Windows Analysis Report
mpXUd364Rz

Overview

General Information

Sample Name: mpXUd364Rz (renamed file extension from none to dll)
Analysis ID: 595330
MD5: 76a03b741a85be73b47b1a72cea1becb
SHA1: f453704ee0177d5771766870bc871e7c048a6c61
SHA256: 7fb4c95a329b24e6ab6742747cf896ae5125599548d38388fcb887b3fb871339
Tags: Dridexexe

Detection

Dridex
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Yara detected Dridex unpacked file
Multi AV Scanner detection for submitted file
Benign windows process drops PE files
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Changes memory attributes in foreign processes to executable or writable
Machine Learning detection for sample
Queues an APC in another process (thread injection)
Sigma detected: Suspicious Call by Ordinal
Machine Learning detection for dropped file
Uses Atom Bombing / ProGate to inject into other processes
PE file contains section with special chars
Queries the volume information (name, serial number etc) of a device
Contains functionality to check if a debugger is running (IsDebuggerPresent)
May sleep (evasive loops) to hinder dynamic analysis
Contains functionality to shutdown / reboot the system
Uses code obfuscation techniques (call, push, ret)
PE file contains sections with non-standard names
Queries the installation date of Windows
Detected potential crypto function
Found potential string decryption / allocating functions
Contains functionality to launch a process as a different user
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to call native functions
Contains functionality to dynamically determine API calls
Found dropped PE file which has not been started or loaded
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Drops files with a non-matching file extension (content does not match file extension)
PE file contains strange resources
Drops PE files
Tries to load missing DLLs
Found evasive API chain checking for process token information
Binary contains a suspicious time stamp
PE file contains more sections than normal
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Found large amount of non-executed APIs
Uses Microsoft's Enhanced Cryptographic Provider
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

AV Detection

Source: mpXUd364Rz.dll Virustotal: Detection: 64%
Source: mpXUd364Rz.dll Metadefender: Detection: 62%
Source: mpXUd364Rz.dll ReversingLabs: Detection: 88%
Source: mpXUd364Rz.dll Avira: detected
Source: C:\Users\user\AppData\Local\USNBng\WTSAPI32.dll Avira: detection malicious, Label: TR/Crypt.ZPACK.Gen
Source: C:\Users\user\AppData\Local\SUX56B\UxTheme.dll Avira: detection malicious, Label: TR/Crypt.ZPACK.Gen
Source: C:\Users\user\AppData\Local\E4DREUfrP\VERSION.dll Avira: detection malicious, Label: TR/Crypt.ZPACK.Gen
Source: C:\Users\user\AppData\Local\lcdNfR\SYSDM.CPL Avira: detection malicious, Label: TR/Crypt.XPACK.Gen7
Source: C:\Users\user\AppData\Local\4gdyz\XmlLite.dll Avira: detection malicious, Label: TR/Crypt.XPACK.Gen7
Source: C:\Users\user\AppData\Local\tivYqgA\newdev.dll Avira: detection malicious, Label: TR/Crypt.ZPACK.Gen
Source: mpXUd364Rz.dll Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\USNBng\WTSAPI32.dll Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\SUX56B\UxTheme.dll Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\E4DREUfrP\VERSION.dll Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\lcdNfR\SYSDM.CPL Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\4gdyz\XmlLite.dll Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\tivYqgA\newdev.dll Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\USNBng\MDMAppInstaller.exe Code function: 20_2_00007FF77C19E934 CreateFileW,CryptAcquireContextW,GetLastError,CryptCreateHash,GetLastError,CryptHashData,ReadFile,GetLastError,CloseHandle,CryptDestroyHash,??_V@YAXPEAX@Z,CryptReleaseContext,??3@YAXPEAX@Z,GetLastError,CryptGetHashParam,GetLastError,memset,CryptGetHashParam,GetLastError, 20_2_00007FF77C19E934
Source: C:\Users\user\AppData\Local\USNBng\MDMAppInstaller.exe Code function: 20_2_00007FF77C19E64C EnterCriticalSection,CryptAcquireContextW,CryptAcquireContextW,GetLastError,LeaveCriticalSection,CryptReleaseContext,memset, 20_2_00007FF77C19E64C
Source: mpXUd364Rz.dll Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA
Source: Binary string: iexpress.pdbGCTL source: iexpress.exe, 00000017.00000000.381495000.00007FF700CE0000.00000002.00000001.01000000.0000000C.sdmp, iexpress.exe, 00000017.00000002.404968145.00007FF700CE0000.00000002.00000001.01000000.0000000C.sdmp, iexpress.exe, 00000021.00000000.482512095.00007FF6ECF70000.00000002.00000001.01000000.00000015.sdmp, iexpress.exe, 00000021.00000002.512158543.00007FF6ECF70000.00000002.00000001.01000000.00000015.sdmp
Source: Binary string: wextract.pdb source: wextract.exe, 00000019.00000000.410833636.00007FF78E559000.00000002.00000001.01000000.0000000E.sdmp, wextract.exe, 00000019.00000002.434355036.00007FF78E559000.00000002.00000001.01000000.0000000E.sdmp
Source: Binary string: mdmappinstaller.pdbGCTL source: MDMAppInstaller.exe, 00000014.00000002.369492137.00007FF77C1A5000.00000002.00000001.01000000.0000000A.sdmp, MDMAppInstaller.exe, 00000014.00000000.345833557.00007FF77C1A5000.00000002.00000001.01000000.0000000A.sdmp
Source: Binary string: wextract.pdbGCTL source: wextract.exe, 00000019.00000000.410833636.00007FF78E559000.00000002.00000001.01000000.0000000E.sdmp, wextract.exe, 00000019.00000002.434355036.00007FF78E559000.00000002.00000001.01000000.0000000E.sdmp
Source: Binary string: sppsvc.pdb source: sppsvc.exe, 00000024.00000000.519045806.00007FF74EE9B000.00000002.00000001.01000000.00000017.sdmp, sppsvc.exe, 00000024.00000002.559206083.00007FF74EE9B000.00000002.00000001.01000000.00000017.sdmp
Source: Binary string: SystemPropertiesComputerName.pdb source: SystemPropertiesComputerName.exe, 00000028.00000000.569829747.00007FF6726F2000.00000002.00000001.01000000.0000001A.sdmp, SystemPropertiesComputerName.exe, 00000028.00000002.595087283.00007FF6726F2000.00000002.00000001.01000000.0000001A.sdmp
Source: Binary string: SystemPropertiesAdvanced.pdb source: SystemPropertiesAdvanced.exe, 0000001D.00000000.439910859.00007FF773112000.00000002.00000001.01000000.00000010.sdmp, SystemPropertiesAdvanced.exe, 0000001D.00000002.467026056.00007FF773112000.00000002.00000001.01000000.00000010.sdmp
Source: Binary string: FileHistory.pdbGCTL source: FileHistory.exe, 0000001F.00000000.471907577.00007FF6F1249000.00000002.00000001.01000000.00000012.sdmp, FileHistory.exe, 0000001F.00000002.476813926.00007FF6F1249000.00000002.00000001.01000000.00000012.sdmp
Source: Binary string: sppsvc.pdbGCTL source: sppsvc.exe, 00000024.00000000.519045806.00007FF74EE9B000.00000002.00000001.01000000.00000017.sdmp, sppsvc.exe, 00000024.00000002.559206083.00007FF74EE9B000.00000002.00000001.01000000.00000017.sdmp
Source: Binary string: SystemPropertiesComputerName.pdbGCTL source: SystemPropertiesComputerName.exe, 00000028.00000000.569829747.00007FF6726F2000.00000002.00000001.01000000.0000001A.sdmp, SystemPropertiesComputerName.exe, 00000028.00000002.595087283.00007FF6726F2000.00000002.00000001.01000000.0000001A.sdmp
Source: Binary string: SystemPropertiesAdvanced.pdbGCTL source: SystemPropertiesAdvanced.exe, 0000001D.00000000.439910859.00007FF773112000.00000002.00000001.01000000.00000010.sdmp, SystemPropertiesAdvanced.exe, 0000001D.00000002.467026056.00007FF773112000.00000002.00000001.01000000.00000010.sdmp
Source: Binary string: mdmappinstaller.pdb source: MDMAppInstaller.exe, 00000014.00000002.369492137.00007FF77C1A5000.00000002.00000001.01000000.0000000A.sdmp, MDMAppInstaller.exe, 00000014.00000000.345833557.00007FF77C1A5000.00000002.00000001.01000000.0000000A.sdmp
Source: Binary string: iexpress.pdb source: iexpress.exe, 00000017.00000000.381495000.00007FF700CE0000.00000002.00000001.01000000.0000000C.sdmp, iexpress.exe, 00000017.00000002.404968145.00007FF700CE0000.00000002.00000001.01000000.0000000C.sdmp, iexpress.exe, 00000021.00000000.482512095.00007FF6ECF70000.00000002.00000001.01000000.00000015.sdmp, iexpress.exe, 00000021.00000002.512158543.00007FF6ECF70000.00000002.00000001.01000000.00000015.sdmp
Source: Binary string: FileHistory.pdb source: FileHistory.exe, 0000001F.00000000.471907577.00007FF6F1249000.00000002.00000001.01000000.00000012.sdmp, FileHistory.exe, 0000001F.00000002.476813926.00007FF6F1249000.00000002.00000001.01000000.00000012.sdmp
Source: C:\Windows\System32\loaddll64.exe Code function: 1_2_00007FFFE202ED10 FindFirstFileExW, 1_2_00007FFFE202ED10
Source: C:\Users\user\AppData\Local\USNBng\MDMAppInstaller.exe Code function: 20_2_00007FFFEF99ED10 FindFirstFileExW, 20_2_00007FFFEF99ED10
Source: C:\Users\user\AppData\Local\E4DREUfrP\iexpress.exe Code function: 23_2_00007FF700CD5A08 LoadStringA,CopyFileA,GetLastError,FormatMessageA,SetFileAttributesA,SetLastError,GetUserDefaultUILanguage,FindFirstFileA,FindClose,CreateFileA,LocalAlloc,ReadFile,CloseHandle,LocalFree,LocalFree,FindFirstFileA,FindClose,CreateFileA,LocalAlloc,ReadFile,CloseHandle,LocalFree,memset,LocalAlloc,FindFirstFileA,FindClose,LocalFree,SetLastError,GlobalLock,GlobalUnlock,GlobalFree,GlobalLock,GlobalUnlock,GlobalFree,GlobalAlloc,GlobalLock,GlobalUnlock,GlobalUnlock,SetLastError,DeleteFileA, 23_2_00007FF700CD5A08
Source: C:\Users\user\AppData\Local\E4DREUfrP\iexpress.exe Code function: 23_2_00007FF700CD2164 FindFirstFileA,FindClose, 23_2_00007FF700CD2164
Source: C:\Users\user\AppData\Local\E4DREUfrP\iexpress.exe Code function: 23_2_00007FF700CD5518 LoadStringA,CompareStringA,GetModuleFileNameA,CharNextA,GetFileAttributesA,LocalAlloc,memset,CreateProcessA,CloseHandle,DispatchMessageA,PeekMessageA,MsgWaitForMultipleObjects,GetExitCodeProcess,CloseHandle,GetLastError,FormatMessageA,LocalFree,FindFirstFileA,FindClose,CreateFileA,LocalAlloc,ReadFile,CloseHandle,LocalFree,DeleteFileA,DeleteFileA,DeleteFileA, 23_2_00007FF700CD5518
Source: C:\Users\user\AppData\Local\xwE\wextract.exe Code function: 25_2_00007FF78E551EC0 FindFirstFileA,lstrcmpA,lstrcmpA,SetFileAttributesA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA, 25_2_00007FF78E551EC0
Source: C:\Users\user\AppData\Local\xwE\wextract.exe Code function: 25_2_00007FFFF6D1ED10 FindFirstFileExW, 25_2_00007FFFF6D1ED10
Source: sppsvc.exe, 00000024.00000000.519045806.00007FF74EE9B000.00000002.00000001.01000000.00000017.sdmp, sppsvc.exe, 00000024.00000002.559206083.00007FF74EE9B000.00000002.00000001.01000000.00000017.sdmp String found in binary or memory: http://xml.org/sax/properties/lexical-handler&<>"'SelectionLanguageXPathSelectio

E-Banking Fraud

Source: Yara match File source: 8.2.rundll32.exe.7fffe1fd0000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 31.2.FileHistory.exe.7ffff0db0000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 25.2.wextract.exe.7ffff6cc0000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.rundll32.exe.7fffe1fd0000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 33.2.iexpress.exe.7ffff0db0000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 23.2.iexpress.exe.7fffef940000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.rundll32.exe.7fffe1fd0000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.2.MDMAppInstaller.exe.7fffef940000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 36.2.sppsvc.exe.7ffff6cc0000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 40.2.SystemPropertiesComputerName.exe.7fffe31a0000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 29.2.SystemPropertiesAdvanced.exe.7ffff6cc0000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.loaddll64.exe.7fffe1fd0000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.rundll32.exe.7fffe1fd0000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000001F.00000002.477016719.00007FFFF0DB1000.00000020.00000001.01000000.00000013.sdmp, type: MEMORY
Source: Yara match File source: 00000024.00000002.560357001.00007FFFF6CC1000.00000020.00000001.01000000.00000018.sdmp, type: MEMORY
Source: Yara match File source: 00000017.00000002.405019771.00007FFFEF941000.00000020.00000001.01000000.0000000D.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.239061197.00007FFFE1FD1000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 00000028.00000002.595122213.00007FFFE31A1000.00000020.00000001.01000000.0000001B.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.246338634.00007FFFE1FD1000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.336980954.00007FFFE1FD1000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 00000021.00000002.512237394.00007FFFF0DB1000.00000020.00000001.01000000.00000016.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.259525388.00007FFFE1FD1000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 00000014.00000002.369557700.00007FFFEF941000.00000020.00000001.01000000.0000000B.sdmp, type: MEMORY
Source: Yara match File source: 00000019.00000002.434475222.00007FFFF6CC1000.00000020.00000001.01000000.0000000F.sdmp, type: MEMORY
Source: Yara match File source: 0000001D.00000002.467061353.00007FFFF6CC1000.00000020.00000001.01000000.00000011.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.253527112.00007FFFE1FD1000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY

System Summary

Source: sppsvc.exe.6.dr Static PE information: section name: ?g_Encry
Source: C:\Users\user\AppData\Local\xwE\wextract.exe Code function: 25_2_00007FF78E55297C GetVersion,GetModuleHandleW,GetProcAddress,ExitWindowsEx,CloseHandle, 25_2_00007FF78E55297C
Source: C:\Users\user\AppData\Local\xwE\wextract.exe Code function: 25_2_00007FF78E551B10 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,CloseHandle,ExitWindowsEx, 25_2_00007FF78E551B10
Source: C:\Users\user\AppData\Local\USNBng\MDMAppInstaller.exe Code function: 20_2_00007FFFEF953CD0 20_2_00007FFFEF953CD0
Source: C:\Users\user\AppData\Local\USNBng\MDMAppInstaller.exe Code function: 20_2_00007FFFEF9AE4AD 20_2_00007FFFEF9AE4AD
Source: C:\Users\user\AppData\Local\USNBng\MDMAppInstaller.exe Code function: 20_2_00007FFFEF9A2CA0 20_2_00007FFFEF9A2CA0
Source: C:\Users\user\AppData\Local\USNBng\MDMAppInstaller.exe Code function: 20_2_00007FFFEF9AE4A6 20_2_00007FFFEF9AE4A6
Source: C:\Users\user\AppData\Local\USNBng\MDMAppInstaller.exe Code function: 20_2_00007FFFEF9AE4B6 20_2_00007FFFEF9AE4B6
Source: C:\Users\user\AppData\Local\USNBng\MDMAppInstaller.exe Code function: 20_2_00007FFFEF970D10 20_2_00007FFFEF970D10
Source: C:\Users\user\AppData\Local\USNBng\MDMAppInstaller.exe Code function: 20_2_00007FFFEF973CF0 20_2_00007FFFEF973CF0
Source: C:\Users\user\AppData\Local\USNBng\MDMAppInstaller.exe Code function: 20_2_00007FFFEF945C20 20_2_00007FFFEF945C20
Source: C:\Users\user\AppData\Local\USNBng\MDMAppInstaller.exe Code function: 20_2_00007FFFEF955420 20_2_00007FFFEF955420
Source: C:\Users\user\AppData\Local\USNBng\MDMAppInstaller.exe Code function: 20_2_00007FFFEF9AE48B 20_2_00007FFFEF9AE48B
Source: C:\Users\user\AppData\Local\USNBng\MDMAppInstaller.exe Code function: 20_2_00007FFFEF96AC80 20_2_00007FFFEF96AC80
Source: C:\Users\user\AppData\Local\USNBng\MDMAppInstaller.exe Code function: 20_2_00007FFFEF9AE49D 20_2_00007FFFEF9AE49D
Source: C:\Users\user\AppData\Local\USNBng\MDMAppInstaller.exe Code function: 20_2_00007FFFEF9AA490 20_2_00007FFFEF9AA490
Source: C:\Users\user\AppData\Local\USNBng\MDMAppInstaller.exe Code function: 20_2_00007FFFEF9AE494 20_2_00007FFFEF9AE494
Source: C:\Users\user\AppData\Local\USNBng\MDMAppInstaller.exe Code function: 20_2_00007FFFEF994BC0 20_2_00007FFFEF994BC0
Source: C:\Users\user\AppData\Local\USNBng\MDMAppInstaller.exe Code function: 20_2_00007FFFEF9BFC00 20_2_00007FFFEF9BFC00
Source: C:\Users\user\AppData\Local\USNBng\MDMAppInstaller.exe Code function: 20_2_00007FFFEF9AE400 20_2_00007FFFEF9AE400
Source: C:\Users\user\AppData\Local\USNBng\MDMAppInstaller.exe Code function: 20_2_00007FFFEF957410 20_2_00007FFFEF957410
Source: C:\Users\user\AppData\Local\USNBng\MDMAppInstaller.exe Code function: 20_2_00007FFFEF9A9410 20_2_00007FFFEF9A9410
Source: C:\Users\user\AppData\Local\USNBng\MDMAppInstaller.exe Code function: 20_2_00007FFFEF9523F0 20_2_00007FFFEF9523F0
Source: C:\Users\user\AppData\Local\USNBng\MDMAppInstaller.exe Code function: 20_2_00007FFFEF963340 20_2_00007FFFEF963340
Source: C:\Users\user\AppData\Local\USNBng\MDMAppInstaller.exe Code function: 20_2_00007FFFEF958340 20_2_00007FFFEF958340
Source: C:\Users\user\AppData\Local\USNBng\MDMAppInstaller.exe Code function: 20_2_00007FFFEF945350 20_2_00007FFFEF945350
Source: C:\Users\user\AppData\Local\USNBng\MDMAppInstaller.exe Code function: 20_2_00007FFFEF9A5B50 20_2_00007FFFEF9A5B50
Source: C:\Users\user\AppData\Local\USNBng\MDMAppInstaller.exe Code function: 20_2_00007FFFEF94BB20 20_2_00007FFFEF94BB20
Source: C:\Users\user\AppData\Local\USNBng\MDMAppInstaller.exe Code function: 20_2_00007FFFEF971B30 20_2_00007FFFEF971B30
Source: C:\Users\user\AppData\Local\USNBng\MDMAppInstaller.exe Code function: 20_2_00007FFFEF9A4390 20_2_00007FFFEF9A4390
Source: C:\Users\user\AppData\Local\USNBng\MDMAppInstaller.exe Code function: 20_2_00007FFFEF974360 20_2_00007FFFEF974360
Source: C:\Users\user\AppData\Local\USNBng\MDMAppInstaller.exe Code function: 20_2_00007FFFEF9692C0 20_2_00007FFFEF9692C0
Source: C:\Users\user\AppData\Local\USNBng\MDMAppInstaller.exe Code function: 20_2_00007FFFEF99F2C0 20_2_00007FFFEF99F2C0
Source: C:\Users\user\AppData\Local\USNBng\MDMAppInstaller.exe Code function: 20_2_00007FFFEF9922C0 20_2_00007FFFEF9922C0
Source: C:\Users\user\AppData\Local\USNBng\MDMAppInstaller.exe Code function: 20_2_00007FFFEF96DAA0 20_2_00007FFFEF96DAA0
Source: C:\Users\user\AppData\Local\USNBng\MDMAppInstaller.exe Code function: 20_2_00007FFFEF9A82A0 20_2_00007FFFEF9A82A0
Source: C:\Users\user\AppData\Local\USNBng\MDMAppInstaller.exe Code function: 20_2_00007FFFEF9AAAA0 20_2_00007FFFEF9AAAA0
Source: C:\Users\user\AppData\Local\USNBng\MDMAppInstaller.exe Code function: 20_2_00007FFFEF970300 20_2_00007FFFEF970300
Source: C:\Users\user\AppData\Local\USNBng\MDMAppInstaller.exe Code function: 20_2_00007FFFEF96A310 20_2_00007FFFEF96A310
Source: C:\Users\user\AppData\Local\USNBng\MDMAppInstaller.exe Code function: 20_2_00007FFFEF9682E0 20_2_00007FFFEF9682E0
Source: C:\Users\user\AppData\Local\USNBng\MDMAppInstaller.exe Code function: 20_2_00007FFFEF9A2AE0 20_2_00007FFFEF9A2AE0
Source: C:\Users\user\AppData\Local\USNBng\MDMAppInstaller.exe Code function: 20_2_00007FFFEF9A7AF0 20_2_00007FFFEF9A7AF0
Source: C:\Users\user\AppData\Local\USNBng\MDMAppInstaller.exe Code function: 20_2_00007FFFEF947A40 20_2_00007FFFEF947A40
Source: C:\Users\user\AppData\Local\USNBng\MDMAppInstaller.exe Code function: 20_2_00007FFFEF97B250 20_2_00007FFFEF97B250
Source: C:\Users\user\AppData\Local\USNBng\MDMAppInstaller.exe Code function: 20_2_00007FFFEF9AB260 20_2_00007FFFEF9AB260
Source: C:\Users\user\AppData\Local\USNBng\MDMAppInstaller.exe Code function: 20_2_00007FFFEF9669C0 20_2_00007FFFEF9669C0
Source: C:\Users\user\AppData\Local\USNBng\MDMAppInstaller.exe Code function: 20_2_00007FFFEF9721D0 20_2_00007FFFEF9721D0
Source: C:\Users\user\AppData\Local\USNBng\MDMAppInstaller.exe Code function: 20_2_00007FFFEF96E9A0 20_2_00007FFFEF96E9A0
Source: C:\Users\user\AppData\Local\USNBng\MDMAppInstaller.exe Code function: 20_2_00007FFFEF95E9B0 20_2_00007FFFEF95E9B0
Source: C:\Users\user\AppData\Local\USNBng\MDMAppInstaller.exe Code function: 20_2_00007FFFEF9611B0 20_2_00007FFFEF9611B0
Source: C:\Users\user\AppData\Local\USNBng\MDMAppInstaller.exe Code function: 20_2_00007FFFEF9791F0 20_2_00007FFFEF9791F0
Source: C:\Users\user\AppData\Local\USNBng\MDMAppInstaller.exe Code function: 20_2_00007FFFEF9789F0 20_2_00007FFFEF9789F0
Source: C:\Users\user\AppData\Local\USNBng\MDMAppInstaller.exe Code function: 20_2_00007FFFEF96F1F0 20_2_00007FFFEF96F1F0
Source: C:\Users\user\AppData\Local\USNBng\MDMAppInstaller.exe Code function: 20_2_00007FFFEF964140 20_2_00007FFFEF964140
Source: C:\Users\user\AppData\Local\USNBng\MDMAppInstaller.exe Code function: 20_2_00007FFFEF9A6950 20_2_00007FFFEF9A6950
Source: C:\Users\user\AppData\Local\USNBng\MDMAppInstaller.exe Code function: 20_2_00007FFFEF976130 20_2_00007FFFEF976130
Source: C:\Users\user\AppData\Local\USNBng\MDMAppInstaller.exe Code function: 20_2_00007FFFEF942980 20_2_00007FFFEF942980
Source: C:\Users\user\AppData\Local\USNBng\MDMAppInstaller.exe Code function: 20_2_00007FFFEF979990 20_2_00007FFFEF979990
Source: C:\Users\user\AppData\Local\USNBng\MDMAppInstaller.exe Code function: 20_2_00007FFFEF9AB960 20_2_00007FFFEF9AB960
Source: C:\Users\user\AppData\Local\USNBng\MDMAppInstaller.exe Code function: 20_2_00007FFFEF9418D0 20_2_00007FFFEF9418D0
Source: C:\Users\user\AppData\Local\USNBng\MDMAppInstaller.exe Code function: 20_2_00007FFFEF9508B0 20_2_00007FFFEF9508B0
Source: C:\Users\user\AppData\Local\USNBng\MDMAppInstaller.exe Code function: 20_2_00007FFFEF9BC8B1 20_2_00007FFFEF9BC8B1
Source: C:\Users\user\AppData\Local\USNBng\MDMAppInstaller.exe Code function: 20_2_00007FFFEF94B100 20_2_00007FFFEF94B100
Source: C:\Users\user\AppData\Local\USNBng\MDMAppInstaller.exe Code function: 20_2_00007FFFEF95E110 20_2_00007FFFEF95E110
Source: C:\Users\user\AppData\Local\USNBng\MDMAppInstaller.exe Code function: 20_2_00007FFFEF963910 20_2_00007FFFEF963910
Source: C:\Users\user\AppData\Local\USNBng\MDMAppInstaller.exe Code function: 20_2_00007FFFEF9BC0EB 20_2_00007FFFEF9BC0EB
Source: C:\Users\user\AppData\Local\USNBng\MDMAppInstaller.exe Code function: 20_2_00007FFFEF995840 20_2_00007FFFEF995840
Source: C:\Users\user\AppData\Local\USNBng\MDMAppInstaller.exe Code function: 20_2_00007FFFEF965050 20_2_00007FFFEF965050
Source: C:\Users\user\AppData\Local\USNBng\MDMAppInstaller.exe Code function: 20_2_00007FFFEF970020 20_2_00007FFFEF970020
Source: C:\Users\user\AppData\Local\USNBng\MDMAppInstaller.exe Code function: 20_2_00007FFFEF9C0820 20_2_00007FFFEF9C0820
Source: C:\Users\user\AppData\Local\USNBng\MDMAppInstaller.exe Code function: 20_2_00007FFFEF96C030 20_2_00007FFFEF96C030
Source: C:\Users\user\AppData\Local\USNBng\MDMAppInstaller.exe Code function: 20_2_00007FFFEF95D890 20_2_00007FFFEF95D890
Source: C:\Users\user\AppData\Local\USNBng\MDMAppInstaller.exe Code function: 20_2_00007FFFEF97F870 20_2_00007FFFEF97F870
Source: C:\Users\user\AppData\Local\USNBng\MDMAppInstaller.exe Code function: 20_2_00007FFFEF98F870 20_2_00007FFFEF98F870
Source: C:\Users\user\AppData\Local\E4DREUfrP\iexpress.exe Code function: 23_2_00007FF700CD3AEC 23_2_00007FF700CD3AEC
Source: C:\Users\user\AppData\Local\E4DREUfrP\iexpress.exe Code function: 23_2_00007FF700CD2D14 23_2_00007FF700CD2D14
Source: C:\Users\user\AppData\Local\E4DREUfrP\iexpress.exe Code function: 23_2_00007FF700CD5A08 23_2_00007FF700CD5A08
Source: C:\Users\user\AppData\Local\E4DREUfrP\iexpress.exe Code function: 23_2_00007FF700CD16FC 23_2_00007FF700CD16FC
Source: C:\Users\user\AppData\Local\E4DREUfrP\iexpress.exe Code function: 23_2_00007FF700CD47B0 23_2_00007FF700CD47B0
Source: C:\Users\user\AppData\Local\E4DREUfrP\iexpress.exe Code function: 23_2_00007FF700CDB0D0 23_2_00007FF700CDB0D0
Source: C:\Users\user\AppData\Local\E4DREUfrP\iexpress.exe Code function: 23_2_00007FF700CD18D0 23_2_00007FF700CD18D0
Source: C:\Users\user\AppData\Local\E4DREUfrP\iexpress.exe Code function: 23_2_00007FF700CD14BC 23_2_00007FF700CD14BC
Source: C:\Users\user\AppData\Local\E4DREUfrP\iexpress.exe Code function: 23_2_00007FF700CD9F6C 23_2_00007FF700CD9F6C
Source: C:\Users\user\AppData\Local\E4DREUfrP\iexpress.exe Code function: 23_2_00007FF700CD9D28 23_2_00007FF700CD9D28
Source: C:\Users\user\AppData\Local\E4DREUfrP\iexpress.exe Code function: 23_2_00007FF700CD5518 23_2_00007FF700CD5518
Source: C:\Users\user\AppData\Local\E4DREUfrP\iexpress.exe Code function: 23_2_00007FF700CD8244 23_2_00007FF700CD8244
Source: C:\Users\user\AppData\Local\E4DREUfrP\iexpress.exe Code function: 23_2_00007FF700CD3440 23_2_00007FF700CD3440
Source: C:\Users\user\AppData\Local\xwE\wextract.exe Code function: 25_2_00007FF78E553D64 25_2_00007FF78E553D64
Source: C:\Users\user\AppData\Local\xwE\wextract.exe Code function: 25_2_00007FF78E556418 25_2_00007FF78E556418
Source: C:\Users\user\AppData\Local\xwE\wextract.exe Code function: 25_2_00007FF78E551C00 25_2_00007FF78E551C00
Source: C:\Users\user\AppData\Local\xwE\wextract.exe Code function: 25_2_00007FF78E553310 25_2_00007FF78E553310
Source: C:\Users\user\AppData\Local\xwE\wextract.exe Code function: 25_2_00007FF78E551B10 25_2_00007FF78E551B10
Source: C:\Users\user\AppData\Local\xwE\wextract.exe Code function: 25_2_00007FF78E5557D0 25_2_00007FF78E5557D0
Source: C:\Users\user\AppData\Local\xwE\wextract.exe Code function: 25_2_00007FF78E555E98 25_2_00007FF78E555E98
Source: C:\Users\user\AppData\Local\xwE\wextract.exe Code function: 25_2_00007FF78E552AB4 25_2_00007FF78E552AB4
Source: C:\Users\user\AppData\Local\xwE\wextract.exe Code function: 25_2_00007FFFF6D27650 25_2_00007FFFF6D27650
Source: C:\Users\user\AppData\Local\xwE\wextract.exe Code function: 25_2_00007FFFF6D097D0 25_2_00007FFFF6D097D0
Source: C:\Users\user\AppData\Local\xwE\wextract.exe Code function: 25_2_00007FFFF6CF5CD0 25_2_00007FFFF6CF5CD0
Source: C:\Users\user\AppData\Local\xwE\wextract.exe Code function: 25_2_00007FFFF6D1DDC0 25_2_00007FFFF6D1DDC0
Source: C:\Users\user\AppData\Local\xwE\wextract.exe Code function: 25_2_00007FFFF6D2D520 25_2_00007FFFF6D2D520
Source: C:\Users\user\AppData\Local\xwE\wextract.exe Code function: 25_2_00007FFFF6CFBAE0 25_2_00007FFFF6CFBAE0
Source: C:\Users\user\AppData\Local\xwE\wextract.exe Code function: 25_2_00007FFFF6D0A2C0 25_2_00007FFFF6D0A2C0
Source: C:\Users\user\AppData\Local\xwE\wextract.exe Code function: 25_2_00007FFFF6CFAA70 25_2_00007FFFF6CFAA70
Source: C:\Users\user\AppData\Local\xwE\wextract.exe Code function: 25_2_00007FFFF6D0CA50 25_2_00007FFFF6D0CA50
Source: C:\Users\user\AppData\Local\xwE\wextract.exe Code function: 25_2_00007FFFF6CE7880 25_2_00007FFFF6CE7880
Source: C:\Users\user\AppData\Local\xwE\wextract.exe Code function: 25_2_00007FFFF6CF5020 25_2_00007FFFF6CF5020
Source: C:\Users\user\AppData\Local\xwE\wextract.exe Code function: 25_2_00007FFFF6CF59F0 25_2_00007FFFF6CF59F0
Source: C:\Users\user\AppData\Local\xwE\wextract.exe Code function: 25_2_00007FFFF6D13150 25_2_00007FFFF6D13150
Source: C:\Users\user\AppData\Local\xwE\wextract.exe Code function: 25_2_00007FFFF6D27EC0 25_2_00007FFFF6D27EC0
Source: C:\Users\user\AppData\Local\xwE\wextract.exe Code function: 25_2_00007FFFF6CEF6B0 25_2_00007FFFF6CEF6B0
Source: C:\Users\user\AppData\Local\xwE\wextract.exe Code function: 25_2_00007FFFF6CF06A0 25_2_00007FFFF6CF06A0
Source: C:\Users\user\AppData\Local\xwE\wextract.exe Code function: 25_2_00007FFFF6D2A6B0 25_2_00007FFFF6D2A6B0
Source: C:\Users\user\AppData\Local\xwE\wextract.exe Code function: 25_2_00007FFFF6CD8670 25_2_00007FFFF6CD8670
Source: C:\Users\user\AppData\Local\xwE\wextract.exe Code function: 25_2_00007FFFF6CC6E90 25_2_00007FFFF6CC6E90
Source: C:\Users\user\AppData\Local\xwE\wextract.exe Code function: 25_2_00007FFFF6CC7E80 25_2_00007FFFF6CC7E80
Source: C:\Users\user\AppData\Local\xwE\wextract.exe Code function: 25_2_00007FFFF6D10650 25_2_00007FFFF6D10650
Source: C:\Users\user\AppData\Local\xwE\wextract.exe Code function: 25_2_00007FFFF6CC1620 25_2_00007FFFF6CC1620
Source: C:\Users\user\AppData\Local\xwE\wextract.exe Code function: 25_2_00007FFFF6CCDE20 25_2_00007FFFF6CCDE20
Source: C:\Users\user\AppData\Local\xwE\wextract.exe Code function: 25_2_00007FFFF6CE6FE0 25_2_00007FFFF6CE6FE0
Source: C:\Users\user\AppData\Local\xwE\wextract.exe Code function: 25_2_00007FFFF6CC1010 25_2_00007FFFF6CC1010
Source: C:\Users\user\AppData\Local\xwE\wextract.exe Code function: 25_2_00007FFFF6D34FF0 25_2_00007FFFF6D34FF0
Source: C:\Users\user\AppData\Local\xwE\wextract.exe Code function: 25_2_00007FFFF6CE4800 25_2_00007FFFF6CE4800
Source: C:\Users\user\AppData\Local\xwE\wextract.exe Code function: 25_2_00007FFFF6CEE7B0 25_2_00007FFFF6CEE7B0
Source: C:\Users\user\AppData\Local\xwE\wextract.exe Code function: 25_2_00007FFFF6D3B7A0 25_2_00007FFFF6D3B7A0
Source: C:\Users\user\AppData\Local\xwE\wextract.exe Code function: 25_2_00007FFFF6CDA7D0 25_2_00007FFFF6CDA7D0
Source: C:\Users\user\AppData\Local\xwE\wextract.exe Code function: 25_2_00007FFFF6CD8FC0 25_2_00007FFFF6CD8FC0
Source: C:\Users\user\AppData\Local\xwE\wextract.exe Code function: 25_2_00007FFFF6D3EF80 25_2_00007FFFF6D3EF80
Source: C:\Users\user\AppData\Local\xwE\wextract.exe Code function: 25_2_00007FFFF6D2C780 25_2_00007FFFF6D2C780
Source: C:\Users\user\AppData\Local\xwE\wextract.exe Code function: 25_2_00007FFFF6CDE770 25_2_00007FFFF6CDE770
Source: C:\Users\user\AppData\Local\xwE\wextract.exe Code function: 25_2_00007FFFF6D25760 25_2_00007FFFF6D25760
Source: C:\Users\user\AppData\Local\xwE\wextract.exe Code function: 25_2_00007FFFF6CC6790 25_2_00007FFFF6CC6790
Source: C:\Users\user\AppData\Local\xwE\wextract.exe Code function: 25_2_00007FFFF6D20770 25_2_00007FFFF6D20770
Source: C:\Users\user\AppData\Local\xwE\wextract.exe Code function: 25_2_00007FFFF6D3BF6F 25_2_00007FFFF6D3BF6F
Source: C:\Users\user\AppData\Local\xwE\wextract.exe Code function: 25_2_00007FFFF6CE872B 25_2_00007FFFF6CE872B
Source: C:\Users\user\AppData\Local\xwE\wextract.exe Code function: 25_2_00007FFFF6CE2F50 25_2_00007FFFF6CE2F50
Source: C:\Users\user\AppData\Local\xwE\wextract.exe Code function: 25_2_00007FFFF6D20F30 25_2_00007FFFF6D20F30
Source: C:\Users\user\AppData\Local\xwE\wextract.exe Code function: 25_2_00007FFFF6CF3CF0 25_2_00007FFFF6CF3CF0
Source: C:\Users\user\AppData\Local\xwE\wextract.exe Code function: 25_2_00007FFFF6CF0D10 25_2_00007FFFF6CF0D10
Source: C:\Users\user\AppData\Local\xwE\wextract.exe Code function: 25_2_00007FFFF6D22CA0 25_2_00007FFFF6D22CA0
Source: C:\Users\user\AppData\Local\xwE\wextract.exe Code function: 25_2_00007FFFF6D2E4A6 25_2_00007FFFF6D2E4A6
Source: C:\Users\user\AppData\Local\xwE\wextract.exe Code function: 25_2_00007FFFF6D2E4AD 25_2_00007FFFF6D2E4AD
Source: C:\Users\user\AppData\Local\xwE\wextract.exe Code function: 25_2_00007FFFF6CD3CD0 25_2_00007FFFF6CD3CD0
Source: C:\Users\user\AppData\Local\xwE\wextract.exe Code function: 25_2_00007FFFF6D2E4B6 25_2_00007FFFF6D2E4B6
Source: C:\Users\user\AppData\Local\xwE\wextract.exe Code function: 25_2_00007FFFF6D2E48B 25_2_00007FFFF6D2E48B
Source: C:\Users\user\AppData\Local\xwE\wextract.exe Code function: 25_2_00007FFFF6D2A490 25_2_00007FFFF6D2A490
Source: C:\Users\user\AppData\Local\xwE\wextract.exe Code function: 25_2_00007FFFF6D2E494 25_2_00007FFFF6D2E494
Source: C:\Users\user\AppData\Local\xwE\wextract.exe Code function: 25_2_00007FFFF6D2E49D 25_2_00007FFFF6D2E49D
Source: C:\Users\user\AppData\Local\xwE\wextract.exe Code function: 25_2_00007FFFF6CEAC80 25_2_00007FFFF6CEAC80
Source: C:\Users\user\AppData\Local\xwE\wextract.exe Code function: 25_2_00007FFFF6CC5C20 25_2_00007FFFF6CC5C20
Source: C:\Users\user\AppData\Local\xwE\wextract.exe Code function: 25_2_00007FFFF6CD5420 25_2_00007FFFF6CD5420
Source: C:\Users\user\AppData\Local\xwE\wextract.exe Code function: 25_2_00007FFFF6CD65E0 25_2_00007FFFF6CD65E0
Source: C:\Users\user\AppData\Local\xwE\wextract.exe Code function: 25_2_00007FFFF6CE3610 25_2_00007FFFF6CE3610
Source: C:\Users\user\AppData\Local\xwE\wextract.exe Code function: 25_2_00007FFFF6CF2E10 25_2_00007FFFF6CF2E10
Source: C:\Users\user\AppData\Local\xwE\wextract.exe Code function: 25_2_00007FFFF6CCC5A0 25_2_00007FFFF6CCC5A0
Source: C:\Users\user\AppData\Local\xwE\wextract.exe Code function: 25_2_00007FFFF6CD95C0 25_2_00007FFFF6CD95C0
Source: C:\Users\user\AppData\Local\xwE\wextract.exe Code function: 25_2_00007FFFF6CF25C0 25_2_00007FFFF6CF25C0
Source: C:\Users\user\AppData\Local\xwE\wextract.exe Code function: 25_2_00007FFFF6CD9D70 25_2_00007FFFF6CD9D70
Source: C:\Users\user\AppData\Local\xwE\wextract.exe Code function: 25_2_00007FFFF6D3C590 25_2_00007FFFF6D3C590
Source: C:\Users\user\AppData\Local\xwE\wextract.exe Code function: 25_2_00007FFFF6CF1D30 25_2_00007FFFF6CF1D30
Source: C:\Users\user\AppData\Local\xwE\wextract.exe Code function: 25_2_00007FFFF6D18D20 25_2_00007FFFF6D18D20
Source: C:\Users\user\AppData\Local\xwE\wextract.exe Code function: 25_2_00007FFFF6CE3D50 25_2_00007FFFF6CE3D50
Source: C:\Users\user\AppData\Local\xwE\wextract.exe Code function: 25_2_00007FFFF6CED550 25_2_00007FFFF6CED550
Source: C:\Users\user\AppData\Local\xwE\wextract.exe Code function: 25_2_00007FFFF6CE82E0 25_2_00007FFFF6CE82E0
Source: C:\Users\user\AppData\Local\xwE\wextract.exe Code function: 25_2_00007FFFF6D22AE0 25_2_00007FFFF6D22AE0
Source: C:\Users\user\AppData\Local\xwE\wextract.exe Code function: 25_2_00007FFFF6CEA310 25_2_00007FFFF6CEA310
Source: C:\Users\user\AppData\Local\xwE\wextract.exe Code function: 25_2_00007FFFF6D27AF0 25_2_00007FFFF6D27AF0
Source: C:\Users\user\AppData\Local\xwE\wextract.exe Code function: 25_2_00007FFFF6CF0300 25_2_00007FFFF6CF0300
Source: C:\Users\user\AppData\Local\xwE\wextract.exe Code function: 25_2_00007FFFF6D1F2C0 25_2_00007FFFF6D1F2C0
Source: C:\Users\user\AppData\Local\xwE\wextract.exe Code function: 25_2_00007FFFF6D122C0 25_2_00007FFFF6D122C0
Source: C:\Users\user\AppData\Local\xwE\wextract.exe Code function: 25_2_00007FFFF6CEDAA0 25_2_00007FFFF6CEDAA0
Source: C:\Users\user\AppData\Local\xwE\wextract.exe Code function: 25_2_00007FFFF6D282A0 25_2_00007FFFF6D282A0
Source: C:\Users\user\AppData\Local\xwE\wextract.exe Code function: 25_2_00007FFFF6D2AAA0 25_2_00007FFFF6D2AAA0
Source: C:\Users\user\AppData\Local\xwE\wextract.exe Code function: 25_2_00007FFFF6CE92C0 25_2_00007FFFF6CE92C0
Source: C:\Users\user\AppData\Local\xwE\wextract.exe Code function: 25_2_00007FFFF6D2B260 25_2_00007FFFF6D2B260
Source: C:\Users\user\AppData\Local\xwE\wextract.exe Code function: 25_2_00007FFFF6CFB250 25_2_00007FFFF6CFB250
Source: C:\Users\user\AppData\Local\xwE\wextract.exe Code function: 25_2_00007FFFF6CC7A40 25_2_00007FFFF6CC7A40
Source: C:\Users\user\AppData\Local\xwE\wextract.exe Code function: 25_2_00007FFFF6D3FC00 25_2_00007FFFF6D3FC00
Source: C:\Users\user\AppData\Local\xwE\wextract.exe Code function: 25_2_00007FFFF6D2E400 25_2_00007FFFF6D2E400
Source: C:\Users\user\AppData\Local\xwE\wextract.exe Code function: 25_2_00007FFFF6CD23F0 25_2_00007FFFF6CD23F0
Source: C:\Users\user\AppData\Local\xwE\wextract.exe Code function: 25_2_00007FFFF6D29410 25_2_00007FFFF6D29410
Source: C:\Users\user\AppData\Local\xwE\wextract.exe Code function: 25_2_00007FFFF6CD7410 25_2_00007FFFF6CD7410
Source: C:\Users\user\AppData\Local\xwE\wextract.exe Code function: 25_2_00007FFFF6D14BC0 25_2_00007FFFF6D14BC0
Source: C:\Users\user\AppData\Local\xwE\wextract.exe Code function: 25_2_00007FFFF6D24390 25_2_00007FFFF6D24390
Source: C:\Users\user\AppData\Local\xwE\wextract.exe Code function: 25_2_00007FFFF6CF4360 25_2_00007FFFF6CF4360
Source: C:\Users\user\AppData\Local\xwE\wextract.exe Code function: 25_2_00007FFFF6CF1B30 25_2_00007FFFF6CF1B30
Source: C:\Users\user\AppData\Local\xwE\wextract.exe Code function: 25_2_00007FFFF6D25B50 25_2_00007FFFF6D25B50
Source: C:\Users\user\AppData\Local\xwE\wextract.exe Code function: 25_2_00007FFFF6CCBB20 25_2_00007FFFF6CCBB20
Source: C:\Users\user\AppData\Local\xwE\wextract.exe Code function: 25_2_00007FFFF6CC5350 25_2_00007FFFF6CC5350
Source: C:\Users\user\AppData\Local\xwE\wextract.exe Code function: 25_2_00007FFFF6CE3340 25_2_00007FFFF6CE3340
Source: C:\Users\user\AppData\Local\xwE\wextract.exe Code function: 25_2_00007FFFF6CD8340 25_2_00007FFFF6CD8340
Source: C:\Users\user\AppData\Local\xwE\wextract.exe Code function: 25_2_00007FFFF6CDE110 25_2_00007FFFF6CDE110
Source: C:\Users\user\AppData\Local\xwE\wextract.exe Code function: 25_2_00007FFFF6CE3910 25_2_00007FFFF6CE3910
Source: C:\Users\user\AppData\Local\xwE\wextract.exe Code function: 25_2_00007FFFF6D3C0EB 25_2_00007FFFF6D3C0EB
Source: C:\Users\user\AppData\Local\xwE\wextract.exe Code function: 25_2_00007FFFF6CCB100 25_2_00007FFFF6CCB100
Source: C:\Users\user\AppData\Local\xwE\wextract.exe Code function: 25_2_00007FFFF6CD08B0 25_2_00007FFFF6CD08B0
Source: C:\Users\user\AppData\Local\xwE\wextract.exe Code function: 25_2_00007FFFF6CC18D0 25_2_00007FFFF6CC18D0
Source: C:\Users\user\AppData\Local\xwE\wextract.exe Code function: 25_2_00007FFFF6D3C8B1 25_2_00007FFFF6D3C8B1
Source: C:\Users\user\AppData\Local\xwE\wextract.exe Code function: 25_2_00007FFFF6CFF870 25_2_00007FFFF6CFF870
Source: C:\Users\user\AppData\Local\xwE\wextract.exe Code function: 25_2_00007FFFF6CDD890 25_2_00007FFFF6CDD890
Source: C:\Users\user\AppData\Local\xwE\wextract.exe Code function: 25_2_00007FFFF6D0F870 25_2_00007FFFF6D0F870
Source: C:\Users\user\AppData\Local\xwE\wextract.exe Code function: 25_2_00007FFFF6D15840 25_2_00007FFFF6D15840
Source: C:\Users\user\AppData\Local\xwE\wextract.exe Code function: 25_2_00007FFFF6CEC030 25_2_00007FFFF6CEC030
Source: C:\Users\user\AppData\Local\xwE\wextract.exe Code function: 25_2_00007FFFF6CF0020 25_2_00007FFFF6CF0020
Source: C:\Users\user\AppData\Local\xwE\wextract.exe Code function: 25_2_00007FFFF6D40820 25_2_00007FFFF6D40820
Source: C:\Users\user\AppData\Local\xwE\wextract.exe Code function: 25_2_00007FFFF6CE5050 25_2_00007FFFF6CE5050
Source: C:\Users\user\AppData\Local\xwE\wextract.exe Code function: 25_2_00007FFFF6CF91F0 25_2_00007FFFF6CF91F0
Source: C:\Users\user\AppData\Local\xwE\wextract.exe Code function: 25_2_00007FFFF6CF89F0 25_2_00007FFFF6CF89F0
Source: C:\Users\user\AppData\Local\xwE\wextract.exe Code function: 25_2_00007FFFF6CEF1F0 25_2_00007FFFF6CEF1F0
Source: C:\Users\user\AppData\Local\xwE\wextract.exe Code function: 25_2_00007FFFF6CDE9B0 25_2_00007FFFF6CDE9B0
Source: C:\Users\user\AppData\Local\xwE\wextract.exe Code function: 25_2_00007FFFF6CE11B0 25_2_00007FFFF6CE11B0
Source: C:\Users\user\AppData\Local\xwE\wextract.exe Code function: 25_2_00007FFFF6CEE9A0 25_2_00007FFFF6CEE9A0
Source: C:\Users\user\AppData\Local\xwE\wextract.exe Code function: 25_2_00007FFFF6CF21D0 25_2_00007FFFF6CF21D0
Source: C:\Users\user\AppData\Local\xwE\wextract.exe Code function: 25_2_00007FFFF6CE69C0 25_2_00007FFFF6CE69C0
Source: C:\Users\user\AppData\Local\xwE\wextract.exe Code function: 25_2_00007FFFF6D2B960 25_2_00007FFFF6D2B960
Source: C:\Users\user\AppData\Local\xwE\wextract.exe Code function: 25_2_00007FFFF6CF9990 25_2_00007FFFF6CF9990
Source: C:\Users\user\AppData\Local\xwE\wextract.exe Code function: 25_2_00007FFFF6CC2980 25_2_00007FFFF6CC2980
Source: C:\Users\user\AppData\Local\xwE\wextract.exe Code function: 25_2_00007FFFF6CF6130 25_2_00007FFFF6CF6130
Source: C:\Users\user\AppData\Local\xwE\wextract.exe Code function: 25_2_00007FFFF6D26950 25_2_00007FFFF6D26950
Source: C:\Users\user\AppData\Local\xwE\wextract.exe Code function: 25_2_00007FFFF6CE4140 25_2_00007FFFF6CE4140
Source: C:\Users\user\AppData\Local\SUX56B\FileHistory.exe Code function: 31_2_00007FFFF0DE5020 31_2_00007FFFF0DE5020
Source: C:\Users\user\AppData\Local\SUX56B\FileHistory.exe Code function: 31_2_00007FFFF0DFA2C0 31_2_00007FFFF0DFA2C0
Source: C:\Users\user\AppData\Local\SUX56B\FileHistory.exe Code function: 31_2_00007FFFF0DEAA70 31_2_00007FFFF0DEAA70
Source: C:\Users\user\AppData\Local\SUX56B\FileHistory.exe Code function: 31_2_00007FFFF0DFCA50 31_2_00007FFFF0DFCA50
Source: C:\Users\user\AppData\Local\SUX56B\FileHistory.exe Code function: 31_2_00007FFFF0DE5CD0 31_2_00007FFFF0DE5CD0
Source: C:\Users\user\AppData\Local\SUX56B\FileHistory.exe Code function: 31_2_00007FFFF0E0DDC0 31_2_00007FFFF0E0DDC0
Source: C:\Users\user\AppData\Local\SUX56B\FileHistory.exe Code function: 31_2_00007FFFF0DBB100 31_2_00007FFFF0DBB100
Source: C:\Users\user\AppData\Local\SUX56B\FileHistory.exe Code function: 31_2_00007FFFF0DCE110 31_2_00007FFFF0DCE110
Source: C:\Users\user\AppData\Local\SUX56B\FileHistory.exe Code function: 31_2_00007FFFF0DD3910 31_2_00007FFFF0DD3910
Source: C:\Users\user\AppData\Local\SUX56B\FileHistory.exe Code function: 31_2_00007FFFF0DB18D0 31_2_00007FFFF0DB18D0
Source: C:\Users\user\AppData\Local\SUX56B\FileHistory.exe Code function: 31_2_00007FFFF0DC08B0 31_2_00007FFFF0DC08B0
Source: C:\Users\user\AppData\Local\SUX56B\FileHistory.exe Code function: 31_2_00007FFFF0DD7880 31_2_00007FFFF0DD7880
Source: C:\Users\user\AppData\Local\SUX56B\FileHistory.exe Code function: 31_2_00007FFFF0DCD890 31_2_00007FFFF0DCD890
Source: C:\Users\user\AppData\Local\SUX56B\FileHistory.exe Code function: 31_2_00007FFFF0DEF870 31_2_00007FFFF0DEF870
Source: C:\Users\user\AppData\Local\SUX56B\FileHistory.exe Code function: 31_2_00007FFFF0E05840 31_2_00007FFFF0E05840
Source: C:\Users\user\AppData\Local\SUX56B\FileHistory.exe Code function: 31_2_00007FFFF0DD5050 31_2_00007FFFF0DD5050
Source: C:\Users\user\AppData\Local\SUX56B\FileHistory.exe Code function: 31_2_00007FFFF0DE0020 31_2_00007FFFF0DE0020
Source: C:\Users\user\AppData\Local\SUX56B\FileHistory.exe Code function: 31_2_00007FFFF0DDC030 31_2_00007FFFF0DDC030
Source: C:\Users\user\AppData\Local\SUX56B\FileHistory.exe Code function: 31_2_00007FFFF0DE59F0 31_2_00007FFFF0DE59F0
Source: C:\Users\user\AppData\Local\SUX56B\FileHistory.exe Code function: 31_2_00007FFFF0DDF1F0 31_2_00007FFFF0DDF1F0
Source: C:\Users\user\AppData\Local\SUX56B\FileHistory.exe Code function: 31_2_00007FFFF0DE91F0 31_2_00007FFFF0DE91F0
Source: C:\Users\user\AppData\Local\SUX56B\FileHistory.exe Code function: 31_2_00007FFFF0DE89F0 31_2_00007FFFF0DE89F0
Source: C:\Users\user\AppData\Local\SUX56B\FileHistory.exe Code function: 31_2_00007FFFF0DD69C0 31_2_00007FFFF0DD69C0
Source: C:\Users\user\AppData\Local\SUX56B\FileHistory.exe Code function: 31_2_00007FFFF0DE21D0 31_2_00007FFFF0DE21D0
Source: C:\Users\user\AppData\Local\SUX56B\FileHistory.exe Code function: 31_2_00007FFFF0DDE9A0 31_2_00007FFFF0DDE9A0
Source: C:\Users\user\AppData\Local\SUX56B\FileHistory.exe Code function: 31_2_00007FFFF0DCE9B0 31_2_00007FFFF0DCE9B0
Source: C:\Users\user\AppData\Local\SUX56B\FileHistory.exe Code function: 31_2_00007FFFF0DD11B0 31_2_00007FFFF0DD11B0
Source: C:\Users\user\AppData\Local\SUX56B\FileHistory.exe Code function: 31_2_00007FFFF0DB2980 31_2_00007FFFF0DB2980
Source: C:\Users\user\AppData\Local\SUX56B\FileHistory.exe Code function: 31_2_00007FFFF0DE9990 31_2_00007FFFF0DE9990
Source: C:\Users\user\AppData\Local\SUX56B\FileHistory.exe Code function: 31_2_00007FFFF0E1B960 31_2_00007FFFF0E1B960
Source: C:\Users\user\AppData\Local\SUX56B\FileHistory.exe Code function: 31_2_00007FFFF0E16950 31_2_00007FFFF0E16950
Source: C:\Users\user\AppData\Local\SUX56B\FileHistory.exe Code function: 31_2_00007FFFF0DD4140 31_2_00007FFFF0DD4140
Source: C:\Users\user\AppData\Local\SUX56B\FileHistory.exe Code function: 31_2_00007FFFF0E03150 31_2_00007FFFF0E03150
Source: C:\Users\user\AppData\Local\SUX56B\FileHistory.exe Code function: 31_2_00007FFFF0DE6130 31_2_00007FFFF0DE6130
Source: C:\Users\user\AppData\Local\SUX56B\FileHistory.exe Code function: 31_2_00007FFFF0DE0300 31_2_00007FFFF0DE0300
Source: C:\Users\user\AppData\Local\SUX56B\FileHistory.exe Code function: 31_2_00007FFFF0DDA310 31_2_00007FFFF0DDA310
Source: C:\Users\user\AppData\Local\SUX56B\FileHistory.exe Code function: 31_2_00007FFFF0DD82E0 31_2_00007FFFF0DD82E0
Source: C:\Users\user\AppData\Local\SUX56B\FileHistory.exe Code function: 31_2_00007FFFF0DEBAE0 31_2_00007FFFF0DEBAE0
Source: C:\Users\user\AppData\Local\SUX56B\FileHistory.exe Code function: 31_2_00007FFFF0E12AE0 31_2_00007FFFF0E12AE0
Source: C:\Users\user\AppData\Local\SUX56B\FileHistory.exe Code function: 31_2_00007FFFF0DD92C0 31_2_00007FFFF0DD92C0
Source: C:\Users\user\AppData\Local\SUX56B\FileHistory.exe Code function: 31_2_00007FFFF0E0F2C0 31_2_00007FFFF0E0F2C0
Source: C:\Users\user\AppData\Local\SUX56B\FileHistory.exe Code function: 31_2_00007FFFF0DDDAA0 31_2_00007FFFF0DDDAA0
Source: C:\Users\user\AppData\Local\SUX56B\FileHistory.exe Code function: 31_2_00007FFFF0E182A0 31_2_00007FFFF0E182A0
Source: C:\Users\user\AppData\Local\SUX56B\FileHistory.exe Code function: 31_2_00007FFFF0E1AAA0 31_2_00007FFFF0E1AAA0
Source: C:\Users\user\AppData\Local\SUX56B\FileHistory.exe Code function: 31_2_00007FFFF0E1B260 31_2_00007FFFF0E1B260
Source: C:\Users\user\AppData\Local\SUX56B\FileHistory.exe Code function: 31_2_00007FFFF0DB7A40 31_2_00007FFFF0DB7A40
Source: C:\Users\user\AppData\Local\SUX56B\FileHistory.exe Code function: 31_2_00007FFFF0DEB250 31_2_00007FFFF0DEB250
Source: C:\Users\user\AppData\Local\SUX56B\FileHistory.exe Code function: 31_2_00007FFFF0E19410 31_2_00007FFFF0E19410
Source: C:\Users\user\AppData\Local\SUX56B\FileHistory.exe Code function: 31_2_00007FFFF0E1E400 31_2_00007FFFF0E1E400
Source: C:\Users\user\AppData\Local\SUX56B\FileHistory.exe Code function: 31_2_00007FFFF0DC7410 31_2_00007FFFF0DC7410
Source: C:\Users\user\AppData\Local\SUX56B\FileHistory.exe Code function: 31_2_00007FFFF0DC23F0 31_2_00007FFFF0DC23F0
Source: C:\Users\user\AppData\Local\SUX56B\FileHistory.exe Code function: 31_2_00007FFFF0E04BC0 31_2_00007FFFF0E04BC0
Source: C:\Users\user\AppData\Local\SUX56B\FileHistory.exe Code function: 31_2_00007FFFF0E14390 31_2_00007FFFF0E14390
Source: C:\Users\user\AppData\Local\SUX56B\FileHistory.exe Code function: 31_2_00007FFFF0DE4360 31_2_00007FFFF0DE4360
Source: C:\Users\user\AppData\Local\SUX56B\FileHistory.exe Code function: 31_2_00007FFFF0E15B50 31_2_00007FFFF0E15B50
Source: C:\Users\user\AppData\Local\SUX56B\FileHistory.exe Code function: 31_2_00007FFFF0DD3340 31_2_00007FFFF0DD3340
Source: C:\Users\user\AppData\Local\SUX56B\FileHistory.exe Code function: 31_2_00007FFFF0DC8340 31_2_00007FFFF0DC8340
Source: C:\Users\user\AppData\Local\SUX56B\FileHistory.exe Code function: 31_2_00007FFFF0DB5350 31_2_00007FFFF0DB5350
Source: C:\Users\user\AppData\Local\SUX56B\FileHistory.exe Code function: 31_2_00007FFFF0DBBB20 31_2_00007FFFF0DBBB20
Source: C:\Users\user\AppData\Local\SUX56B\FileHistory.exe Code function: 31_2_00007FFFF0DE1B30 31_2_00007FFFF0DE1B30
Source: C:\Users\user\AppData\Local\SUX56B\FileHistory.exe Code function: 31_2_00007FFFF0DE0D10 31_2_00007FFFF0DE0D10
Source: C:\Users\user\AppData\Local\SUX56B\FileHistory.exe Code function: 31_2_00007FFFF0DE3CF0 31_2_00007FFFF0DE3CF0
Source: C:\Users\user\AppData\Local\SUX56B\FileHistory.exe Code function: 31_2_00007FFFF0DC3CD0 31_2_00007FFFF0DC3CD0
Source: C:\Users\user\AppData\Local\SUX56B\FileHistory.exe Code function: 31_2_00007FFFF0E12CA0 31_2_00007FFFF0E12CA0
Source: C:\Users\user\AppData\Local\SUX56B\FileHistory.exe Code function: 31_2_00007FFFF0DDAC80 31_2_00007FFFF0DDAC80
Source: C:\Users\user\AppData\Local\SUX56B\FileHistory.exe Code function: 31_2_00007FFFF0DC5420 31_2_00007FFFF0DC5420
Source: C:\Users\user\AppData\Local\SUX56B\FileHistory.exe Code function: 31_2_00007FFFF0DB5C20 31_2_00007FFFF0DB5C20
Source: C:\Users\user\AppData\Local\SUX56B\FileHistory.exe Code function: 31_2_00007FFFF0DE2E10 31_2_00007FFFF0DE2E10
Source: C:\Users\user\AppData\Local\SUX56B\FileHistory.exe Code function: 31_2_00007FFFF0DD3610 31_2_00007FFFF0DD3610
Source: C:\Users\user\AppData\Local\SUX56B\FileHistory.exe Code function: 31_2_00007FFFF0DC65E0 31_2_00007FFFF0DC65E0
Source: C:\Users\user\AppData\Local\SUX56B\FileHistory.exe Code function: 31_2_00007FFFF0DE25C0 31_2_00007FFFF0DE25C0
Source: C:\Users\user\AppData\Local\SUX56B\FileHistory.exe Code function: 31_2_00007FFFF0DC95C0 31_2_00007FFFF0DC95C0
Source: C:\Users\user\AppData\Local\SUX56B\FileHistory.exe Code function: 31_2_00007FFFF0DBC5A0 31_2_00007FFFF0DBC5A0
Source: C:\Users\user\AppData\Local\SUX56B\FileHistory.exe Code function: 31_2_00007FFFF0DC9D70 31_2_00007FFFF0DC9D70
Source: C:\Users\user\AppData\Local\SUX56B\FileHistory.exe Code function: 31_2_00007FFFF0DDD550 31_2_00007FFFF0DDD550
Source: C:\Users\user\AppData\Local\SUX56B\FileHistory.exe Code function: 31_2_00007FFFF0DD3D50 31_2_00007FFFF0DD3D50
Source: C:\Users\user\AppData\Local\SUX56B\FileHistory.exe Code function: 31_2_00007FFFF0E1D520 31_2_00007FFFF0E1D520
Source: C:\Users\user\AppData\Local\SUX56B\FileHistory.exe Code function: 31_2_00007FFFF0DE1D30 31_2_00007FFFF0DE1D30
Source: C:\Users\user\AppData\Local\SUX56B\FileHistory.exe Code function: 31_2_00007FFFF0E17EC0 31_2_00007FFFF0E17EC0
Source: C:\Users\user\AppData\Local\SUX56B\FileHistory.exe Code function: 31_2_00007FFFF0DE06A0 31_2_00007FFFF0DE06A0
Source: C:\Users\user\AppData\Local\SUX56B\FileHistory.exe Code function: 31_2_00007FFFF0DDF6B0 31_2_00007FFFF0DDF6B0
Source: C:\Users\user\AppData\Local\SUX56B\FileHistory.exe Code function: 31_2_00007FFFF0DB7E80 31_2_00007FFFF0DB7E80
Source: C:\Users\user\AppData\Local\SUX56B\FileHistory.exe Code function: 31_2_00007FFFF0DB6E90 31_2_00007FFFF0DB6E90
Source: C:\Users\user\AppData\Local\SUX56B\FileHistory.exe Code function: 31_2_00007FFFF0DC8670 31_2_00007FFFF0DC8670
Source: C:\Users\user\AppData\Local\SUX56B\FileHistory.exe Code function: 31_2_00007FFFF0E17650 31_2_00007FFFF0E17650
Source: C:\Users\user\AppData\Local\SUX56B\FileHistory.exe Code function: 31_2_00007FFFF0E00650 31_2_00007FFFF0E00650
Source: C:\Users\user\AppData\Local\SUX56B\FileHistory.exe Code function: 31_2_00007FFFF0DBDE20 31_2_00007FFFF0DBDE20
Source: C:\Users\user\AppData\Local\SUX56B\FileHistory.exe Code function: 31_2_00007FFFF0DB1620 31_2_00007FFFF0DB1620
Source: C:\Users\user\AppData\Local\SUX56B\FileHistory.exe Code function: 31_2_00007FFFF0DD4800 31_2_00007FFFF0DD4800
Source: C:\Users\user\AppData\Local\SUX56B\FileHistory.exe Code function: 31_2_00007FFFF0DB1010 31_2_00007FFFF0DB1010
Source: C:\Users\user\AppData\Local\SUX56B\FileHistory.exe Code function: 31_2_00007FFFF0E24FF0 31_2_00007FFFF0E24FF0
Source: C:\Users\user\AppData\Local\SUX56B\FileHistory.exe Code function: 31_2_00007FFFF0DD6FE0 31_2_00007FFFF0DD6FE0
Source: C:\Users\user\AppData\Local\SUX56B\FileHistory.exe Code function: 31_2_00007FFFF0DC8FC0 31_2_00007FFFF0DC8FC0
Source: C:\Users\user\AppData\Local\SUX56B\FileHistory.exe Code function: 31_2_00007FFFF0DCA7D0 31_2_00007FFFF0DCA7D0
Source: C:\Users\user\AppData\Local\SUX56B\FileHistory.exe Code function: 31_2_00007FFFF0DF97D0 31_2_00007FFFF0DF97D0
Source: C:\Users\user\AppData\Local\SUX56B\FileHistory.exe Code function: 31_2_00007FFFF0E2B7A0 31_2_00007FFFF0E2B7A0
Source: C:\Users\user\AppData\Local\SUX56B\FileHistory.exe Code function: 31_2_00007FFFF0DDE7B0 31_2_00007FFFF0DDE7B0
Source: C:\Users\user\AppData\Local\SUX56B\FileHistory.exe Code function: 31_2_00007FFFF0E2EF80 31_2_00007FFFF0E2EF80
Source: C:\Users\user\AppData\Local\SUX56B\FileHistory.exe Code function: 31_2_00007FFFF0DB6790 31_2_00007FFFF0DB6790
Source: C:\Users\user\AppData\Local\SUX56B\FileHistory.exe Code function: 31_2_00007FFFF0E10770 31_2_00007FFFF0E10770
Source: C:\Users\user\AppData\Local\SUX56B\FileHistory.exe Code function: 31_2_00007FFFF0E15760 31_2_00007FFFF0E15760
Source: C:\Users\user\AppData\Local\SUX56B\FileHistory.exe Code function: 31_2_00007FFFF0DCE770 31_2_00007FFFF0DCE770
Source: C:\Users\user\AppData\Local\SUX56B\FileHistory.exe Code function: 31_2_00007FFFF0DD2F50 31_2_00007FFFF0DD2F50
Source: C:\Users\user\AppData\Local\SUX56B\FileHistory.exe Code function: 31_2_00007FFFF0E10F30 31_2_00007FFFF0E10F30
Source: C:\Users\user\AppData\Local\SUX56B\FileHistory.exe Code function: 31_2_00007FFFF0DD872B 31_2_00007FFFF0DD872B
Source: C:\Users\user\AppData\Local\USNBng\MDMAppInstaller.exe Code function: String function: 00007FF77C196124 appears 108 times
Source: C:\Users\user\AppData\Local\USNBng\MDMAppInstaller.exe Code function: String function: 00007FF77C195F34 appears 75 times
Source: C:\Users\user\AppData\Local\USNBng\MDMAppInstaller.exe Code function: 20_2_00007FF77C199630 memset,memset,GetSystemDirectoryW,??3@YAXPEAX@Z,??3@YAXPEAX@Z,wcscat_s,GetTempFileNameW,GetLastError,#6,#177,RevertToSelf,CreateEnvironmentBlock,GetLastError,CreateProcessAsUserW,GetLastError,CreateProcessW,GetLastError,WaitForSingleObject,GetExitCodeProcess,GetLastError,DeleteFileW,GetLastError,GetLastError,RevertToSelf,DeleteFileW,GetLastError,DestroyEnvironmentBlock,EnterCriticalSection,LeaveCriticalSection,CloseHandle,CloseHandle,CloseHandle,??3@YAXPEAX@Z,??3@YAXPEAX@Z,??3@YAXPEAX@Z,??3@YAXPEAX@Z, 20_2_00007FF77C199630
Source: C:\Windows\System32\loaddll64.exe Code function: 1_2_00007FFFE2017770 NtClose, 1_2_00007FFFE2017770
Source: C:\Windows\System32\loaddll64.exe Code function: 1_2_00007FFFE203D520 NtQuerySystemInformation, 1_2_00007FFFE203D520
Source: C:\Users\user\AppData\Local\USNBng\MDMAppInstaller.exe Code function: 20_2_00007FFFEF965F40 NtCreateSection,NtMapViewOfSection,NtUnmapViewOfSection,NtDuplicateObject,NtDuplicateObject, 20_2_00007FFFEF965F40
Source: C:\Users\user\AppData\Local\USNBng\MDMAppInstaller.exe Code function: 20_2_00007FFFEF987770 NtClose, 20_2_00007FFFEF987770
Source: C:\Users\user\AppData\Local\USNBng\MDMAppInstaller.exe Code function: 20_2_00007FFFEF97CE20 NtDuplicateObject,NtClose, 20_2_00007FFFEF97CE20
Source: C:\Users\user\AppData\Local\USNBng\MDMAppInstaller.exe Code function: 20_2_00007FFFEF9AD520 NtQuerySystemInformation, 20_2_00007FFFEF9AD520
Source: C:\Users\user\AppData\Local\USNBng\MDMAppInstaller.exe Code function: 20_2_00007FFFEF97C4D0 CreateFileMappingW,VirtualAlloc,NtMapViewOfSection,NtUnmapViewOfSection,NtDuplicateObject,NtDuplicateObject, 20_2_00007FFFEF97C4D0
Source: C:\Users\user\AppData\Local\USNBng\MDMAppInstaller.exe Code function: 20_2_00007FFFEF975CD0 RtlAddVectoredContinueHandler,VirtualProtect,VirtualProtect,RtlCreateUserThread,NtClose, 20_2_00007FFFEF975CD0
Source: C:\Users\user\AppData\Local\USNBng\MDMAppInstaller.exe Code function: 20_2_00007FFFEF97BAE0 NtReadVirtualMemory,RtlQueueApcWow64Thread, 20_2_00007FFFEF97BAE0
Source: C:\Users\user\AppData\Local\USNBng\MDMAppInstaller.exe Code function: 20_2_00007FFFEF97AA70 VirtualAlloc,NtDuplicateObject,RtlQueueApcWow64Thread, 20_2_00007FFFEF97AA70
Source: C:\Users\user\AppData\Local\USNBng\MDMAppInstaller.exe Code function: 20_2_00007FFFEF98F150 NtDelayExecution, 20_2_00007FFFEF98F150
Source: C:\Users\user\AppData\Local\USNBng\MDMAppInstaller.exe Code function: 20_2_00007FFFEF978060 NtReadVirtualMemory, 20_2_00007FFFEF978060
Source: C:\Users\user\AppData\Local\xwE\wextract.exe Code function: 25_2_00007FFFF6D07770 NtClose, 25_2_00007FFFF6D07770
Source: C:\Users\user\AppData\Local\xwE\wextract.exe Code function: 25_2_00007FFFF6CE5F40 NtCreateSection,NtMapViewOfSection,NtUnmapViewOfSection,NtDuplicateObject,NtDuplicateObject, 25_2_00007FFFF6CE5F40
Source: C:\Users\user\AppData\Local\xwE\wextract.exe Code function: 25_2_00007FFFF6CFC4D0 CreateFileMappingW,VirtualAlloc,NtMapViewOfSection,NtUnmapViewOfSection,NtDuplicateObject,NtDuplicateObject, 25_2_00007FFFF6CFC4D0
Source: C:\Users\user\AppData\Local\xwE\wextract.exe Code function: 25_2_00007FFFF6CF5CD0 RtlAddVectoredContinueHandler,VirtualProtect,VirtualProtect,RtlCreateUserThread,NtClose, 25_2_00007FFFF6CF5CD0
Source: C:\Users\user\AppData\Local\xwE\wextract.exe Code function: 25_2_00007FFFF6D2D520 NtQuerySystemInformation, 25_2_00007FFFF6D2D520
Source: C:\Users\user\AppData\Local\xwE\wextract.exe Code function: 25_2_00007FFFF6CFBAE0 NtReadVirtualMemory, 25_2_00007FFFF6CFBAE0
Source: C:\Users\user\AppData\Local\xwE\wextract.exe Code function: 25_2_00007FFFF6CFAA70 VirtualAlloc,NtDuplicateObject,RtlQueueApcWow64Thread, 25_2_00007FFFF6CFAA70
Source: C:\Users\user\AppData\Local\SUX56B\FileHistory.exe Code function: 31_2_00007FFFF0DE5CD0 RtlAddVectoredContinueHandler,VirtualProtect,VirtualProtect,RtlCreateUserThread,NtClose, 31_2_00007FFFF0DE5CD0
Source: C:\Users\user\AppData\Local\SUX56B\FileHistory.exe Code function: 31_2_00007FFFF0DF7770 NtClose, 31_2_00007FFFF0DF7770
Source: SystemPropertiesAdvanced.exe.6.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: SystemPropertiesAdvanced.exe.6.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: SystemPropertiesAdvanced.exe.6.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: FileHistory.exe.6.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: FileHistory.exe.6.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: FileHistory.exe.6.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: FileHistory.exe.6.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: FileHistory.exe.6.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: FileHistory.exe.6.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: iexpress.exe.6.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: iexpress.exe.6.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: iexpress.exe.6.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: SystemPropertiesComputerName.exe.6.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: SystemPropertiesComputerName.exe.6.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: SystemPropertiesComputerName.exe.6.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: iexpress.exe0.6.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: iexpress.exe0.6.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: iexpress.exe0.6.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: wextract.exe.6.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: wextract.exe.6.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: wextract.exe.6.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: C:\Windows\System32\loaddll64.exe Section loaded: kernel34.dll
Source: C:\Windows\explorer.exe Section loaded: kernel34.dll
Source: C:\Windows\explorer.exe Section loaded: windows.globalization.dll
Source: C:\Windows\explorer.exe Section loaded: capabilityaccessmanagerclient.dll
Source: C:\Windows\explorer.exe Section loaded: kernel34.dll
Source: C:\Windows\explorer.exe Section loaded: kernel34.dll
Source: C:\Users\user\AppData\Local\USNBng\MDMAppInstaller.exe Section loaded: kernel34.dll
Source: C:\Users\user\AppData\Local\E4DREUfrP\iexpress.exe Section loaded: kernel34.dll
Source: C:\Users\user\AppData\Local\xwE\wextract.exe Section loaded: kernel34.dll
Source: C:\Users\user\AppData\Local\pUTm\SystemPropertiesAdvanced.exe Section loaded: kernel34.dll
Source: C:\Users\user\AppData\Local\SUX56B\FileHistory.exe Section loaded: kernel34.dll
Source: C:\Users\user\AppData\Local\KGg\iexpress.exe Section loaded: kernel34.dll
Source: C:\Users\user\AppData\Local\lcdNfR\SystemPropertiesComputerName.exe Section loaded: kernel34.dll
Source: WTSAPI32.dll.6.dr Static PE information: Number of sections : 71 > 10
Source: XmlLite.dll0.6.dr Static PE information: Number of sections : 71 > 10
Source: VERSION.dll1.6.dr Static PE information: Number of sections : 71 > 10
Source: SYSDM.CPL.6.dr Static PE information: Number of sections : 71 > 10
Source: UxTheme.dll.6.dr Static PE information: Number of sections : 71 > 10
Source: newdev.dll.6.dr Static PE information: Number of sections : 71 > 10
Source: VERSION.dll.6.dr Static PE information: Number of sections : 71 > 10
Source: VERSION.dll0.6.dr Static PE information: Number of sections : 71 > 10
Source: XmlLite.dll.6.dr Static PE information: Number of sections : 71 > 10
Source: mpXUd364Rz.dll Static PE information: Number of sections : 70 > 10
Source: SYSDM.CPL0.6.dr Static PE information: Number of sections : 71 > 10
Source: mpXUd364Rz.dll Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: SYSDM.CPL.6.dr Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: UxTheme.dll.6.dr Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: VERSION.dll.6.dr Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: XmlLite.dll.6.dr Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: SYSDM.CPL0.6.dr Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: WTSAPI32.dll.6.dr Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: newdev.dll.6.dr Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: XmlLite.dll0.6.dr Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: VERSION.dll0.6.dr Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: VERSION.dll1.6.dr Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: mpXUd364Rz.dll Virustotal: Detection: 64%
Source: mpXUd364Rz.dll Metadefender: Detection: 62%
Source: mpXUd364Rz.dll ReversingLabs: Detection: 88%
Source: mpXUd364Rz.dll Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Windows\System32\loaddll64.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown Process created: C:\Windows\System32\loaddll64.exe loaddll64.exe "C:\Users\user\Desktop\mpXUd364Rz.dll"
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\mpXUd364Rz.dll",#1
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\mpXUd364Rz.dll,GetFileVersionInfoA
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\mpXUd364Rz.dll",#1
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\mpXUd364Rz.dll,GetFileVersionInfoByHandle
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\mpXUd364Rz.dll,GetFileVersionInfoExA
Source: C:\Windows\explorer.exe Process created: C:\Windows\System32\MDMAppInstaller.exe C:\Windows\system32\MDMAppInstaller.exe
Source: C:\Windows\explorer.exe Process created: C:\Users\user\AppData\Local\USNBng\MDMAppInstaller.exe C:\Users\user\AppData\Local\USNBng\MDMAppInstaller.exe
Source: C:\Windows\explorer.exe Process created: C:\Windows\System32\iexpress.exe C:\Windows\system32\iexpress.exe
Source: C:\Windows\explorer.exe Process created: C:\Users\user\AppData\Local\E4DREUfrP\iexpress.exe C:\Users\user\AppData\Local\E4DREUfrP\iexpress.exe
Source: C:\Windows\explorer.exe Process created: C:\Windows\System32\wextract.exe C:\Windows\system32\wextract.exe
Source: C:\Windows\explorer.exe Process created: C:\Users\user\AppData\Local\xwE\wextract.exe C:\Users\user\AppData\Local\xwE\wextract.exe
Source: C:\Windows\explorer.exe Process created: C:\Windows\System32\SystemPropertiesAdvanced.exe C:\Windows\system32\SystemPropertiesAdvanced.exe
Source: C:\Windows\explorer.exe Process created: C:\Users\user\AppData\Local\pUTm\SystemPropertiesAdvanced.exe C:\Users\user\AppData\Local\pUTm\SystemPropertiesAdvanced.exe
Source: C:\Windows\explorer.exe Process created: C:\Windows\System32\FileHistory.exe C:\Windows\system32\FileHistory.exe
Source: C:\Windows\explorer.exe Process created: C:\Users\user\AppData\Local\SUX56B\FileHistory.exe C:\Users\user\AppData\Local\SUX56B\FileHistory.exe
Source: C:\Windows\explorer.exe Process created: C:\Windows\System32\iexpress.exe C:\Windows\system32\iexpress.exe
Source: C:\Windows\explorer.exe Process created: C:\Users\user\AppData\Local\KGg\iexpress.exe C:\Users\user\AppData\Local\KGg\iexpress.exe
Source: C:\Windows\explorer.exe Process created: C:\Windows\System32\sppsvc.exe C:\Windows\system32\sppsvc.exe
Source: C:\Windows\explorer.exe Process created: C:\Users\user\AppData\Local\4gdyz\sppsvc.exe C:\Users\user\AppData\Local\4gdyz\sppsvc.exe
Source: C:\Windows\explorer.exe Process created: C:\Windows\System32\SystemPropertiesComputerName.exe C:\Windows\system32\SystemPropertiesComputerName.exe
Source: C:\Windows\explorer.exe Process created: C:\Users\user\AppData\Local\lcdNfR\SystemPropertiesComputerName.exe C:\Users\user\AppData\Local\lcdNfR\SystemPropertiesComputerName.exe
Source: C:\Windows\explorer.exe Process created: C:\Windows\System32\InfDefaultInstall.exe C:\Windows\system32\InfDefaultInstall.exe
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\mpXUd364Rz.dll",#1
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\mpXUd364Rz.dll,GetFileVersionInfoA
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\mpXUd364Rz.dll,GetFileVersionInfoByHandle
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\mpXUd364Rz.dll,GetFileVersionInfoExA
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\mpXUd364Rz.dll",#1
Source: C:\Windows\explorer.exe Process created: C:\Windows\System32\MDMAppInstaller.exe C:\Windows\system32\MDMAppInstaller.exe
Source: C:\Windows\explorer.exe Process created: C:\Users\user\AppData\Local\USNBng\MDMAppInstaller.exe C:\Users\user\AppData\Local\USNBng\MDMAppInstaller.exe
Source: C:\Windows\explorer.exe Process created: C:\Windows\System32\iexpress.exe C:\Windows\system32\iexpress.exe
Source: C:\Windows\explorer.exe Process created: C:\Users\user\AppData\Local\E4DREUfrP\iexpress.exe C:\Users\user\AppData\Local\E4DREUfrP\iexpress.exe
Source: C:\Windows\explorer.exe Process created: C:\Windows\System32\wextract.exe C:\Windows\system32\wextract.exe
Source: C:\Windows\explorer.exe Process created: C:\Users\user\AppData\Local\xwE\wextract.exe C:\Users\user\AppData\Local\xwE\wextract.exe
Source: C:\Windows\explorer.exe Process created: C:\Windows\System32\SystemPropertiesAdvanced.exe C:\Windows\system32\SystemPropertiesAdvanced.exe
Source: C:\Windows\explorer.exe Process created: C:\Users\user\AppData\Local\pUTm\SystemPropertiesAdvanced.exe C:\Users\user\AppData\Local\pUTm\SystemPropertiesAdvanced.exe
Source: C:\Windows\explorer.exe Process created: C:\Windows\System32\FileHistory.exe C:\Windows\system32\FileHistory.exe
Source: C:\Windows\explorer.exe Process created: C:\Users\user\AppData\Local\SUX56B\FileHistory.exe C:\Users\user\AppData\Local\SUX56B\FileHistory.exe
Source: C:\Windows\explorer.exe Process created: C:\Windows\System32\iexpress.exe C:\Windows\system32\iexpress.exe
Source: C:\Windows\explorer.exe Process created: C:\Users\user\AppData\Local\KGg\iexpress.exe C:\Users\user\AppData\Local\KGg\iexpress.exe
Source: C:\Windows\explorer.exe Process created: C:\Windows\System32\sppsvc.exe C:\Windows\system32\sppsvc.exe
Source: C:\Windows\explorer.exe Process created: C:\Users\user\AppData\Local\4gdyz\sppsvc.exe C:\Users\user\AppData\Local\4gdyz\sppsvc.exe
Source: C:\Windows\explorer.exe Process created: C:\Windows\System32\SystemPropertiesComputerName.exe C:\Windows\system32\SystemPropertiesComputerName.exe
Source: C:\Windows\explorer.exe Process created: C:\Users\user\AppData\Local\lcdNfR\SystemPropertiesComputerName.exe C:\Users\user\AppData\Local\lcdNfR\SystemPropertiesComputerName.exe
Source: C:\Windows\explorer.exe Process created: C:\Windows\System32\InfDefaultInstall.exe C:\Windows\system32\InfDefaultInstall.exe
Source: C:\Windows\explorer.exe Process created: unknown unknown
Source: C:\Windows\explorer.exe Process created: unknown unknown
Source: C:\Windows\explorer.exe Process created: unknown unknown
Source: C:\Windows\explorer.exe Process created: unknown unknown
Source: C:\Windows\explorer.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32
Source: C:\Users\user\AppData\Local\xwE\wextract.exe Code function: 25_2_00007FF78E551B10 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,CloseHandle,ExitWindowsEx, 25_2_00007FF78E551B10
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Crypto
Source: classification engine Classification label: mal100.troj.evad.winDLL@49/22@0/0
Source: C:\Users\user\AppData\Local\USNBng\MDMAppInstaller.exe Code function: 20_2_00007FF77C1A3134 CoCreateInstance,CoSetProxyBlanket, 20_2_00007FF77C1A3134
Source: C:\Users\user\AppData\Local\xwE\wextract.exe Code function: 25_2_00007FF78E556418 GetCurrentDirectoryA,SetCurrentDirectoryA,GetLastError,GetDiskFreeSpaceA,MulDiv,GetVolumeInformationA,memset,GetLastError,GetLastError,FormatMessageA,SetCurrentDirectoryA,memset,GetLastError,GetLastError,FormatMessageA,SetCurrentDirectoryA, 25_2_00007FF78E556418
Source: C:\Users\user\AppData\Local\E4DREUfrP\iexpress.exe Code function: 23_2_00007FF700CD7FF4 _lwrite,_lwrite,GetLastError,FormatMessageA,LoadStringA,MessageBoxA,LocalFree, 23_2_00007FF700CD7FF4
Source: C:\Users\user\AppData\Local\SUX56B\FileHistory.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dll
Source: C:\Users\user\AppData\Local\USNBng\MDMAppInstaller.exe Code function: 20_2_00007FFFEF97CB00 GetProcessId,CreateToolhelp32Snapshot,Thread32First,Thread32Next, 20_2_00007FFFEF97CB00
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\mpXUd364Rz.dll,GetFileVersionInfoA
Source: C:\Users\user\AppData\Local\lcdNfR\SystemPropertiesComputerName.exe Mutant created: \Sessions\1\BaseNamedObjects\{2b9f69fc-d942-5108-1b7e-06ce6cc163c0}
Source: C:\Users\user\AppData\Local\lcdNfR\SystemPropertiesComputerName.exe Mutant created: \Sessions\1\BaseNamedObjects\{201a9ced-b6b9-3ccf-1f9b-f23e480bd0ad}
Source: C:\Users\user\AppData\Local\E4DREUfrP\iexpress.exe Code function: 23_2_00007FF700CD7600 CompareStringA,FindResourceExA,free,free,SizeofResource,malloc,memset,LoadResource,free,LockResource,memcpy,FreeResource, 23_2_00007FF700CD7600
Source: mpXUd364Rz.dll Static PE information: Image base 0x140000000 > 0x60000000
Source: mpXUd364Rz.dll Static file information: File size 1421312 > 1048576
Source: mpXUd364Rz.dll Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA
Source: Binary string: iexpress.pdbGCTL source: iexpress.exe, 00000017.00000000.381495000.00007FF700CE0000.00000002.00000001.01000000.0000000C.sdmp, iexpress.exe, 00000017.00000002.404968145.00007FF700CE0000.00000002.00000001.01000000.0000000C.sdmp, iexpress.exe, 00000021.00000000.482512095.00007FF6ECF70000.00000002.00000001.01000000.00000015.sdmp, iexpress.exe, 00000021.00000002.512158543.00007FF6ECF70000.00000002.00000001.01000000.00000015.sdmp
Source: Binary string: wextract.pdb source: wextract.exe, 00000019.00000000.410833636.00007FF78E559000.00000002.00000001.01000000.0000000E.sdmp, wextract.exe, 00000019.00000002.434355036.00007FF78E559000.00000002.00000001.01000000.0000000E.sdmp
Source: Binary string: mdmappinstaller.pdbGCTL source: MDMAppInstaller.exe, 00000014.00000002.369492137.00007FF77C1A5000.00000002.00000001.01000000.0000000A.sdmp, MDMAppInstaller.exe, 00000014.00000000.345833557.00007FF77C1A5000.00000002.00000001.01000000.0000000A.sdmp
Source: Binary string: wextract.pdbGCTL source: wextract.exe, 00000019.00000000.410833636.00007FF78E559000.00000002.00000001.01000000.0000000E.sdmp, wextract.exe, 00000019.00000002.434355036.00007FF78E559000.00000002.00000001.01000000.0000000E.sdmp
Source: Binary string: sppsvc.pdb source: sppsvc.exe, 00000024.00000000.519045806.00007FF74EE9B000.00000002.00000001.01000000.00000017.sdmp, sppsvc.exe, 00000024.00000002.559206083.00007FF74EE9B000.00000002.00000001.01000000.00000017.sdmp
Source: Binary string: SystemPropertiesComputerName.pdb source: SystemPropertiesComputerName.exe, 00000028.00000000.569829747.00007FF6726F2000.00000002.00000001.01000000.0000001A.sdmp, SystemPropertiesComputerName.exe, 00000028.00000002.595087283.00007FF6726F2000.00000002.00000001.01000000.0000001A.sdmp
Source: Binary string: SystemPropertiesAdvanced.pdb source: SystemPropertiesAdvanced.exe, 0000001D.00000000.439910859.00007FF773112000.00000002.00000001.01000000.00000010.sdmp, SystemPropertiesAdvanced.exe, 0000001D.00000002.467026056.00007FF773112000.00000002.00000001.01000000.00000010.sdmp
Source: Binary string: FileHistory.pdbGCTL source: FileHistory.exe, 0000001F.00000000.471907577.00007FF6F1249000.00000002.00000001.01000000.00000012.sdmp, FileHistory.exe, 0000001F.00000002.476813926.00007FF6F1249000.00000002.00000001.01000000.00000012.sdmp
Source: Binary string: sppsvc.pdbGCTL source: sppsvc.exe, 00000024.00000000.519045806.00007FF74EE9B000.00000002.00000001.01000000.00000017.sdmp, sppsvc.exe, 00000024.00000002.559206083.00007FF74EE9B000.00000002.00000001.01000000.00000017.sdmp
Source: Binary string: SystemPropertiesComputerName.pdbGCTL source: SystemPropertiesComputerName.exe, 00000028.00000000.569829747.00007FF6726F2000.00000002.00000001.01000000.0000001A.sdmp, SystemPropertiesComputerName.exe, 00000028.00000002.595087283.00007FF6726F2000.00000002.00000001.01000000.0000001A.sdmp
Source: Binary string: SystemPropertiesAdvanced.pdbGCTL source: SystemPropertiesAdvanced.exe, 0000001D.00000000.439910859.00007FF773112000.00000002.00000001.01000000.00000010.sdmp, SystemPropertiesAdvanced.exe, 0000001D.00000002.467026056.00007FF773112000.00000002.00000001.01000000.00000010.sdmp
Source: Binary string: mdmappinstaller.pdb source: MDMAppInstaller.exe, 00000014.00000002.369492137.00007FF77C1A5000.00000002.00000001.01000000.0000000A.sdmp, MDMAppInstaller.exe, 00000014.00000000.345833557.00007FF77C1A5000.00000002.00000001.01000000.0000000A.sdmp
Source: Binary string: iexpress.pdb source: iexpress.exe, 00000017.00000000.381495000.00007FF700CE0000.00000002.00000001.01000000.0000000C.sdmp, iexpress.exe, 00000017.00000002.404968145.00007FF700CE0000.00000002.00000001.01000000.0000000C.sdmp, iexpress.exe, 00000021.00000000.482512095.00007FF6ECF70000.00000002.00000001.01000000.00000015.sdmp, iexpress.exe, 00000021.00000002.512158543.00007FF6ECF70000.00000002.00000001.01000000.00000015.sdmp
Source: Binary string: FileHistory.pdb source: FileHistory.exe, 0000001F.00000000.471907577.00007FF6F1249000.00000002.00000001.01000000.00000012.sdmp, FileHistory.exe, 0000001F.00000002.476813926.00007FF6F1249000.00000002.00000001.01000000.00000012.sdmp
Source: C:\Users\user\AppData\Local\USNBng\MDMAppInstaller.exe Code function: 20_2_00007FFFEF9BD500 push rax; iretd 20_2_00007FFFEF9BD501
Source: C:\Users\user\AppData\Local\xwE\wextract.exe Code function: 25_2_00007FFFF6D3D500 push rax; iretd 25_2_00007FFFF6D3D501
Source: mpXUd364Rz.dll Static PE information: section name: .vxl
Source: mpXUd364Rz.dll Static PE information: section name: .qwubgr
Source: mpXUd364Rz.dll Static PE information: section name: .eer
Source: mpXUd364Rz.dll Static PE information: section name: .xwwauf
Source: mpXUd364Rz.dll Static PE information: section name: .pkc
Source: mpXUd364Rz.dll Static PE information: section name: .npkda
Source: mpXUd364Rz.dll Static PE information: section name: .vhs
Source: mpXUd364Rz.dll Static PE information: section name: .iaywj
Source: mpXUd364Rz.dll Static PE information: section name: .nasi
Source: mpXUd364Rz.dll Static PE information: section name: .zhvprh
Source: mpXUd364Rz.dll Static PE information: section name: .yatdsp
Source: mpXUd364Rz.dll Static PE information: section name: .njso
Source: mpXUd364Rz.dll Static PE information: section name: .lgliat
Source: mpXUd364Rz.dll Static PE information: section name: .ntqjh
Source: mpXUd364Rz.dll Static PE information: section name: .sucsek
Source: mpXUd364Rz.dll Static PE information: section name: .qsxjui
Source: mpXUd364Rz.dll Static PE information: section name: .twctcm
Source: mpXUd364Rz.dll Static PE information: section name: .nms
Source: mpXUd364Rz.dll Static PE information: section name: .ogj
Source: mpXUd364Rz.dll Static PE information: section name: .vrkgb
Source: mpXUd364Rz.dll Static PE information: section name: .gikfw
Source: mpXUd364Rz.dll Static PE information: section name: .ktl
Source: mpXUd364Rz.dll Static PE information: section name: .crcn
Source: mpXUd364Rz.dll Static PE information: section name: .wtfr
Source: mpXUd364Rz.dll Static PE information: section name: .hep
Source: mpXUd364Rz.dll Static PE information: section name: .ywg
Source: mpXUd364Rz.dll Static PE information: section name: .sqsp
Source: mpXUd364Rz.dll Static PE information: section name: .gzb
Source: mpXUd364Rz.dll Static PE information: section name: .fatlss
Source: mpXUd364Rz.dll Static PE information: section name: .plqa
Source: mpXUd364Rz.dll Static PE information: section name: .vzt
Source: mpXUd364Rz.dll Static PE information: section name: .dsbyd
Source: mpXUd364Rz.dll Static PE information: section name: .cdelc
Source: mpXUd364Rz.dll Static PE information: section name: .qkhkj
Source: mpXUd364Rz.dll Static PE information: section name: .mnzegr
Source: mpXUd364Rz.dll Static PE information: section name: .krw
Source: mpXUd364Rz.dll Static PE information: section name: .jvsmn
Source: mpXUd364Rz.dll Static PE information: section name: .bygpq
Source: mpXUd364Rz.dll Static PE information: section name: .kzdbu
Source: mpXUd364Rz.dll Static PE information: section name: .mwxorn
Source: mpXUd364Rz.dll Static PE information: section name: .raf
Source: mpXUd364Rz.dll Static PE information: section name: .zcyw
Source: mpXUd364Rz.dll Static PE information: section name: .zeczh
Source: mpXUd364Rz.dll Static PE information: section name: .pvv
Source: mpXUd364Rz.dll Static PE information: section name: .lug
Source: mpXUd364Rz.dll Static PE information: section name: .ski
Source: mpXUd364Rz.dll Static PE information: section name: .japjd
Source: mpXUd364Rz.dll Static PE information: section name: .mwtzml
Source: mpXUd364Rz.dll Static PE information: section name: .vgssf
Source: mpXUd364Rz.dll Static PE information: section name: .gsroye
Source: mpXUd364Rz.dll Static PE information: section name: .vcmr
Source: mpXUd364Rz.dll Static PE information: section name: .kvjqnl
Source: mpXUd364Rz.dll Static PE information: section name: .zlu
Source: mpXUd364Rz.dll Static PE information: section name: .nrcvk
Source: mpXUd364Rz.dll Static PE information: section name: .pfz
Source: mpXUd364Rz.dll Static PE information: section name: .hxz
Source: mpXUd364Rz.dll Static PE information: section name: .snjrs
Source: mpXUd364Rz.dll Static PE information: section name: .bffts
Source: mpXUd364Rz.dll Static PE information: section name: .gknvh
Source: mpXUd364Rz.dll Static PE information: section name: .mifiod
Source: mpXUd364Rz.dll Static PE information: section name: .whmsy
Source: mpXUd364Rz.dll Static PE information: section name: .wtuzur
Source: mpXUd364Rz.dll Static PE information: section name: .lwtn
Source: mpXUd364Rz.dll Static PE information: section name: .kuh
Source: FileHistory.exe.6.dr Static PE information: section name: .nep
Source: sppsvc.exe.6.dr Static PE information: section name: ?g_Encry
Source: sppsvc.exe.6.dr Static PE information: section name: ?g_Encry
Source: sppsvc.exe.6.dr Static PE information: section name: ?g_Encry
Source: sppsvc.exe.6.dr Static PE information: section name: ?g_Encry
Source: MDMAppInstaller.exe.6.dr Static PE information: section name: .didat
Source: MusNotificationUx.exe.6.dr Static PE information: section name: .imrsiv
Source: MusNotificationUx.exe.6.dr Static PE information: section name: .didat
Source: SYSDM.CPL.6.dr Static PE information: section name: .vxl
Source: SYSDM.CPL.6.dr Static PE information: section name: .qwubgr
Source: SYSDM.CPL.6.dr Static PE information: section name: .eer
Source: SYSDM.CPL.6.dr Static PE information: section name: .xwwauf
Source: SYSDM.CPL.6.dr Static PE information: section name: .pkc
Source: SYSDM.CPL.6.dr Static PE information: section name: .npkda
Source: SYSDM.CPL.6.dr Static PE information: section name: .vhs
Source: SYSDM.CPL.6.dr Static PE information: section name: .iaywj
Source: SYSDM.CPL.6.dr Static PE information: section name: .nasi
Source: SYSDM.CPL.6.dr Static PE information: section name: .zhvprh
Source: SYSDM.CPL.6.dr Static PE information: section name: .yatdsp
Source: SYSDM.CPL.6.dr Static PE information: section name: .njso
Source: SYSDM.CPL.6.dr Static PE information: section name: .lgliat
Source: SYSDM.CPL.6.dr Static PE information: section name: .ntqjh
Source: SYSDM.CPL.6.dr Static PE information: section name: .sucsek
Source: SYSDM.CPL.6.dr Static PE information: section name: .qsxjui
Source: SYSDM.CPL.6.dr Static PE information: section name: .twctcm
Source: SYSDM.CPL.6.dr Static PE information: section name: .nms
Source: SYSDM.CPL.6.dr Static PE information: section name: .ogj
Source: SYSDM.CPL.6.dr Static PE information: section name: .vrkgb
Source: SYSDM.CPL.6.dr Static PE information: section name: .gikfw
Source: SYSDM.CPL.6.dr Static PE information: section name: .ktl
Source: SYSDM.CPL.6.dr Static PE information: section name: .crcn
Source: SYSDM.CPL.6.dr Static PE information: section name: .wtfr
Source: SYSDM.CPL.6.dr Static PE information: section name: .hep
Source: SYSDM.CPL.6.dr Static PE information: section name: .ywg
Source: SYSDM.CPL.6.dr Static PE information: section name: .sqsp
Source: SYSDM.CPL.6.dr Static PE information: section name: .gzb
Source: SYSDM.CPL.6.dr Static PE information: section name: .fatlss
Source: SYSDM.CPL.6.dr Static PE information: section name: .plqa
Source: SYSDM.CPL.6.dr Static PE information: section name: .vzt
Source: SYSDM.CPL.6.dr Static PE information: section name: .dsbyd
Source: SYSDM.CPL.6.dr Static PE information: section name: .cdelc
Source: SYSDM.CPL.6.dr Static PE information: section name: .qkhkj
Source: SYSDM.CPL.6.dr Static PE information: section name: .mnzegr
Source: SYSDM.CPL.6.dr Static PE information: section name: .krw
Source: SYSDM.CPL.6.dr Static PE information: section name: .jvsmn
Source: SYSDM.CPL.6.dr Static PE information: section name: .bygpq
Source: SYSDM.CPL.6.dr Static PE information: section name: .kzdbu
Source: SYSDM.CPL.6.dr Static PE information: section name: .mwxorn
Source: SYSDM.CPL.6.dr Static PE information: section name: .raf
Source: SYSDM.CPL.6.dr Static PE information: section name: .zcyw
Source: SYSDM.CPL.6.dr Static PE information: section name: .zeczh
Source: SYSDM.CPL.6.dr Static PE information: section name: .pvv
Source: SYSDM.CPL.6.dr Static PE information: section name: .lug
Source: SYSDM.CPL.6.dr Static PE information: section name: .ski
Source: SYSDM.CPL.6.dr Static PE information: section name: .japjd
Source: SYSDM.CPL.6.dr Static PE information: section name: .mwtzml
Source: SYSDM.CPL.6.dr Static PE information: section name: .vgssf
Source: SYSDM.CPL.6.dr Static PE information: section name: .gsroye
Source: SYSDM.CPL.6.dr Static PE information: section name: .vcmr
Source: SYSDM.CPL.6.dr Static PE information: section name: .kvjqnl
Source: SYSDM.CPL.6.dr Static PE information: section name: .zlu
Source: SYSDM.CPL.6.dr Static PE information: section name: .nrcvk
Source: SYSDM.CPL.6.dr Static PE information: section name: .pfz
Source: SYSDM.CPL.6.dr Static PE information: section name: .hxz
Source: SYSDM.CPL.6.dr Static PE information: section name: .snjrs
Source: SYSDM.CPL.6.dr Static PE information: section name: .bffts
Source: SYSDM.CPL.6.dr Static PE information: section name: .gknvh
Source: SYSDM.CPL.6.dr Static PE information: section name: .mifiod
Source: SYSDM.CPL.6.dr Static PE information: section name: .whmsy
Source: SYSDM.CPL.6.dr Static PE information: section name: .wtuzur
Source: SYSDM.CPL.6.dr Static PE information: section name: .lwtn
Source: SYSDM.CPL.6.dr Static PE information: section name: .kuh
Source: SYSDM.CPL.6.dr Static PE information: section name: .repb
Source: UxTheme.dll.6.dr Static PE information: section name: .vxl
Source: UxTheme.dll.6.dr Static PE information: section name: .qwubgr
Source: UxTheme.dll.6.dr Static PE information: section name: .eer
Source: UxTheme.dll.6.dr Static PE information: section name: .xwwauf
Source: UxTheme.dll.6.dr Static PE information: section name: .pkc
Source: UxTheme.dll.6.dr Static PE information: section name: .npkda
Source: UxTheme.dll.6.dr Static PE information: section name: .vhs
Source: UxTheme.dll.6.dr Static PE information: section name: .iaywj
Source: UxTheme.dll.6.dr Static PE information: section name: .nasi
Source: UxTheme.dll.6.dr Static PE information: section name: .zhvprh
Source: UxTheme.dll.6.dr Static PE information: section name: .yatdsp
Source: UxTheme.dll.6.dr Static PE information: section name: .njso
Source: UxTheme.dll.6.dr Static PE information: section name: .lgliat
Source: UxTheme.dll.6.dr Static PE information: section name: .ntqjh
Source: UxTheme.dll.6.dr Static PE information: section name: .sucsek
Source: UxTheme.dll.6.dr Static PE information: section name: .qsxjui
Source: UxTheme.dll.6.dr Static PE information: section name: .twctcm
Source: UxTheme.dll.6.dr Static PE information: section name: .nms
Source: UxTheme.dll.6.dr Static PE information: section name: .ogj
Source: UxTheme.dll.6.dr Static PE information: section name: .vrkgb
Source: UxTheme.dll.6.dr Static PE information: section name: .gikfw
Source: UxTheme.dll.6.dr Static PE information: section name: .ktl
Source: UxTheme.dll.6.dr Static PE information: section name: .crcn
Source: UxTheme.dll.6.dr Static PE information: section name: .wtfr
Source: UxTheme.dll.6.dr Static PE information: section name: .hep
Source: UxTheme.dll.6.dr Static PE information: section name: .ywg
Source: UxTheme.dll.6.dr Static PE information: section name: .sqsp
Source: UxTheme.dll.6.dr Static PE information: section name: .gzb
Source: UxTheme.dll.6.dr Static PE information: section name: .fatlss
Source: UxTheme.dll.6.dr Static PE information: section name: .plqa
Source: UxTheme.dll.6.dr Static PE information: section name: .vzt
Source: UxTheme.dll.6.dr Static PE information: section name: .dsbyd
Source: UxTheme.dll.6.dr Static PE information: section name: .cdelc
Source: UxTheme.dll.6.dr Static PE information: section name: .qkhkj
Source: UxTheme.dll.6.dr Static PE information: section name: .mnzegr
Source: UxTheme.dll.6.dr Static PE information: section name: .krw
Source: UxTheme.dll.6.dr Static PE information: section name: .jvsmn
Source: UxTheme.dll.6.dr Static PE information: section name: .bygpq
Source: UxTheme.dll.6.dr Static PE information: section name: .kzdbu
Source: UxTheme.dll.6.dr Static PE information: section name: .mwxorn
Source: UxTheme.dll.6.dr Static PE information: section name: .raf
Source: UxTheme.dll.6.dr Static PE information: section name: .zcyw
Source: UxTheme.dll.6.dr Static PE information: section name: .zeczh
Source: UxTheme.dll.6.dr Static PE information: section name: .pvv
Source: UxTheme.dll.6.dr Static PE information: section name: .lug
Source: UxTheme.dll.6.dr Static PE information: section name: .ski
Source: UxTheme.dll.6.dr Static PE information: section name: .japjd
Source: UxTheme.dll.6.dr Static PE information: section name: .mwtzml
Source: UxTheme.dll.6.dr Static PE information: section name: .vgssf
Source: UxTheme.dll.6.dr Static PE information: section name: .gsroye
Source: UxTheme.dll.6.dr Static PE information: section name: .vcmr
Source: UxTheme.dll.6.dr Static PE information: section name: .kvjqnl
Source: UxTheme.dll.6.dr Static PE information: section name: .zlu
Source: UxTheme.dll.6.dr Static PE information: section name: .nrcvk
Source: UxTheme.dll.6.dr Static PE information: section name: .pfz
Source: UxTheme.dll.6.dr Static PE information: section name: .hxz
Source: UxTheme.dll.6.dr Static PE information: section name: .snjrs
Source: UxTheme.dll.6.dr Static PE information: section name: .bffts
Source: UxTheme.dll.6.dr Static PE information: section name: .gknvh
Source: UxTheme.dll.6.dr Static PE information: section name: .mifiod
Source: UxTheme.dll.6.dr Static PE information: section name: .whmsy
Source: UxTheme.dll.6.dr Static PE information: section name: .wtuzur
Source: UxTheme.dll.6.dr Static PE information: section name: .lwtn
Source: UxTheme.dll.6.dr Static PE information: section name: .kuh
Source: UxTheme.dll.6.dr Static PE information: section name: .gwvj
Source: VERSION.dll.6.dr Static PE information: section name: .vxl
Source: VERSION.dll.6.dr Static PE information: section name: .qwubgr
Source: VERSION.dll.6.dr Static PE information: section name: .eer
Source: VERSION.dll.6.dr Static PE information: section name: .xwwauf
Source: VERSION.dll.6.dr Static PE information: section name: .pkc
Source: VERSION.dll.6.dr Static PE information: section name: .npkda
Source: VERSION.dll.6.dr Static PE information: section name: .vhs
Source: VERSION.dll.6.dr Static PE information: section name: .iaywj
Source: VERSION.dll.6.dr Static PE information: section name: .nasi
Source: VERSION.dll.6.dr Static PE information: section name: .zhvprh
Source: VERSION.dll.6.dr Static PE information: section name: .yatdsp
Source: VERSION.dll.6.dr Static PE information: section name: .njso
Source: VERSION.dll.6.dr Static PE information: section name: .lgliat
Source: VERSION.dll.6.dr Static PE information: section name: .ntqjh
Source: VERSION.dll.6.dr Static PE information: section name: .sucsek
Source: VERSION.dll.6.dr Static PE information: section name: .qsxjui
Source: VERSION.dll.6.dr Static PE information: section name: .twctcm
Source: VERSION.dll.6.dr Static PE information: section name: .nms
Source: VERSION.dll.6.dr Static PE information: section name: .ogj
Source: VERSION.dll.6.dr Static PE information: section name: .vrkgb
Source: VERSION.dll.6.dr Static PE information: section name: .gikfw
Source: VERSION.dll.6.dr Static PE information: section name: .ktl
Source: VERSION.dll.6.dr Static PE information: section name: .crcn
Source: VERSION.dll.6.dr Static PE information: section name: .wtfr
Source: VERSION.dll.6.dr Static PE information: section name: .hep
Source: VERSION.dll.6.dr Static PE information: section name: .ywg
Source: VERSION.dll.6.dr Static PE information: section name: .sqsp
Source: VERSION.dll.6.dr Static PE information: section name: .gzb
Source: VERSION.dll.6.dr Static PE information: section name: .fatlss
Source: VERSION.dll.6.dr Static PE information: section name: .plqa
Source: VERSION.dll.6.dr Static PE information: section name: .vzt
Source: VERSION.dll.6.dr Static PE information: section name: .dsbyd
Source: VERSION.dll.6.dr Static PE information: section name: .cdelc
Source: VERSION.dll.6.dr Static PE information: section name: .qkhkj
Source: VERSION.dll.6.dr Static PE information: section name: .mnzegr
Source: VERSION.dll.6.dr Static PE information: section name: .krw
Source: VERSION.dll.6.dr Static PE information: section name: .jvsmn
Source: VERSION.dll.6.dr Static PE information: section name: .bygpq
Source: VERSION.dll.6.dr Static PE information: section name: .kzdbu
Source: VERSION.dll.6.dr Static PE information: section name: .mwxorn
Source: VERSION.dll.6.dr Static PE information: section name: .raf
Source: VERSION.dll.6.dr Static PE information: section name: .zcyw
Source: VERSION.dll.6.dr Static PE information: section name: .zeczh
Source: VERSION.dll.6.dr Static PE information: section name: .pvv
Source: VERSION.dll.6.dr Static PE information: section name: .lug
Source: VERSION.dll.6.dr Static PE information: section name: .ski
Source: VERSION.dll.6.dr Static PE information: section name: .japjd
Source: VERSION.dll.6.dr Static PE information: section name: .mwtzml
Source: VERSION.dll.6.dr Static PE information: section name: .vgssf
Source: VERSION.dll.6.dr Static PE information: section name: .gsroye
Source: VERSION.dll.6.dr Static PE information: section name: .vcmr
Source: VERSION.dll.6.dr Static PE information: section name: .kvjqnl
Source: VERSION.dll.6.dr Static PE information: section name: .zlu
Source: VERSION.dll.6.dr Static PE information: section name: .nrcvk
Source: VERSION.dll.6.dr Static PE information: section name: .pfz
Source: VERSION.dll.6.dr Static PE information: section name: .hxz
Source: VERSION.dll.6.dr Static PE information: section name: .snjrs
Source: VERSION.dll.6.dr Static PE information: section name: .bffts
Source: VERSION.dll.6.dr Static PE information: section name: .gknvh
Source: VERSION.dll.6.dr Static PE information: section name: .mifiod
Source: VERSION.dll.6.dr Static PE information: section name: .whmsy
Source: VERSION.dll.6.dr Static PE information: section name: .wtuzur
Source: VERSION.dll.6.dr Static PE information: section name: .lwtn
Source: VERSION.dll.6.dr Static PE information: section name: .kuh
Source: VERSION.dll.6.dr Static PE information: section name: .dgn
Source: XmlLite.dll.6.dr Static PE information: section name: .vxl
Source: XmlLite.dll.6.dr Static PE information: section name: .qwubgr
Source: XmlLite.dll.6.dr Static PE information: section name: .eer
Source: XmlLite.dll.6.dr Static PE information: section name: .xwwauf
Source: XmlLite.dll.6.dr Static PE information: section name: .pkc
Source: XmlLite.dll.6.dr Static PE information: section name: .npkda
Source: XmlLite.dll.6.dr Static PE information: section name: .vhs
Source: XmlLite.dll.6.dr Static PE information: section name: .iaywj
Source: XmlLite.dll.6.dr Static PE information: section name: .nasi
Source: XmlLite.dll.6.dr Static PE information: section name: .zhvprh
Source: XmlLite.dll.6.dr Static PE information: section name: .yatdsp
Source: XmlLite.dll.6.dr Static PE information: section name: .njso
Source: XmlLite.dll.6.dr Static PE information: section name: .lgliat
Source: XmlLite.dll.6.dr Static PE information: section name: .ntqjh
Source: XmlLite.dll.6.dr Static PE information: section name: .sucsek
Source: XmlLite.dll.6.dr Static PE information: section name: .qsxjui
Source: XmlLite.dll.6.dr Static PE information: section name: .twctcm
Source: XmlLite.dll.6.dr Static PE information: section name: .nms
Source: XmlLite.dll.6.dr Static PE information: section name: .ogj
Source: XmlLite.dll.6.dr Static PE information: section name: .vrkgb
Source: XmlLite.dll.6.dr Static PE information: section name: .gikfw
Source: XmlLite.dll.6.dr Static PE information: section name: .ktl
Source: XmlLite.dll.6.dr Static PE information: section name: .crcn
Source: XmlLite.dll.6.dr Static PE information: section name: .wtfr
Source: XmlLite.dll.6.dr Static PE information: section name: .hep
Source: XmlLite.dll.6.dr Static PE information: section name: .ywg
Source: XmlLite.dll.6.dr Static PE information: section name: .sqsp
Source: XmlLite.dll.6.dr Static PE information: section name: .gzb
Source: XmlLite.dll.6.dr Static PE information: section name: .fatlss
Source: XmlLite.dll.6.dr Static PE information: section name: .plqa
Source: XmlLite.dll.6.dr Static PE information: section name: .vzt
Source: XmlLite.dll.6.dr Static PE information: section name: .dsbyd
Source: XmlLite.dll.6.dr Static PE information: section name: .cdelc
Source: XmlLite.dll.6.dr Static PE information: section name: .qkhkj
Source: XmlLite.dll.6.dr Static PE information: section name: .mnzegr
Source: XmlLite.dll.6.dr Static PE information: section name: .krw
Source: XmlLite.dll.6.dr Static PE information: section name: .jvsmn
Source: XmlLite.dll.6.dr Static PE information: section name: .bygpq
Source: XmlLite.dll.6.dr Static PE information: section name: .kzdbu
Source: XmlLite.dll.6.dr Static PE information: section name: .mwxorn
Source: XmlLite.dll.6.dr Static PE information: section name: .raf
Source: XmlLite.dll.6.dr Static PE information: section name: .zcyw
Source: XmlLite.dll.6.dr Static PE information: section name: .zeczh
Source: XmlLite.dll.6.dr Static PE information: section name: .pvv
Source: XmlLite.dll.6.dr Static PE information: section name: .lug
Source: XmlLite.dll.6.dr Static PE information: section name: .ski
Source: XmlLite.dll.6.dr Static PE information: section name: .japjd
Source: XmlLite.dll.6.dr Static PE information: section name: .mwtzml
Source: XmlLite.dll.6.dr Static PE information: section name: .vgssf
Source: XmlLite.dll.6.dr Static PE information: section name: .gsroye
Source: XmlLite.dll.6.dr Static PE information: section name: .vcmr
Source: XmlLite.dll.6.dr Static PE information: section name: .kvjqnl
Source: XmlLite.dll.6.dr Static PE information: section name: .zlu
Source: XmlLite.dll.6.dr Static PE information: section name: .nrcvk
Source: XmlLite.dll.6.dr Static PE information: section name: .pfz
Source: XmlLite.dll.6.dr Static PE information: section name: .hxz
Source: XmlLite.dll.6.dr Static PE information: section name: .snjrs
Source: XmlLite.dll.6.dr Static PE information: section name: .bffts
Source: XmlLite.dll.6.dr Static PE information: section name: .gknvh
Source: XmlLite.dll.6.dr Static PE information: section name: .mifiod
Source: XmlLite.dll.6.dr Static PE information: section name: .whmsy
Source: XmlLite.dll.6.dr Static PE information: section name: .wtuzur
Source: XmlLite.dll.6.dr Static PE information: section name: .lwtn
Source: XmlLite.dll.6.dr Static PE information: section name: .kuh
Source: XmlLite.dll.6.dr Static PE information: section name: .hmklaw
Source: SYSDM.CPL0.6.dr Static PE information: section name: .vxl
Source: SYSDM.CPL0.6.dr Static PE information: section name: .qwubgr
Source: SYSDM.CPL0.6.dr Static PE information: section name: .eer
Source: SYSDM.CPL0.6.dr Static PE information: section name: .xwwauf
Source: SYSDM.CPL0.6.dr Static PE information: section name: .pkc
Source: SYSDM.CPL0.6.dr Static PE information: section name: .npkda
Source: SYSDM.CPL0.6.dr Static PE information: section name: .vhs
Source: SYSDM.CPL0.6.dr Static PE information: section name: .iaywj
Source: SYSDM.CPL0.6.dr Static PE information: section name: .nasi
Source: SYSDM.CPL0.6.dr Static PE information: section name: .zhvprh
Source: SYSDM.CPL0.6.dr Static PE information: section name: .yatdsp
Source: SYSDM.CPL0.6.dr Static PE information: section name: .njso
Source: SYSDM.CPL0.6.dr Static PE information: section name: .lgliat
Source: SYSDM.CPL0.6.dr Static PE information: section name: .ntqjh
Source: SYSDM.CPL0.6.dr Static PE information: section name: .sucsek
Source: SYSDM.CPL0.6.dr Static PE information: section name: .qsxjui
Source: SYSDM.CPL0.6.dr Static PE information: section name: .twctcm
Source: SYSDM.CPL0.6.dr Static PE information: section name: .nms
Source: SYSDM.CPL0.6.dr Static PE information: section name: .ogj
Source: SYSDM.CPL0.6.dr Static PE information: section name: .vrkgb
Source: SYSDM.CPL0.6.dr Static PE information: section name: .gikfw
Source: SYSDM.CPL0.6.dr Static PE information: section name: .ktl
Source: SYSDM.CPL0.6.dr Static PE information: section name: .crcn
Source: SYSDM.CPL0.6.dr Static PE information: section name: .wtfr
Source: SYSDM.CPL0.6.dr Static PE information: section name: .hep
Source: SYSDM.CPL0.6.dr Static PE information: section name: .ywg
Source: SYSDM.CPL0.6.dr Static PE information: section name: .sqsp
Source: SYSDM.CPL0.6.dr Static PE information: section name: .gzb
Source: SYSDM.CPL0.6.dr Static PE information: section name: .fatlss
Source: SYSDM.CPL0.6.dr Static PE information: section name: .plqa
Source: SYSDM.CPL0.6.dr Static PE information: section name: .vzt
Source: SYSDM.CPL0.6.dr Static PE information: section name: .dsbyd
Source: SYSDM.CPL0.6.dr Static PE information: section name: .cdelc
Source: SYSDM.CPL0.6.dr Static PE information: section name: .qkhkj
Source: SYSDM.CPL0.6.dr Static PE information: section name: .mnzegr
Source: SYSDM.CPL0.6.dr Static PE information: section name: .krw
Source: SYSDM.CPL0.6.dr Static PE information: section name: .jvsmn
Source: SYSDM.CPL0.6.dr Static PE information: section name: .bygpq
Source: SYSDM.CPL0.6.dr Static PE information: section name: .kzdbu
Source: SYSDM.CPL0.6.dr Static PE information: section name: .mwxorn
Source: SYSDM.CPL0.6.dr Static PE information: section name: .raf
Source: SYSDM.CPL0.6.dr Static PE information: section name: .zcyw
Source: SYSDM.CPL0.6.dr Static PE information: section name: .zeczh
Source: SYSDM.CPL0.6.dr Static PE information: section name: .pvv
Source: SYSDM.CPL0.6.dr Static PE information: section name: .lug
Source: SYSDM.CPL0.6.dr Static PE information: section name: .ski
Source: SYSDM.CPL0.6.dr Static PE information: section name: .japjd
Source: SYSDM.CPL0.6.dr Static PE information: section name: .mwtzml
Source: SYSDM.CPL0.6.dr Static PE information: section name: .vgssf
Source: SYSDM.CPL0.6.dr Static PE information: section name: .gsroye
Source: SYSDM.CPL0.6.dr Static PE information: section name: .vcmr
Source: SYSDM.CPL0.6.dr Static PE information: section name: .kvjqnl
Source: SYSDM.CPL0.6.dr Static PE information: section name: .zlu
Source: SYSDM.CPL0.6.dr Static PE information: section name: .nrcvk
Source: SYSDM.CPL0.6.dr Static PE information: section name: .pfz
Source: SYSDM.CPL0.6.dr Static PE information: section name: .hxz
Source: SYSDM.CPL0.6.dr Static PE information: section name: .snjrs
Source: SYSDM.CPL0.6.dr Static PE information: section name: .bffts
Source: SYSDM.CPL0.6.dr Static PE information: section name: .gknvh
Source: SYSDM.CPL0.6.dr Static PE information: section name: .mifiod
Source: SYSDM.CPL0.6.dr Static PE information: section name: .whmsy
Source: SYSDM.CPL0.6.dr Static PE information: section name: .wtuzur
Source: SYSDM.CPL0.6.dr Static PE information: section name: .lwtn
Source: SYSDM.CPL0.6.dr Static PE information: section name: .kuh
Source: SYSDM.CPL0.6.dr Static PE information: section name: .azm
Source: WTSAPI32.dll.6.dr Static PE information: section name: .vxl
Source: WTSAPI32.dll.6.dr Static PE information: section name: .qwubgr
Source: WTSAPI32.dll.6.dr Static PE information: section name: .eer
Source: WTSAPI32.dll.6.dr Static PE information: section name: .xwwauf
Source: WTSAPI32.dll.6.dr Static PE information: section name: .pkc
Source: WTSAPI32.dll.6.dr Static PE information: section name: .npkda
Source: WTSAPI32.dll.6.dr Static PE information: section name: .vhs
Source: WTSAPI32.dll.6.dr Static PE information: section name: .iaywj
Source: WTSAPI32.dll.6.dr Static PE information: section name: .nasi
Source: WTSAPI32.dll.6.dr Static PE information: section name: .zhvprh
Source: WTSAPI32.dll.6.dr Static PE information: section name: .yatdsp
Source: WTSAPI32.dll.6.dr Static PE information: section name: .njso
Source: WTSAPI32.dll.6.dr Static PE information: section name: .lgliat
Source: WTSAPI32.dll.6.dr Static PE information: section name: .ntqjh
Source: WTSAPI32.dll.6.dr Static PE information: section name: .sucsek
Source: WTSAPI32.dll.6.dr Static PE information: section name: .qsxjui
Source: WTSAPI32.dll.6.dr Static PE information: section name: .twctcm
Source: WTSAPI32.dll.6.dr Static PE information: section name: .nms
Source: WTSAPI32.dll.6.dr Static PE information: section name: .ogj
Source: WTSAPI32.dll.6.dr Static PE information: section name: .vrkgb
Source: WTSAPI32.dll.6.dr Static PE information: section name: .gikfw
Source: WTSAPI32.dll.6.dr Static PE information: section name: .ktl
Source: WTSAPI32.dll.6.dr Static PE information: section name: .crcn
Source: WTSAPI32.dll.6.dr Static PE information: section name: .wtfr
Source: WTSAPI32.dll.6.dr Static PE information: section name: .hep
Source: WTSAPI32.dll.6.dr Static PE information: section name: .ywg
Source: WTSAPI32.dll.6.dr Static PE information: section name: .sqsp
Source: WTSAPI32.dll.6.dr Static PE information: section name: .gzb
Source: WTSAPI32.dll.6.dr Static PE information: section name: .fatlss
Source: WTSAPI32.dll.6.dr Static PE information: section name: .plqa
Source: WTSAPI32.dll.6.dr Static PE information: section name: .vzt
Source: WTSAPI32.dll.6.dr Static PE information: section name: .dsbyd
Source: WTSAPI32.dll.6.dr Static PE information: section name: .cdelc
Source: WTSAPI32.dll.6.dr Static PE information: section name: .qkhkj
Source: WTSAPI32.dll.6.dr Static PE information: section name: .mnzegr
Source: WTSAPI32.dll.6.dr Static PE information: section name: .krw
Source: WTSAPI32.dll.6.dr Static PE information: section name: .jvsmn
Source: WTSAPI32.dll.6.dr Static PE information: section name: .bygpq
Source: WTSAPI32.dll.6.dr Static PE information: section name: .kzdbu
Source: WTSAPI32.dll.6.dr Static PE information: section name: .mwxorn
Source: WTSAPI32.dll.6.dr Static PE information: section name: .raf
Source: WTSAPI32.dll.6.dr Static PE information: section name: .zcyw
Source: WTSAPI32.dll.6.dr Static PE information: section name: .zeczh
Source: WTSAPI32.dll.6.dr Static PE information: section name: .pvv
Source: WTSAPI32.dll.6.dr Static PE information: section name: .lug
Source: WTSAPI32.dll.6.dr Static PE information: section name: .ski
Source: WTSAPI32.dll.6.dr Static PE information: section name: .japjd
Source: WTSAPI32.dll.6.dr Static PE information: section name: .mwtzml
Source: WTSAPI32.dll.6.dr Static PE information: section name: .vgssf
Source: WTSAPI32.dll.6.dr Static PE information: section name: .gsroye
Source: WTSAPI32.dll.6.dr Static PE information: section name: .vcmr
Source: WTSAPI32.dll.6.dr Static PE information: section name: .kvjqnl
Source: WTSAPI32.dll.6.dr Static PE information: section name: .zlu
Source: WTSAPI32.dll.6.dr Static PE information: section name: .nrcvk
Source: WTSAPI32.dll.6.dr Static PE information: section name: .pfz
Source: WTSAPI32.dll.6.dr Static PE information: section name: .hxz
Source: WTSAPI32.dll.6.dr Static PE information: section name: .snjrs
Source: WTSAPI32.dll.6.dr Static PE information: section name: .bffts
Source: WTSAPI32.dll.6.dr Static PE information: section name: .gknvh
Source: WTSAPI32.dll.6.dr Static PE information: section name: .mifiod
Source: WTSAPI32.dll.6.dr Static PE information: section name: .whmsy
Source: WTSAPI32.dll.6.dr Static PE information: section name: .wtuzur
Source: WTSAPI32.dll.6.dr Static PE information: section name: .lwtn
Source: WTSAPI32.dll.6.dr Static PE information: section name: .kuh
Source: WTSAPI32.dll.6.dr Static PE information: section name: .wdajq
Source: newdev.dll.6.dr Static PE information: section name: .vxl
Source: newdev.dll.6.dr Static PE information: section name: .qwubgr
Source: newdev.dll.6.dr Static PE information: section name: .eer
Source: newdev.dll.6.dr Static PE information: section name: .xwwauf
Source: newdev.dll.6.dr Static PE information: section name: .pkc
Source: newdev.dll.6.dr Static PE information: section name: .npkda
Source: newdev.dll.6.dr Static PE information: section name: .vhs
Source: newdev.dll.6.dr Static PE information: section name: .iaywj
Source: newdev.dll.6.dr Static PE information: section name: .nasi
Source: newdev.dll.6.dr Static PE information: section name: .zhvprh
Source: newdev.dll.6.dr Static PE information: section name: .yatdsp
Source: newdev.dll.6.dr Static PE information: section name: .njso
Source: newdev.dll.6.dr Static PE information: section name: .lgliat
Source: newdev.dll.6.dr Static PE information: section name: .ntqjh
Source: newdev.dll.6.dr Static PE information: section name: .sucsek
Source: newdev.dll.6.dr Static PE information: section name: .qsxjui
Source: newdev.dll.6.dr Static PE information: section name: .twctcm
Source: newdev.dll.6.dr Static PE information: section name: .nms
Source: newdev.dll.6.dr Static PE information: section name: .ogj
Source: newdev.dll.6.dr Static PE information: section name: .vrkgb
Source: newdev.dll.6.dr Static PE information: section name: .gikfw
Source: newdev.dll.6.dr Static PE information: section name: .ktl
Source: newdev.dll.6.dr Static PE information: section name: .crcn
Source: newdev.dll.6.dr Static PE information: section name: .wtfr
Source: newdev.dll.6.dr Static PE information: section name: .hep
Source: newdev.dll.6.dr Static PE information: section name: .ywg
Source: newdev.dll.6.dr Static PE information: section name: .sqsp
Source: newdev.dll.6.dr Static PE information: section name: .gzb
Source: newdev.dll.6.dr Static PE information: section name: .fatlss
Source: newdev.dll.6.dr Static PE information: section name: .plqa
Source: newdev.dll.6.dr Static PE information: section name: .vzt
Source: newdev.dll.6.dr Static PE information: section name: .dsbyd
Source: newdev.dll.6.dr Static PE information: section name: .cdelc
Source: newdev.dll.6.dr Static PE information: section name: .qkhkj
Source: newdev.dll.6.dr Static PE information: section name: .mnzegr
Source: newdev.dll.6.dr Static PE information: section name: .krw
Source: newdev.dll.6.dr Static PE information: section name: .jvsmn
Source: newdev.dll.6.dr Static PE information: section name: .bygpq
Source: C:\Users\user\AppData\Local\xwE\wextract.exe Code function: 25_2_00007FF78E554664 LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetTempPathA,CharPrevA,CharPrevA,FreeLibrary,FreeLibrary, 25_2_00007FF78E554664
Source: SystemPropertiesAdvanced.exe.6.dr Static PE information: COFF TimeDateStamp 0xB26F15BA [Tue Nov 11 10:21:46 2064 UTC], a date in the future relative to the analysis. Caveat: if this dropped file is an unmodified copy of the signed Microsoft binary of the same name (the report does not verify this), a nonsensical timestamp is expected rather than suspicious, because Microsoft has built Windows system binaries reproducibly since Windows 10 and fills the field with a hash instead of a build time; verify the Authenticode signature and compare the hash with the copy in System32 before treating the timestamp as an indicator on its own.
Source: initial sample Static PE information: section name: .text entropy: 7.78392111205
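The three static observations above (section names that no linker would emit, a timestamp out of range, and a .text section with entropy near 8 bits per byte) can be reproduced with a short check. The block below is an added example, not part of the sandbox report or of Joe Sandbox: it parses the COFF header and section table with the standard library only, builds a constructed PE32+ image in-line (it is not the Dridex sample), and flags the three indicators. The list of standard section names, the 7.0 entropy threshold and the assumed analysis time are assumptions made for the example.

```python
"""Static PE triage: non-standard section names, section entropy, TimeDateStamp.
Added example (stdlib only); the PE it inspects is constructed below."""
import datetime
import hashlib
import math
import struct

# Names a normal MSVC/mingw link emits (assumed list; extend per toolchain).
STANDARD_SECTIONS = {".text", ".rdata", ".data", ".pdata", ".rsrc", ".reloc",
                     ".idata", ".edata", ".tls", ".bss", ".CRT", ".xdata", ".didat"}
HIGH_ENTROPY = 7.0     # bits/byte; packed or encrypted code is usually above this (heuristic)


def shannon_entropy(data):
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def parse_pe(pe):
    """Return (TimeDateStamp, [section dicts]) from the COFF header and section table."""
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    _, nsec, tstamp, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", pe, e_lfanew + 4)
    sec_off = e_lfanew + 4 + 20 + opt_size          # signature + COFF header + optional header
    sections = []
    for k in range(nsec):
        name, _vsize, _va, raw_size, raw_ptr = struct.unpack_from("<8sIIII", pe, sec_off + 40 * k)
        data = pe[raw_ptr:raw_ptr + raw_size]
        sections.append({"name": name.rstrip(b"\0").decode("latin-1"),
                         "raw_size": raw_size, "entropy": shannon_entropy(data)})
    return tstamp, sections


def iso_utc(unix_seconds):
    epoch = datetime.datetime(1970, 1, 1, tzinfo=datetime.timezone.utc)
    return (epoch + datetime.timedelta(seconds=unix_seconds)).isoformat()


def triage(pe, now):
    """Flag the three indicators; `now` is the analysis time as Unix seconds."""
    tstamp, sections = parse_pe(pe)
    return {
        "timestamp": iso_utc(tstamp),
        "future_timestamp": tstamp > now,
        "nonstandard_sections": [s["name"] for s in sections if s["name"] not in STANDARD_SECTIONS],
        "high_entropy_sections": [s["name"] for s in sections
                                  if s["raw_size"] >= 256 and s["entropy"] > HIGH_ENTROPY],
    }


# ---- constructed sample: a minimal PE32+ image, not the analysed Dridex file ----
def pseudo_random(n, seed=b"constructed-sample"):
    """Deterministic high-entropy filler (SHA-256 chain) standing in for packed code."""
    out, h = b"", seed
    while len(out) < n:
        h = hashlib.sha256(h).digest()
        out += h
    return out[:n]


def build_pe(sections, timestamp):
    """sections: list of (name, raw bytes). Headers are minimal but parseable."""
    opt_size = 0xF0                                   # PE32+ optional header size
    hdr_len = 0x40 + 4 + 20 + opt_size + 40 * len(sections)
    raw_base = (hdr_len + 0x1FF) & ~0x1FF             # first raw-data offset (512-aligned)
    sec_hdrs, body, va = b"", b"", 0x1000
    for name, data in sections:
        sec_hdrs += struct.pack("<8sIIIIIIHHI", name.encode(), len(data), va,
                                len(data), raw_base + len(body), 0, 0, 0, 0, 0x60000020)
        body += data.ljust((len(data) + 0x1FF) & ~0x1FF, b"\0")
        va += (len(data) + 0xFFF) & ~0xFFF
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", 0x40)   # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x8664, len(sections), timestamp, 0, 0, opt_size, 0x2022)
    opt = struct.pack("<H", 0x20B) + b"\0" * (opt_size - 2)       # PE32+ magic, rest zeroed
    return (dos + b"PE\0\0" + coff + opt + sec_hdrs).ljust(raw_base, b"\0") + body


SAMPLE_PE = build_pe([(".text", pseudo_random(4096)),      # packed-looking code
                      (".rdata", b"A" * 512),              # plain, low entropy
                      (".japjd", b"\0" * 1024)],           # random-looking name from the report
                     0xB26F15BA)                           # timestamp quoted in the report
ANALYSIS_TIME = 1_647_000_000                              # assumed: March 2022, Unix seconds

if __name__ == "__main__":
    for key, value in triage(SAMPLE_PE, ANALYSIS_TIME).items():
        print(f"{key}: {value}")
```

Each check is a heuristic on its own: a high-entropy .text also appears in legitimately packed or compressed installers, and a bad timestamp is normal for reproducible Microsoft builds, so the value is in the combination with the unpacked-file YARA hit and the behaviour the rest of the report records.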
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\pUTm\SYSDM.CPL Jump to dropped file
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\lcdNfR\SYSDM.CPL Jump to dropped file
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\xwE\VERSION.dll Jump to dropped file
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\tivYqgA\InfDefaultInstall.exe Jump to dropped file
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\USNBng\WTSAPI32.dll Jump to dropped file
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\KGg\VERSION.dll Jump to dropped file
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\SUX56B\FileHistory.exe Jump to dropped file
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\pUTm\SYSDM.CPL Jump to dropped file
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\pUTm\SystemPropertiesAdvanced.exe Jump to dropped file
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\lcdNfR\SYSDM.CPL Jump to dropped file
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\4gdyz\XmlLite.dll Jump to dropped file
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\E4DREUfrP\VERSION.dll Jump to dropped file
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\KGg\iexpress.exe Jump to dropped file
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\JvUQhw\MusNotificationUx.exe Jump to dropped file
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\xwE\wextract.exe Jump to dropped file
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\SUX56B\UxTheme.dll Jump to dropped file
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\lcdNfR\SystemPropertiesComputerName.exe Jump to dropped file
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\USNBng\MDMAppInstaller.exe Jump to dropped file
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\E4DREUfrP\iexpress.exe Jump to dropped file
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\tivYqgA\newdev.dll Jump to dropped file
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\JvUQhw\XmlLite.dll Jump to dropped file
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\4gdyz\sppsvc.exe Jump to dropped file
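The file-creation list above is the layout of DLL side-loading: a copy of a Windows executable written into a fresh directory under %LOCALAPPDATA% together with a DLL (or CPL) carrying the name of a system library. The check below is an added example, not part of the report; it parses "File created" lines, groups the paths by directory and flags directories that pair an EXE with a system-library-named DLL under a user-writable path. The library-name set is assumed from the names in this report (in practice compare against a listing of %SystemRoot%\System32), and the events it runs over are a subset copied from the list above plus one constructed benign line for contrast.

```python
"""Flag DLL side-loading drop directories in sandbox 'File created' events.
Added example; the event text is copied from the report plus one constructed line."""
import re
from collections import defaultdict
from ntpath import basename, dirname     # ntpath parses Windows paths on any host OS

# Library names seen in this report (assumed set; production code should compare
# against an actual System32 directory listing instead).
SYSTEM_LIBRARY_NAMES = {"version.dll", "wtsapi32.dll", "uxtheme.dll",
                        "xmllite.dll", "newdev.dll", "sysdm.cpl"}
USER_WRITABLE_MARKERS = ("\\appdata\\local\\", "\\appdata\\roaming\\",
                         "\\temp\\", "\\public\\")
FILE_CREATED = re.compile(r"File created: (\S+)")


def parse_created_paths(report_text):
    """Yield the path from every 'File created:' line (duplicates kept here)."""
    for line in report_text.splitlines():
        m = FILE_CREATED.search(line)
        if m:
            yield m.group(1)


def find_sideload_dirs(paths):
    """Return {directory: {'exe': [...], 'libs': [...]}} for user-writable directories
    that hold at least one .exe next to a .dll/.cpl named after a system library."""
    by_dir = defaultdict(set)
    for p in paths:
        by_dir[dirname(p)].add(basename(p))          # set: repeated creations collapse
    flagged = {}
    for d, names in by_dir.items():
        if not any(m in d.lower() + "\\" for m in USER_WRITABLE_MARKERS):
            continue
        exes = sorted(n for n in names if n.lower().endswith(".exe"))
        libs = sorted(n for n in names if n.lower() in SYSTEM_LIBRARY_NAMES)
        if exes and libs:
            flagged[d] = {"exe": exes, "libs": libs}
    return flagged


# Nine lines copied from the report's list (note the repeated SYSDM.CPL event) and,
# last, one constructed benign event that must not be flagged.
SAMPLE_EVENTS = r"""
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\pUTm\SYSDM.CPL Jump to dropped file
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\pUTm\SystemPropertiesAdvanced.exe Jump to dropped file
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\pUTm\SYSDM.CPL Jump to dropped file
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\xwE\VERSION.dll Jump to dropped file
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\xwE\wextract.exe Jump to dropped file
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\tivYqgA\InfDefaultInstall.exe Jump to dropped file
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\tivYqgA\newdev.dll Jump to dropped file
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\SUX56B\FileHistory.exe Jump to dropped file
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\SUX56B\UxTheme.dll Jump to dropped file
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\Temp\notes.txt Jump to dropped file
"""

if __name__ == "__main__":
    for d, hit in find_sideload_dirs(parse_created_paths(SAMPLE_EVENTS)).items():
        print(d, "->", hit["exe"], "+", hit["libs"])
```

A flagged directory is confirmed by hashing the dropped EXE against the same-named file in %SystemRoot%\System32 (an identical hash means a legitimate, normally signed, host binary) and inspecting the DLL beside it, which in this layout is the file expected to carry the payload; the random section names the report lists for WTSAPI32.dll and newdev.dll point the same way.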
Source: C:\Users\user\AppData\Local\E4DREUfrP\iexpress.exe Code function: 23_2_00007FF700CD3AEC CompareStringA,GetPrivateProfileStringA,CompareStringA,CompareStringA,toupper,strchr,strchr,LocalAlloc,CompareStringA,CompareStringA,CompareStringA,CompareStringA,CompareStringA,CompareStringA,toupper,LocalAlloc,LocalAlloc,LocalAlloc,LocalFree,LocalFree,LocalFree,LocalFree,LocalAlloc,LocalFree,memcpy_s,LocalFree, 23_2_00007FF700CD3AEC
Source: C:\Users\user\AppData\Local\E4DREUfrP\iexpress.exe Code function: 23_2_00007FF700CD30D8 GetPrivateProfileStringA,LocalAlloc, 23_2_00007FF700CD30D8
Source: C:\Users\user\AppData\Local\E4DREUfrP\iexpress.exe Code function: 23_2_00007FF700CD6C64 GetFileAttributesA,SetFileAttributesA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileSectionA,GetPrivateProfileStringA,SetFileAttributesA, 23_2_00007FF700CD6C64
Source: C:\Users\user\AppData\Local\E4DREUfrP\iexpress.exe Code function: 23_2_00007FF700CDD620 GetPrivateProfileStringA, 23_2_00007FF700CDD620
Source: C:\Users\user\AppData\Local\E4DREUfrP\iexpress.exe Code function: 23_2_00007FF700CD3440 WritePrivateProfileStringA,WritePrivateProfileStringA,WritePrivateProfileStringA,WritePrivateProfileStringA,WritePrivateProfileStringA,_itoa_s,WritePrivateProfileStringA,_itoa_s,WritePrivateProfileStringA,_itoa_s,WritePrivateProfileStringA,_itoa_s,WritePrivateProfileStringA,_itoa_s,WritePrivateProfileStringA,WritePrivateProfileStringA,WritePrivateProfileStringA,GetPrivateProfileStringA,lstrcmpiA,WritePrivateProfileStringA,LocalAlloc,GetPrivateProfileStringA,LocalFree,GetPrivateProfileStringA,WritePrivateProfileStringA,LocalFree, 23_2_00007FF700CD3440
Source: C:\Users\user\AppData\Local\xwE\wextract.exe Code function: 25_2_00007FF78E5515C8 CompareStringA,GetFileAttributesA,LocalAlloc,GetPrivateProfileIntA,GetPrivateProfileStringA,GetShortPathNameA,CompareStringA,LocalAlloc,LocalAlloc,GetFileAttributesA, 25_2_00007FF78E5515C8
Source: C:\Windows\explorer.exe Registry key monitored for changes: HKEY_CURRENT_USER_Classes Jump to behavior
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\SUX56B\FileHistory.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\SUX56B\FileHistory.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\SUX56B\FileHistory.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\SUX56B\FileHistory.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\SUX56B\FileHistory.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\SUX56B\FileHistory.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\SUX56B\FileHistory.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\SUX56B\FileHistory.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\SUX56B\FileHistory.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\SUX56B\FileHistory.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\SUX56B\FileHistory.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\SUX56B\FileHistory.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe TID: 6556 Thread sleep count: 68 > 30 Jump to behavior
Source: C:\Users\user\AppData\Local\USNBng\MDMAppInstaller.exe Last function: Thread delayed
Source: C:\Windows\explorer.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\JvUQhw\MusNotificationUx.exe Jump to dropped file
Source: C:\Windows\explorer.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\tivYqgA\newdev.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\xwE\wextract.exe Check user administrative privileges: GetTokenInformation,DecisionNodes
Source: C:\Users\user\AppData\Local\USNBng\MDMAppInstaller.exe Check user administrative privileges: GetTokenInformation,DecisionNodes
Source: C:\Windows\System32\loaddll64.exe Check user administrative privileges: GetTokenInformation,DecisionNodes
Source: C:\Users\user\AppData\Local\SUX56B\FileHistory.exe Check user administrative privileges: GetTokenInformation,DecisionNodes
Source: C:\Users\user\AppData\Local\USNBng\MDMAppInstaller.exe API coverage: 8.1 %
Source: C:\Users\user\AppData\Local\E4DREUfrP\iexpress.exe API coverage: 0.6 %
Source: C:\Windows\System32\loaddll64.exe Process information queried: ProcessInformation Jump to behavior
Source: C:\Windows\System32\loaddll64.exe Code function: 1_2_00007FFFE202DDC0 GetSystemInfo, 1_2_00007FFFE202DDC0
Source: C:\Windows\System32\loaddll64.exe Code function: 1_2_00007FFFE202ED10 FindFirstFileExW, 1_2_00007FFFE202ED10
Source: C:\Users\user\AppData\Local\USNBng\MDMAppInstaller.exe Code function: 20_2_00007FFFEF99ED10 FindFirstFileExW, 20_2_00007FFFEF99ED10
Source: C:\Users\user\AppData\Local\E4DREUfrP\iexpress.exe Code function: 23_2_00007FF700CD5A08 LoadStringA,CopyFileA,GetLastError,FormatMessageA,SetFileAttributesA,SetLastError,GetUserDefaultUILanguage,FindFirstFileA,FindClose,CreateFileA,LocalAlloc,ReadFile,CloseHandle,LocalFree,LocalFree,FindFirstFileA,FindClose,CreateFileA,LocalAlloc,ReadFile,CloseHandle,LocalFree,memset,LocalAlloc,FindFirstFileA,FindClose,LocalFree,SetLastError,GlobalLock,GlobalUnlock,GlobalFree,GlobalLock,GlobalUnlock,GlobalFree,GlobalAlloc,GlobalLock,GlobalUnlock,GlobalUnlock,SetLastError,DeleteFileA, 23_2_00007FF700CD5A08
Source: C:\Users\user\AppData\Local\E4DREUfrP\iexpress.exe Code function: 23_2_00007FF700CD2164 FindFirstFileA,FindClose, 23_2_00007FF700CD2164
Source: C:\Users\user\AppData\Local\E4DREUfrP\iexpress.exe Code function: 23_2_00007FF700CD5518 LoadStringA,CompareStringA,GetModuleFileNameA,CharNextA,GetFileAttributesA,LocalAlloc,memset,CreateProcessA,CloseHandle,DispatchMessageA,PeekMessageA,MsgWaitForMultipleObjects,GetExitCodeProcess,CloseHandle,GetLastError,FormatMessageA,LocalFree,FindFirstFileA,FindClose,CreateFileA,LocalAlloc,ReadFile,CloseHandle,LocalFree,DeleteFileA,DeleteFileA,DeleteFileA, 23_2_00007FF700CD5518
Source: C:\Users\user\AppData\Local\xwE\wextract.exe Code function: 25_2_00007FF78E551EC0 FindFirstFileA,lstrcmpA,lstrcmpA,SetFileAttributesA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA, 25_2_00007FF78E551EC0
Source: C:\Users\user\AppData\Local\xwE\wextract.exe Code function: 25_2_00007FFFF6D1ED10 FindFirstFileExW, 25_2_00007FFFF6D1ED10
Source: explorer.exe, 00000006.00000000.263903097.00000000051AC000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000
Source: explorer.exe, 00000006.00000000.282290301.0000000006005000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}Ged:Wednesday:Thu:Thursday:Fri:Friday:Sat:Saturday
Source: explorer.exe, 00000006.00000000.276835861.000000000405B000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: Prod_VMware_SATA
Source: explorer.exe, 00000006.00000000.280868301.00000000051F5000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: -94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}71USER
Source: explorer.exe, 00000006.00000000.247879091.0000000006005000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: VMware SATA CD00
Source: explorer.exe, 00000006.00000000.247295653.0000000005EAB000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000006.00000000.247879091.0000000006005000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000006.00000000.282290301.0000000006005000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}on:Gz?S
Source: explorer.exe, 00000006.00000000.280868301.00000000051F5000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000
Source: explorer.exe, 00000006.00000000.245814685.000000000513E000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000
Source: explorer.exe, 00000006.00000000.247879091.0000000006005000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: VMware SATA CD00dRom0cY
Source: C:\Users\user\AppData\Local\USNBng\MDMAppInstaller.exe Code function: 20_2_00007FF77C192890 GetCurrentThreadId,memset,IsDebuggerPresent,OutputDebugStringW, 20_2_00007FF77C192890
Source: C:\Users\user\AppData\Local\xwE\wextract.exe Code function: 25_2_00007FF78E554664 LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetTempPathA,CharPrevA,CharPrevA,FreeLibrary,FreeLibrary, 25_2_00007FF78E554664
Source: C:\Users\user\AppData\Local\USNBng\MDMAppInstaller.exe Code function: 20_2_00007FF77C1A4D20 GetProcessHeap,HeapFree, 20_2_00007FF77C1A4D20
Source: C:\Windows\System32\loaddll64.exe Code function: 1_2_00007FFFE20197D0 LdrLoadDll,FindClose, 1_2_00007FFFE20197D0
Source: C:\Users\user\AppData\Local\SUX56B\FileHistory.exe Memory allocated: page read and write | page guard
Source: C:\Users\user\AppData\Local\USNBng\MDMAppInstaller.exe Code function: 20_2_00007FF77C1A3DF0 SetUnhandledExceptionFilter, 20_2_00007FF77C1A3DF0
Source: C:\Users\user\AppData\Local\USNBng\MDMAppInstaller.exe Code function: 20_2_00007FF77C1A3BA4 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 20_2_00007FF77C1A3BA4
Source: C:\Users\user\AppData\Local\E4DREUfrP\iexpress.exe Code function: 23_2_00007FF700CDEC60 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 23_2_00007FF700CDEC60
Source: C:\Users\user\AppData\Local\E4DREUfrP\iexpress.exe Code function: 23_2_00007FF700CDEF50 SetUnhandledExceptionFilter, 23_2_00007FF700CDEF50
Source: C:\Users\user\AppData\Local\xwE\wextract.exe Code function: 25_2_00007FF78E557A80 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 25_2_00007FF78E557A80
Source: C:\Users\user\AppData\Local\xwE\wextract.exe Code function: 25_2_00007FF78E557D70 SetUnhandledExceptionFilter, 25_2_00007FF78E557D70
Source: C:\Users\user\AppData\Local\pUTm\SystemPropertiesAdvanced.exe Code function: 29_2_00007FF773111430 SetUnhandledExceptionFilter, 29_2_00007FF773111430
Source: C:\Users\user\AppData\Local\pUTm\SystemPropertiesAdvanced.exe Code function: 29_2_00007FF7731116B4 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 29_2_00007FF7731116B4
Source: C:\Users\user\AppData\Local\SUX56B\FileHistory.exe Code function: 31_2_00007FF6F1247570 SetUnhandledExceptionFilter, 31_2_00007FF6F1247570
Source: C:\Users\user\AppData\Local\SUX56B\FileHistory.exe Code function: 31_2_00007FF6F12477EC SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 31_2_00007FF6F12477EC

HIPS / PFW / Operating System Protection Evasion

Source: C:\Windows\explorer.exe File created: SYSDM.CPL.6.dr Jump to dropped file
Source: C:\Windows\System32\rundll32.exe Memory protected: C:\Windows\explorer.exe base: 7FF802C5EFE0 protect: page execute and read and write Jump to behavior
Source: C:\Windows\System32\rundll32.exe Memory protected: C:\Windows\explorer.exe base: 7FF802C5E000 protect: page execute read Jump to behavior
Source: C:\Windows\System32\rundll32.exe Memory protected: C:\Windows\explorer.exe base: 7FF8024E2A20 protect: page execute and read and write Jump to behavior
Source: C:\Windows\System32\rundll32.exe Thread APC queued: target process: C:\Windows\explorer.exe Jump to behavior
Source: C:\Windows\System32\rundll32.exe Atom created: 405553565741544156488D6C24D14881EC98 0x00000000 inc eax 0x00000001 push ebp 0x00000002 push ebx 0x00000003 push esi 0x00000004 push edi 0x00000005 inc ecx 0x00000006 push esp 0x00000007 inc ecx 0x00000008 push esi 0x00000009 dec eax 0x0000000a lea ebp, dword ptr [esp-2Fh] 0x0000000e dec eax 0x0000000f sub esp, 00000098h Jump to behavior (note: this listing decodes the atom bytes in 32-bit mode; the target explorer.exe is a 64-bit process, and in 64-bit mode 40h, 41h and 48h are REX prefixes rather than inc/dec, so the same bytes are an ordinary x64 function prologue: push rbp; push rbx; push rsi; push rdi; push r12; push r14; lea rbp, [rsp-2Fh]; sub rsp, 98h. Machine code staged as an atom string and pulled into the target by a queued APC is the Atom Bombing pattern the report flags above.)
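The atom contents can be checked by decoding them in 64-bit mode. The block below is an added example, not part of the report: a deliberately small decoder that knows only the opcodes an x64 prologue uses (push r64, lea, and the group-1 add/sub family with a 32-bit immediate) and stops at anything else, which is enough to show that the bytes the sandbox logged are a function prologue and to report where the logged hex is cut off. For anything beyond this use a real disassembler such as capstone; the hex string is the one quoted in the report, truncated where the report truncates it.

```python
"""Decode bytes as 64-bit code, restricted to what an x64 function prologue uses.
Added example; not a general disassembler."""
REG64 = ["rax", "rcx", "rdx", "rbx", "rsp", "rbp", "rsi", "rdi",
         "r8", "r9", "r10", "r11", "r12", "r13", "r14", "r15"]
REG32 = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi",
         "r8d", "r9d", "r10d", "r11d", "r12d", "r13d", "r14d", "r15d"]
GROUP1 = ["add", "or", "adc", "sbb", "and", "sub", "xor", "cmp"]   # opcode 81 /r


def _modrm(blob, i, rex, regs):
    """Decode ModRM (+SIB, +disp) at blob[i]. Returns (reg_field, operand_text, next_i)
    or None if the blob ends before the operand is complete."""
    if i >= len(blob):
        return None
    modrm = blob[i]
    i += 1
    mod, reg, rm = modrm >> 6, (modrm >> 3) & 7, modrm & 7
    reg |= ((rex >> 2) & 1) << 3            # REX.R extends the reg field
    rex_b = (rex & 1) << 3                  # REX.B extends rm / SIB.base
    if mod == 3:                            # register-direct operand
        return reg, regs[rm | rex_b], i
    if rm == 4:                             # SIB byte follows
        if i >= len(blob):
            return None
        sib = blob[i]
        i += 1
        scale, index, base = sib >> 6, (sib >> 3) & 7, sib & 7
        index |= ((rex >> 1) & 1) << 3      # REX.X extends SIB.index
        text = REG64[base | rex_b]
        if index != 4:                      # index 4 without REX.X means "no index"
            text += "+%s*%d" % (REG64[index], 1 << scale)
    elif rm == 5 and mod == 0:              # RIP-relative: always a disp32
        mod, text = 2, "rip"
    else:
        text = REG64[rm | rex_b]
    disp = 0
    if mod == 1:                            # disp8
        if i + 1 > len(blob):
            return None
        disp, i = int.from_bytes(blob[i:i + 1], "little", signed=True), i + 1
    elif mod == 2:                          # disp32
        if i + 4 > len(blob):
            return None
        disp, i = int.from_bytes(blob[i:i + 4], "little", signed=True), i + 4
    if disp:
        text += "%+#x" % disp
    return reg, "[%s]" % text, i


def decode_x64(blob):
    """Decode until the blob ends, is cut mid-instruction, or an opcode outside the
    prologue subset appears; the last list entry says which happened."""
    out, i = [], 0
    while i < len(blob):
        rex, b = 0, blob[i]
        if 0x40 <= b <= 0x4F:               # REX prefix: only exists in 64-bit mode
            rex, i = b, i + 1
            if i >= len(blob):
                out.append("<truncated after REX>")
                break
            b = blob[i]
        regs = REG64 if rex & 8 else REG32  # REX.W selects the 64-bit operand size
        if 0x50 <= b <= 0x57:               # push r64 (REX.B selects r8-r15)
            out.append("push " + REG64[(b - 0x50) | ((rex & 1) << 3)])
            i += 1
        elif b in (0x8D, 0x81):             # lea r, m  /  group-1 op r/m, imm32
            r = _modrm(blob, i + 1, rex, regs)
            if r is None:
                out.append("<truncated operand>")
                break
            reg, operand, i = r
            if b == 0x8D:
                out.append("lea %s, %s" % (regs[reg], operand))
            elif i + 4 > len(blob):         # reg & 7 is the opcode extension, not a register
                out.append("%s %s, <truncated imm32>" % (GROUP1[reg & 7], operand))
                break
            else:
                imm = int.from_bytes(blob[i:i + 4], "little", signed=True)
                out.append("%s %s, %#x" % (GROUP1[reg & 7], operand, imm))
                i += 4
        else:
            out.append("<opcode %#04x outside prologue subset>" % b)
            break
    return out


# Hex string exactly as quoted in the report's "Atom created" line (cut off there
# inside the sub's 32-bit immediate).
ATOM_PAYLOAD = bytes.fromhex("405553565741544156488D6C24D14881EC98")

if __name__ == "__main__":
    print("\n".join(decode_x64(ATOM_PAYLOAD)))
```

When hunting for this technique outside a sandbox, the same decoder applied to strings recovered from the global atom table (GlobalGetAtomName over the atom range) separates ordinary text atoms from staged code: text does not start with a run of REX-prefixed pushes followed by a stack adjustment.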
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\mpXUd364Rz.dll",#1 Jump to behavior
Source: C:\Users\user\AppData\Local\xwE\wextract.exe Code function: 25_2_00007FF78E5512A0 GetCurrentProcess,OpenProcessToken,GetTokenInformation,GetLastError,LocalAlloc,GetTokenInformation,AllocateAndInitializeSid,EqualSid,FreeSid,LocalFree,CloseHandle, 25_2_00007FF78E5512A0
Source: explorer.exe, 00000006.00000000.240757751.0000000000B50000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000006.00000000.259220966.0000000000B50000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000006.00000000.247216161.0000000005610000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000006.00000000.274591286.00000000005C8000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.240757751.0000000000B50000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000006.00000000.259220966.0000000000B50000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Progman
Source: explorer.exe, 00000006.00000000.240757751.0000000000B50000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000006.00000000.259220966.0000000000B50000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000006.00000000.293518653.0000000000B50000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Program Manager,
Source: explorer.exe, 00000006.00000000.240757751.0000000000B50000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000006.00000000.259220966.0000000000B50000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000006.00000000.293518653.0000000000B50000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Progmanlock
Source: C:\Users\user\AppData\Local\SUX56B\FileHistory.exe Queries volume information: C:\Users\user\AppData\Local\SUX56B\FileHistory.exe VolumeInformation
Source: C:\Windows\System32\loaddll64.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion InstallDate Jump to behavior
Source: C:\Windows\System32\loaddll64.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior
Source: C:\Users\user\AppData\Local\USNBng\MDMAppInstaller.exe Code function: 20_2_00007FF77C1A260C GetSystemTimeAsFileTime,EnterCriticalSection,LeaveCriticalSection,??3@YAXPEAX@Z, 20_2_00007FF77C1A260C
Source: C:\Users\user\AppData\Local\E4DREUfrP\iexpress.exe Code function: 23_2_00007FF700CDE5F0 GetVersionExA,GetSystemMetrics,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,CharNextA, 23_2_00007FF700CDE5F0
Source: C:\Windows\System32\loaddll64.exe Code function: 1_2_00007FFFE2019400 GetUserNameW, 1_2_00007FFFE2019400
No contacted IP infos