631.00007FF793F65000.00000002.00000001.01000000.0000000B.sdmp, DmNotificationBroker.exe, 0000001F.00000000.502738188.00007FF6DC635000.00000002.00000001.01000000.0000000F.sdmp, DmNotificationBroker.exe, 0000001F.00000002.529497507.00007FF6DC635000.00000002.00000001.01000000.0000000F.sdmp, DmNotificationBroker.exe0.4.dr, DmNotificationBroker.exe.4.dr
Source: Binary string: Wfs.pdbGCTL source: WFS.exe, 00000019.00000002.489112517.00007FF7E075C000.00000002.00000001.01000000.0000000D.sdmp, WFS.exe, 00000019.00000000.461037552.00007FF7E075C000.00000002.00000001.01000000.0000000D.sdmp, WFS.exe.4.dr
Source: Binary string: Wfs.pdb source: WFS.exe, 00000019.00000002.489112517.00007FF7E075C000.00000002.00000001.01000000.0000000D.sdmp, WFS.exe, 00000019.00000000.461037552.00007FF7E075C000.00000002.00000001.01000000.0000000D.sdmp, WFS.exe.4.dr
Source: Binary string: PresentationSettings.pdbGCTL source: PresentationSettings.exe, 00000012.00000002.417779681.00007FF7B4466000.00000002.00000001.01000000.00000009.sdmp, PresentationSettings.exe, 00000012.00000000.394587436.00007FF7B4466000.00000002.00000001.01000000.00000009.sdmp, PresentationSettings.exe.4.dr
Source: C:\Users\user\AppData\Local\A3MiXbeK\PresentationSettings.exe | Code function: 18_2_00007FFC669ED500 push rax; iretd
Source: C:\Users\user\AppData\Local\WRsLe\DmNotificationBroker.exe | Code function: 21_2_00007FFC6699D500 push rax; iretd
Source: DmNotificationBroker.exe.4.dr | Static PE information: section name: .imrsiv
Source: WFS.exe.4.dr | Static PE information: section name: .didat
Source: DmNotificationBroker.exe0.4.dr | Static PE information: section name: .imrsiv
                      Source: DUI70.dll.4.drStatic PE information: section name: .kzdbu
                      Source: DUI70.dll.4.drStatic PE information: section name: .mwxorn
                      Source: DUI70.dll.4.drStatic PE information: section name: .raf
                      Source: DUI70.dll.4.drStatic PE information: section name: .zcyw
                      Source: DUI70.dll.4.drStatic PE information: section name: .zeczh
                      Source: DUI70.dll.4.drStatic PE information: section name: .pvv
                      Source: DUI70.dll.4.drStatic PE information: section name: .lug
                      Source: DUI70.dll.4.drStatic PE information: section name: .ski
                      Source: DUI70.dll.4.drStatic PE information: section name: .japjd
                      Source: DUI70.dll.4.drStatic PE information: section name: .mwtzml
                      Source: DUI70.dll.4.drStatic PE information: section name: .vgssf
                      Source: DUI70.dll.4.drStatic PE information: section name: .gsroye
                      Source: DUI70.dll.4.drStatic PE information: section name: .vcmr
                      Source: DUI70.dll.4.drStatic PE information: section name: .kvjqnl
                      Source: DUI70.dll.4.drStatic PE information: section name: .zlu
                      Source: DUI70.dll.4.drStatic PE information: section name: .nrcvk
                      Source: DUI70.dll.4.drStatic PE information: section name: .pfz
                      Source: DUI70.dll.4.drStatic PE information: section name: .hxz
                      Source: DUI70.dll.4.drStatic PE information: section name: .snjrs
                      Source: DUI70.dll.4.drStatic PE information: section name: .bffts
                      Source: DUI70.dll.4.drStatic PE information: section name: .oqqo
                      Source: DUI70.dll.4.drStatic PE information: section name: .ancqi
                      Source: DUI70.dll.4.drStatic PE information: section name: .wnpyu
                      Source: DUI70.dll.4.drStatic PE information: section name: .eflx
                      Source: DUI70.dll.4.drStatic PE information: section name: .mjql
                      Source: DUI70.dll.4.drStatic PE information: section name: .drmed
                      Source: DUI70.dll.4.drStatic PE information: section name: .ilct
                      Source: credui.dll.4.drStatic PE information: section name: .vxl
                      Source: credui.dll.4.drStatic PE information: section name: .qwubgr
                      Source: credui.dll.4.drStatic PE information: section name: .eer
                      Source: credui.dll.4.drStatic PE information: section name: .xwwauf
                      Source: credui.dll.4.drStatic PE information: section name: .pkc
                      Source: credui.dll.4.drStatic PE information: section name: .npkda
                      Source: credui.dll.4.drStatic PE information: section name: .vhs
                      Source: credui.dll.4.drStatic PE information: section name: .iaywj
                      Source: credui.dll.4.drStatic PE information: section name: .nasi
                      Source: credui.dll.4.drStatic PE information: section name: .zhvprh
                      Source: credui.dll.4.drStatic PE information: section name: .yatdsp
                      Source: credui.dll.4.drStatic PE information: section name: .njso
                      Source: credui.dll.4.drStatic PE information: section name: .lgliat
                      Source: credui.dll.4.drStatic PE information: section name: .ntqjh
                      Source: credui.dll.4.drStatic PE information: section name: .sucsek
                      Source: credui.dll.4.drStatic PE information: section name: .qsxjui
                      Source: credui.dll.4.drStatic PE information: section name: .twctcm
                      Source: credui.dll.4.drStatic PE information: section name: .nms
                      Source: credui.dll.4.drStatic PE information: section name: .ogj
                      Source: credui.dll.4.drStatic PE information: section name: .vrkgb
                      Source: credui.dll.4.drStatic PE information: section name: .gikfw
                      Source: credui.dll.4.drStatic PE information: section name: .ktl
                      Source: credui.dll.4.drStatic PE information: section name: .crcn
                      Source: credui.dll.4.drStatic PE information: section name: .wtfr
                      Source: credui.dll.4.drStatic PE information: section name: .hep
                      Source: credui.dll.4.drStatic PE information: section name: .ywg
                      Source: credui.dll.4.drStatic PE information: section name: .sqsp
                      Source: credui.dll.4.drStatic PE information: section name: .gzb
                      Source: credui.dll.4.drStatic PE information: section name: .fatlss
                      Source: credui.dll.4.drStatic PE information: section name: .plqa
                      Source: credui.dll.4.drStatic PE information: section name: .vzt
                      Source: credui.dll.4.drStatic PE information: section name: .dsbyd
                      Source: credui.dll.4.drStatic PE information: section name: .cdelc
                      Source: credui.dll.4.drStatic PE information: section name: .qkhkj
                      Source: credui.dll.4.drStatic PE information: section name: .mnzegr
                      Source: credui.dll.4.drStatic PE information: section name: .krw
                      Source: credui.dll.4.drStatic PE information: section name: .jvsmn
                      Source: credui.dll.4.drStatic PE information: section name: .bygpq
                      Source: credui.dll.4.drStatic PE information: section name: .kzdbu
                      Source: credui.dll.4.drStatic PE information: section name: .mwxorn
                      Source: credui.dll.4.drStatic PE information: section name: .raf
                      Source: credui.dll.4.drStatic PE information: section name: .zcyw
                      Source: credui.dll.4.drStatic PE information: section name: .zeczh
                      Source: credui.dll.4.drStatic PE information: section name: .pvv
                      Source: credui.dll.4.drStatic PE information: section name: .lug
                      Source: credui.dll.4.drStatic PE information: section name: .ski
                      Source: credui.dll.4.drStatic PE information: section name: .japjd
                      Source: credui.dll.4.drStatic PE information: section name: .mwtzml
                      Source: credui.dll.4.drStatic PE information: section name: .vgssf
                      Source: credui.dll.4.drStatic PE information: section name: .gsroye
                      Source: credui.dll.4.drStatic PE information: section name: .vcmr
                      Source: credui.dll.4.drStatic PE information: section name: .kvjqnl
                      Source: credui.dll.4.drStatic PE information: section name: .zlu
                      Source: credui.dll.4.drStatic PE information: section name: .nrcvk
                      Source: credui.dll.4.drStatic PE information: section name: .pfz
                      Source: credui.dll.4.drStatic PE information: section name: .hxz
                      Source: credui.dll.4.drStatic PE information: section name: .snjrs
                      Source: credui.dll.4.drStatic PE information: section name: .bffts
                      Source: credui.dll.4.drStatic PE information: section name: .oqqo
                      Source: credui.dll.4.drStatic PE information: section name: .ancqi
                      Source: credui.dll.4.drStatic PE information: section name: .wnpyu
                      Source: credui.dll.4.drStatic PE information: section name: .eflx
                      Source: credui.dll.4.drStatic PE information: section name: .mjql
                      Source: credui.dll.4.drStatic PE information: section name: .drmed
                      Source: credui.dll.4.drStatic PE information: section name: .hhviua
                      Source: DUI70.dll0.4.drStatic PE information: section name: .vxl
                      Source: DUI70.dll0.4.drStatic PE information: section name: .qwubgr
                      Source: DUI70.dll0.4.drStatic PE information: section name: .eer
                      Source: DUI70.dll0.4.drStatic PE information: section name: .xwwauf
                      Source: DUI70.dll0.4.drStatic PE information: section name: .pkc
                      Source: DUI70.dll0.4.drStatic PE information: section name: .npkda
                      Source: DUI70.dll0.4.drStatic PE information: section name: .vhs
                      Source: DUI70.dll0.4.drStatic PE information: section name: .iaywj
                      Source: DUI70.dll0.4.drStatic PE information: section name: .nasi
                      Source: DUI70.dll0.4.drStatic PE information: section name: .zhvprh
                      Source: DUI70.dll0.4.drStatic PE information: section name: .yatdsp
                      Source: DUI70.dll0.4.drStatic PE information: section name: .njso
                      Source: DUI70.dll0.4.drStatic PE information: section name: .lgliat
                      Source: DUI70.dll0.4.drStatic PE information: section name: .ntqjh
                      Source: DUI70.dll0.4.drStatic PE information: section name: .sucsek
                      Source: DUI70.dll0.4.drStatic PE information: section name: .qsxjui
                      Source: DUI70.dll0.4.drStatic PE information: section name: .twctcm
                      Source: DUI70.dll0.4.drStatic PE information: section name: .nms
                      Source: DUI70.dll0.4.drStatic PE information: section name: .ogj
                      Source: DUI70.dll0.4.drStatic PE information: section name: .vrkgb
                      Source: DUI70.dll0.4.drStatic PE information: section name: .gikfw
                      Source: DUI70.dll0.4.drStatic PE information: section name: .ktl
                      Source: DUI70.dll0.4.drStatic PE information: section name: .crcn
                      Source: DUI70.dll0.4.drStatic PE information: section name: .wtfr
                      Source: DUI70.dll0.4.drStatic PE information: section name: .hep
                      Source: DUI70.dll0.4.drStatic PE information: section name: .ywg
                      Source: DUI70.dll0.4.drStatic PE information: section name: .sqsp
                      Source: DUI70.dll0.4.drStatic PE information: section name: .gzb
                      Source: DUI70.dll0.4.drStatic PE information: section name: .fatlss
                      Source: DUI70.dll0.4.drStatic PE information: section name: .plqa
                      Source: DUI70.dll0.4.drStatic PE information: section name: .vzt
                      Source: DUI70.dll0.4.drStatic PE information: section name: .dsbyd
                      Source: DUI70.dll0.4.drStatic PE information: section name: .cdelc
                      Source: DUI70.dll0.4.drStatic PE information: section name: .qkhkj
                      Source: DUI70.dll0.4.drStatic PE information: section name: .mnzegr
                      Source: DUI70.dll0.4.drStatic PE information: section name: .krw
                      Source: DUI70.dll0.4.drStatic PE information: section name: .jvsmn
                      Source: DUI70.dll0.4.drStatic PE information: section name: .bygpq
                      Source: DUI70.dll0.4.drStatic PE information: section name: .kzdbu
                      Source: DUI70.dll0.4.drStatic PE information: section name: .mwxorn
                      Source: DUI70.dll0.4.drStatic PE information: section name: .raf
                      Source: DUI70.dll0.4.drStatic PE information: section name: .zcyw
                      Source: DUI70.dll0.4.drStatic PE information: section name: .zeczh
                      Source: DUI70.dll0.4.drStatic PE information: section name: .pvv
                      Source: DUI70.dll0.4.drStatic PE information: section name: .lug
                      Source: DUI70.dll0.4.drStatic PE information: section name: .ski
                      Source: DUI70.dll0.4.drStatic PE information: section name: .japjd
                      Source: DUI70.dll0.4.drStatic PE information: section name: .mwtzml
                      Source: DUI70.dll0.4.drStatic PE information: section name: .vgssf
                      Source: DUI70.dll0.4.drStatic PE information: section name: .gsroye
                      Source: DUI70.dll0.4.drStatic PE information: section name: .vcmr
                      Source: DUI70.dll0.4.drStatic PE information: section name: .kvjqnl
                      Source: DUI70.dll0.4.drStatic PE information: section name: .zlu
                      Source: DUI70.dll0.4.drStatic PE information: section name: .nrcvk
                      Source: DUI70.dll0.4.drStatic PE information: section name: .pfz
                      Source: DUI70.dll0.4.drStatic PE information: section name: .hxz
                      Source: DUI70.dll0.4.drStatic PE information: section name: .snjrs
                      Source: DUI70.dll0.4.drStatic PE information: section name: .bffts
                      Source: DUI70.dll0.4.drStatic PE information: section name: .oqqo
                      Source: DUI70.dll0.4.drStatic PE information: section name: .ancqi
                      Source: DUI70.dll0.4.drStatic PE information: section name: .wnpyu
                      Source: DUI70.dll0.4.drStatic PE information: section name: .eflx
                      Source: DUI70.dll0.4.drStatic PE information: section name: .mjql
                      Source: DUI70.dll0.4.drStatic PE information: section name: .drmed
                      Source: DUI70.dll0.4.drStatic PE information: section name: .wfyzc
Source: C:\Users\user\AppData\Local\daH0n9\WFS.exe | Code function: 25_2_00007FF7E0704858 LoadLibraryW,GetProcAddress,FreeLibrary,
Source: DmNotificationBroker.exe.4.dr | Static PE information: 0xF8A808F8 [Tue Mar 14 06:45:12 2102 UTC]
Source: initial sample | Static PE information: section name: .text entropy: 7.78392111205
Source: C:\Windows\explorer.exe | File created: C:\Users\user\AppData\Local\WRsLe\DmNotificationBroker.exe
Source: C:\Windows\explorer.exe | File created: C:\Users\user\AppData\Local\WRsLe\DUI70.dll
Source: C:\Windows\explorer.exe | File created: C:\Users\user\AppData\Local\A3MiXbeK\WINMM.dll
Source: C:\Windows\explorer.exe | File created: C:\Users\user\AppData\Local\daH0n9\credui.dll
Source: C:\Windows\explorer.exe | File created: C:\Users\user\AppData\Local\daH0n9\WFS.exe
Source: C:\Windows\explorer.exe | File created: C:\Users\user\AppData\Local\pEcAZnNU3\DUI70.dll
Source: C:\Windows\explorer.exe | File created: C:\Users\user\AppData\Local\A3MiXbeK\PresentationSettings.exe
Source: C:\Windows\explorer.exe | File created: C:\Users\user\AppData\Local\pEcAZnNU3\DmNotificationBroker.exe

Hooking and other Techniques for Hiding and Protection

Source: explorer.exe | User mode code has changed: module: ntdll.dll function: ZwSetEvent new code: 0xE9 0x9B 0xBB 0xB5 0x5E 0xEF
Source: C:\Users\user\AppData\Local\daH0n9\WFS.exe | Code function: 25_2_00007FF7E06F4CD4 FindWindowW,#2906,SetForegroundWindow,SendMessageW,GetCommandLineW,memset,IsWindowVisible,#4124,GetLastError,SetForegroundWindow,SendMessageW,#6610,GetLastError,#6632,IsWindowVisible,PostMessageW,GetLastActivePopup,#2906,IsIconic,#6632,SetForegroundWindow,PostMessageW,PostMessageW,PostMessageW,
Source: C:\Windows\System32\rundll32.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\daH0n9\WFS.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\daH0n9\WFS.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe TID: 5632 | Thread sleep count: 31 > 30
Source: C:\Users\user\AppData\Local\A3MiXbeK\PresentationSettings.exe | Code function: 18_2_00007FF7B445649C rdtsc
Source: C:\Users\user\AppData\Local\A3MiXbeK\PresentationSettings.exe | Check user administrative privileges: GetTokenInformation,DecisionNodes
Source: C:\Users\user\AppData\Local\WRsLe\DmNotificationBroker.exe | Check user administrative privileges: GetTokenInformation,DecisionNodes
Source: C:\Windows\System32\loaddll64.exe | Check user administrative privileges: GetTokenInformation,DecisionNodes
Source: C:\Users\user\AppData\Local\A3MiXbeK\PresentationSettings.exe | API coverage: 6.4 %
Source: C:\Users\user\AppData\Local\daH0n9\WFS.exe | API coverage: 0.1 %
Source: C:\Windows\System32\loaddll64.exe | Process information queried: ProcessInformation
Source: C:\Windows\System32\loaddll64.exe | Code function: 0_2_00007FFC6471DDC0 GetSystemInfo,
Source: C:\Windows\System32\loaddll64.exe | Code function: 0_2_00007FFC6471ED10 FindFirstFileExW,
Source: C:\Users\user\AppData\Local\A3MiXbeK\PresentationSettings.exe | Code function: 18_2_00007FF7B4464518 PathAppendW,FindFirstFileW,PathAppendW,GetLastError,PathFindExtensionW,StrCmpICW,FindNextFileW,FindClose,GetLastError,
Source: C:\Users\user\AppData\Local\A3MiXbeK\PresentationSettings.exe | Code function: 18_2_00007FFC669CED10 FindFirstFileExW,
Source: C:\Users\user\AppData\Local\WRsLe\DmNotificationBroker.exe | Code function: 21_2_00007FFC6697ED10 FindFirstFileExW,
Source: C:\Users\user\AppData\Local\daH0n9\WFS.exe | Code function: 25_2_00007FF7E07071B0 #626,memset,#6887,#1122,#1287,FindFirstFileW,GetLastError,#6886,#1122,#1287,#1287,#624,EnterCriticalSection,LeaveCriticalSection,FindNextFileW,GetLastError,FindClose,#6887,#1040,SendMessageW,
Source: C:\Users\user\AppData\Local\daH0n9\WFS.exe | Code function: 25_2_00007FF7E07389BC wcscpy_s,wcscat_s,FindFirstFileW,_wcsicmp,FindNextFileW,GetLastError,FindClose,
Source: C:\Users\user\AppData\Local\daH0n9\WFS.exe | Code function: 25_2_00007FF7E0705B40 #626,#626,memset,memset,#6887,#620,#1122,#1040,#1287,FindFirstFileW,GetLastError,#6886,#620,#1122,#1040,#1287,#1287,#620,EnterCriticalSection,LeaveCriticalSection,FindNextFileW,GetLastError,FindClose,#6887,#1040,#1040,SendMessageW,
Source: C:\Users\user\AppData\Local\daH0n9\WFS.exe | Code function: 25_2_00007FF7E07230D8 SendMessageW,GetLastError,wcschr,#626,#2846,FindFirstFileW,GetLastError,#1040,#626,memset,GetLastError,ReadFile,GetLastError,CloseHandle,FindNextFileW,GetLastError,FindClose,GetLastError,#1040,CloseHandle,SendMessageW,#4262,#640,#1122,#1040,#6395,#6395,
Source: C:\Users\user\AppData\Local\daH0n9\WFS.exe | Code function: 25_2_00007FF7E06FF0AC GetTempPathW,GetLastError,wcsrchr,_wcsnset,GetCurrentProcessId,FindFirstFileW,GetLastError,DeleteFileW,GetLastError,FindNextFileW,GetLastError,GetLastError,FindClose,
Source: explorer.exe, 00000004.00000000.276254319.0000000008153000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000
Source: explorer.exe, 00000004.00000000.335839372.0000000008223000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}m&ven_n
Source: explorer.exe, 00000004.00000000.343329822.0000000000680000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: _VMware_SATA_CD00#5&280b647&
Source: explorer.exe, 00000004.00000000.343361279.000000000069D000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000004.00000000.276484817.0000000008223000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: VMware SATA CD00
Source: explorer.exe, 00000004.00000000.276484817.0000000008223000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}t]
Source: explorer.exe, 00000004.00000000.331399328.00000000062C4000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000004.00000000.269868988.0000000004287000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}0
Source: explorer.exe, 00000004.00000000.276452579.000000000820E000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000
Source: explorer.exe, 00000004.00000000.276254319.0000000008153000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000
Source: explorer.exe, 00000004.00000000.276484817.0000000008223000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: VMware SATA CD00l
Source: C:\Users\user\AppData\Local\A3MiXbeK\PresentationSettings.exe | Code function: 18_2_00007FF7B4451AC8 GetCurrentThreadId,memset,IsDebuggerPresent,OutputDebugStringW,
Source: C:\Users\user\AppData\Local\daH0n9\WFS.exe | Code function: 25_2_00007FF7E0704858 LoadLibraryW,GetProcAddress,FreeLibrary,
Source: C:\Users\user\AppData\Local\A3MiXbeK\PresentationSettings.exe | Code function: 18_2_00007FF7B4453468 WaitForSingleObjectEx,GetLastError,CloseHandle,SetLastError,GetLastError,CloseHandle,SetLastError,GetLastError,ReleaseMutex,SetLastError,GetProcessHeap,HeapFree,ReleaseMutex,
Source: C:\Users\user\AppData\Local\A3MiXbeK\PresentationSettings.exe | Code function: 18_2_00007FF7B445649C rdtsc
Source: C:\Windows\System32\loaddll64.exe | Code function: 0_2_00007FFC647097D0 LdrLoadDll,FindClose,
Source: C:\Users\user\AppData\Local\A3MiXbeK\PresentationSettings.exe | Code function: 18_2_00007FF7B4465460 SetUnhandledExceptionFilter,
Source: C:\Users\user\AppData\Local\A3MiXbeK\PresentationSettings.exe | Code function: 18_2_00007FF7B44651B0 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
Source: C:\Users\user\AppData\Local\WRsLe\DmNotificationBroker.exe | Code function: 21_2_00007FF793F62780 SetUnhandledExceptionFilter,
Source: C:\Users\user\AppData\Local\WRsLe\DmNotificationBroker.exe | Code function: 21_2_00007FF793F62AB4 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
Source: C:\Users\user\AppData\Local\daH0n9\WFS.exe | Code function: 25_2_00007FF7E07548F4 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
Source: C:\Users\user\AppData\Local\daH0n9\WFS.exe | Code function: 25_2_00007FF7E0754CF0 SetUnhandledExceptionFilter,

HIPS / PFW / Operating System Protection Evasion

Source: C:\Windows\explorer.exe | File created: WINMM.dll.4.dr
Source: C:\Windows\System32\rundll32.exe | Memory protected: C:\Windows\explorer.exe base: 7FFC866FEFE0 protect: page execute and read and write
Source: C:\Windows\System32\rundll32.exe | Memory protected: C:\Windows\explorer.exe base: 7FFC866FE000 protect: page execute read
Source: C:\Windows\System32\rundll32.exe | Memory protected: C:\Windows\explorer.exe base: 7FFC85C32A20 protect: page execute and read and write
Source: C:\Windows\System32\rundll32.exe | Thread APC queued: target process: C:\Windows\explorer.exe
Source: C:\Windows\System32\rundll32.exe | Atom created: 405553565741544156488D6C24D14881EC98 0x00000000 inc eax 0x00000001 push ebp 0x00000002 push ebx 0x00000003 push esi 0x00000004 push edi 0x00000005 inc ecx 0x00000006 push esp 0x00000007 inc ecx 0x00000008 push esi 0x00000009 dec eax 0x0000000a lea ebp, dword ptr [esp-2Fh] 0x0000000e dec eax 0x0000000f sub esp, 00000098h
Source: C:\Users\user\AppData\Local\daH0n9\WFS.exe | Code function: 25_2_00007FF7E073D58C memset,memset,CredUIParseUserNameW,LogonUserW,GetLastError,DuplicateToken,GetLastError,CloseHandle,
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\elBAfme5gQ.dll",#1
Source: explorer.exe, 00000004.00000000.298751933.0000000000688000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.321239545.0000000000688000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.343343863.0000000000688000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: ProgmanEXE^
Source: explorer.exe, 00000004.00000000.335577831.0000000008153000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.306264375.0000000005920000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.343771520.0000000000BE0000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000004.00000000.343771520.0000000000BE0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000004.00000000.300542154.0000000000BE0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000004.00000000.267257987.0000000000BE0000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Progman
Source: explorer.exe, 00000004.00000000.343771520.0000000000BE0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000004.00000000.300542154.0000000000BE0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000004.00000000.267257987.0000000000BE0000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Progmanlock
Source: explorer.exe, 00000004.00000000.299603676.000000000069D000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.267032730.000000000069D000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.321326360.000000000069D000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Shell_TrayWnd4
Source: explorer.exe, 00000004.00000000.343771520.0000000000BE0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000004.00000000.300542154.0000000000BE0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000004.00000000.267257987.0000000000BE0000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: WProgram Manager
Source: C:\Users\user\AppData\Local\daH0n9\WFS.exe | Code function: GetLocaleInfoEx,
Source: C:\Users\user\AppData\Local\daH0n9\WFS.exe | Code function: #1568,GetLocaleInfoW,GetLastError,#1471,PostMessageW,#1567,#626,#2846,
Source: C:\Users\user\AppData\Local\daH0n9\WFS.exe | Code function: #2846,GetNumberFormatW,GetLastError,GetLocaleInfoW,GetLastError,wcsstr,memset,#2846,
Source: C:\Users\user\AppData\Local\daH0n9\WFS.exe | Code function: GetUserPreferredUILanguages,GetLastError,GetUserPreferredUILanguages,GetLocaleInfoEx,free,
Source: C:\Windows\System32\loaddll64.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion InstallDate
Source: C:\Windows\System32\loaddll64.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: C:\Users\user\AppData\Local\A3MiXbeK\PresentationSettings.exe | Code function: 18_2_00007FF7B44655F0 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,GetTickCount,QueryPerformanceCounter,
Source: C:\Users\user\AppData\Local\daH0n9\WFS.exe | Code function: 25_2_00007FF7E07243D0 memset,memset,memset,memset,#626,#626,GetVersion,GetOpenFileNameW,#624,#624,#1040,#1040,#1040,#1040,
Source: C:\Windows\System32\loaddll64.exe | Code function: 0_2_00007FFC64709400 GetUserNameW,
Source: C:\Users\user\AppData\Local\WRsLe\DmNotificationBroker.exe | Code function: 21_2_00007FF793F621B8 RpcBindingCreateW,RpcBindingBind,NdrClientCall3,RpcBindingFree,
                      Source: C:\Users\user\AppData\Local\WRsLe\DmNotificationBroker.exeCode function: 21_2_00007FF793F622F0 RpcBindingFree,
                      MITRE ATT&CK matrix columns: Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
                      1
                      Valid Accounts
                      2
                      Native API
                      1
                      DLL Side-Loading
                      1
                      DLL Side-Loading
                      1
                      Deobfuscate/Decode Files or Information
                      1
                      Credential API Hooking
                      1
                      System Time Discovery
                      Remote Services1
                      Archive Collected Data
                      Exfiltration Over Other Network Medium2
                      Encrypted Channel
                      Eavesdrop on Insecure Network CommunicationRemotely Track Device Without AuthorizationModify System Partition
                      Default Accounts1
                      Exploitation for Client Execution
                      1
                      Valid Accounts
                      1
                      Valid Accounts
                      3
                      Obfuscated Files or Information
                      LSASS Memory1
                      Account Discovery
                      Remote Desktop Protocol1
                      Credential API Hooking
                      Exfiltration Over BluetoothJunk DataExploit SS7 to Redirect Phone Calls/SMSRemotely Wipe Data Without AuthorizationDevice Lockout
                      Domain Accounts2
                      Command and Scripting Interpreter
                      Logon Script (Windows)1
                      Access Token Manipulation
                      2
                      Software Packing
                      Security Account Manager1
                      File and Directory Discovery
                      SMB/Windows Admin SharesData from Network Shared DriveAutomated ExfiltrationSteganographyExploit SS7 to Track Device LocationObtain Device Cloud BackupsDelete Device Data
                      Local AccountsAt (Windows)Logon Script (Mac)312
                      Process Injection
                      1
                      Timestomp
                      NTDS25
                      System Information Discovery
                      Distributed Component Object ModelInput CaptureScheduled TransferProtocol ImpersonationSIM Card SwapCarrier Billing Fraud
                      Cloud AccountsCronNetwork Logon ScriptNetwork Logon Script1
                      DLL Side-Loading
                      LSA Secrets31
                      Security Software Discovery
                      SSHKeyloggingData Transfer Size LimitsFallback ChannelsManipulate Device CommunicationManipulate App Store Rankings or Ratings
                      Replication Through Removable MediaLaunchdRc.commonRc.common1
                      Rootkit
                      Cached Domain Credentials1
                      Virtualization/Sandbox Evasion
                      VNCGUI Input CaptureExfiltration Over C2 ChannelMultiband CommunicationJamming or Denial of ServiceAbuse Accessibility Features
                      External Remote ServicesScheduled TaskStartup ItemsStartup Items1
                      Masquerading
                      DCSync3
                      Process Discovery
                      Windows Remote ManagementWeb Portal CaptureExfiltration Over Alternative ProtocolCommonly Used PortRogue Wi-Fi Access PointsData Encrypted for Impact
                      Drive-by CompromiseCommand and Scripting InterpreterScheduled Task/JobScheduled Task/Job1
                      Valid Accounts
                      Proc Filesystem1
                      Application Window Discovery
                      Shared WebrootCredential API HookingExfiltration Over Symmetric Encrypted Non-C2 ProtocolApplication Layer ProtocolDowngrade to Insecure ProtocolsGenerate Fraudulent Advertising Revenue
                      Exploit Public-Facing ApplicationPowerShellAt (Linux)At (Linux)1
                      Virtualization/Sandbox Evasion
                      /etc/passwd and /etc/shadow1
                      System Owner/User Discovery
                      Software Deployment ToolsData StagedExfiltration Over Asymmetric Encrypted Non-C2 ProtocolWeb ProtocolsRogue Cellular Base StationData Destruction
                      Supply Chain CompromiseAppleScriptAt (Windows)At (Windows)1
                      Access Token Manipulation
                      Network SniffingProcess DiscoveryTaint Shared ContentLocal Data StagingExfiltration Over Unencrypted/Obfuscated Non-C2 ProtocolFile Transfer ProtocolsData Encrypted for Impact
                      Compromise Software Dependencies and Development ToolsWindows Command ShellCronCron312
                      Process Injection
                      Input CapturePermission Groups DiscoveryReplication Through Removable MediaRemote Data StagingExfiltration Over Physical MediumMail ProtocolsService Stop
                      Compromise Software Supply ChainUnix ShellLaunchdLaunchd1
                      Rundll32
                      KeyloggingLocal GroupsComponent Object Model and Distributed COMScreen CaptureExfiltration over USBDNSInhibit System Recovery
                      Behavior Graph (ID: 595323, Sample: elBAfme5gQ, Start date: 23/03/2022, Architecture: WINDOWS, Score: 100)
                      Sample-level signatures: Antivirus detection for dropped file; Antivirus / Scanner detection for submitted sample; Multi AV Scanner detection for submitted file; 5 other signatures
                      Process tree:
                      • loaddll64.exe (started)
                        • rundll32.exe (started)
                          Signatures: Changes memory attributes in foreign processes to executable or writable; Uses Atom Bombing / ProGate to inject into other processes; Queues an APC in another process (thread injection)
                          • explorer.exe (injected)
                            Dropped files: C:\Users\user\AppData\Local\...\credui.dll (PE32+); C:\Users\user\AppData\Local\WRsLe\DUI70.dll (PE32+); C:\Users\user\AppData\Local\...\WINMM.dll (PE32+); 5 other files (none is malicious)
                            Signature: Benign windows process drops PE files
                            • PresentationSettings.exe (started)
                            • DmNotificationBroker.exe (started)
                            • DmNotificationBroker.exe (started)
                            • 7 other processes
                        • cmd.exe (started)
                          • rundll32.exe (started)
                        • rundll32.exe (started)
                        • rundll32.exe (started)

                      Source | Detection | Scanner | Label | Link
                      elBAfme5gQ.dll | 63% | Virustotal | | Browse
                      elBAfme5gQ.dll | 66% | Metadefender | | Browse
                      elBAfme5gQ.dll | 88% | ReversingLabs | Win64.Trojan.Occamy |
                      elBAfme5gQ.dll | 100% | Avira | TR/Crypt.XPACK.Gen7 |
                      elBAfme5gQ.dll | 100% | Joe Sandbox ML | |
                      Source | Detection | Scanner | Label | Link
                      C:\Users\user\AppData\Local\WRsLe\DUI70.dll | 100% | Avira | TR/Crypt.XPACK.Gen4 |
                      C:\Users\user\AppData\Local\daH0n9\credui.dll | 100% | Avira | TR/Crypt.XPACK.Gen7 |
                      C:\Users\user\AppData\Local\WRsLe\DUI70.dll | 100% | Avira | TR/Crypt.XPACK.Gen4 |
                      C:\Users\user\AppData\Local\A3MiXbeK\WINMM.dll | 100% | Avira | TR/Crypt.ZPACK.Gen |
                      C:\Users\user\AppData\Local\WRsLe\DUI70.dll | 100% | Joe Sandbox ML | |
                      C:\Users\user\AppData\Local\daH0n9\credui.dll | 100% | Joe Sandbox ML | |
                      C:\Users\user\AppData\Local\WRsLe\DUI70.dll | 100% | Joe Sandbox ML | |
                      C:\Users\user\AppData\Local\A3MiXbeK\WINMM.dll | 100% | Joe Sandbox ML | |
                      C:\Users\user\AppData\Local\A3MiXbeK\PresentationSettings.exe | 0% | Virustotal | | Browse
                      C:\Users\user\AppData\Local\A3MiXbeK\PresentationSettings.exe | 0% | Metadefender | | Browse
                      C:\Users\user\AppData\Local\A3MiXbeK\PresentationSettings.exe | 0% | ReversingLabs | |
                      Source | Detection | Scanner | Label | Link | Download
                      31.2.DmNotificationBroker.exe.25ea0a40000.0.unpack | 100% | Avira | HEUR/AGEN.1215493 | | Download File
                      25.2.WFS.exe.20e998e0000.0.unpack | 100% | Avira | HEUR/AGEN.1215493 | | Download File
                      6.2.rundll32.exe.20ea8c10000.0.unpack | 100% | Avira | HEUR/AGEN.1215493 | | Download File
                      2.2.rundll32.exe.1e683d50000.0.unpack | 100% | Avira | HEUR/AGEN.1215493 | | Download File
                      0.2.loaddll64.exe.1c6c38c0000.0.unpack | 100% | Avira | HEUR/AGEN.1215493 | | Download File
                      5.2.rundll32.exe.18b9c500000.1.unpack | 100% | Avira | HEUR/AGEN.1215493 | | Download File
                      18.2.PresentationSettings.exe.7ffc66970000.3.unpack | 100% | Avira | TR/Crypt.XPACK.Gen | | Download File
                      3.2.rundll32.exe.1da43850000.1.unpack | 100% | Avira | HEUR/AGEN.1215493 | | Download File
                      21.2.DmNotificationBroker.exe.1f554500000.1.unpack | 100% | Avira | HEUR/AGEN.1215493 | | Download File
                      25.2.WFS.exe.7ffc66970000.3.unpack | 100% | Avira | TR/Crypt.XPACK.Gen | | Download File
                      2.2.rundll32.exe.7ffc646c0000.2.unpack | 100% | Avira | TR/Crypt.XPACK.Gen | | Download File
                      5.2.rundll32.exe.7ffc646c0000.2.unpack | 100% | Avira | TR/Crypt.XPACK.Gen | | Download File
                      18.2.PresentationSettings.exe.173c4f40000.0.unpack | 100% | Avira | HEUR/AGEN.1215493 | | Download File
                      31.2.DmNotificationBroker.exe.7ffc67880000.3.unpack | 100% | Avira | TR/Crypt.XPACK.Gen | | Download File
                      3.2.rundll32.exe.7ffc646c0000.2.unpack | 100% | Avira | TR/Crypt.XPACK.Gen | | Download File
                      6.2.rundll32.exe.7ffc646c0000.2.unpack | 100% | Avira | TR/Crypt.XPACK.Gen | | Download File
                      21.2.DmNotificationBroker.exe.7ffc66920000.3.unpack | 100% | Avira | TR/Crypt.XPACK.Gen | | Download File
                      0.2.loaddll64.exe.7ffc646c0000.2.unpack | 100% | Avira | TR/Crypt.XPACK.Gen | | Download File
                      No Antivirus matches
                      No Antivirus matches
                      No contacted domains info
                      No contacted IP infos
                      Joe Sandbox Version:34.0.0 Boulder Opal
                      Analysis ID:595323
                      Start date and time:2022-03-23 15:03:08 +01:00
                      Joe Sandbox Product:CloudBasic
                      Overall analysis duration:0h 15m 14s
                      Hypervisor based Inspection enabled:false
                      Report type:light
                      Sample file name:elBAfme5gQ (renamed file extension from none to dll)
                      Cookbook file name:default.jbs
                      Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
                      Number of analysed new started processes analysed:35
                      Number of new started drivers analysed:0
                      Number of existing processes analysed:0
                      Number of existing drivers analysed:0
                      Number of injected processes analysed:1
                      Technologies:
                      • HCA enabled
                      • EGA enabled
                      • HDC enabled
                      • AMSI enabled
                      Analysis Mode:default
                      Analysis stop reason:Timeout
                      Detection:MAL
                      Classification:mal100.troj.evad.winDLL@31/9@0/0
                      EGA Information:
                      • Successful, ratio: 100%
                      HDC Information:
                      • Successful, ratio: 25.6% (good quality ratio 16.8%)
                      • Quality average: 44.6%
                      • Quality standard deviation: 38.9%
                      HCA Information:
                      • Successful, ratio: 98%
                      • Number of executed functions: 0
                      • Number of non-executed functions: 0
                      Cookbook Comments:
                      • Adjust boot time
                      • Enable AMSI
                      • Override analysis time to 240s for rundll32
                      • Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, WMIADAP.exe, SgrmBroker.exe, backgroundTaskHost.exe, conhost.exe, WmiPrvSE.exe, svchost.exe, wuapihost.exe
                      • Excluded IPs from analysis (whitelisted): 23.211.6.115
                      • Excluded domains from analysis (whitelisted): ris.api.iris.microsoft.com, e12564.dspb.akamaiedge.net, client.wns.windows.com, fs.microsoft.com, store-images.s-microsoft.com, sls.update.microsoft.com, ctldl.windowsupdate.com, store-images.s-microsoft.com-c.edgekey.net, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, arc.msn.com
                      • Not all processes were analyzed, report is missing behavior information
                      • Report creation exceeded maximum time and may have missing disassembly code information.
                      • Report size exceeded maximum capacity and may have missing behavior information.
                      • Report size exceeded maximum capacity and may have missing disassembly code.
                      • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                      • Report size getting too big, too many NtEnumerateKey calls found.
                      No simulations
                      No context
                      No context
                      No context
                      No context
                      No context
                      Process:C:\Windows\explorer.exe
                      File Type:PE32+ executable (GUI) x86-64, for MS Windows
                      Category:dropped
                      Size (bytes):222208
                      Entropy (8bit):6.618425906220987
                      Encrypted:false
                      SSDEEP:3072:dklO/b97taQPr5pT8as3lJwvkAarSvDZpFB+2xmh0QSoKKBlKxyAZEHA:Oo/b1txPlh8I+rUts2xmhfGKraEH
                      MD5:76086DD04B6760277A2B897345A0B457
                      SHA1:DC65093DB601FE7AA2F4C0C400D18F43DA92DCFA
                      SHA-256:BF492302281E3CD4F023FB54E101D8C3BD00FFEAFF75B5D7FE0C1CA43F291A81
                      SHA-512:6528C86BA0272274A907F8559DFD79C55D1A6BAF3A4545EF3F6CDC4C790CC9FBDB7A3A8A2E72D0ED39651975DF5967608111448D1351BDC659E8F0F5E8C72442
                      Malicious:false
                      Antivirus:
                      • Antivirus: Virustotal, Detection: 0%, Browse
                      • Antivirus: Metadefender, Detection: 0%, Browse
                      • Antivirus: ReversingLabs, Detection: 0%
                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........_.".>.q.>.q.>.q.F~q.>.q.Z.p.>.q.Z.p.>.q.Z.p.>.q.Z.p.>.q.>.q/>.q.Z.p.>.q.Z.q.>.q.Z.p.>.qRich.>.q........PE..d... ..8.........."......J... ...... O.........@.....................................9....`.......... ..........................................................x.......................T............................a...............b...............................text....H.......J.................. ..`.rdata...]...`...^...N..............@..@.data...H...........................@....pdata..x...........................@..@.rsrc...............................@..@.reloc...............b..............@..B........................................................................................................................................................................................................................................................................
                      Process:C:\Windows\explorer.exe
                      File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                      Category:dropped
                      Size (bytes):1429504
                      Entropy (8bit):4.925425107744081
                      Encrypted:false
                      SSDEEP:12288:xZgJtlQepQn+NDo7nIYegQCLDF/B9wvj/cLvVZFuw:xZK6F7n5eRmDFJivohZFV
                      MD5:37B80DA01055C6036ABE9D98E2EEF1B8
                      SHA1:844CA9FADA6210A0CD67E24257B49D8BCF217DAA
                      SHA-256:EC8D39D3F13C11B6C259591469742E56ACB4D72BE5E48E929B53F021BEB8F36E
                      SHA-512:A3951AC7C775BA9358E84C3636E18D43B9E88553C5866E295FF25EB35A7067A7AEEE6B34FDCAB0277CC1531469845F77F28051F1B1260C02B0703DB3CCAED11F
                      Malicious:true
                      Antivirus:
                      • Antivirus: Avira, Detection: 100%
                      • Antivirus: Joe Sandbox ML, Detection: 100%
                      Preview:MZ......................@.......................................X..Z.qb..qb..qb.a...jqb.s....qb.9...\qb.s...(qb......qb..#.. qb../b..qb......qb.....Hqb..(c./qb.r,f..qb..(c..qb.;...,qb../..Tqb.....Zqb......qb.z...Bqb.....nqb.....[qb.....qb.;...{qb......qb..#...qb...f.oqb....hqb.z....qb.....:qb.;...tqb.Rich.qb.................................................................................................PE..d.G...}^.........." ..... ...........$.........@..........................................`.............................................h...$...<....................................................................................0..(............................text............ .........@........ ..`.rdata...o...0...p...0...0.@Co......@..@.data....;.......@.........@.;......@....pdata..8..................@8.......@..@.rsrc......................@........@..@.reloc..1..................@1.......@..B.vxl............. .........@........@..@.qwubgr.$....0... ...0...0.@$.......@..@.eer....
                      Process:C:\Windows\explorer.exe
                      File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                      Category:dropped
                      Size (bytes):1708032
                      Entropy (8bit):5.373706741928563
                      Encrypted:false
                      SSDEEP:12288:xZgJtlQepQn+NDo7nIYegQCLDF/B9wvj/cLvVZFuwP3WN/0138:xZK6F7n5eRmDFJivohZFVPWNW
                      MD5:ECEB1D6165AEE8F6644397DF9F126839
                      SHA1:87D4E499BF3DFEC6E30A698CE3E05AC0E34DC7D8
                      SHA-256:F5136D89F200A1FD6B7DA976CBBF1DB66661381EA8C044C4FB0C55239F4ED3FC
                      SHA-512:102C7642D267A302EEF694F8156ABE5447140C950404FC01F261C6B317CD5ED784759120D52D2CB79BE14496EBB0EE00333F41FD31D6A6D6651417AE17648C2B
                      Malicious:true
                      Antivirus:
                      • Antivirus: Avira, Detection: 100%
                      • Antivirus: Avira, Detection: 100%
                      • Antivirus: Joe Sandbox ML, Detection: 100%
                      • Antivirus: Joe Sandbox ML, Detection: 100%
                      Preview:MZ......................@.......................................X..Z.qb..qb..qb.a...jqb.s....qb.9...\qb.s...(qb......qb..#.. qb../b..qb......qb.....Hqb..(c./qb.r,f..qb..(c..qb.;...,qb../..Tqb.....Zqb......qb.z...Bqb.....nqb.....[qb.....qb.;...{qb......qb..#...qb...f.oqb....hqb.z....qb.....:qb.;...tqb.Rich.qb.................................................................................................PE..d.G...}^.........." ..... ...........$.........@..........................................`.............................................dQ..$...<....................................................................................0..(............................text............ .........@........ ..`.rdata...o...0...p...0...0.@Co......@..@.data....;.......@.........@.;......@....pdata..8..................@8.......@..@.rsrc......................@........@..@.reloc..1..................@1.......@..B.vxl............. .........@........@..@.qwubgr.$....0... ...0...0.@$.......@..@.eer....
                      Process:C:\Windows\explorer.exe
                      File Type:PE32+ executable (GUI) x86-64, for MS Windows
                      Category:dropped
                      Size (bytes):32256
                      Entropy (8bit):5.250876383836324
                      Encrypted:false
                      SSDEEP:768:ghunFhykO4aAvnsvpzte5+Ql0/iqmjjn:58kO4asshu+Q+/Ojjn
                      MD5:1643D5735213BC89C0012F0E48253765
                      SHA1:D076D701929F1F269D34C8FD7BD1BAB4DAF42A9D
                      SHA-256:4176FA24D56BB870316D07BD7211BC8A797394F77DCC12B35FFEBAA0326525D2
                      SHA-512:F0BD45FE66EDC6F615C0125C1AE81E657CA26544544769651AB0623DD3C724F96D9D78835EF6B1D15083D1BB9D501F6DC48487DDA5C361CAFA96022D5F33A43F
                      Malicious:false
                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........j.?H..lH..lH..lAs.lT..l'o.mJ..l'o.m[..lH..l...l'o.mC..l'o.mA..l'o.mA..l'ohlI..l'o.mI..lRichH..l........................PE..d................."......*...V.......&.........@....................................n3............... .......................................x.......... ...........................Po..T............................]...............^..p............................text....(.......*.................. ..`.imrsiv......@...........................rdata..P8...P...:..................@..@.data...(............h..............@....pdata...............j..............@..@.rsrc... ............n..............@..@.reloc...............z..............@..B................................................................................................................................................................................................................
                      Process:C:\Windows\explorer.exe
                      File Type:PE32+ executable (GUI) x86-64, for MS Windows
                      Category:dropped
                      Size (bytes):930304
                      Entropy (8bit):5.99262413442194
                      Encrypted:false
                      SSDEEP:12288:YVpcWBIX7oU/HEx5a/DTROFJTl7XjY5uUMUd1vLf1k+xt4vFe:spnBUoR5AfREllTjY5umjz1ivFe
                      MD5:CD6ACF3B997099B6CFB2417D3942F755
                      SHA1:7376A8000CB7B5CE0F5DA783BAF9F9C2C36F1670
                      SHA-256:B699695F47AA8E8B70A21267BA1648B59B33BD677E29D334BC73EBB1A4B81F3E
                      SHA-512:F301F0D87CB5FFFFB88AB0B86035DA7705DED1121107D2FDF7A9132F8DFBDEFFAFBE452E3BC7ACEAD1A0E368815127942B2E642B214EA83D90E97B015C766DE0
                      Malicious:false
                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......OR...3.,.3.,.3.,dW.-.3.,dW.-.3.,dW.-.3.,dW.-$3.,.3.,o7.,dW.-q3.,dW.,.3.,dW.-.3.,Rich.3.,................PE..d...d.D..........."..................F.........@..........................................`.......... .......................................`.......0...%......@A...........`..D ..`@..T....................Y..(... ................Y..8... W.......................text...2........................... ..`.rdata..............................@..@.data..../....... ..................@....pdata..@A.......B..................@..@.didat....... ......................@....rsrc....%...0...&..................@..@.reloc..D ...`..."..................@..B................................................................................................................................................................................................................................
                      Process:C:\Windows\explorer.exe
                      File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                      Category:dropped
                      Size (bytes):1425408
                      Entropy (8bit):4.919681432675964
                      Encrypted:false
                      SSDEEP:12288:RZgJtlQepQn+NDo7nIYegQCLDF/B9wvj/cLvVZFuw:RZK6F7n5eRmDFJivohZFV
                      MD5:FFCCCB5ECF191C6B30DC3F0C3D5C4238
                      SHA1:8F3620F81C7A59A7B0C59AD20DCF82FF53F78996
                      SHA-256:3F164C230BB5416C66713A3D03B5374C55EE85A1E3D97BB7663818AF719ABB87
                      SHA-512:22523EA25E9927211ADC02123EEC2F86C5FB66A79F9C262D7EA3ABBE8A0C4A7FAACAB3FF0713033A1812D8465B32B352F2D73EA4839C4F0B23A615A8EE82894D
                      Malicious:true
                      Antivirus:
                      • Antivirus: Avira, Detection: 100%
                      • Antivirus: Joe Sandbox ML, Detection: 100%
                      Preview:MZ......................@.......................................X..Z.qb..qb..qb.a...jqb.s....qb.9...\qb.s...(qb......qb..#.. qb../b..qb......qb.....Hqb..(c./qb.r,f..qb..(c..qb.;...,qb../..Tqb.....Zqb......qb.z...Bqb.....nqb.....[qb.....qb.;...{qb......qb..#...qb...f.oqb....hqb.z....qb.....:qb.;...tqb.Rich.qb.................................................................................................PE..d.G...}^.........." ..... ...........$.........@..........................................`.................................................$...<....................................................................................0..(............................text............ .........@........ ..`.rdata...o...0...p...0...0.@Co......@..@.data....;.......@.........@.;......@....pdata..8..................@8.......@..@.rsrc......................@........@..@.reloc..1..................@1.......@..B.vxl............. .........@........@..@.qwubgr.$....0... ...0...0.@$.......@..@.eer....
                      Process:C:\Windows\explorer.exe
                      File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                      Category:dropped
                      Size (bytes):1708032
                      Entropy (8bit):5.373867229558349
                      Encrypted:false
                      SSDEEP:12288:YZgJtlQepQn+NDo7nIYegQCLDF/B9wvj/cLvVZFuw6aN/0138:YZK6F7n5eRmDFJivohZFVLNW
                      MD5:F1ABEB8232250B108AC5E4BA8F9795CC
                      SHA1:A7E6D97B7B192E2D570061DD416DB45D8DD5F9D6
                      SHA-256:314A8F8EBF9905FFDEE0BD9BEBB3EA6D08AACC22305B3A7D518022D4B512042D
                      SHA-512:6D4558AFABA5359438F67A7E416426E54CACF4D356D8911E0FBA6EAD47F2DF561B8092AAA1CFB154B0BD25F87BED44C467D8981D7CDF21C3BAF19E57878DDF6F
                      Malicious:false
                      Preview:MZ......................@.......................................X..Z.qb..qb..qb.a...jqb.s....qb.9...\qb.s...(qb......qb..#.. qb../b..qb......qb.....Hqb..(c./qb.r,f..qb..(c..qb.;...,qb../..Tqb.....Zqb......qb.z...Bqb.....nqb.....[qb.....qb.;...{qb......qb..#...qb...f.oqb....hqb.z....qb.....:qb.;...tqb.Rich.qb.................................................................................................PE..d.G...}^.........." ..... ...........$.........@..........................................`.............................................dQ..$...<....................................................................................0..(............................text............ .........@........ ..`.rdata...o...0...p...0...0.@Co......@..@.data....;.......@.........@.;......@....pdata..8..................@8.......@..@.rsrc......................@........@..@.reloc..1..................@1.......@..B.vxl............. .........@........@..@.qwubgr.$....0... ...0...0.@$.......@..@.eer....
                      Process:C:\Windows\explorer.exe
                      File Type:PE32+ executable (GUI) x86-64, for MS Windows
                      Category:dropped
                      Size (bytes):32256
                      Entropy (8bit):5.250876383836324
                      Encrypted:false
                      SSDEEP:768:ghunFhykO4aAvnsvpzte5+Ql0/iqmjjn:58kO4asshu+Q+/Ojjn
                      MD5:1643D5735213BC89C0012F0E48253765
                      SHA1:D076D701929F1F269D34C8FD7BD1BAB4DAF42A9D
                      SHA-256:4176FA24D56BB870316D07BD7211BC8A797394F77DCC12B35FFEBAA0326525D2
                      SHA-512:F0BD45FE66EDC6F615C0125C1AE81E657CA26544544769651AB0623DD3C724F96D9D78835EF6B1D15083D1BB9D501F6DC48487DDA5C361CAFA96022D5F33A43F
                      Malicious:false
                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........j.?H..lH..lH..lAs.lT..l'o.mJ..l'o.m[..lH..l...l'o.mC..l'o.mA..l'o.mA..l'ohlI..l'o.mI..lRichH..l........................PE..d................."......*...V.......&.........@....................................n3............... .......................................x.......... ...........................Po..T............................]...............^..p............................text....(.......*.................. ..`.imrsiv......@...........................rdata..P8...P...:..................@..@.data...(............h..............@....pdata...............j..............@..@.rsrc... ............n..............@..@.reloc...............z..............@..B................................................................................................................................................................................................................
                      Process:C:\Windows\explorer.exe
                      File Type:data
                      Category:dropped
                      Size (bytes):1450
                      Entropy (8bit):7.333126465225537
                      Encrypted:false
                      SSDEEP:24:URrWQXgUcjg2eNTXpQutJeZwztuBZFRydqukcVq1b2t+Oq1pUWcgouzr4bhm2rf1:URkUc8PNDOZwJu9yqsw1bOwf7cbu/GH1
                      MD5:05221058F2A6FC026C52AB5D3DF5A8ED
                      SHA1:AA9A4864BFC81C855A884B05157129ACC36F6883
                      SHA-256:094C4EB0EF4FB9F35A6E0BDF504E80C37FBDDA9736F587E1A0C60579D62F9610
                      SHA-512:18CF3230240F1684C5F3BC524D8AB6CE11A274BC78C5FF4F048B25FECFCF3F69A8E4369F1E7E118023C89B964A8B43F58473D33F8150100F6F1A23DAFFD48003
                      Malicious:false
                      Preview:........................................user.....................RSA1.................z".n...5.....V#..pd).jS..&..d..../S.....1b....Xa~.].....G....w-X.Y3...m.D.jA..0q..>Y........$.U"...&...I.5.......t...ya.C.E......................z..O......w...L.aI....?E......,...C.r.y.p.t.o.A.P.I. .P.r.i.v.a.t.e. .K.e.y....f...... ........s.+..#.h*u....R.=.e8.y.............. ....;`.....H.......*qY`....O^.....`.....VB.:.......l.W..cD...=$...?........V...D..$.4<......AE..v]Z..Xz.:.L...'.d...9.....9..^...#..H.Y....o...@.k.#.z.VT.j?.7/Dp.. .U.[.i...m..J..?..l.,..Y..0..{;&..Lhow...>W..C..y..9h..t.Dh..!..U./..N.xK..<.............Xg..L..NB....P)Gh-z..t5>J.......J.7..j.E.2..L....(.N..$...e0.[."<.S..I...]z...M..4t............C].......Z.s..v (.\:.....Z1$....I.6zm$)I."3..)..=X..T.<.......pKHD\....!....Hf.....>.(t.t..t..O.G.......74Xz.id.:l..1xu.7M.I.=9.v...Fs..~.U9'....6.%Bf..X..6....E....;..y..H.O..Z...~..l...tdQ.,.cta....|_.^.8t.."..=.y..a..ii....Wk!bT.9.'&..^...lq..5.....
                      File type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                      Entropy (8bit):4.927389050456392
                      TrID:
                      • Win64 Dynamic Link Library (generic) (102004/3) 86.43%
                      • Win64 Executable (generic) (12005/4) 10.17%
                      • Generic Win/DOS Executable (2004/3) 1.70%
                      • DOS Executable Generic (2002/1) 1.70%
                      • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.01%
                      File name:elBAfme5gQ.dll
                      File size:1421312
                      MD5:ca7c6f265e4bc09e6d9d0b2b6234e8b3
                      SHA1:1720aadb4965df64ee40d32957ee6080500639b2
                      SHA256:a8f566b8d2d9f9a418211039cb76552d460f83195d519a89313a880ead9bd4a4
                      SHA512:d7ab70fc544e2ab4354ad7dfc502eaf37f46e8c62bf7e74421b02cee78fe3cefbaf7347c4def1dc728649563fc6e61cb5463558c94fd5494ddf672145a347f3e
                      SSDEEP:12288:6ZgJtlQepQn+NDo7nIYegQCLDF/B9wvj/cLvVZFuw:6ZK6F7n5eRmDFJivohZFV
                      File Content Preview:MZ......................@.......................................X..Z.qb..qb..qb.a...jqb.s....qb.9...\qb.s...(qb......qb..#.. qb../b..qb......qb.....Hqb..(c./qb.r,f..qb..(c..qb.;...,qb../..Tqb.....Zqb......qb.z...Bqb.....nqb.....[qb......qb.;...{qb......qb
                      Icon Hash:74f0e4ecccdce0e4
                      Entrypoint:0x1400424b0
                      Entrypoint Section:.text
                      Digitally signed:false
                      Imagebase:0x140000000
                      Subsystem:windows gui
                      Image File Characteristics:EXECUTABLE_IMAGE, DLL, LARGE_ADDRESS_AWARE
                      DLL Characteristics:TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA
                      Time Stamp:0x5E7D9D05 [Fri Mar 27 06:28:21 2020 UTC]
                      TLS Callbacks:
                      CLR (.Net) Version:
                      OS Version Major:5
                      OS Version Minor:0
                      File Version Major:5
                      File Version Minor:0
                      Subsystem Version Major:5
                      Subsystem Version Minor:0
                      Import Hash:4a2e61e1749a0183eccaadb9c4ef6ec2
                      Instruction
                      dec eax
                      mov dword ptr [00070639h], ecx
                      dec eax
                      lea ecx, dword ptr [FFFFF2F2h]
                      dec esp
                      mov dword ptr [0007064Bh], eax
                      dec esp
                      mov dword ptr [00070654h], edi
                      dec esp
                      mov dword ptr [00070655h], esi
                      dec eax
                      xor eax, eax
                      dec eax
                      inc eax
                      dec eax
                      add ecx, eax
                      dec esp
                      mov dword ptr [00070655h], esp
                      dec eax
                      dec ecx
                      dec eax
                      mov dword ptr [00070653h], esi
                      dec eax
                      test eax, eax
                      je 00007FEBE0AD2DCDh
                      dec eax
                      mov dword ptr [0007060Fh], esp
                      dec eax
                      mov dword ptr [00070600h], ebp
                      dec eax
                      mov dword ptr [00070649h], ebx
                      dec eax
                      mov dword ptr [0007063Ah], edi
                      dec eax
                      test eax, eax
                      je 00007FEBE0AD2DACh
                      dec esp
                      mov dword ptr [000705FEh], ecx
                      dec esp
                      mov dword ptr [0007060Fh], ebp
                      dec eax
                      mov dword ptr [000705D0h], edx
                      jmp ecx
                      dec eax
                      add edi, ecx
                      retn 0008h
                      ud2
                      int3
                      int3
                      int3
                      int3
                      int3
                      int3
                      int3
                      int3
                      int3
                      int3
                      int3
                      int3
                      int3
                      int3
                      push esi
                      dec eax
                      sub esp, 00000080h
                      dec eax
                      mov dword ptr [esp+78h], 58225FC8h
                      mov dword ptr [esp+60h], 2DFAE652h
                      mov al, byte ptr [esp+77h]
                      mov dl, al
                      add dl, FFFFFF85h
                      mov byte ptr [esp+77h], dl
                      mov word ptr [esp+5Eh], 3327h
                      dec esp
                      mov eax, dword ptr [esp+78h]
                      inc esp
                      mov ecx, dword ptr [esp+64h]
                      Name | Virtual Address | Virtual Size | Is in Section
                      IMAGE_DIRECTORY_ENTRY_EXPORT | 0x15a010 | 0x12e | .drmed
                      IMAGE_DIRECTORY_ENTRY_IMPORT | 0xa9924 | 0x3c | .rdata
                      IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xbf000 | 0x3d8 | .rsrc
                      IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                      IMAGE_DIRECTORY_ENTRY_SECURITY | 0x1000 | 0x0 | .text
                      IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xc0000 | 0xefc | .reloc
                      IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
                      IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                      IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                      IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
                      IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
                      IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                      IMAGE_DIRECTORY_ENTRY_IAT | 0x43000 | 0x28 | .rdata
                      IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                      IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
                      IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
                      Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                      .text | 0x1000 | 0x418cc | 0x42000 | False | 0.781412760417 | data | 7.78392111205 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                      .rdata | 0x43000 | 0x66fe7 | 0x67000 | False | 0.700320938258 | data | 7.87281050709 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                      .data | 0xaa000 | 0x13ba7 | 0x14000 | False | 0.0782836914062 | data | 2.51707039551 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
                      .pdata | 0xbe000 | 0x138 | 0x1000 | False | 0.061279296875 | PEX Binary Archive | 0.599172422844 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                      .rsrc | 0xbf000 | 0x69e | 0x1000 | False | 0.123291015625 | data | 1.07831823765 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                      .reloc | 0xc0000 | 0xf31 | 0x1000 | False | 0.416748046875 | data | 5.36145191459 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
                      .vxl | 0xc1000 | 0x14d4 | 0x2000 | False | 0.0037841796875 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                      .qwubgr | 0xc3000 | 0x1124 | 0x2000 | False | 0.0037841796875 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                      .eer | 0xc5000 | 0x1e66 | 0x2000 | False | 0.0037841796875 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                      .xwwauf | 0xc7000 | 0x9cd | 0x1000 | False | 0.00634765625 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                      .pkc | 0xc8000 | 0x42a | 0x1000 | False | 0.00634765625 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                      .npkda | 0xc9000 | 0x736 | 0x1000 | False | 0.00634765625 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                      .vhs | 0xca000 | 0x1af | 0x1000 | False | 0.00634765625 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                      .iaywj | 0xcb000 | 0x1455 | 0x2000 | False | 0.0037841796875 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                      .nasi | 0xcd000 | 0x8fe | 0x1000 | False | 0.00634765625 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                      .zhvprh | 0xce000 | 0x6cd0 | 0x7000 | False | 0.00177873883929 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                      .yatdsp | 0xd5000 | 0x543 | 0x1000 | False | 0.00634765625 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                      .njso | 0xd6000 | 0x1278 | 0x2000 | False | 0.0037841796875 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                      .lgliat | 0xd8000 | 0x736 | 0x1000 | False | 0.00634765625 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                      .ntqjh | 0xd9000 | 0xbf6 | 0x1000 | False | 0.00634765625 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                      .sucsek | 0xda000 | 0x23b | 0x1000 | False | 0.00634765625 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                      .qsxjui | 0xdb000 | 0x9cd | 0x1000 | False | 0.00634765625 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                      .twctcm | 0xdc000 | 0x1124 | 0x2000 | False | 0.0037841796875 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                      .nms | 0xde000 | 0x23b | 0x1000 | False | 0.00634765625 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                      .ogj | 0xdf000 | 0x1278 | 0x2000 | False | 0.0037841796875 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                      .vrkgb | 0xe1000 | 0x706 | 0x1000 | False | 0.00634765625 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                      .gikfw | 0xe2000 | 0x8fe | 0x1000 | False | 0.00634765625 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                      .ktl | 0xe3000 | 0x9cd | 0x1000 | False | 0.00634765625 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                      .crcn | 0xe4000 | 0x5a7 | 0x1000 | False | 0.00634765625 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                      .wtfr | 0xe5000 | 0x1ee | 0x1000 | False | 0.00634765625 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                      .hep | 0xe6000 | 0x13e | 0x1000 | False | 0.00634765625 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                      .ywg | 0xe7000 | 0xd33 | 0x1000 | False | 0.00634765625 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                      .sqsp | 0xe8000 | 0x2da | 0x1000 | False | 0.00634765625 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                      .gzb | 0xe9000 | 0x23b | 0x1000 | False | 0.00634765625 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                      .fatlss | 0xea000 | 0x736 | 0x1000 | False | 0.00634765625 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                      .plqa | 0xeb000 | 0x13e | 0x1000 | False | 0.00634765625 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                      .vzt | 0xec000 | 0x13e | 0x1000 | False | 0.00634765625 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                      .dsbyd | 0xed000 | 0x1e66 | 0x2000 | False | 0.0037841796875 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                      .cdelc | 0xef000 | 0x736 | 0x1000 | False | 0.00634765625 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                      .qkhkj | 0xf0000 | 0x5a7 | 0x1000 | False | 0.00634765625 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                      .mnzegr | 0xf1000 | 0x13e | 0x1000 | False | 0.00634765625 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                      .krw | 0xf2000 | 0x23b | 0x1000 | False | 0.00634765625 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                      .jvsmn | 0xf3000 | 0x389 | 0x1000 | False | 0.00634765625 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                      .bygpq | 0xf4000 | 0x1278 | 0x2000 | False | 0.0037841796875 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                      .kzdbu | 0xf6000 | 0xbde | 0x1000 | False | 0.00634765625 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                      .mwxorn | 0xf7000 | 0x3fe | 0x1000 | False | 0.00634765625 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                      .raf | 0xf8000 | 0x389 | 0x1000 | False | 0.00634765625 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                      .zcyw | 0xf9000 | 0x2da | 0x1000 | False | 0.00634765625 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                      .zeczh | 0xfa000 | 0x128f | 0x2000 | False | 0.0037841796875 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                      .pvv | 0xfc000 | 0x13e | 0x1000 | False | 0.00634765625 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                      .lug | 0xfd000 | 0x45174 | 0x46000 | False | 0.0010498046875 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                      .ski | 0x143000 | 0x8fe | 0x1000 | False | 0.00634765625 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                      .japjd | 0x144000 | 0x128f | 0x2000 | False | 0.0037841796875 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                      .mwtzml | 0x146000 | 0x8fe | 0x1000 | False | 0.00634765625 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                      .vgssf | 0x147000 | 0x13e | 0x1000 | False | 0.00634765625 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                      .gsroye | 0x148000 | 0x1278 | 0x2000 | False | 0.0037841796875 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                      .vcmr | 0x14a000 | 0x23b | 0x1000 | False | 0.00634765625 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                      .kvjqnl | 0x14b000 | 0x23b | 0x1000 | False | 0.00634765625 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                      .zlu | 0x14c000 | 0x8fe | 0x1000 | False | 0.00634765625 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                      .nrcvk | 0x14d000 | 0x3fe | 0x1000 | False | 0.00634765625 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                      .pfz | 0x14e000 | 0x1278 | 0x2000 | False | 0.0037841796875 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                      .hxz | 0x150000 | 0x1f2a | 0x2000 | False | 0.0037841796875 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                      .snjrs | 0x152000 | 0x736 | 0x1000 | False | 0.00634765625 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                      .bffts | 0x153000 | 0x128f | 0x2000 | False | 0.0037841796875 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                      .oqqo | 0x155000 | 0x8fe | 0x1000 | False | 0.00634765625 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                      .ancqi | 0x156000 | 0x3fe | 0x1000 | False | 0.00634765625 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                      .wnpyu | 0x157000 | 0xd33 | 0x1000 | False | 0.00634765625 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                      .eflx | 0x158000 | 0x3ba | 0x1000 | False | 0.00634765625 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                      .mjql | 0x159000 | 0x2da | 0x1000 | False | 0.00634765625 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                      .drmed | 0x15a000 | 0x13e | 0x1000 | False | 0.046142578125 | data | 0.651345168 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                      Name | RVA | Size | Type | Language | Country
                      RT_VERSION | 0xbf0a0 | 0x2dc | data | English | United States
                      RT_MANIFEST | 0xbf380 | 0x56 | ASCII text, with CRLF line terminators | English | United States
                      DLL | Import
                      ADVAPI32.dll | GetServiceDisplayNameW
                      KERNEL32.dll | LoadLibraryA, HeapUnlock
                      Name | Ordinal | Address
                      CreateXmlReader | 1 | 0x14001f0f0
                      CreateXmlReaderInputWithEncodingCodePage | 2 | 0x1400146c8
                      CreateXmlReaderInputWithEncodingName | 3 | 0x1400251b8
                      CreateXmlWriter | 4 | 0x140024134
                      CreateXmlWriterOutputWithEncodingCodePage | 5 | 0x14003ab88
                      CreateXmlWriterOutputWithEncodingName | 6 | 0x140039890
                      Description | Data
                      LegalCopyright | Microsoft Corporation. All rights
                      InternalName | dpnhup
                      FileVersion | 1.56
                      CompanyName | Microsoft C
                      ProductName | Sysinternals Streams
                      ProductVersion | 6.1
                      FileDescription | Thai K
                      OriginalFilename | dpnhupnp.d
                      Translation | 0x0409 0x04b0
                      Language of compilation system | Country where language is spoken | Map
                      English | United States |
                      No network behavior found

                      Code Manipulations

                      Function Name | Hook Type | Active in Processes
                      ZwSetEvent | INLINE | explorer.exe
                      RtlAllocateMemoryBlockLookaside | INLINE | explorer.exe
                      RtlAllocateMemoryZone | INLINE | explorer.exe
                      NtSetEvent | INLINE | explorer.exe
                      Function Name | Hook Type | New Data
                      ZwSetEvent | INLINE | 0xE9 0x9B 0xBB 0xB5 0x5E 0xEF
                      RtlAllocateMemoryBlockLookaside | INLINE | 0x28 0x84 0x48 0x88 0x8D 0xD4
                      RtlAllocateMemoryZone | INLINE | 0x5C 0xC2 0x24 0x43 0x38 0x84
                      NtSetEvent | INLINE | 0xE9 0x9B 0xBB 0xB5 0x5E 0xEF

                      Target ID:0
                      Start time:16:05:13
                      Start date:23/03/2022
                      Path:C:\Windows\System32\loaddll64.exe
                      Wow64 process (32bit):false
                      Commandline:loaddll64.exe "C:\Users\user\Desktop\elBAfme5gQ.dll"
                      Imagebase:0x7ff72c750000
                      File size:140288 bytes
                      MD5 hash:4E8A40CAD6CCC047914E3A7830A2D8AA
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Yara matches:
                      • Rule: JoeSecurity_Dridex_2, Description: Yara detected Dridex unpacked file, Source: 00000000.00000002.285761236.00007FFC646C1000.00000020.00000001.01000000.00000003.sdmp, Author: Joe Security
                      Reputation:moderate

                      Target ID:1
                      Start time:16:05:14
                      Start date:23/03/2022
                      Path:C:\Windows\System32\cmd.exe
                      Wow64 process (32bit):false
                      Commandline:cmd.exe /C rundll32.exe "C:\Users\user\Desktop\elBAfme5gQ.dll",#1
                      Imagebase:0x7ff753e60000
                      File size:273920 bytes
                      MD5 hash:4E2ACF4F8A396486AB4268C94A6A245F
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Reputation:high

                      Target ID:2
                      Start time:16:05:14
                      Start date:23/03/2022
                      Path:C:\Windows\System32\rundll32.exe
                      Wow64 process (32bit):false
                      Commandline:rundll32.exe C:\Users\user\Desktop\elBAfme5gQ.dll,CreateXmlReader
                      Imagebase:0x7ff73c5c0000
                      File size:69632 bytes
                      MD5 hash:73C519F050C20580F8A62C849D49215A
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Yara matches:
                      • Rule: JoeSecurity_Dridex_2, Description: Yara detected Dridex unpacked file, Source: 00000002.00000002.382683427.00007FFC646C1000.00000020.00000001.01000000.00000003.sdmp, Author: Joe Security
                      Reputation:high

                      Target ID:3
                      Start time:16:05:14
                      Start date:23/03/2022
                      Path:C:\Windows\System32\rundll32.exe
                      Wow64 process (32bit):false
                      Commandline:rundll32.exe "C:\Users\user\Desktop\elBAfme5gQ.dll",#1
                      Imagebase:0x7ff73c5c0000
                      File size:69632 bytes
                      MD5 hash:73C519F050C20580F8A62C849D49215A
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Yara matches:
                      • Rule: JoeSecurity_Dridex_2, Description: Yara detected Dridex unpacked file, Source: 00000003.00000002.265252224.00007FFC646C1000.00000020.00000001.01000000.00000003.sdmp, Author: Joe Security
                      Reputation:high

                      Target ID:4
                      Start time:16:05:17
                      Start date:23/03/2022
                      Path:C:\Windows\explorer.exe
                      Wow64 process (32bit):false
                      Commandline:C:\Windows\Explorer.EXE
                      Imagebase:0x7ff6b8cf0000
                      File size:3933184 bytes
                      MD5 hash:AD5296B280E8F522A8A897C96BAB0E1D
                      Has elevated privileges:false
                      Has administrator privileges:false
                      Programmed in:C, C++ or other language
                      Reputation:high

                      Target ID:5
                      Start time:16:05:18
                      Start date:23/03/2022
                      Path:C:\Windows\System32\rundll32.exe
                      Wow64 process (32bit):false
                      Commandline:rundll32.exe C:\Users\user\Desktop\elBAfme5gQ.dll,CreateXmlReaderInputWithEncodingCodePage
                      Imagebase:0x7ff73c5c0000
                      File size:69632 bytes
                      MD5 hash:73C519F050C20580F8A62C849D49215A
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Yara matches:
                      • Rule: JoeSecurity_Dridex_2, Description: Yara detected Dridex unpacked file, Source: 00000005.00000002.271180425.00007FFC646C1000.00000020.00000001.01000000.00000003.sdmp, Author: Joe Security
                      Reputation:high

                      Target ID:6
                      Start time:16:05:21
                      Start date:23/03/2022
                      Path:C:\Windows\System32\rundll32.exe
                      Wow64 process (32bit):false
                      Commandline:rundll32.exe C:\Users\user\Desktop\elBAfme5gQ.dll,CreateXmlReaderInputWithEncodingName
                      Imagebase:0x7ff73c5c0000
                      File size:69632 bytes
                      MD5 hash:73C519F050C20580F8A62C849D49215A
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Yara matches:
                      • Rule: JoeSecurity_Dridex_2, Description: Yara detected Dridex unpacked file, Source: 00000006.00000002.279312817.00007FFC646C1000.00000020.00000001.01000000.00000003.sdmp, Author: Joe Security
                      Reputation:high

                      Target ID:17
                      Start time:16:06:14
                      Start date:23/03/2022
                      Path:C:\Windows\System32\PresentationSettings.exe
                      Wow64 process (32bit):false
                      Commandline:C:\Windows\system32\PresentationSettings.exe
                      Imagebase:0x7ff603330000
                      File size:222208 bytes
                      MD5 hash:76086DD04B6760277A2B897345A0B457
                      Has elevated privileges:false
                      Has administrator privileges:false
                      Programmed in:C, C++ or other language
                      Reputation:moderate

                      Target ID:18
                      Start time:16:06:16
                      Start date:23/03/2022
                      Path:C:\Users\user\AppData\Local\A3MiXbeK\PresentationSettings.exe
                      Wow64 process (32bit):false
                      Commandline:C:\Users\user\AppData\Local\A3MiXbeK\PresentationSettings.exe
                      Imagebase:0x7ff7b4450000
                      File size:222208 bytes
                      MD5 hash:76086DD04B6760277A2B897345A0B457
                      Has elevated privileges:false
                      Has administrator privileges:false
                      Programmed in:C, C++ or other language
                      Yara matches:
                      • Rule: JoeSecurity_Dridex_2, Description: Yara detected Dridex unpacked file, Source: 00000012.00000002.417833376.00007FFC66971000.00000020.00000001.01000000.0000000A.sdmp, Author: Joe Security
                      Antivirus matches:
                      • Detection: 0%, Virustotal
                      • Detection: 0%, Metadefender
                      • Detection: 0%, ReversingLabs
                      Reputation:moderate

                      Target ID:19
                      Start time:16:06:28
                      Start date:23/03/2022
                      Path:C:\Windows\System32\DmNotificationBroker.exe
                      Wow64 process (32bit):false
                      Commandline:C:\Windows\system32\DmNotificationBroker.exe
                      Imagebase:0x7ff698c80000
                      File size:32256 bytes
                      MD5 hash:1643D5735213BC89C0012F0E48253765
                      Has elevated privileges:false
                      Has administrator privileges:false
                      Programmed in:C, C++ or other language

                      Target ID:21
                      Start time:16:06:34
                      Start date:23/03/2022
                      Path:C:\Users\user\AppData\Local\WRsLe\DmNotificationBroker.exe
                      Wow64 process (32bit):false
                      Commandline:C:\Users\user\AppData\Local\WRsLe\DmNotificationBroker.exe
                      Imagebase:0x7ff793f60000
                      File size:32256 bytes
                      MD5 hash:1643D5735213BC89C0012F0E48253765
                      Has elevated privileges:false
                      Has administrator privileges:false
                      Programmed in:C, C++ or other language
                      Yara matches:
                      • Rule: JoeSecurity_Dridex_2, Description: Yara detected Dridex unpacked file, Source: 00000015.00000002.455715001.00007FFC66921000.00000020.00000001.01000000.0000000C.sdmp, Author: Joe Security

                      Target ID:24
                      Start time:16:06:45
                      Start date:23/03/2022
                      Path:C:\Windows\System32\WFS.exe
                      Wow64 process (32bit):false
                      Commandline:C:\Windows\system32\WFS.exe
                      Imagebase:0x7ff66bd70000
                      File size:930304 bytes
                      MD5 hash:CD6ACF3B997099B6CFB2417D3942F755
                      Has elevated privileges:false
                      Has administrator privileges:false
                      Programmed in:C, C++ or other language

                      Target ID:25
                      Start time:16:06:47
                      Start date:23/03/2022
                      Path:C:\Users\user\AppData\Local\daH0n9\WFS.exe
                      Wow64 process (32bit):false
                      Commandline:C:\Users\user\AppData\Local\daH0n9\WFS.exe
                      Imagebase:0x7ff7e06f0000
                      File size:930304 bytes
                      MD5 hash:CD6ACF3B997099B6CFB2417D3942F755
                      Has elevated privileges:false
                      Has administrator privileges:false
                      Programmed in:C, C++ or other language
                      Yara matches:
                      • Rule: JoeSecurity_Dridex_2, Description: Yara detected Dridex unpacked file, Source: 00000019.00000002.489503728.00007FFC66971000.00000020.00000001.01000000.0000000E.sdmp, Author: Joe Security

                      Target ID:30
                      Start time:16:07:01
                      Start date:23/03/2022
                      Path:C:\Windows\System32\DmNotificationBroker.exe
                      Wow64 process (32bit):false
                      Commandline:C:\Windows\system32\DmNotificationBroker.exe
                      Imagebase:0x7ff698c80000
                      File size:32256 bytes
                      MD5 hash:1643D5735213BC89C0012F0E48253765
                      Has elevated privileges:false
                      Has administrator privileges:false
                      Programmed in:C, C++ or other language

                      Target ID:31
                      Start time:16:07:07
                      Start date:23/03/2022
                      Path:C:\Users\user\AppData\Local\pEcAZnNU3\DmNotificationBroker.exe
                      Wow64 process (32bit):false
                      Commandline:C:\Users\user\AppData\Local\pEcAZnNU3\DmNotificationBroker.exe
                      Imagebase:0x7ff6dc630000
                      File size:32256 bytes
                      MD5 hash:1643D5735213BC89C0012F0E48253765
                      Has elevated privileges:false
                      Has administrator privileges:false
                      Programmed in:C, C++ or other language
                      Yara matches:
                      • Rule: JoeSecurity_Dridex_2, Description: Yara detected Dridex unpacked file, Source: 0000001F.00000002.529541082.00007FFC67881000.00000020.00000001.01000000.00000010.sdmp, Author: Joe Security

                      Target ID:32
                      Start time:16:07:20
                      Start date:23/03/2022
                      Path:C:\Windows\System32\wusa.exe
                      Wow64 process (32bit):false
                      Commandline:C:\Windows\system32\wusa.exe
                      Imagebase:0x7ff7378d0000
                      File size:308736 bytes
                      MD5 hash:04CE745559916B99248F266BBF5F9ED9
                      Has elevated privileges:false
                      Has administrator privileges:false
                      Programmed in:C, C++ or other language

                      Target ID:33
                      Start time:16:07:21
                      Start date:23/03/2022
                      Path:C:\Windows\System32\SystemSettingsRemoveDevice.exe
                      Wow64 process (32bit):true
                      Commandline:C:\Windows\system32\SystemSettingsRemoveDevice.exe
                      Imagebase:0xe00000
                      File size:39304 bytes
                      MD5 hash:87AF711D6518C0CF91560D7C98301BBB
                      Has elevated privileges:false
                      Has administrator privileges:false
                      Programmed in:C, C++ or other language

                      No disassembly