Windows Analysis Report
dry.dll

Overview

General Information

Sample Name: dry.dll
Analysis ID: 575240
MD5: 4bec705de3584b911018c84f31659a17
SHA1: b29ff37578ef950b702ec5db59161294c2e1a7b3
SHA256: 13aa6bed5b3a656b9c86cc2d397f765779f4a7dff49f73d58bd97e11423e0635
Tags: dll, dridex, exe

Detection

Dridex
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Yara detected Dridex unpacked file
Multi AV Scanner detection for submitted file
Benign windows process drops PE files
Malicious sample detected (through community Yara rule)
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Changes memory attributes in foreign processes to executable or writable
Machine Learning detection for sample
Queues an APC in another process (thread injection)
Contains functionality to inject code into remote processes
Sigma detected: Suspicious Call by Ordinal
Machine Learning detection for dropped file
Uses Atom Bombing / ProGate to inject into other processes
PE file contains section with special chars
Uses a Windows Living Off The Land Binaries (LOL bins)
Queries the volume information (name, serial number etc) of a device
Yara signature match
One or more processes crash
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query locales information (e.g. system language)
Uses code obfuscation techniques (call, push, ret)
Contains functionality to execute programs as a different user
PE file contains sections with non-standard names
Queries the installation date of Windows
Detected potential crypto function
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to call native functions
Contains functionality to communicate with device drivers
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Sample file is different than original file name gathered from version info
PE file contains strange resources
Drops PE files
Found evasive API chain checking for process token information
Binary contains a suspicious time stamp
PE file contains more sections than normal
Found large amount of non-executed APIs
Uses Microsoft's Enhanced Cryptographic Provider
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

AV Detection

Source: dry.dll Virustotal: Detection: 70%
Source: dry.dll Metadefender: Detection: 55%
Source: dry.dll ReversingLabs: Detection: 82%
Source: dry.dll Avira: detected
Source: C:\Users\user\AppData\Local\oudoiG\VERSION.dll Avira: detection malicious, Label: TR/Crypt.ZPACK.Gen
Source: C:\Users\user\AppData\Local\0rPbJb\UxTheme.dll Avira: detection malicious, Label: TR/Crypt.ZPACK.Gen
Source: C:\Users\user\AppData\Local\dfAZPUGwQ\WINSTA.dll Avira: detection malicious, Label: TR/Crypt.ZPACK.Gen
Source: C:\Users\user\AppData\Local\s8hTTPzEx\DUI70.dll Avira: detection malicious, Label: TR/Crypt.XPACK.Gen4
Source: C:\Users\user\AppData\Local\GsjW\XmlLite.dll Avira: detection malicious, Label: TR/Crypt.XPACK.Gen7
Source: C:\Users\user\AppData\Local\DLKXiO\WMsgAPI.dll Avira: detection malicious, Label: TR/Crypt.XPACK.Gen7
Source: dry.dll Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\oudoiG\VERSION.dll Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\0rPbJb\UxTheme.dll Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\dfAZPUGwQ\WINSTA.dll Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\s8hTTPzEx\DUI70.dll Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\GsjW\XmlLite.dll Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\DLKXiO\WMsgAPI.dll Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\oudoiG\DWWIN.EXE Code function: 30_2_00007FF7EAE9CF6C VirtualAlloc,GetLastError,BCryptCreateHash,ReadProcessMemory,BCryptHashData,BCryptFinishHash,BCryptDestroyHash,VirtualFree,BCryptFinishHash,BCryptDestroyHash,GetLastError, 30_2_00007FF7EAE9CF6C
Source: C:\Users\user\AppData\Local\oudoiG\DWWIN.EXE Code function: 30_2_00007FF7EAE9D15C BCryptCreateHash,_wcsnicmp,BCryptHashData,BCryptHashData,BCryptFinishHash,BCryptDestroyHash, 30_2_00007FF7EAE9D15C
Source: dry.dll Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA
Source: Binary string: consent.pdb source: consent.exe, 0000000D.00000000.375430040.00007FF679FA1000.00000002.00000001.01000000.00000007.sdmp, consent.exe, 0000000D.00000002.376843046.00007FF679FA1000.00000002.00000001.01000000.00000007.sdmp, consent.exe, 00000017.00000000.417554670.00007FF60D131000.00000002.00000001.01000000.0000000A.sdmp, consent.exe, 00000017.00000002.418228151.00007FF60D131000.00000002.00000001.01000000.0000000A.sdmp, consent.exe0.5.dr, consent.exe.5.dr
Source: Binary string: SndVol.pdbGCTL source: SndVol.exe, 00000025.00000000.519784312.00007FF7A30D2000.00000002.00000001.01000000.00000011.sdmp, SndVol.exe.5.dr
Source: Binary string: cmstp.pdbGCTL source: cmstp.exe, 0000001B.00000002.448541294.00007FF768F8F000.00000002.00000001.01000000.0000000B.sdmp, cmstp.exe, 0000001B.00000000.426211728.00007FF768F8F000.00000002.00000001.01000000.0000000B.sdmp, cmstp.exe.5.dr
Source: Binary string: FFgnji|RgnjiR.pdb source: SysResetErr.exe, 0000000F.00000002.410461412.00000204E63D7000.00000004.00000020.00020000.00000000.sdmp, SysResetErr.exe, 0000000F.00000002.410154109.00000204E622E000.00000004.00000020.00020000.00000000.sdmp, cmstp.exe, 0000001B.00000002.448408637.0000016FCD5A2000.00000004.00000020.00020000.00000000.sdmp, cmstp.exe, 0000001B.00000002.448269347.0000016FCD449000.00000004.00000020.00020000.00000000.sdmp, DWWIN.EXE, 0000001E.00000002.476969443.0000025594C81000.00000004.00000020.00020000.00000000.sdmp, DWWIN.EXE, 0000001E.00000002.477066927.0000025594DE1000.00000004.00000020.00020000.00000000.sdmp, sppsvc.exe, 00000023.00000002.513393199.0000029561289000.00000004.00000020.00020000.00000000.sdmp, sppsvc.exe, 00000023.00000002.513278214.0000029561127000.00000004.00000020.00020000.00000000.sdmp, dry.dll, VERSION.dll.5.dr, VERSION.dll0.5.dr, UxTheme.dll.5.dr, WINSTA.dll.5.dr, DUI70.dll.5.dr, XmlLite.dll.5.dr, WMsgAPI.dll.5.dr
Source: Binary string: sppsvc.pdb source: sppsvc.exe, 00000023.00000000.488372541.00007FF6A254B000.00000002.00000001.01000000.0000000F.sdmp, sppsvc.exe, 00000023.00000002.514242869.00007FF6A254B000.00000002.00000001.01000000.0000000F.sdmp, sppsvc.exe.5.dr
Source: Binary string: SysResetErr.pdb source: SysResetErr.exe, 0000000F.00000000.387584584.00007FF67A426000.00000002.00000001.01000000.00000008.sdmp, SysResetErr.exe, 0000000F.00000002.410882238.00007FF67A426000.00000002.00000001.01000000.00000008.sdmp, SysResetErr.exe.5.dr
Source: Binary string: dwwin.pdbGCTL source: DWWIN.EXE, 0000001E.00000000.454947885.00007FF7EAEA6000.00000002.00000001.01000000.0000000D.sdmp, DWWIN.EXE, 0000001E.00000002.477319814.00007FF7EAEA6000.00000002.00000001.01000000.0000000D.sdmp, DWWIN.EXE.5.dr
Source: Binary string: cmstp.pdb source: cmstp.exe, 0000001B.00000002.448541294.00007FF768F8F000.00000002.00000001.01000000.0000000B.sdmp, cmstp.exe, 0000001B.00000000.426211728.00007FF768F8F000.00000002.00000001.01000000.0000000B.sdmp, cmstp.exe.5.dr
Source: Binary string: sppsvc.pdbGCTL source: sppsvc.exe, 00000023.00000000.488372541.00007FF6A254B000.00000002.00000001.01000000.0000000F.sdmp, sppsvc.exe, 00000023.00000002.514242869.00007FF6A254B000.00000002.00000001.01000000.0000000F.sdmp, sppsvc.exe.5.dr
Source: Binary string: dwwin.pdb source: DWWIN.EXE, 0000001E.00000000.454947885.00007FF7EAEA6000.00000002.00000001.01000000.0000000D.sdmp, DWWIN.EXE, 0000001E.00000002.477319814.00007FF7EAEA6000.00000002.00000001.01000000.0000000D.sdmp, DWWIN.EXE.5.dr
Source: Binary string: consent.pdbUGP source: consent.exe, 0000000D.00000000.375430040.00007FF679FA1000.00000002.00000001.01000000.00000007.sdmp, consent.exe, 0000000D.00000002.376843046.00007FF679FA1000.00000002.00000001.01000000.00000007.sdmp, consent.exe, 00000017.00000000.417554670.00007FF60D131000.00000002.00000001.01000000.0000000A.sdmp, consent.exe, 00000017.00000002.418228151.00007FF60D131000.00000002.00000001.01000000.0000000A.sdmp, consent.exe0.5.dr, consent.exe.5.dr
Source: Binary string: SndVol.pdb source: SndVol.exe, 00000025.00000000.519784312.00007FF7A30D2000.00000002.00000001.01000000.00000011.sdmp, SndVol.exe.5.dr
Source: Binary string: SysResetErr.pdbGCTL source: SysResetErr.exe, 0000000F.00000000.387584584.00007FF67A426000.00000002.00000001.01000000.00000008.sdmp, SysResetErr.exe, 0000000F.00000002.410882238.00007FF67A426000.00000002.00000001.01000000.00000008.sdmp, SysResetErr.exe.5.dr
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFC682EDBE0 FindFirstFileExW, 0_2_00007FFC682EDBE0
Source: C:\Users\user\AppData\Local\s8hTTPzEx\SysResetErr.exe Code function: 15_2_00007FFC67E3DBE0 FindFirstFileExW, 15_2_00007FFC67E3DBE0
Source: C:\Users\user\AppData\Local\y1c6p\cmstp.exe Code function: 27_2_00007FF768F871E0 memset,GetPrivateProfileStringW,FindFirstFileW,wcscmp,memset,FindNextFileW, 27_2_00007FF768F871E0
Source: C:\Users\user\AppData\Local\y1c6p\cmstp.exe Code function: 27_2_00007FF768F84008 memset,memset,memset,SHGetFolderPathW,memset,SHGetFolderPathW,lstrlenW,CmMalloc,CmFree,CmFree,memset,FindFirstFileW,GetLastError,memset,memset,FindNextFileW,FindClose, 27_2_00007FF768F84008
Source: C:\Users\user\AppData\Local\y1c6p\cmstp.exe Code function: 27_2_00007FFC6E2EDBE0 FindFirstFileExW, 27_2_00007FFC6E2EDBE0
Source: C:\Users\user\AppData\Local\oudoiG\DWWIN.EXE Code function: 30_2_00007FF7EAE96678 memset,StrStrIW,GetLogicalDriveStringsW,QueryDosDeviceW,StrStrIW, 30_2_00007FF7EAE96678
Source: sppsvc.exe, 00000023.00000000.488372541.00007FF6A254B000.00000002.00000001.01000000.0000000F.sdmp, sppsvc.exe, 00000023.00000002.514242869.00007FF6A254B000.00000002.00000001.01000000.0000000F.sdmp, sppsvc.exe.5.dr String found in binary or memory: http://xml.org/sax/properties/lexical-handler&<>"'SelectionLanguageXPathSelectio
Source: unknown DNS traffic detected: queries for: canonicalizer.ucsuri.tcs

E-Banking Fraud

Source: Yara match File source: 4.2.rundll32.exe.7ffc68290000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.rundll32.exe.7ffc68290000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.rundll32.exe.7ffc68290000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 27.2.cmstp.exe.7ffc6e290000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 35.2.sppsvc.exe.7ffc6e290000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.loaddll64.exe.7ffc68290000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.rundll32.exe.7ffc68290000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.SysResetErr.exe.7ffc67de0000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 30.2.DWWIN.EXE.7ffc6e290000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000001B.00000002.448574954.00007FFC6E291000.00000020.00000001.01000000.0000000C.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.305054509.00007FFC68291000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.296790826.00007FFC68291000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 0000001E.00000002.477365919.00007FFC6E291000.00000020.00000001.01000000.0000000E.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.289927845.00007FFC68291000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.410915340.00007FFC67DE1000.00000020.00000001.01000000.00000009.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.366937086.00007FFC68291000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 00000023.00000002.514434351.00007FFC6E291000.00000020.00000001.01000000.00000010.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.311387870.00007FFC68291000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY

System Summary

Source: 4.2.rundll32.exe.7ffc68290000.2.unpack, type: UNPACKEDPE Matched rule: Detects latest Dridex bot hook Author: @VK_Intel
Source: 8.2.rundll32.exe.7ffc68290000.2.unpack, type: UNPACKEDPE Matched rule: Detects latest Dridex bot hook Author: @VK_Intel
Source: 3.2.rundll32.exe.7ffc68290000.2.unpack, type: UNPACKEDPE Matched rule: Detects latest Dridex bot hook Author: @VK_Intel
Source: 27.2.cmstp.exe.7ffc6e290000.3.unpack, type: UNPACKEDPE Matched rule: Detects latest Dridex bot hook Author: @VK_Intel
Source: 35.2.sppsvc.exe.7ffc6e290000.3.unpack, type: UNPACKEDPE Matched rule: Detects latest Dridex bot hook Author: @VK_Intel
Source: 0.2.loaddll64.exe.7ffc68290000.2.unpack, type: UNPACKEDPE Matched rule: Detects latest Dridex bot hook Author: @VK_Intel
Source: 6.2.rundll32.exe.7ffc68290000.2.unpack, type: UNPACKEDPE Matched rule: Detects latest Dridex bot hook Author: @VK_Intel
Source: 15.2.SysResetErr.exe.7ffc67de0000.3.unpack, type: UNPACKEDPE Matched rule: Detects latest Dridex bot hook Author: @VK_Intel
Source: 30.2.DWWIN.EXE.7ffc6e290000.3.unpack, type: UNPACKEDPE Matched rule: Detects latest Dridex bot hook Author: @VK_Intel
Source: 0000001B.00000002.448574954.00007FFC6E291000.00000020.00000001.01000000.0000000C.sdmp, type: MEMORY Matched rule: Detects latest Dridex bot hook Author: @VK_Intel
Source: 00000008.00000002.305054509.00007FFC68291000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY Matched rule: Detects latest Dridex bot hook Author: @VK_Intel
Source: 00000006.00000002.296790826.00007FFC68291000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY Matched rule: Detects latest Dridex bot hook Author: @VK_Intel
Source: 0000001E.00000002.477365919.00007FFC6E291000.00000020.00000001.01000000.0000000E.sdmp, type: MEMORY Matched rule: Detects latest Dridex bot hook Author: @VK_Intel
Source: 00000004.00000002.289927845.00007FFC68291000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY Matched rule: Detects latest Dridex bot hook Author: @VK_Intel
Source: 0000000F.00000002.410915340.00007FFC67DE1000.00000020.00000001.01000000.00000009.sdmp, type: MEMORY Matched rule: Detects latest Dridex bot hook Author: @VK_Intel
Source: 00000003.00000002.366937086.00007FFC68291000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY Matched rule: Detects latest Dridex bot hook Author: @VK_Intel
Source: 00000023.00000002.514434351.00007FFC6E291000.00000020.00000001.01000000.00000010.sdmp, type: MEMORY Matched rule: Detects latest Dridex bot hook Author: @VK_Intel
Source: 00000000.00000002.311387870.00007FFC68291000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY Matched rule: Detects latest Dridex bot hook Author: @VK_Intel
Source: sppsvc.exe.5.dr Static PE information: section name: ?g_Encry
Source: C:\Windows\explorer.exe Process created: C:\Windows\System32\cmstp.exe C:\Windows\system32\cmstp.exe
Source: C:\Windows\explorer.exe Process created: C:\Users\user\AppData\Local\y1c6p\cmstp.exe C:\Users\user\AppData\Local\y1c6p\cmstp.exe
Source: 4.2.rundll32.exe.7ffc68290000.2.unpack, type: UNPACKEDPE Matched rule: crime_win64_dridex_bot_hook date = 2020-03-24, author = @VK_Intel, description = Detects latest Dridex bot hook, reference = internal, tlp = white
Source: 8.2.rundll32.exe.7ffc68290000.2.unpack, type: UNPACKEDPE Matched rule: crime_win64_dridex_bot_hook date = 2020-03-24, author = @VK_Intel, description = Detects latest Dridex bot hook, reference = internal, tlp = white
Source: 3.2.rundll32.exe.7ffc68290000.2.unpack, type: UNPACKEDPE Matched rule: crime_win64_dridex_bot_hook date = 2020-03-24, author = @VK_Intel, description = Detects latest Dridex bot hook, reference = internal, tlp = white
Source: 27.2.cmstp.exe.7ffc6e290000.3.unpack, type: UNPACKEDPE Matched rule: crime_win64_dridex_bot_hook date = 2020-03-24, author = @VK_Intel, description = Detects latest Dridex bot hook, reference = internal, tlp = white
Source: 35.2.sppsvc.exe.7ffc6e290000.3.unpack, type: UNPACKEDPE Matched rule: crime_win64_dridex_bot_hook date = 2020-03-24, author = @VK_Intel, description = Detects latest Dridex bot hook, reference = internal, tlp = white
Source: 0.2.loaddll64.exe.7ffc68290000.2.unpack, type: UNPACKEDPE Matched rule: crime_win64_dridex_bot_hook date = 2020-03-24, author = @VK_Intel, description = Detects latest Dridex bot hook, reference = internal, tlp = white
Source: 6.2.rundll32.exe.7ffc68290000.2.unpack, type: UNPACKEDPE Matched rule: crime_win64_dridex_bot_hook date = 2020-03-24, author = @VK_Intel, description = Detects latest Dridex bot hook, reference = internal, tlp = white
Source: 15.2.SysResetErr.exe.7ffc67de0000.3.unpack, type: UNPACKEDPE Matched rule: crime_win64_dridex_bot_hook date = 2020-03-24, author = @VK_Intel, description = Detects latest Dridex bot hook, reference = internal, tlp = white
Source: 30.2.DWWIN.EXE.7ffc6e290000.3.unpack, type: UNPACKEDPE Matched rule: crime_win64_dridex_bot_hook date = 2020-03-24, author = @VK_Intel, description = Detects latest Dridex bot hook, reference = internal, tlp = white
Source: 0000001B.00000002.448574954.00007FFC6E291000.00000020.00000001.01000000.0000000C.sdmp, type: MEMORY Matched rule: crime_win64_dridex_bot_hook date = 2020-03-24, author = @VK_Intel, description = Detects latest Dridex bot hook, reference = internal, tlp = white
Source: 00000008.00000002.305054509.00007FFC68291000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY Matched rule: crime_win64_dridex_bot_hook date = 2020-03-24, author = @VK_Intel, description = Detects latest Dridex bot hook, reference = internal, tlp = white
Source: 00000006.00000002.296790826.00007FFC68291000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY Matched rule: crime_win64_dridex_bot_hook date = 2020-03-24, author = @VK_Intel, description = Detects latest Dridex bot hook, reference = internal, tlp = white
Source: 0000001E.00000002.477365919.00007FFC6E291000.00000020.00000001.01000000.0000000E.sdmp, type: MEMORY Matched rule: crime_win64_dridex_bot_hook date = 2020-03-24, author = @VK_Intel, description = Detects latest Dridex bot hook, reference = internal, tlp = white
Source: 00000004.00000002.289927845.00007FFC68291000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY Matched rule: crime_win64_dridex_bot_hook date = 2020-03-24, author = @VK_Intel, description = Detects latest Dridex bot hook, reference = internal, tlp = white
Source: 0000000F.00000002.410915340.00007FFC67DE1000.00000020.00000001.01000000.00000009.sdmp, type: MEMORY Matched rule: crime_win64_dridex_bot_hook date = 2020-03-24, author = @VK_Intel, description = Detects latest Dridex bot hook, reference = internal, tlp = white
Source: 00000003.00000002.366937086.00007FFC68291000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY Matched rule: crime_win64_dridex_bot_hook date = 2020-03-24, author = @VK_Intel, description = Detects latest Dridex bot hook, reference = internal, tlp = white
Source: 00000023.00000002.514434351.00007FFC6E291000.00000020.00000001.01000000.00000010.sdmp, type: MEMORY Matched rule: crime_win64_dridex_bot_hook date = 2020-03-24, author = @VK_Intel, description = Detects latest Dridex bot hook, reference = internal, tlp = white
Source: 00000000.00000002.311387870.00007FFC68291000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY Matched rule: crime_win64_dridex_bot_hook date = 2020-03-24, author = @VK_Intel, description = Detects latest Dridex bot hook, reference = internal, tlp = white
Source: C:\Windows\explorer.exe Process created: C:\Windows\System32\DWWIN.EXE C:\Windows\system32\DWWIN.EXE
Source: C:\Users\user\AppData\Local\s8hTTPzEx\SysResetErr.exe Code function: 15_2_00007FFC67DF0870 15_2_00007FFC67DF0870
Source: C:\Users\user\AppData\Local\s8hTTPzEx\SysResetErr.exe Code function: 15_2_00007FFC67E01850 15_2_00007FFC67E01850
Source: C:\Users\user\AppData\Local\s8hTTPzEx\SysResetErr.exe Code function: 15_2_00007FFC67DF9050 15_2_00007FFC67DF9050
Source: C:\Users\user\AppData\Local\s8hTTPzEx\SysResetErr.exe Code function: 15_2_00007FFC67DE1010 15_2_00007FFC67DE1010
Source: C:\Users\user\AppData\Local\s8hTTPzEx\SysResetErr.exe Code function: 15_2_00007FFC67E0DFE0 15_2_00007FFC67E0DFE0
Source: C:\Users\user\AppData\Local\s8hTTPzEx\SysResetErr.exe Code function: 15_2_00007FFC67E0EFD0 15_2_00007FFC67E0EFD0
Source: C:\Users\user\AppData\Local\s8hTTPzEx\SysResetErr.exe Code function: 15_2_00007FFC67E5A7BB 15_2_00007FFC67E5A7BB
Source: C:\Users\user\AppData\Local\s8hTTPzEx\SysResetErr.exe Code function: 15_2_00007FFC67DFD780 15_2_00007FFC67DFD780
Source: C:\Users\user\AppData\Local\s8hTTPzEx\SysResetErr.exe Code function: 15_2_00007FFC67E5AF81 15_2_00007FFC67E5AF81
Source: C:\Users\user\AppData\Local\s8hTTPzEx\SysResetErr.exe Code function: 15_2_00007FFC67DE6790 15_2_00007FFC67DE6790
Source: C:\Users\user\AppData\Local\s8hTTPzEx\SysResetErr.exe Code function: 15_2_00007FFC67E2DF40 15_2_00007FFC67E2DF40
Source: C:\Users\user\AppData\Local\s8hTTPzEx\SysResetErr.exe Code function: 15_2_00007FFC67E11730 15_2_00007FFC67E11730
Source: C:\Users\user\AppData\Local\s8hTTPzEx\SysResetErr.exe Code function: 15_2_00007FFC67DFCF30 15_2_00007FFC67DFCF30
Source: C:\Users\user\AppData\Local\s8hTTPzEx\SysResetErr.exe Code function: 15_2_00007FFC67DF8700 15_2_00007FFC67DF8700
Source: C:\Users\user\AppData\Local\s8hTTPzEx\SysResetErr.exe Code function: 15_2_00007FFC67DFC700 15_2_00007FFC67DFC700
Source: C:\Users\user\AppData\Local\s8hTTPzEx\SysResetErr.exe Code function: 15_2_00007FFC67E01F10 15_2_00007FFC67E01F10
Source: C:\Users\user\AppData\Local\s8hTTPzEx\SysResetErr.exe Code function: 15_2_00007FFC67E5EEF0 15_2_00007FFC67E5EEF0
Source: C:\Users\user\AppData\Local\s8hTTPzEx\SysResetErr.exe Code function: 15_2_00007FFC67E10EE0 15_2_00007FFC67E10EE0
Source: C:\Users\user\AppData\Local\s8hTTPzEx\SysResetErr.exe Code function: 15_2_00007FFC67E346D0 15_2_00007FFC67E346D0
Source: C:\Users\user\AppData\Local\s8hTTPzEx\SysResetErr.exe Code function: 15_2_00007FFC67E536C0 15_2_00007FFC67E536C0
Source: C:\Users\user\AppData\Local\s8hTTPzEx\SysResetErr.exe Code function: 15_2_00007FFC67E4CEAD 15_2_00007FFC67E4CEAD
Source: C:\Users\user\AppData\Local\s8hTTPzEx\SysResetErr.exe Code function: 15_2_00007FFC67E4CEB6 15_2_00007FFC67E4CEB6
Source: C:\Users\user\AppData\Local\s8hTTPzEx\SysResetErr.exe Code function: 15_2_00007FFC67E4CE9D 15_2_00007FFC67E4CE9D
Source: C:\Users\user\AppData\Local\s8hTTPzEx\SysResetErr.exe Code function: 15_2_00007FFC67E4CEA6 15_2_00007FFC67E4CEA6
Source: C:\Users\user\AppData\Local\s8hTTPzEx\SysResetErr.exe Code function: 15_2_00007FFC67DE7E80 15_2_00007FFC67DE7E80
Source: C:\Users\user\AppData\Local\s8hTTPzEx\SysResetErr.exe Code function: 15_2_00007FFC67E4CE94 15_2_00007FFC67E4CE94
Source: C:\Users\user\AppData\Local\s8hTTPzEx\SysResetErr.exe Code function: 15_2_00007FFC67E0BE80 15_2_00007FFC67E0BE80
Source: C:\Users\user\AppData\Local\s8hTTPzEx\SysResetErr.exe Code function: 15_2_00007FFC67E46E80 15_2_00007FFC67E46E80
Source: C:\Users\user\AppData\Local\s8hTTPzEx\SysResetErr.exe Code function: 15_2_00007FFC67DE6E90 15_2_00007FFC67DE6E90
Source: C:\Users\user\AppData\Local\s8hTTPzEx\SysResetErr.exe Code function: 15_2_00007FFC67E4CE8B 15_2_00007FFC67E4CE8B
Source: C:\Users\user\AppData\Local\s8hTTPzEx\SysResetErr.exe Code function: 15_2_00007FFC67E59E70 15_2_00007FFC67E59E70
Source: C:\Users\user\AppData\Local\s8hTTPzEx\SysResetErr.exe Code function: 15_2_00007FFC67DF9660 15_2_00007FFC67DF9660
Source: C:\Users\user\AppData\Local\s8hTTPzEx\SysResetErr.exe Code function: 15_2_00007FFC67DF6670 15_2_00007FFC67DF6670
Source: C:\Users\user\AppData\Local\s8hTTPzEx\SysResetErr.exe Code function: 15_2_00007FFC67E5D650 15_2_00007FFC67E5D650
Source: C:\Users\user\AppData\Local\s8hTTPzEx\SysResetErr.exe Code function: 15_2_00007FFC67E10650 15_2_00007FFC67E10650
Source: C:\Users\user\AppData\Local\s8hTTPzEx\SysResetErr.exe Code function: 15_2_00007FFC67E3F650 15_2_00007FFC67E3F650
Source: C:\Users\user\AppData\Local\s8hTTPzEx\SysResetErr.exe Code function: 15_2_00007FFC67E0F640 15_2_00007FFC67E0F640
Source: C:\Users\user\AppData\Local\s8hTTPzEx\SysResetErr.exe Code function: 15_2_00007FFC67E5A63F 15_2_00007FFC67E5A63F
Source: C:\Users\user\AppData\Local\s8hTTPzEx\SysResetErr.exe Code function: 15_2_00007FFC67E44640 15_2_00007FFC67E44640
Source: C:\Users\user\AppData\Local\s8hTTPzEx\SysResetErr.exe Code function: 15_2_00007FFC67E02650 15_2_00007FFC67E02650
Source: C:\Users\user\AppData\Local\s8hTTPzEx\SysResetErr.exe Code function: 15_2_00007FFC67DE1620 15_2_00007FFC67DE1620
Source: C:\Users\user\AppData\Local\s8hTTPzEx\SysResetErr.exe Code function: 15_2_00007FFC67E12610 15_2_00007FFC67E12610
Source: C:\Users\user\AppData\Local\s8hTTPzEx\SysResetErr.exe Code function: 15_2_00007FFC67E3FE10 15_2_00007FFC67E3FE10
Source: C:\Users\user\AppData\Local\s8hTTPzEx\SysResetErr.exe Code function: 15_2_00007FFC67E4CE00 15_2_00007FFC67E4CE00
Source: C:\Users\user\AppData\Local\s8hTTPzEx\SysResetErr.exe Code function: 15_2_00007FFC67DEDDE0 15_2_00007FFC67DEDDE0
Source: C:\Users\user\AppData\Local\s8hTTPzEx\SysResetErr.exe Code function: 15_2_00007FFC67E095B0 15_2_00007FFC67E095B0
Source: C:\Users\user\AppData\Local\s8hTTPzEx\SysResetErr.exe Code function: 15_2_00007FFC67DEC5A0 15_2_00007FFC67DEC5A0
Source: C:\Users\user\AppData\Local\s8hTTPzEx\SysResetErr.exe Code function: 15_2_00007FFC67E49580 15_2_00007FFC67E49580
Source: C:\Users\user\AppData\Local\s8hTTPzEx\SysResetErr.exe Code function: 15_2_00007FFC67DF3D60 15_2_00007FFC67DF3D60
Source: C:\Users\user\AppData\Local\s8hTTPzEx\SysResetErr.exe Code function: 15_2_00007FFC67E2ED20 15_2_00007FFC67E2ED20
Source: C:\Users\user\AppData\Local\s8hTTPzEx\SysResetErr.exe Code function: 15_2_00007FFC67E484D0 15_2_00007FFC67E484D0
Source: C:\Users\user\AppData\Local\s8hTTPzEx\SysResetErr.exe Code function: 15_2_00007FFC67DF74A0 15_2_00007FFC67DF74A0
Source: C:\Users\user\AppData\Local\s8hTTPzEx\SysResetErr.exe Code function: 15_2_00007FFC67DF54B0 15_2_00007FFC67DF54B0
Source: C:\Users\user\AppData\Local\s8hTTPzEx\SysResetErr.exe Code function: 15_2_00007FFC67E12C80 15_2_00007FFC67E12C80
Source: C:\Users\user\AppData\Local\s8hTTPzEx\SysResetErr.exe Code function: 15_2_00007FFC67E5AC60 15_2_00007FFC67E5AC60
Source: C:\Users\user\AppData\Local\s8hTTPzEx\SysResetErr.exe Code function: 15_2_00007FFC67E10450 15_2_00007FFC67E10450
Source: C:\Users\user\AppData\Local\s8hTTPzEx\SysResetErr.exe Code function: 15_2_00007FFC67E01C40 15_2_00007FFC67E01C40
Source: C:\Users\user\AppData\Local\s8hTTPzEx\SysResetErr.exe Code function: 15_2_00007FFC67E08C40 15_2_00007FFC67E08C40
Source: C:\Users\user\AppData\Local\s8hTTPzEx\SysResetErr.exe Code function: 15_2_00007FFC67E0EC30 15_2_00007FFC67E0EC30
Source: C:\Users\user\AppData\Local\s8hTTPzEx\SysResetErr.exe Code function: 15_2_00007FFC67DE5C20 15_2_00007FFC67DE5C20
Source: C:\Users\user\AppData\Local\s8hTTPzEx\SysResetErr.exe Code function: 15_2_00007FFC67E07BE0 15_2_00007FFC67E07BE0
Source: C:\Users\user\AppData\Local\s8hTTPzEx\SysResetErr.exe Code function: 15_2_00007FFC67E06BF0 15_2_00007FFC67E06BF0
Source: C:\Users\user\AppData\Local\s8hTTPzEx\SysResetErr.exe Code function: 15_2_00007FFC67E0C3D0 15_2_00007FFC67E0C3D0
Source: C:\Users\user\AppData\Local\s8hTTPzEx\SysResetErr.exe Code function: 15_2_00007FFC67DF83D0 15_2_00007FFC67DF83D0
Source: C:\Users\user\AppData\Local\s8hTTPzEx\SysResetErr.exe Code function: 15_2_00007FFC67E37BB0 15_2_00007FFC67E37BB0
Source: C:\Users\user\AppData\Local\s8hTTPzEx\SysResetErr.exe Code function: 15_2_00007FFC67DF23B0 15_2_00007FFC67DF23B0
Source: C:\Users\user\AppData\Local\s8hTTPzEx\SysResetErr.exe Code function: 15_2_00007FFC67E41B80 15_2_00007FFC67E41B80
Source: C:\Users\user\AppData\Local\s8hTTPzEx\SysResetErr.exe Code function: 15_2_00007FFC67E19B70 15_2_00007FFC67E19B70
Source: C:\Users\user\AppData\Local\s8hTTPzEx\SysResetErr.exe Code function: 15_2_00007FFC67E49360 15_2_00007FFC67E49360
Source: C:\Users\user\AppData\Local\s8hTTPzEx\SysResetErr.exe Code function: 15_2_00007FFC67DE5350 15_2_00007FFC67DE5350
Source: C:\Users\user\AppData\Local\s8hTTPzEx\SysResetErr.exe Code function: 15_2_00007FFC67DEBB20 15_2_00007FFC67DEBB20
Source: C:\Users\user\AppData\Local\s8hTTPzEx\SysResetErr.exe Code function: 15_2_00007FFC67E0DB20 15_2_00007FFC67E0DB20
Source: C:\Users\user\AppData\Local\s8hTTPzEx\SysResetErr.exe Code function: 15_2_00007FFC67E17B10 15_2_00007FFC67E17B10
Source: C:\Users\user\AppData\Local\s8hTTPzEx\SysResetErr.exe Code function: 15_2_00007FFC67E17310 15_2_00007FFC67E17310
Source: C:\Users\user\AppData\Local\s8hTTPzEx\SysResetErr.exe Code function: 15_2_00007FFC67E44B10 15_2_00007FFC67E44B10
Source: C:\Users\user\AppData\Local\s8hTTPzEx\SysResetErr.exe Code function: 15_2_00007FFC67E10AF0 15_2_00007FFC67E10AF0
Source: C:\Users\user\AppData\Local\s8hTTPzEx\SysResetErr.exe Code function: 15_2_00007FFC67E5E2D0 15_2_00007FFC67E5E2D0
Source: C:\Users\user\AppData\Local\s8hTTPzEx\SysResetErr.exe Code function: 15_2_00007FFC67E0D2D0 15_2_00007FFC67E0D2D0
Source: C:\Users\user\AppData\Local\s8hTTPzEx\SysResetErr.exe Code function: 15_2_00007FFC67E052D0 15_2_00007FFC67E052D0
Source: C:\Users\user\AppData\Local\s8hTTPzEx\SysResetErr.exe Code function: 15_2_00007FFC67E182B0 15_2_00007FFC67E182B0
Source: C:\Users\user\AppData\Local\s8hTTPzEx\SysResetErr.exe Code function: 15_2_00007FFC67E46AB0 15_2_00007FFC67E46AB0
Source: C:\Users\user\AppData\Local\s8hTTPzEx\SysResetErr.exe Code function: 15_2_00007FFC67DFFAB0 15_2_00007FFC67DFFAB0
Source: C:\Users\user\AppData\Local\s8hTTPzEx\SysResetErr.exe Code function: 15_2_00007FFC67E43270 15_2_00007FFC67E43270
Source: C:\Users\user\AppData\Local\s8hTTPzEx\SysResetErr.exe Code function: 15_2_00007FFC67E47260 15_2_00007FFC67E47260
Source: C:\Users\user\AppData\Local\s8hTTPzEx\SysResetErr.exe Code function: 15_2_00007FFC67E33A50 15_2_00007FFC67E33A50
Source: C:\Users\user\AppData\Local\s8hTTPzEx\SysResetErr.exe Code function: 15_2_00007FFC67DE7A40 15_2_00007FFC67DE7A40
Source: C:\Users\user\AppData\Local\s8hTTPzEx\SysResetErr.exe Code function: 15_2_00007FFC67E02A50 15_2_00007FFC67E02A50
Source: C:\Users\user\AppData\Local\s8hTTPzEx\SysResetErr.exe Code function: 15_2_00007FFC67E02210 15_2_00007FFC67E02210
Source: C:\Users\user\AppData\Local\s8hTTPzEx\SysResetErr.exe Code function: 15_2_00007FFC67E419C0 15_2_00007FFC67E419C0
Source: C:\Users\user\AppData\Local\s8hTTPzEx\SysResetErr.exe Code function: 15_2_00007FFC67E1E190 15_2_00007FFC67E1E190
Source: C:\Users\user\AppData\Local\s8hTTPzEx\SysResetErr.exe Code function: 15_2_00007FFC67E30990 15_2_00007FFC67E30990
Source: C:\Users\user\AppData\Local\s8hTTPzEx\SysResetErr.exe Code function: 15_2_00007FFC67E3E190 15_2_00007FFC67E3E190
Source: C:\Users\user\AppData\Local\s8hTTPzEx\SysResetErr.exe Code function: 15_2_00007FFC67DE2980 15_2_00007FFC67DE2980
Source: C:\Users\user\AppData\Local\s8hTTPzEx\SysResetErr.exe Code function: 15_2_00007FFC67E4B180 15_2_00007FFC67E4B180
Source: C:\Users\user\AppData\Local\s8hTTPzEx\SysResetErr.exe Code function: 15_2_00007FFC67E49970 15_2_00007FFC67E49970
Source: C:\Users\user\AppData\Local\s8hTTPzEx\SysResetErr.exe Code function: 15_2_00007FFC67E03960 15_2_00007FFC67E03960
Source: C:\Users\user\AppData\Local\s8hTTPzEx\SysResetErr.exe Code function: 15_2_00007FFC67E0A960 15_2_00007FFC67E0A960
Source: C:\Users\user\AppData\Local\s8hTTPzEx\SysResetErr.exe Code function: 15_2_00007FFC67E0E950 15_2_00007FFC67E0E950
Source: C:\Users\user\AppData\Local\s8hTTPzEx\SysResetErr.exe Code function: 15_2_00007FFC67E45910 15_2_00007FFC67E45910
Source: C:\Users\user\AppData\Local\s8hTTPzEx\SysResetErr.exe Code function: 15_2_00007FFC67DEB100 15_2_00007FFC67DEB100
Source: C:\Users\user\AppData\Local\s8hTTPzEx\SysResetErr.exe Code function: 15_2_00007FFC67E03110 15_2_00007FFC67E03110
Source: C:\Users\user\AppData\Local\s8hTTPzEx\SysResetErr.exe Code function: 15_2_00007FFC67E4A0E0 15_2_00007FFC67E4A0E0
Source: C:\Users\user\AppData\Local\s8hTTPzEx\SysResetErr.exe Code function: 15_2_00007FFC67E0D0E0 15_2_00007FFC67E0D0E0
Source: C:\Users\user\AppData\Local\s8hTTPzEx\SysResetErr.exe Code function: 15_2_00007FFC67E058F0 15_2_00007FFC67E058F0
Source: C:\Users\user\AppData\Local\s8hTTPzEx\SysResetErr.exe Code function: 15_2_00007FFC67DE18D0 15_2_00007FFC67DE18D0
Source: C:\Users\user\AppData\Local\dfAZPUGwQ\consent.exe Code function: 23_2_00007FF60D1210D0 23_2_00007FF60D1210D0
Source: C:\Users\user\AppData\Local\dfAZPUGwQ\consent.exe Code function: 23_2_00007FF60D122C60 23_2_00007FF60D122C60
Source: C:\Users\user\AppData\Local\dfAZPUGwQ\consent.exe Code function: 23_2_00007FF60D122070 23_2_00007FF60D122070
Source: C:\Users\user\AppData\Local\dfAZPUGwQ\consent.exe Code function: 23_2_00007FF60D12F290 23_2_00007FF60D12F290
Source: C:\Users\user\AppData\Local\dfAZPUGwQ\consent.exe Code function: 23_2_00007FF60D12C6CC 23_2_00007FF60D12C6CC
Source: C:\Users\user\AppData\Local\dfAZPUGwQ\consent.exe Code function: 23_2_00007FF60D12ED30 23_2_00007FF60D12ED30
Source: C:\Users\user\AppData\Local\dfAZPUGwQ\consent.exe Code function: 23_2_00007FF60D12D574 23_2_00007FF60D12D574
Source: C:\Users\user\AppData\Local\dfAZPUGwQ\consent.exe Code function: 23_2_00007FF60D123940 23_2_00007FF60D123940
Source: C:\Users\user\AppData\Local\y1c6p\cmstp.exe Code function: 27_2_00007FF768F8591C 27_2_00007FF768F8591C
Source: C:\Users\user\AppData\Local\y1c6p\cmstp.exe Code function: 27_2_00007FF768F82F1C 27_2_00007FF768F82F1C
Source: C:\Users\user\AppData\Local\y1c6p\cmstp.exe Code function: 27_2_00007FF768F81254 27_2_00007FF768F81254
Source: C:\Users\user\AppData\Local\y1c6p\cmstp.exe Code function: 27_2_00007FF768F89160 27_2_00007FF768F89160
Source: C:\Users\user\AppData\Local\y1c6p\cmstp.exe Code function: 27_2_00007FF768F8637C 27_2_00007FF768F8637C
Source: C:\Users\user\AppData\Local\y1c6p\cmstp.exe Code function: 27_2_00007FF768F87480 27_2_00007FF768F87480
Source: C:\Users\user\AppData\Local\y1c6p\cmstp.exe Code function: 27_2_00007FF768F84794 27_2_00007FF768F84794
Source: C:\Users\user\AppData\Local\y1c6p\cmstp.exe Code function: 27_2_00007FF768F82CB8 27_2_00007FF768F82CB8
Source: C:\Users\user\AppData\Local\y1c6p\cmstp.exe Code function: 27_2_00007FF768F899BC 27_2_00007FF768F899BC
Source: C:\Users\user\AppData\Local\y1c6p\cmstp.exe Code function: 27_2_00007FF768F8AAD4 27_2_00007FF768F8AAD4
Source: C:\Users\user\AppData\Local\y1c6p\cmstp.exe Code function: 27_2_00007FF768F896D8 27_2_00007FF768F896D8
Source: C:\Users\user\AppData\Local\y1c6p\cmstp.exe Code function: 27_2_00007FF768F871E0 27_2_00007FF768F871E0
Source: C:\Users\user\AppData\Local\y1c6p\cmstp.exe Code function: 27_2_00007FF768F84AFC 27_2_00007FF768F84AFC
Source: C:\Users\user\AppData\Local\y1c6p\cmstp.exe Code function: 27_2_00007FF768F89E10 27_2_00007FF768F89E10
Source: C:\Users\user\AppData\Local\y1c6p\cmstp.exe Code function: 27_2_00007FF768F84008 27_2_00007FF768F84008
Source: C:\Users\user\AppData\Local\y1c6p\cmstp.exe Code function: 27_2_00007FFC6E2D7EA0 27_2_00007FFC6E2D7EA0
Source: C:\Users\user\AppData\Local\y1c6p\cmstp.exe Code function: 27_2_00007FFC6E2FBF20 27_2_00007FFC6E2FBF20
Source: C:\Users\user\AppData\Local\y1c6p\cmstp.exe Code function: 27_2_00007FFC6E2E1FE0 27_2_00007FFC6E2E1FE0
Source: C:\Users\user\AppData\Local\y1c6p\cmstp.exe Code function: 27_2_00007FFC6E2ECC90 27_2_00007FFC6E2ECC90
Source: C:\Users\user\AppData\Local\y1c6p\cmstp.exe Code function: 27_2_00007FFC6E2C45F0 27_2_00007FFC6E2C45F0
Source: C:\Users\user\AppData\Local\y1c6p\cmstp.exe Code function: 27_2_00007FFC6E2F6610 27_2_00007FFC6E2F6610
Source: C:\Users\user\AppData\Local\y1c6p\cmstp.exe Code function: 27_2_00007FFC6E2C4310 27_2_00007FFC6E2C4310
Source: C:\Users\user\AppData\Local\y1c6p\cmstp.exe Code function: 27_2_00007FFC6E2C9390 27_2_00007FFC6E2C9390
Source: C:\Users\user\AppData\Local\y1c6p\cmstp.exe Code function: 27_2_00007FFC6E2CA400 27_2_00007FFC6E2CA400
Source: C:\Users\user\AppData\Local\y1c6p\cmstp.exe Code function: 27_2_00007FFC6E2DB120 27_2_00007FFC6E2DB120
Source: C:\Users\user\AppData\Local\y1c6p\cmstp.exe Code function: 27_2_00007FFC6E2C3940 27_2_00007FFC6E2C3940
Source: C:\Users\user\AppData\Local\y1c6p\cmstp.exe Code function: 27_2_00007FFC6E2D8990 27_2_00007FFC6E2D8990
Source: C:\Users\user\AppData\Local\y1c6p\cmstp.exe Code function: 27_2_00007FFC6E2B6190 27_2_00007FFC6E2B6190
Source: C:\Users\user\AppData\Local\y1c6p\cmstp.exe Code function: 27_2_00007FFC6E2FCEB6 27_2_00007FFC6E2FCEB6
Source: C:\Users\user\AppData\Local\y1c6p\cmstp.exe Code function: 27_2_00007FFC6E2FCEAD 27_2_00007FFC6E2FCEAD
Source: C:\Users\user\AppData\Local\y1c6p\cmstp.exe Code function: 27_2_00007FFC6E2FCEA6 27_2_00007FFC6E2FCEA6
Source: C:\Users\user\AppData\Local\y1c6p\cmstp.exe Code function: 27_2_00007FFC6E2FCE9D 27_2_00007FFC6E2FCE9D
Source: C:\Users\user\AppData\Local\y1c6p\cmstp.exe Code function: 27_2_00007FFC6E2FCE94 27_2_00007FFC6E2FCE94
Source: C:\Users\user\AppData\Local\y1c6p\cmstp.exe Code function: 27_2_00007FFC6E296E90 27_2_00007FFC6E296E90
Source: C:\Users\user\AppData\Local\y1c6p\cmstp.exe Code function: 27_2_00007FFC6E2FCE8B 27_2_00007FFC6E2FCE8B
Source: C:\Users\user\AppData\Local\y1c6p\cmstp.exe Code function: 27_2_00007FFC6E30EEF0 27_2_00007FFC6E30EEF0
Source: C:\Users\user\AppData\Local\y1c6p\cmstp.exe Code function: 27_2_00007FFC6E2F6E80 27_2_00007FFC6E2F6E80
Source: C:\Users\user\AppData\Local\y1c6p\cmstp.exe Code function: 27_2_00007FFC6E297E80 27_2_00007FFC6E297E80
Source: C:\Users\user\AppData\Local\y1c6p\cmstp.exe Code function: 27_2_00007FFC6E2BBE80 27_2_00007FFC6E2BBE80
Source: C:\Users\user\AppData\Local\y1c6p\cmstp.exe Code function: 27_2_00007FFC6E2C0EE0 27_2_00007FFC6E2C0EE0
Source: C:\Users\user\AppData\Local\y1c6p\cmstp.exe Code function: 27_2_00007FFC6E2E46D0 27_2_00007FFC6E2E46D0
Source: C:\Users\user\AppData\Local\y1c6p\cmstp.exe Code function: 27_2_00007FFC6E3036C0 27_2_00007FFC6E3036C0
Source: C:\Users\user\AppData\Local\y1c6p\cmstp.exe Code function: 27_2_00007FFC6E2ACF30 27_2_00007FFC6E2ACF30
Source: C:\Users\user\AppData\Local\y1c6p\cmstp.exe Code function: 27_2_00007FFC6E2C1730 27_2_00007FFC6E2C1730
Source: C:\Users\user\AppData\Local\y1c6p\cmstp.exe Code function: 27_2_00007FFC6E2B1F10 27_2_00007FFC6E2B1F10
Source: C:\Users\user\AppData\Local\y1c6p\cmstp.exe Code function: 27_2_00007FFC6E2A8700 27_2_00007FFC6E2A8700
Source: C:\Users\user\AppData\Local\y1c6p\cmstp.exe Code function: 27_2_00007FFC6E2AC700 27_2_00007FFC6E2AC700
Source: C:\Users\user\AppData\Local\y1c6p\cmstp.exe Code function: 27_2_00007FFC6E2DDF40 27_2_00007FFC6E2DDF40
Source: C:\Users\user\AppData\Local\y1c6p\cmstp.exe Code function: 27_2_00007FFC6E296790 27_2_00007FFC6E296790
Source: C:\Users\user\AppData\Local\y1c6p\cmstp.exe Code function: 27_2_00007FFC6E2AD780 27_2_00007FFC6E2AD780
Source: C:\Users\user\AppData\Local\y1c6p\cmstp.exe Code function: 27_2_00007FFC6E30AF81 27_2_00007FFC6E30AF81
Source: C:\Users\user\AppData\Local\y1c6p\cmstp.exe Code function: 27_2_00007FFC6E2BDFE0 27_2_00007FFC6E2BDFE0
Source: C:\Users\user\AppData\Local\y1c6p\cmstp.exe Code function: 27_2_00007FFC6E2BEFD0 27_2_00007FFC6E2BEFD0
Source: C:\Users\user\AppData\Local\y1c6p\cmstp.exe Code function: 27_2_00007FFC6E30A7BB 27_2_00007FFC6E30A7BB
Source: C:\Users\user\AppData\Local\y1c6p\cmstp.exe Code function: 27_2_00007FFC6E291010 27_2_00007FFC6E291010
Source: C:\Users\user\AppData\Local\y1c6p\cmstp.exe Code function: 27_2_00007FFC6E2A0870 27_2_00007FFC6E2A0870
Source: C:\Users\user\AppData\Local\y1c6p\cmstp.exe Code function: 27_2_00007FFC6E2B1850 27_2_00007FFC6E2B1850
Source: C:\Users\user\AppData\Local\y1c6p\cmstp.exe Code function: 27_2_00007FFC6E2A9050 27_2_00007FFC6E2A9050
Source: C:\Users\user\AppData\Local\y1c6p\cmstp.exe Code function: 27_2_00007FFC6E2A54B0 27_2_00007FFC6E2A54B0
Source: C:\Users\user\AppData\Local\y1c6p\cmstp.exe Code function: 27_2_00007FFC6E2A74A0 27_2_00007FFC6E2A74A0
Source: C:\Users\user\AppData\Local\y1c6p\cmstp.exe Code function: 27_2_00007FFC6E2C2C80 27_2_00007FFC6E2C2C80
Source: C:\Users\user\AppData\Local\y1c6p\cmstp.exe Code function: 27_2_00007FFC6E2F84D0 27_2_00007FFC6E2F84D0
Source: C:\Users\user\AppData\Local\y1c6p\cmstp.exe Code function: 27_2_00007FFC6E2DED20 27_2_00007FFC6E2DED20
Source: C:\Users\user\AppData\Local\y1c6p\cmstp.exe Code function: 27_2_00007FFC6E2A3D60 27_2_00007FFC6E2A3D60
Source: C:\Users\user\AppData\Local\y1c6p\cmstp.exe Code function: 27_2_00007FFC6E2B95B0 27_2_00007FFC6E2B95B0
Source: C:\Users\user\AppData\Local\y1c6p\cmstp.exe Code function: 27_2_00007FFC6E29C5A0 27_2_00007FFC6E29C5A0
Source: C:\Users\user\AppData\Local\y1c6p\cmstp.exe Code function: 27_2_00007FFC6E2F9580 27_2_00007FFC6E2F9580
Source: C:\Users\user\AppData\Local\y1c6p\cmstp.exe Code function: 27_2_00007FFC6E29DDE0 27_2_00007FFC6E29DDE0
Source: C:\Users\user\AppData\Local\y1c6p\cmstp.exe Code function: 27_2_00007FFC6E30A63F 27_2_00007FFC6E30A63F
Source: C:\Users\user\AppData\Local\y1c6p\cmstp.exe Code function: 27_2_00007FFC6E30D650 27_2_00007FFC6E30D650
Source: C:\Users\user\AppData\Local\y1c6p\cmstp.exe Code function: 27_2_00007FFC6E291620 27_2_00007FFC6E291620
Source: C:\Users\user\AppData\Local\y1c6p\cmstp.exe Code function: 27_2_00007FFC6E2EFE10 27_2_00007FFC6E2EFE10
Source: C:\Users\user\AppData\Local\y1c6p\cmstp.exe Code function: 27_2_00007FFC6E2C2610 27_2_00007FFC6E2C2610
Source: C:\Users\user\AppData\Local\y1c6p\cmstp.exe Code function: 27_2_00007FFC6E309E70 27_2_00007FFC6E309E70
Source: C:\Users\user\AppData\Local\y1c6p\cmstp.exe Code function: 27_2_00007FFC6E2FCE00 27_2_00007FFC6E2FCE00
Source: C:\Users\user\AppData\Local\y1c6p\cmstp.exe Code function: 27_2_00007FFC6E2A6670 27_2_00007FFC6E2A6670
Source: C:\Users\user\AppData\Local\y1c6p\cmstp.exe Code function: 27_2_00007FFC6E2A9660 27_2_00007FFC6E2A9660
Source: C:\Users\user\AppData\Local\y1c6p\cmstp.exe Code function: 27_2_00007FFC6E2EF650 27_2_00007FFC6E2EF650
Source: C:\Users\user\AppData\Local\y1c6p\cmstp.exe Code function: 27_2_00007FFC6E2B2650 27_2_00007FFC6E2B2650
Source: C:\Users\user\AppData\Local\y1c6p\cmstp.exe Code function: 27_2_00007FFC6E2C0650 27_2_00007FFC6E2C0650
Source: C:\Users\user\AppData\Local\y1c6p\cmstp.exe Code function: 27_2_00007FFC6E2F4640 27_2_00007FFC6E2F4640
Source: C:\Users\user\AppData\Local\y1c6p\cmstp.exe Code function: 27_2_00007FFC6E2BF640 27_2_00007FFC6E2BF640
Source: C:\Users\user\AppData\Local\y1c6p\cmstp.exe Code function: 27_2_00007FFC6E2C82B0 27_2_00007FFC6E2C82B0
Source: C:\Users\user\AppData\Local\y1c6p\cmstp.exe Code function: 27_2_00007FFC6E2F6AB0 27_2_00007FFC6E2F6AB0
Source: C:\Users\user\AppData\Local\y1c6p\cmstp.exe Code function: 27_2_00007FFC6E2AFAB0 27_2_00007FFC6E2AFAB0
Source: C:\Users\user\AppData\Local\y1c6p\cmstp.exe Code function: 27_2_00007FFC6E30E2D0 27_2_00007FFC6E30E2D0
Source: C:\Users\user\AppData\Local\y1c6p\cmstp.exe Code function: 27_2_00007FFC6E2C0AF0 27_2_00007FFC6E2C0AF0
Source: C:\Users\user\AppData\Local\y1c6p\cmstp.exe Code function: 27_2_00007FFC6E2B52D0 27_2_00007FFC6E2B52D0
Source: C:\Users\user\AppData\Local\y1c6p\cmstp.exe Code function: 27_2_00007FFC6E2BD2D0 27_2_00007FFC6E2BD2D0
Source: C:\Users\user\AppData\Local\y1c6p\cmstp.exe Code function: 27_2_00007FFC6E29BB20 27_2_00007FFC6E29BB20
Source: C:\Users\user\AppData\Local\y1c6p\cmstp.exe Code function: 27_2_00007FFC6E2BDB20 27_2_00007FFC6E2BDB20
Source: C:\Users\user\AppData\Local\y1c6p\cmstp.exe Code function: 27_2_00007FFC6E2F4B10 27_2_00007FFC6E2F4B10
Source: C:\Users\user\AppData\Local\y1c6p\cmstp.exe Code function: 27_2_00007FFC6E2C7B10 27_2_00007FFC6E2C7B10
Source: C:\Users\user\AppData\Local\y1c6p\cmstp.exe Code function: 27_2_00007FFC6E2C7310 27_2_00007FFC6E2C7310
Source: C:\Users\user\AppData\Local\y1c6p\cmstp.exe Code function: 27_2_00007FFC6E2C9B70 27_2_00007FFC6E2C9B70
Source: C:\Users\user\AppData\Local\y1c6p\cmstp.exe Code function: 27_2_00007FFC6E2F9360 27_2_00007FFC6E2F9360
Source: C:\Users\user\AppData\Local\y1c6p\cmstp.exe Code function: 27_2_00007FFC6E295350 27_2_00007FFC6E295350
Source: C:\Users\user\AppData\Local\y1c6p\cmstp.exe Code function: 27_2_00007FFC6E2E7BB0 27_2_00007FFC6E2E7BB0
Source: C:\Users\user\AppData\Local\y1c6p\cmstp.exe Code function: 27_2_00007FFC6E2A23B0 27_2_00007FFC6E2A23B0
Source: C:\Users\user\AppData\Local\y1c6p\cmstp.exe Code function: 27_2_00007FFC6E2F1B80 27_2_00007FFC6E2F1B80
Source: C:\Users\user\AppData\Local\y1c6p\cmstp.exe Code function: 27_2_00007FFC6E2B6BF0 27_2_00007FFC6E2B6BF0
Source: C:\Users\user\AppData\Local\y1c6p\cmstp.exe Code function: 27_2_00007FFC6E2B7BE0 27_2_00007FFC6E2B7BE0
Source: C:\Users\user\AppData\Local\y1c6p\cmstp.exe Code function: 27_2_00007FFC6E2A83D0 27_2_00007FFC6E2A83D0
Source: C:\Users\user\AppData\Local\y1c6p\cmstp.exe Code function: 27_2_00007FFC6E2BC3D0 27_2_00007FFC6E2BC3D0
Source: C:\Users\user\AppData\Local\y1c6p\cmstp.exe Code function: 27_2_00007FFC6E2BEC30 27_2_00007FFC6E2BEC30
Source: C:\Users\user\AppData\Local\y1c6p\cmstp.exe Code function: 27_2_00007FFC6E295C20 27_2_00007FFC6E295C20
Source: C:\Users\user\AppData\Local\y1c6p\cmstp.exe Code function: 27_2_00007FFC6E30AC60 27_2_00007FFC6E30AC60
Source: C:\Users\user\AppData\Local\y1c6p\cmstp.exe Code function: 27_2_00007FFC6E2C0450 27_2_00007FFC6E2C0450
Source: C:\Users\user\AppData\Local\y1c6p\cmstp.exe Code function: 27_2_00007FFC6E2B1C40 27_2_00007FFC6E2B1C40
Source: C:\Users\user\AppData\Local\y1c6p\cmstp.exe Code function: 27_2_00007FFC6E2B8C40 27_2_00007FFC6E2B8C40
Source: C:\Users\user\AppData\Local\y1c6p\cmstp.exe Code function: 27_2_00007FFC6E2B58F0 27_2_00007FFC6E2B58F0
Source: C:\Users\user\AppData\Local\y1c6p\cmstp.exe Code function: 27_2_00007FFC6E2FA0E0 27_2_00007FFC6E2FA0E0
Source: C:\Users\user\AppData\Local\y1c6p\cmstp.exe Code function: 27_2_00007FFC6E2BD0E0 27_2_00007FFC6E2BD0E0
Source: C:\Users\user\AppData\Local\y1c6p\cmstp.exe Code function: 27_2_00007FFC6E2918D0 27_2_00007FFC6E2918D0
Source: C:\Users\user\AppData\Local\y1c6p\cmstp.exe Code function: 27_2_00007FFC6E2F5910 27_2_00007FFC6E2F5910
Source: C:\Users\user\AppData\Local\y1c6p\cmstp.exe Code function: 27_2_00007FFC6E2B3110 27_2_00007FFC6E2B3110
Source: C:\Users\user\AppData\Local\y1c6p\cmstp.exe Code function: 27_2_00007FFC6E29B100 27_2_00007FFC6E29B100
Source: C:\Users\user\AppData\Local\y1c6p\cmstp.exe Code function: 27_2_00007FFC6E2F9970 27_2_00007FFC6E2F9970
Source: C:\Users\user\AppData\Local\y1c6p\cmstp.exe Code function: 27_2_00007FFC6E2B3960 27_2_00007FFC6E2B3960
Source: C:\Users\user\AppData\Local\y1c6p\cmstp.exe Code function: 27_2_00007FFC6E2BA960 27_2_00007FFC6E2BA960
Source: C:\Users\user\AppData\Local\y1c6p\cmstp.exe Code function: 27_2_00007FFC6E2BE950 27_2_00007FFC6E2BE950
Source: C:\Users\user\AppData\Local\y1c6p\cmstp.exe Code function: 27_2_00007FFC6E2CE190 27_2_00007FFC6E2CE190
Source: C:\Users\user\AppData\Local\y1c6p\cmstp.exe Code function: 27_2_00007FFC6E2E0990 27_2_00007FFC6E2E0990
Source: C:\Users\user\AppData\Local\y1c6p\cmstp.exe Code function: 27_2_00007FFC6E2EE190 27_2_00007FFC6E2EE190
Source: C:\Users\user\AppData\Local\y1c6p\cmstp.exe Code function: 27_2_00007FFC6E2FB180 27_2_00007FFC6E2FB180
Source: C:\Users\user\AppData\Local\y1c6p\cmstp.exe Code function: 27_2_00007FFC6E292980 27_2_00007FFC6E292980
Source: C:\Users\user\AppData\Local\y1c6p\cmstp.exe Code function: 27_2_00007FFC6E2F19C0 27_2_00007FFC6E2F19C0
Source: C:\Users\user\AppData\Local\y1c6p\cmstp.exe Code function: 27_2_00007FFC6E2B2210 27_2_00007FFC6E2B2210
Source: C:\Users\user\AppData\Local\y1c6p\cmstp.exe Code function: 27_2_00007FFC6E2F3270 27_2_00007FFC6E2F3270
Source: C:\Users\user\AppData\Local\y1c6p\cmstp.exe Code function: 27_2_00007FFC6E2F7260 27_2_00007FFC6E2F7260
Source: C:\Users\user\AppData\Local\y1c6p\cmstp.exe Code function: 27_2_00007FFC6E2E3A50 27_2_00007FFC6E2E3A50
Source: C:\Users\user\AppData\Local\y1c6p\cmstp.exe Code function: 27_2_00007FFC6E2B2A50 27_2_00007FFC6E2B2A50
Source: C:\Users\user\AppData\Local\y1c6p\cmstp.exe Code function: 27_2_00007FFC6E297A40 27_2_00007FFC6E297A40
Source: C:\Users\user\AppData\Local\oudoiG\DWWIN.EXE Code function: 30_2_00007FF7EAE9D3E4 30_2_00007FF7EAE9D3E4
Source: C:\Users\user\AppData\Local\oudoiG\DWWIN.EXE Code function: 30_2_00007FF7EAE9CF6C 30_2_00007FF7EAE9CF6C
Source: C:\Users\user\AppData\Local\oudoiG\DWWIN.EXE Code function: 30_2_00007FF7EAEA2858 30_2_00007FF7EAEA2858
Source: C:\Users\user\AppData\Local\oudoiG\DWWIN.EXE Code function: 30_2_00007FF7EAE9B9FC 30_2_00007FF7EAE9B9FC
Source: C:\Users\user\AppData\Local\oudoiG\DWWIN.EXE Code function: 30_2_00007FF7EAE911A0 30_2_00007FF7EAE911A0
Source: C:\Users\user\AppData\Local\oudoiG\DWWIN.EXE Code function: 30_2_00007FF7EAE99D80 30_2_00007FF7EAE99D80
Source: C:\Users\user\AppData\Local\oudoiG\DWWIN.EXE Code function: 30_2_00007FF7EAE91568 30_2_00007FF7EAE91568
Source: C:\Users\user\AppData\Local\oudoiG\DWWIN.EXE Code function: 30_2_00007FF7EAE8C568 30_2_00007FF7EAE8C568
Source: C:\Users\user\AppData\Local\oudoiG\DWWIN.EXE Code function: 30_2_00007FF7EAE9D15C 30_2_00007FF7EAE9D15C
Source: C:\Users\user\AppData\Local\oudoiG\DWWIN.EXE Code function: 30_2_00007FF7EAE9026C 30_2_00007FF7EAE9026C
Source: C:\Users\user\AppData\Local\oudoiG\DWWIN.EXE Code function: 30_2_00007FF7EAE98E50 30_2_00007FF7EAE98E50
Source: C:\Users\user\AppData\Local\oudoiG\DWWIN.EXE Code function: 30_2_00007FF7EAE8DA34 30_2_00007FF7EAE8DA34
Source: C:\Users\user\AppData\Local\y1c6p\cmstp.exe Code function: String function: 00007FF768F8BA24 appears 90 times
Source: C:\Users\user\AppData\Local\oudoiG\DWWIN.EXE Code function: String function: 00007FF7EAEA4DB2 appears 36 times
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFC682FBF20 NtQuerySystemInformation, 0_2_00007FFC682FBF20
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFC682D6070 NtClose, 0_2_00007FFC682D6070
Source: C:\Users\user\AppData\Local\DLKXiO\consent.exe Code function: 13_2_00007FF679F910D0 EtwRegisterTraceGuidsW,HeapSetInformation,EventRegister,RtlInitString,LsaRegisterLogonProcess,RtlInitString,LsaLookupAuthenticationPackage,LsaCallAuthenticationPackage,LsaDeregisterLogonProcess,memset,WinStationQueryInformationW,GetCommandLineW,swscanf_s,swscanf_s,swscanf_s,GlobalFree,NtOpenProcess,ImpersonateLoggedOnUser,GetUserPreferredUILanguages,RevertToSelf,SetProcessPreferredUILanguages,CoInitializeEx,ConvertStringSecurityDescriptorToSecurityDescriptorW,MakeAbsoluteSD,GetLastError,LocalAlloc,LocalAlloc,LocalAlloc,LocalAlloc,LocalAlloc,MakeAbsoluteSD,CoInitializeSecurity,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,memset,GetSidLengthRequired,LocalAlloc,InitializeSid,GetTokenInformation,GetSidSubAuthority,LocalFree,EtwEventWrite,EtwEventWrite,NtQueryVolumeInformationFile,EtwEventWrite,LocalAlloc,EtwSendNotification,LocalFree,NtQueryInformationToken,NtQueryInformationToken,NtClose,EtwEventWrite,EtwEventWrite,NtDuplicateObject,CloseHandle,NtWriteVirtualMemory,RtlInitString,LsaRegisterLogonProcess,RtlInitString,LsaLookupAuthenticationPackage,LsaCallAuthenticationPackage,LsaDeregisterLogonProcess,LocalAlloc,EtwSendNotification,LocalFree,NtClose,WaitForSingleObject,CloseHandle,CloseHandle,CloseHandle,LocalFree,NtClose,NtClose,LocalFree,CoTaskMemFree,CoTaskMemFree,CoTaskMemFree,CoTaskMemFree,CertFreeCertificateContext,memset,EventUnregister,CoUninitialize,EtwUnregisterTraceGuids,DestroyIcon,RtlNtStatusToDosError,RegGetValueW,RtlNtStatusToDosError,RtlNtStatusToDosError,RtlNtStatusToDosError,#2574,GetLastError,GetLastError,GetLastError,GetCurrentProcess,SetPriorityClass,GetLastError,EtwEventWrite,EtwEventWrite,RtlNtStatusToDosErrorNoTeb,NtClose,RtlNtStatusToDosError,RtlNtStatusToDosError,NtClose,TerminateThread,WaitForSingleObject,EtwEventWrite,EtwEventWrite,UninitLocalMsCtfMonitor,WaitForSingleObject,GetLastError,CloseHandle, 13_2_00007FF679F910D0
Source: C:\Users\user\AppData\Local\DLKXiO\consent.exe Code function: 13_2_00007FF679F91F60 NtDuplicateToken,RtlNtStatusToDosErrorNoTeb,ImpersonateLoggedOnUser,RevertToSelf, 13_2_00007FF679F91F60
Source: C:\Users\user\AppData\Local\DLKXiO\consent.exe Code function: 13_2_00007FF679F93380 HeapAlloc,NtReadVirtualMemory,NtDuplicateObject,NtDuplicateObject,EtwEventWrite,NtDuplicateObject,NtClose,NtClose,HeapFree, 13_2_00007FF679F93380
Source: C:\Users\user\AppData\Local\DLKXiO\consent.exe Code function: 13_2_00007FF679F959B4 RtlInitString,LsaRegisterLogonProcess,RtlInitString,LsaLookupAuthenticationPackage,LsaCallAuthenticationPackage,LsaDeregisterLogonProcess,LocalAlloc,EtwSendNotification,LocalFree,NtClose,WaitForSingleObject,CloseHandle,CloseHandle,CloseHandle,LocalFree,NtClose,NtClose,LocalFree,CoTaskMemFree,CoTaskMemFree,CoTaskMemFree,CoTaskMemFree,CertFreeCertificateContext,memset,EventUnregister,CoUninitialize,EtwUnregisterTraceGuids, 13_2_00007FF679F959B4
Source: C:\Users\user\AppData\Local\DLKXiO\consent.exe Code function: 13_2_00007FF679F9AFD0 NtDuplicateToken,RtlNtStatusToDosErrorNoTeb, 13_2_00007FF679F9AFD0
Source: C:\Users\user\AppData\Local\DLKXiO\consent.exe Code function: 13_2_00007FF679F9A808 memset,RtlAdjustPrivilege,LsaRegisterLogonProcess,NtAllocateLocallyUniqueId,RegGetValueW,LsaLogonUser,LsaLogonUser,RtlNtStatusToDosError,NtClose,LsaFreeReturnBuffer,LsaDeregisterLogonProcess, 13_2_00007FF679F9A808
Source: C:\Users\user\AppData\Local\DLKXiO\consent.exe Code function: 13_2_00007FF679F9B020 NtQueryInformationToken,RtlNtStatusToDosError,LocalAlloc,NtQueryInformationToken,LocalFree,RtlSubAuthoritySid,RtlSubAuthoritySid, 13_2_00007FF679F9B020
Source: C:\Users\user\AppData\Local\DLKXiO\consent.exe Code function: 13_2_00007FF679F9AAB0 LocalAlloc,memset,memcpy,SeciAllocateAndSetCallFlags,RtlInitString,LsaRegisterLogonProcess,RtlNtStatusToDosError,NtAllocateLocallyUniqueId,LsaLogonUser,GetTokenInformation,GetTokenInformation,RtlEqualSid,GetLastError,LsaFreeReturnBuffer,CloseHandle,LsaDeregisterLogonProcess,CoTaskMemFree,LocalFree, 13_2_00007FF679F9AAB0
Source: C:\Users\user\AppData\Local\s8hTTPzEx\SysResetErr.exe Code function: 15_2_00007FFC67E26070 NtClose, 15_2_00007FFC67E26070
Source: C:\Users\user\AppData\Local\s8hTTPzEx\SysResetErr.exe Code function: 15_2_00007FFC67E04850 NtCreateSection,NtMapViewOfSection,NtUnmapViewOfSection,NtDuplicateObject,NtDuplicateObject, 15_2_00007FFC67E04850
Source: C:\Users\user\AppData\Local\s8hTTPzEx\SysResetErr.exe Code function: 15_2_00007FFC67E4BF20 NtQuerySystemInformation, 15_2_00007FFC67E4BF20
Source: C:\Users\user\AppData\Local\s8hTTPzEx\SysResetErr.exe Code function: 15_2_00007FFC67E145F0 RtlAddVectoredContinueHandler,VirtualProtect,VirtualProtect,RtlCreateUserThread,NtClose, 15_2_00007FFC67E145F0
Source: C:\Users\user\AppData\Local\s8hTTPzEx\SysResetErr.exe Code function: 15_2_00007FFC67E1ADF0 CreateFileMappingW,NtMapViewOfSection,NtUnmapViewOfSection,NtDuplicateObject,NtDuplicateObject, 15_2_00007FFC67E1ADF0
Source: C:\Users\user\AppData\Local\s8hTTPzEx\SysResetErr.exe Code function: 15_2_00007FFC67E1A400 NtReadVirtualMemory, 15_2_00007FFC67E1A400
Source: C:\Users\user\AppData\Local\s8hTTPzEx\SysResetErr.exe Code function: 15_2_00007FFC67E19390 NtDuplicateObject,RtlQueueApcWow64Thread, 15_2_00007FFC67E19390
Source: C:\Users\user\AppData\Local\dfAZPUGwQ\consent.exe Code function: 23_2_00007FF60D1210D0 EtwRegisterTraceGuidsW,HeapSetInformation,EventRegister,RtlInitString,LsaRegisterLogonProcess,RtlInitString,LsaLookupAuthenticationPackage,LsaCallAuthenticationPackage,LsaDeregisterLogonProcess,memset,WinStationQueryInformationW,GetCommandLineW,swscanf_s,swscanf_s,swscanf_s,GlobalFree,NtOpenProcess,ImpersonateLoggedOnUser,GetUserPreferredUILanguages,RevertToSelf,SetProcessPreferredUILanguages,CoInitializeEx,ConvertStringSecurityDescriptorToSecurityDescriptorW,MakeAbsoluteSD,GetLastError,LocalAlloc,LocalAlloc,LocalAlloc,LocalAlloc,LocalAlloc,MakeAbsoluteSD,CoInitializeSecurity,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,memset,GetSidLengthRequired,LocalAlloc,InitializeSid,GetTokenInformation,GetSidSubAuthority,LocalFree,EtwEventWrite,EtwEventWrite,NtQueryVolumeInformationFile,EtwEventWrite,LocalAlloc,EtwSendNotification,LocalFree,NtQueryInformationToken,NtQueryInformationToken,NtClose,EtwEventWrite,EtwEventWrite,NtDuplicateObject,CloseHandle,NtWriteVirtualMemory,RtlInitString,LsaRegisterLogonProcess,RtlInitString,LsaLookupAuthenticationPackage,LsaCallAuthenticationPackage,LsaDeregisterLogonProcess,LocalAlloc,EtwSendNotification,LocalFree,NtClose,WaitForSingleObject,CloseHandle,CloseHandle,CloseHandle,LocalFree,NtClose,NtClose,LocalFree,CoTaskMemFree,CoTaskMemFree,CoTaskMemFree,CoTaskMemFree,CertFreeCertificateContext,memset,EventUnregister,CoUninitialize,EtwUnregisterTraceGuids,DestroyIcon,RtlNtStatusToDosError,RegGetValueW,RtlNtStatusToDosError,RtlNtStatusToDosError,RtlNtStatusToDosError,#2574,GetLastError,GetLastError,GetLastError,GetCurrentProcess,SetPriorityClass,GetLastError,EtwEventWrite,EtwEventWrite,RtlNtStatusToDosErrorNoTeb,NtClose,RtlNtStatusToDosError,RtlNtStatusToDosError,NtClose,TerminateThread,WaitForSingleObject,EtwEventWrite,EtwEventWrite,UninitLocalMsCtfMonitor,WaitForSingleObject,GetLastError,CloseHandle, 23_2_00007FF60D1210D0
Source: C:\Users\user\AppData\Local\dfAZPUGwQ\consent.exe Code function: 23_2_00007FF60D12AAB0 LocalAlloc,memset,memcpy,SeciAllocateAndSetCallFlags,RtlInitString,LsaRegisterLogonProcess,RtlNtStatusToDosError,NtAllocateLocallyUniqueId,LsaLogonUser,GetTokenInformation,GetTokenInformation,RtlEqualSid,GetLastError,LsaFreeReturnBuffer,CloseHandle,LsaDeregisterLogonProcess,CoTaskMemFree,LocalFree, 23_2_00007FF60D12AAB0
Source: C:\Users\user\AppData\Local\dfAZPUGwQ\consent.exe Code function: 23_2_00007FF60D121F60 NtDuplicateToken,RtlNtStatusToDosErrorNoTeb,ImpersonateLoggedOnUser,RevertToSelf, 23_2_00007FF60D121F60
Source: C:\Users\user\AppData\Local\dfAZPUGwQ\consent.exe Code function: 23_2_00007FF60D1259B4 RtlInitString,LsaRegisterLogonProcess,RtlInitString,LsaLookupAuthenticationPackage,LsaCallAuthenticationPackage,LsaDeregisterLogonProcess,LocalAlloc,EtwSendNotification,LocalFree,NtClose,WaitForSingleObject,CloseHandle,CloseHandle,CloseHandle,LocalFree,NtClose,NtClose,LocalFree,CoTaskMemFree,CoTaskMemFree,CoTaskMemFree,CoTaskMemFree,CertFreeCertificateContext,memset,EventUnregister,CoUninitialize,EtwUnregisterTraceGuids, 23_2_00007FF60D1259B4
Source: C:\Users\user\AppData\Local\dfAZPUGwQ\consent.exe Code function: 23_2_00007FF60D123380 HeapAlloc,NtReadVirtualMemory,NtDuplicateObject,NtDuplicateObject,EtwEventWrite,NtDuplicateObject,NtClose,NtClose,HeapFree, 23_2_00007FF60D123380
Source: C:\Users\user\AppData\Local\dfAZPUGwQ\consent.exe Code function: 23_2_00007FF60D12AFD0 NtDuplicateToken,RtlNtStatusToDosErrorNoTeb, 23_2_00007FF60D12AFD0
Source: C:\Users\user\AppData\Local\dfAZPUGwQ\consent.exe Code function: 23_2_00007FF60D12B020 NtQueryInformationToken,RtlNtStatusToDosError,LocalAlloc,NtQueryInformationToken,LocalFree,RtlSubAuthoritySid,RtlSubAuthoritySid, 23_2_00007FF60D12B020
Source: C:\Users\user\AppData\Local\dfAZPUGwQ\consent.exe Code function: 23_2_00007FF60D12A808 memset,RtlAdjustPrivilege,LsaRegisterLogonProcess,NtAllocateLocallyUniqueId,RegGetValueW,LsaLogonUser,LsaLogonUser,RtlNtStatusToDosError,NtClose,LsaFreeReturnBuffer,LsaDeregisterLogonProcess, 23_2_00007FF60D12A808
Source: C:\Users\user\AppData\Local\y1c6p\cmstp.exe Code function: 27_2_00007FFC6E2FBF20 NtQuerySystemInformation, 27_2_00007FFC6E2FBF20
Source: C:\Users\user\AppData\Local\y1c6p\cmstp.exe Code function: 27_2_00007FFC6E2D6070 NtClose, 27_2_00007FFC6E2D6070
Source: C:\Users\user\AppData\Local\y1c6p\cmstp.exe Code function: 27_2_00007FFC6E2B4850 NtCreateSection,NtMapViewOfSection,NtUnmapViewOfSection,NtDuplicateObject,NtDuplicateObject, 27_2_00007FFC6E2B4850
Source: C:\Users\user\AppData\Local\y1c6p\cmstp.exe Code function: 27_2_00007FFC6E2CADF0 CreateFileMappingW,NtMapViewOfSection,NtUnmapViewOfSection,NtDuplicateObject,NtDuplicateObject, 27_2_00007FFC6E2CADF0
Source: C:\Users\user\AppData\Local\y1c6p\cmstp.exe Code function: 27_2_00007FFC6E2C45F0 RtlAddVectoredContinueHandler,VirtualProtect,VirtualProtect,RtlCreateUserThread,NtClose, 27_2_00007FFC6E2C45F0
Source: C:\Users\user\AppData\Local\y1c6p\cmstp.exe Code function: 27_2_00007FFC6E2C9390 NtDuplicateObject,RtlQueueApcWow64Thread, 27_2_00007FFC6E2C9390
Source: C:\Users\user\AppData\Local\y1c6p\cmstp.exe Code function: 27_2_00007FFC6E2CA400 NtReadVirtualMemory, 27_2_00007FFC6E2CA400
Source: C:\Users\user\AppData\Local\oudoiG\DWWIN.EXE Code function: 30_2_00007FF7EAE90BF8 DbgPrintEx,NtQueryInformationProcess,DbgPrintEx,DbgPrintEx,ReadProcessMemory,DbgPrintEx,GetLastError, 30_2_00007FF7EAE90BF8
Source: C:\Users\user\AppData\Local\oudoiG\DWWIN.EXE Code function: 30_2_00007FF7EAEA2388 NtQueryLicenseValue, 30_2_00007FF7EAEA2388
Source: C:\Users\user\AppData\Local\oudoiG\DWWIN.EXE Code function: 30_2_00007FF7EAE90F60 memset,NtQueryInformationProcess,DbgPrintEx,NtOpenKey,RtlInitUnicodeStringEx,NtQueryValueKey,DbgPrintEx,CloseHandle, 30_2_00007FF7EAE90F60
Source: C:\Users\user\AppData\Local\oudoiG\DWWIN.EXE Code function: 30_2_00007FF7EAEA20F0 NtAllocateVirtualMemory,NtClose,memmove,NtDeviceIoControlFile,NtFreeVirtualMemory,NtClose, 30_2_00007FF7EAEA20F0
Source: C:\Users\user\AppData\Local\oudoiG\DWWIN.EXE Code function: 30_2_00007FF7EAEA207C NtCreateFile, 30_2_00007FF7EAEA207C
Source: C:\Users\user\AppData\Local\oudoiG\DWWIN.EXE Code function: 30_2_00007FF7EAEA2858 LoadLibraryExW,GetProcAddress,NtQueryLicenseValue,FreeLibrary,NtQueryLicenseValue, 30_2_00007FF7EAEA2858
Source: C:\Users\user\AppData\Local\oudoiG\DWWIN.EXE Code function: 30_2_00007FF7EAE9F450 memset,RtlInitUnicodeString,NtSetSystemInformation, 30_2_00007FF7EAE9F450
Source: C:\Users\user\AppData\Local\oudoiG\DWWIN.EXE Code function: 30_2_00007FF7EAE9F1BC memset,RtlAdjustPrivilege,NtSetSystemInformation,NtSetSystemInformation,RtlInitUnicodeString,NtSetSystemInformation,RtlAdjustPrivilege, 30_2_00007FF7EAE9F1BC
Source: C:\Users\user\AppData\Local\oudoiG\DWWIN.EXE Code function: 30_2_00007FF7EAE911A0 memset,memset,VirtualAlloc,NtOpenKey,memset,NtQueryValueKey,DbgPrintEx,memset,NtQueryValueKey,memset,NtQueryValueKey,memset,NtQueryValueKey,DbgPrintEx,DbgPrintEx,DbgPrintEx,DbgPrintEx,DbgPrintEx,NtClose,VirtualFree, 30_2_00007FF7EAE911A0
Source: C:\Users\user\AppData\Local\oudoiG\DWWIN.EXE Code function: 30_2_00007FF7EAE83598 memset,NtSuspendProcess,WerReportCreate,WerpGetReportFlags,WerpSetCallBack,WerReportSubmit,WerReportCloseHandle,NtResumeProcess, 30_2_00007FF7EAE83598
Source: C:\Users\user\AppData\Local\oudoiG\DWWIN.EXE Code function: 30_2_00007FF7EAEA3990 NtQueryInformationToken,RtlNtStatusToDosErrorNoTeb,RtlAllocateHeap,memset,NtQueryInformationToken,RtlNtStatusToDosErrorNoTeb,RtlInitUnicodeString,RtlCompareUnicodeString, 30_2_00007FF7EAEA3990
Source: C:\Users\user\AppData\Local\oudoiG\DWWIN.EXE Code function: 30_2_00007FF7EAE89990 memset,ZwQueryInformationThread,ReadProcessMemory,GetLastError, 30_2_00007FF7EAE89990
Source: C:\Users\user\AppData\Local\oudoiG\DWWIN.EXE Code function: 30_2_00007FF7EAE9E980 IsWindow,_wcsicmp,memset,NtQuerySystemInformation, 30_2_00007FF7EAE9E980
Source: C:\Users\user\AppData\Local\oudoiG\DWWIN.EXE Code function: 30_2_00007FF7EAE91568 memset,GetProcessId,GetLastError,VirtualAlloc,GetCurrentProcess,DuplicateHandle,CreateEventW,NtQuerySystemInformation,GetThreadId,VirtualAllocEx,WriteProcessMemory,RtlDetermineDosPathNameType_U,RtlGetNtSystemRoot,DbgPrintEx,DbgPrintEx,RtlGetCurrentTransaction,RtlSetCurrentTransaction,NtQueryInformationProcess,DbgPrintEx,DbgPrintEx,DbgPrintEx,InitializeProcThreadAttributeList,GetLastError,GetLastError,VirtualAlloc,InitializeProcThreadAttributeList,GetLastError,UpdateProcThreadAttribute,GetLastError,CreateProcessW,GetLastError,NtWaitForMultipleObjects,VirtualFreeEx,CloseHandle,CloseHandle,CloseHandle,CloseHandle,DeleteProcThreadAttributeList,VirtualFree,RtlSetCurrentTransaction,CloseHandle,VirtualFree, 30_2_00007FF7EAE91568
Source: C:\Users\user\AppData\Local\oudoiG\DWWIN.EXE Code function: 30_2_00007FF7EAE95140 NtQueryInformationProcess, 30_2_00007FF7EAE95140
Source: C:\Users\user\AppData\Local\oudoiG\DWWIN.EXE Code function: 30_2_00007FF7EAE92920 ZwQueryInformationThread,GetProcessId,I_QueryTagInformation,LocalFree,wcschr,RegOpenKeyExW,RegCloseKey, 30_2_00007FF7EAE92920
Source: C:\Users\user\AppData\Local\oudoiG\DWWIN.EXE Code function: 30_2_00007FF7EAE90EE8 memset,NtQueryInformationProcess,DbgPrintEx, 30_2_00007FF7EAE90EE8
Source: C:\Users\user\AppData\Local\oudoiG\DWWIN.EXE Code function: 30_2_00007FF7EAE90AE0 DbgPrintEx,NtQueryInformationProcess,DbgPrintEx,DbgPrintEx,ReadProcessMemory,DbgPrintEx,GetLastError, 30_2_00007FF7EAE90AE0
Source: C:\Users\user\AppData\Local\oudoiG\DWWIN.EXE Code function: 30_2_00007FF7EAE89AD8 memset,NtQueryInformationProcess,ReadProcessMemory,ReadProcessMemory,memset,ReadProcessMemory, 30_2_00007FF7EAE89AD8
Source: C:\Users\user\AppData\Local\oudoiG\DWWIN.EXE Code function: 30_2_00007FF7EAEA2268 NtDeviceIoControlFile,NtClose, 30_2_00007FF7EAEA2268
Source: C:\Users\user\AppData\Local\oudoiG\DWWIN.EXE Code function: 30_2_00007FF7EAE8DA34 ZwQueryWnfStateNameInformation,ZwUpdateWnfStateData,EtwEventWriteNoRegistration,NtQuerySystemInformation,NtOpenEvent,NtWaitForSingleObject,NtClose,RtlAllocateAndInitializeSid,RtlInitUnicodeString,memset,NtAlpcConnectPort,memset,NtAlpcSendWaitReceivePort,RtlFreeSid,NtClose, 30_2_00007FF7EAE8DA34
Source: C:\Users\user\AppData\Local\oudoiG\DWWIN.EXE Code function: 30_2_00007FF7EAEA20F0: NtAllocateVirtualMemory,NtClose,memmove,NtDeviceIoControlFile,NtFreeVirtualMemory,NtClose, 30_2_00007FF7EAEA20F0
Source: dry.dll Binary or memory string: OriginalFilenamestreams.exeJ vs dry.dll
Source: SndVol.exe.5.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: SndVol.exe.5.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: SndVol.exe.5.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: SndVol.exe.5.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: SndVol.exe.5.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: SndVol.exe.5.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: SndVol.exe.5.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: SndVol.exe.5.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: SndVol.exe.5.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: consent.exe.5.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: consent.exe.5.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: consent.exe.5.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: consent.exe.5.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: consent.exe.5.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: consent.exe.5.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: consent.exe0.5.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: consent.exe0.5.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: consent.exe0.5.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: consent.exe0.5.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: consent.exe0.5.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: consent.exe0.5.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: DUI70.dll.5.dr Static PE information: Number of sections : 12 > 10
Source: WINSTA.dll.5.dr Static PE information: Number of sections : 12 > 10
Source: UxTheme.dll.5.dr Static PE information: Number of sections : 12 > 10
Source: WMsgAPI.dll.5.dr Static PE information: Number of sections : 11 > 10
Source: VERSION.dll.5.dr Static PE information: Number of sections : 12 > 10
Source: VERSION.dll0.5.dr Static PE information: Number of sections : 12 > 10
Source: dry.dll Static PE information: Number of sections : 11 > 10
Source: XmlLite.dll.5.dr Static PE information: Number of sections : 12 > 10
Source: dry.dll Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: XmlLite.dll.5.dr Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: UxTheme.dll.5.dr Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: WMsgAPI.dll.5.dr Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: DUI70.dll.5.dr Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: WINSTA.dll.5.dr Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: VERSION.dll.5.dr Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: VERSION.dll0.5.dr Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: dry.dll Virustotal: Detection: 70%
Source: dry.dll Metadefender: Detection: 55%
Source: dry.dll ReversingLabs: Detection: 82%
Source: dry.dll Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Windows\System32\loaddll64.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown Process created: C:\Windows\System32\loaddll64.exe loaddll64.exe "C:\Users\user\Desktop\dry.dll"
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\dry.dll",#1
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\dry.dll,CreateXmlReader
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\dry.dll",#1
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\dry.dll,CreateXmlReaderInputWithEncodingCodePage
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\dry.dll,CreateXmlReaderInputWithEncodingName
Source: C:\Windows\explorer.exe Process created: C:\Windows\System32\consent.exe C:\Windows\system32\consent.exe
Source: C:\Windows\explorer.exe Process created: C:\Users\user\AppData\Local\DLKXiO\consent.exe C:\Users\user\AppData\Local\DLKXiO\consent.exe
Source: C:\Windows\explorer.exe Process created: C:\Windows\System32\SysResetErr.exe C:\Windows\system32\SysResetErr.exe
Source: C:\Windows\explorer.exe Process created: C:\Users\user\AppData\Local\s8hTTPzEx\SysResetErr.exe C:\Users\user\AppData\Local\s8hTTPzEx\SysResetErr.exe
Source: C:\Windows\explorer.exe Process created: C:\Windows\System32\consent.exe C:\Windows\system32\consent.exe
Source: C:\Windows\explorer.exe Process created: C:\Users\user\AppData\Local\dfAZPUGwQ\consent.exe C:\Users\user\AppData\Local\dfAZPUGwQ\consent.exe
Source: C:\Windows\explorer.exe Process created: C:\Windows\System32\rdpshell.exe C:\Windows\system32\rdpshell.exe
Source: C:\Windows\explorer.exe Process created: C:\Windows\System32\cmstp.exe C:\Windows\system32\cmstp.exe
Source: C:\Windows\explorer.exe Process created: C:\Users\user\AppData\Local\y1c6p\cmstp.exe C:\Users\user\AppData\Local\y1c6p\cmstp.exe
Source: C:\Windows\explorer.exe Process created: C:\Windows\System32\SystemPropertiesComputerName.exe C:\Windows\system32\SystemPropertiesComputerName.exe
Source: C:\Windows\explorer.exe Process created: C:\Windows\System32\DWWIN.EXE C:\Windows\system32\DWWIN.EXE
Source: C:\Windows\explorer.exe Process created: C:\Users\user\AppData\Local\oudoiG\DWWIN.EXE C:\Users\user\AppData\Local\oudoiG\DWWIN.EXE
Source: C:\Windows\explorer.exe Process created: C:\Windows\System32\SystemPropertiesDataExecutionPrevention.exe C:\Windows\system32\SystemPropertiesDataExecutionPrevention.exe
Source: C:\Windows\explorer.exe Process created: C:\Windows\System32\sppsvc.exe C:\Windows\system32\sppsvc.exe
Source: C:\Windows\explorer.exe Process created: C:\Users\user\AppData\Local\GsjW\sppsvc.exe C:\Users\user\AppData\Local\GsjW\sppsvc.exe
Source: C:\Windows\explorer.exe Process created: C:\Windows\System32\SndVol.exe C:\Windows\system32\SndVol.exe
Source: C:\Windows\explorer.exe Process created: C:\Users\user\AppData\Local\0rPbJb\SndVol.exe C:\Users\user\AppData\Local\0rPbJb\SndVol.exe
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\dry.dll",#1
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\dry.dll,CreateXmlReader
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\dry.dll,CreateXmlReaderInputWithEncodingCodePage
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\dry.dll,CreateXmlReaderInputWithEncodingName
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\dry.dll",#1
Source: C:\Windows\explorer.exe Process created: C:\Windows\System32\consent.exe C:\Windows\system32\consent.exe
Source: C:\Windows\explorer.exe Process created: C:\Users\user\AppData\Local\DLKXiO\consent.exe C:\Users\user\AppData\Local\DLKXiO\consent.exe
Source: C:\Windows\explorer.exe Process created: C:\Windows\System32\SysResetErr.exe C:\Windows\system32\SysResetErr.exe
Source: C:\Windows\explorer.exe Process created: C:\Users\user\AppData\Local\s8hTTPzEx\SysResetErr.exe C:\Users\user\AppData\Local\s8hTTPzEx\SysResetErr.exe
Source: C:\Windows\explorer.exe Process created: C:\Windows\System32\consent.exe C:\Windows\system32\consent.exe
Source: C:\Windows\explorer.exe Process created: C:\Users\user\AppData\Local\dfAZPUGwQ\consent.exe C:\Users\user\AppData\Local\dfAZPUGwQ\consent.exe
Source: C:\Windows\explorer.exe Process created: C:\Windows\System32\rdpshell.exe C:\Windows\system32\rdpshell.exe
Source: C:\Windows\explorer.exe Process created: C:\Windows\System32\cmstp.exe C:\Windows\system32\cmstp.exe
Source: C:\Windows\explorer.exe Process created: C:\Users\user\AppData\Local\y1c6p\cmstp.exe C:\Users\user\AppData\Local\y1c6p\cmstp.exe
Source: C:\Windows\explorer.exe Process created: C:\Windows\System32\SystemPropertiesComputerName.exe C:\Windows\system32\SystemPropertiesComputerName.exe
Source: C:\Windows\explorer.exe Process created: C:\Windows\System32\DWWIN.EXE C:\Windows\system32\DWWIN.EXE
Source: C:\Windows\explorer.exe Process created: C:\Users\user\AppData\Local\oudoiG\DWWIN.EXE C:\Users\user\AppData\Local\oudoiG\DWWIN.EXE
Source: C:\Windows\explorer.exe Process created: C:\Windows\System32\SystemPropertiesDataExecutionPrevention.exe C:\Windows\system32\SystemPropertiesDataExecutionPrevention.exe
Source: C:\Windows\explorer.exe Process created: C:\Windows\System32\sppsvc.exe C:\Windows\system32\sppsvc.exe
Source: C:\Windows\explorer.exe Process created: C:\Users\user\AppData\Local\GsjW\sppsvc.exe C:\Users\user\AppData\Local\GsjW\sppsvc.exe
Source: C:\Windows\explorer.exe Process created: unknown unknown
Source: C:\Windows\explorer.exe Process created: unknown unknown
Source: C:\Windows\explorer.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32
Source: C:\Users\user\AppData\Local\y1c6p\cmstp.exe Code function: 27_2_00007FF768F84794 GetCurrentProcess,OpenProcessToken,GetLastError,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,InitiateSystemShutdownW,AdjustTokenPrivileges,CloseHandle, 27_2_00007FF768F84794
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Crypto
Source: DWWIN.EXE.5.dr Binary string: S\Device\IPTOptInLevelNtQuerySecurityPolicySoftware\Microsoft\Windows\CurrentVersion\Policies\DataCollection\UsersSoftware\Microsoft\Windows\CurrentVersion\Policies\DataCollectionAllowTelemetrypolicymanager.dllPolicyManager_GetPolicyPolicyManager_FreeGetPolicyDataSystemLimitEnhancedDiagnosticDataWindowsAnalyticsConfigureTelemetryOptInChangeNotificationDisableTelemetryOptInChangeNotificationConfigureTelemetryOptInSettingsUxDisableTelemetryOptInSettingsUxSoftware\Policies\Microsoft\Windows\DataCollectiononecore\base\telemetry\permission\product\telemetrypermission.cppTelemetryPermission-AllowDisableTelemetryPermission-DefaultLevelKernel-ProductInfoAllowTelemetry_PolicyManagerReserved.PlatformSignedCodeIntegrity.Telemetry
Source: DWWIN.EXE.5.dr Binary string: %X%sInPageCoFireInPageError%s\system32\cofire.exe"%s" "%s" "%s"\Device\LanmanRedirector\%s :psapi.dllGetMappedFileNameWsfc_os.dllSfcIsFileProtectedFindFirstFileNameWFindNextFileNameWwdi.dll;D
Source: classification engine Classification label: mal100.troj.evad.winDLL@45/15@5/0
Source: C:\Users\user\AppData\Local\DLKXiO\consent.exe Code function: 13_2_00007FF679F92C60 memset,ImpersonateLoggedOnUser,RevertToSelf,CoTaskMemFree,GetSystemMetrics,CoCreateInstance,GetDriveTypeW,memset,GetLastError, 13_2_00007FF679F92C60
Source: C:\Users\user\AppData\Local\oudoiG\DWWIN.EXE Code function: 30_2_00007FF7EAE9E55C OpenSCManagerW,OpenServiceW,StartServiceW,GetLastError,CloseServiceHandle,CloseServiceHandle,RtlInitUnicodeString, 30_2_00007FF7EAE9E55C
Source: C:\Users\user\AppData\Local\s8hTTPzEx\SysResetErr.exe Code function: 15_2_00007FFC67E1B420 GetProcessId,CreateToolhelp32Snapshot,Thread32First,Thread32Next, 15_2_00007FFC67E1B420
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\dry.dll,CreateXmlReader
Source: C:\Users\user\AppData\Local\GsjW\sppsvc.exe Mutant created: \Sessions\1\BaseNamedObjects\{b1a0966b-ebe1-a316-4592-063e04716434}
Source: C:\Users\user\AppData\Local\GsjW\sppsvc.exe Mutant created: \Sessions\1\BaseNamedObjects\{a32f501c-157b-d61c-09ee-04263fde8dbb}
Source: C:\Users\user\AppData\Local\DLKXiO\consent.exe Code function: 13_2_00007FF679FA0E88 FindResourceExW,LoadResource,LockResource, 13_2_00007FF679FA0E88
Source: cmstp.exe String found in binary or memory: /k certutil.exe -f -enterprise -v -addstore Root "%s"
Source: DWWIN.EXE String found in binary or memory: %s /stop
Source: dry.dll Static PE information: Image base 0x140000000 > 0x60000000
Source: dry.dll Static file information: File size 1372160 > 1048576
Source: dry.dll Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA
Source: dry.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: consent.pdb source: consent.exe, 0000000D.00000000.375430040.00007FF679FA1000.00000002.00000001.01000000.00000007.sdmp, consent.exe, 0000000D.00000002.376843046.00007FF679FA1000.00000002.00000001.01000000.00000007.sdmp, consent.exe, 00000017.00000000.417554670.00007FF60D131000.00000002.00000001.01000000.0000000A.sdmp, consent.exe, 00000017.00000002.418228151.00007FF60D131000.00000002.00000001.01000000.0000000A.sdmp, consent.exe0.5.dr, consent.exe.5.dr
Source: Binary string: SndVol.pdbGCTL source: SndVol.exe, 00000025.00000000.519784312.00007FF7A30D2000.00000002.00000001.01000000.00000011.sdmp, SndVol.exe.5.dr
Source: Binary string: cmstp.pdbGCTL source: cmstp.exe, 0000001B.00000002.448541294.00007FF768F8F000.00000002.00000001.01000000.0000000B.sdmp, cmstp.exe, 0000001B.00000000.426211728.00007FF768F8F000.00000002.00000001.01000000.0000000B.sdmp, cmstp.exe.5.dr
Source: Binary string: FFgnji|RgnjiR.pdb source: SysResetErr.exe, 0000000F.00000002.410461412.00000204E63D7000.00000004.00000020.00020000.00000000.sdmp, SysResetErr.exe, 0000000F.00000002.410154109.00000204E622E000.00000004.00000020.00020000.00000000.sdmp, cmstp.exe, 0000001B.00000002.448408637.0000016FCD5A2000.00000004.00000020.00020000.00000000.sdmp, cmstp.exe, 0000001B.00000002.448269347.0000016FCD449000.00000004.00000020.00020000.00000000.sdmp, DWWIN.EXE, 0000001E.00000002.476969443.0000025594C81000.00000004.00000020.00020000.00000000.sdmp, DWWIN.EXE, 0000001E.00000002.477066927.0000025594DE1000.00000004.00000020.00020000.00000000.sdmp, sppsvc.exe, 00000023.00000002.513393199.0000029561289000.00000004.00000020.00020000.00000000.sdmp, sppsvc.exe, 00000023.00000002.513278214.0000029561127000.00000004.00000020.00020000.00000000.sdmp, dry.dll, VERSION.dll.5.dr, VERSION.dll0.5.dr, UxTheme.dll.5.dr, WINSTA.dll.5.dr, DUI70.dll.5.dr, XmlLite.dll.5.dr, WMsgAPI.dll.5.dr
Source: Binary string: sppsvc.pdb source: sppsvc.exe, 00000023.00000000.488372541.00007FF6A254B000.00000002.00000001.01000000.0000000F.sdmp, sppsvc.exe, 00000023.00000002.514242869.00007FF6A254B000.00000002.00000001.01000000.0000000F.sdmp, sppsvc.exe.5.dr
Source: Binary string: SysResetErr.pdb source: SysResetErr.exe, 0000000F.00000000.387584584.00007FF67A426000.00000002.00000001.01000000.00000008.sdmp, SysResetErr.exe, 0000000F.00000002.410882238.00007FF67A426000.00000002.00000001.01000000.00000008.sdmp, SysResetErr.exe.5.dr
Source: Binary string: dwwin.pdbGCTL source: DWWIN.EXE, 0000001E.00000000.454947885.00007FF7EAEA6000.00000002.00000001.01000000.0000000D.sdmp, DWWIN.EXE, 0000001E.00000002.477319814.00007FF7EAEA6000.00000002.00000001.01000000.0000000D.sdmp, DWWIN.EXE.5.dr
Source: Binary string: cmstp.pdb source: cmstp.exe, 0000001B.00000002.448541294.00007FF768F8F000.00000002.00000001.01000000.0000000B.sdmp, cmstp.exe, 0000001B.00000000.426211728.00007FF768F8F000.00000002.00000001.01000000.0000000B.sdmp, cmstp.exe.5.dr
Source: Binary string: sppsvc.pdbGCTL source: sppsvc.exe, 00000023.00000000.488372541.00007FF6A254B000.00000002.00000001.01000000.0000000F.sdmp, sppsvc.exe, 00000023.00000002.514242869.00007FF6A254B000.00000002.00000001.01000000.0000000F.sdmp, sppsvc.exe.5.dr
Source: Binary string: dwwin.pdb source: DWWIN.EXE, 0000001E.00000000.454947885.00007FF7EAEA6000.00000002.00000001.01000000.0000000D.sdmp, DWWIN.EXE, 0000001E.00000002.477319814.00007FF7EAEA6000.00000002.00000001.01000000.0000000D.sdmp, DWWIN.EXE.5.dr
Source: Binary string: consent.pdbUGP source: consent.exe, 0000000D.00000000.375430040.00007FF679FA1000.00000002.00000001.01000000.00000007.sdmp, consent.exe, 0000000D.00000002.376843046.00007FF679FA1000.00000002.00000001.01000000.00000007.sdmp, consent.exe, 00000017.00000000.417554670.00007FF60D131000.00000002.00000001.01000000.0000000A.sdmp, consent.exe, 00000017.00000002.418228151.00007FF60D131000.00000002.00000001.01000000.0000000A.sdmp, consent.exe0.5.dr, consent.exe.5.dr
Source: Binary string: SndVol.pdb source: SndVol.exe, 00000025.00000000.519784312.00007FF7A30D2000.00000002.00000001.01000000.00000011.sdmp, SndVol.exe.5.dr
Source: Binary string: SysResetErr.pdbGCTL source: SysResetErr.exe, 0000000F.00000000.387584584.00007FF67A426000.00000002.00000001.01000000.00000008.sdmp, SysResetErr.exe, 0000000F.00000002.410882238.00007FF67A426000.00000002.00000001.01000000.00000008.sdmp, SysResetErr.exe.5.dr
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFC682E7E4C push rax; iretd 0_2_00007FFC682E7E4D
Source: dry.dll Static PE information: section name: .cwkw
Source: dry.dll Static PE information: section name: .pbpwn
Source: dry.dll Static PE information: section name: .pem
Source: dry.dll Static PE information: section name: .vpd
Source: dry.dll Static PE information: section name: .ianurq
Source: sppsvc.exe.5.dr Static PE information: section name: ?g_Encry
Source: sppsvc.exe.5.dr Static PE information: section name: ?g_Encry
Source: sppsvc.exe.5.dr Static PE information: section name: ?g_Encry
Source: sppsvc.exe.5.dr Static PE information: section name: ?g_Encry
Source: SndVol.exe.5.dr Static PE information: section name: .imrsiv
Source: SndVol.exe.5.dr Static PE information: section name: .didat
Source: consent.exe.5.dr Static PE information: section name: .didat
Source: consent.exe.5.dr Static PE information: section name: consent
Source: SysResetErr.exe.5.dr Static PE information: section name: .imrsiv
Source: consent.exe0.5.dr Static PE information: section name: .didat
Source: consent.exe0.5.dr Static PE information: section name: consent
Source: XmlLite.dll.5.dr Static PE information: section name: .cwkw
Source: XmlLite.dll.5.dr Static PE information: section name: .pbpwn
Source: XmlLite.dll.5.dr Static PE information: section name: .pem
Source: XmlLite.dll.5.dr Static PE information: section name: .vpd
Source: XmlLite.dll.5.dr Static PE information: section name: .ianurq
Source: XmlLite.dll.5.dr Static PE information: section name: .lvil
Source: UxTheme.dll.5.dr Static PE information: section name: .cwkw
Source: UxTheme.dll.5.dr Static PE information: section name: .pbpwn
Source: UxTheme.dll.5.dr Static PE information: section name: .pem
Source: UxTheme.dll.5.dr Static PE information: section name: .vpd
Source: UxTheme.dll.5.dr Static PE information: section name: .ianurq
Source: UxTheme.dll.5.dr Static PE information: section name: .ilyvtg
Source: WMsgAPI.dll.5.dr Static PE information: section name: .cwkw
Source: WMsgAPI.dll.5.dr Static PE information: section name: .pbpwn
Source: WMsgAPI.dll.5.dr Static PE information: section name: .pem
Source: WMsgAPI.dll.5.dr Static PE information: section name: .vpd
Source: WMsgAPI.dll.5.dr Static PE information: section name: .ianurq
Source: DUI70.dll.5.dr Static PE information: section name: .cwkw
Source: DUI70.dll.5.dr Static PE information: section name: .pbpwn
Source: DUI70.dll.5.dr Static PE information: section name: .pem
Source: DUI70.dll.5.dr Static PE information: section name: .vpd
Source: DUI70.dll.5.dr Static PE information: section name: .ianurq
Source: DUI70.dll.5.dr Static PE information: section name: .dqihw
Source: WINSTA.dll.5.dr Static PE information: section name: .cwkw
Source: WINSTA.dll.5.dr Static PE information: section name: .pbpwn
Source: WINSTA.dll.5.dr Static PE information: section name: .pem
Source: WINSTA.dll.5.dr Static PE information: section name: .vpd
Source: WINSTA.dll.5.dr Static PE information: section name: .ianurq
Source: WINSTA.dll.5.dr Static PE information: section name: .kfs
Source: VERSION.dll.5.dr Static PE information: section name: .cwkw
Source: VERSION.dll.5.dr Static PE information: section name: .pbpwn
Source: VERSION.dll.5.dr Static PE information: section name: .pem
Source: VERSION.dll.5.dr Static PE information: section name: .vpd
Source: VERSION.dll.5.dr Static PE information: section name: .ianurq
Source: VERSION.dll.5.dr Static PE information: section name: .fez
Source: VERSION.dll0.5.dr Static PE information: section name: .cwkw
Source: VERSION.dll0.5.dr Static PE information: section name: .pbpwn
Source: VERSION.dll0.5.dr Static PE information: section name: .pem
Source: VERSION.dll0.5.dr Static PE information: section name: .vpd
Source: VERSION.dll0.5.dr Static PE information: section name: .ianurq
Source: VERSION.dll0.5.dr Static PE information: section name: .jksgp
Source: DWWIN.EXE.5.dr Static PE information: section name: .didat
Source: SndVol.exe.5.dr Static PE information: 0x6E534A77 [Sun Aug 27 01:25:11 2028 UTC]
Source: initial sample Static PE information: section name: .text entropy: 7.76153125253
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\dfAZPUGwQ\consent.exe
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\GsjW\sppsvc.exe
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\0rPbJb\SndVol.exe
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\s8hTTPzEx\SysResetErr.exe
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\y1c6p\cmstp.exe
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\y1c6p\VERSION.dll
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\GsjW\XmlLite.dll
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\DLKXiO\WMsgAPI.dll
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\oudoiG\VERSION.dll
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\oudoiG\DWWIN.EXE
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\0rPbJb\UxTheme.dll
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\DLKXiO\consent.exe
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\s8hTTPzEx\DUI70.dll
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\dfAZPUGwQ\WINSTA.dll
Source: C:\Users\user\AppData\Local\y1c6p\cmstp.exe Code function: 27_2_00007FF768F8591C memset,memset,RegOpenKeyExW,RegQueryValueExW,lstrcmpiW,LoadStringW,MessageBoxW,RegCloseKey,GetPrivateProfileIntW,GetPrivateProfileIntW,LoadStringW,LoadStringW,LoadStringW,MessageBoxW,CmMalloc,GetPrivateProfileStringW,CmRealloc,CmMalloc,GetPrivateProfileStringW,CmRealloc,GetPrivateProfileStringW,GetPrivateProfileStringW,WritePrivateProfileStringW,lstrlenW,lstrlenW,WritePrivateProfileStringW,CmFree,CmFree,GetSystemDirectoryW, 27_2_00007FF768F8591C
Source: C:\Users\user\AppData\Local\y1c6p\cmstp.exe Code function: 27_2_00007FF768F89160 GetSystemDirectoryW,memset,GetPrivateProfileStringW,RegOpenKeyExW,RegDeleteValueW,RegDeleteValueW,RegCloseKey,memset,lstrlenW,lstrlenW,lstrlenW,lstrlenW,lstrlenW,lstrlenW,CmMalloc,CreateFileW,CloseHandle,GetOSVersion,GetOSMajorVersion,CmFree, 27_2_00007FF768F89160
Source: C:\Users\user\AppData\Local\y1c6p\cmstp.exe Code function: 27_2_00007FF768F86068 RegOpenKeyExW,RegQueryValueExW,GetPrivateProfileIntW,RegQueryValueExW,RegQueryValueExW,RegCloseKey, 27_2_00007FF768F86068
Source: C:\Users\user\AppData\Local\y1c6p\cmstp.exe Code function: 27_2_00007FF768F8637C GetSystemDirectoryW,RegOpenKeyExW,RegQueryValueExW,RegCloseKey,GetPrivateProfileIntW,GetPrivateProfileIntW,GetPrivateProfileIntW,LoadStringW,RegOpenKeyExW,RegQueryInfoKeyW,RegCloseKey,LoadStringW,lstrlenW,lstrlenW,lstrlenW,LoadStringW,LoadStringW,MessageBoxW,GetSystemDirectoryW,LoadStringW,MessageBoxW, 27_2_00007FF768F8637C
Source: C:\Users\user\AppData\Local\y1c6p\cmstp.exe Code function: 27_2_00007FF768F87480 LoadStringW,GetPrivateProfileStringW,GetPrivateProfileStringW,GetPrivateProfileIntW,LoadStringW,RegOpenKeyExW,RegQueryValueExW,RegCloseKey,LoadStringW,MessageBoxW,LoadStringW,MessageBoxW,CmFree,GetPrivateProfileIntW,CmFree,lstrlenW,CmFree,CmFree,LoadStringW,MessageBoxW,WritePrivateProfileStringW,WritePrivateProfileStringW,CmFree,memset,memset,memset,RegOpenKeyExW,RegQueryValueExW,ExpandEnvironmentStringsW,lstrcmpiW,LoadStringW,MessageBoxW,CmMalloc,GetPrivateProfileStringW,CmRealloc,CmMalloc,GetPrivateProfileStringW,CmRealloc,GetPrivateProfileStringW,GetPrivateProfileStringW,WritePrivateProfileStringW,lstrlenW,lstrlenW,WritePrivateProfileStringW,CmFree,CmFree,RegCloseKey,RegCreateKeyW,lstrlenW,RegSetValueExW,LoadStringW,MessageBoxW,RegCloseKey,RegCloseKey,memset,memset,CopyFileW,LoadStringW,MessageBoxW,memset,lstrlenW,lstrlenW,lstrlenW,lstrlenW,lstrlenW,lstrlenW,CmMalloc,GetOSVersion,GetOSMajorVersion,CreateFileW,CloseHandle,GetOSVersion,GetOSMajorVersion,GetOSVersion,GetOSMajorVersion,lstrlenW,CmMalloc,lstrlenW,CmFree,CmFree,RegOpenKeyExW,RegDeleteValueW,RegCloseKey,LoadStringW,MessageBoxExW,ReleaseMutex,CloseHandle,CmMalloc,memset,CmFree,CmMalloc,memset,ShellExecuteExW,GetLastError,SHGetMalloc,CoUninitialize,LoadStringW,MessageBoxW,CmFree,CmFree, 27_2_00007FF768F87480
Source: C:\Users\user\AppData\Local\y1c6p\cmstp.exe Code function: 27_2_00007FF768F8AAD4 memset,memset,memset,memset,LoadStringW,GetPrivateProfileStringW,GetPrivateProfileStringW,RegCreateKeyExW,RegOpenKeyExW,RegQueryValueExW,RegCloseKey,lstrlenW,RegSetValueExW,RegCloseKey,lstrlenW,memset,lstrlenW,lstrlenW,lstrlenW,lstrlenW,lstrlenW,CmMalloc,CreateFileW,CloseHandle,CmFree,memset,lstrlenW,lstrlenW,lstrlenW,lstrlenW,lstrlenW,lstrlenW,CmMalloc,GetOSVersion,GetOSMajorVersion,CreateFileW,CloseHandle,GetOSVersion,GetOSMajorVersion,CmFree,GetPrivateProfileIntW,SetFileAttributesW,memset,SHFileOperationW,RegCloseKey,RegCloseKey, 27_2_00007FF768F8AAD4
Source: C:\Users\user\AppData\Local\y1c6p\cmstp.exe Code function: 27_2_00007FF768F81000 GetPrivateProfileStringW,GetModuleHandleA,GetProcAddress,GetCurrentProcess,RegOpenKeyExW,RegQueryValueExW,RegCloseKey,LoadLibraryExW,GetProcAddress,GetProcAddress,FreeLibrary, 27_2_00007FF768F81000
Source: C:\Users\user\AppData\Local\y1c6p\cmstp.exe Code function: 27_2_00007FF768F89E10 RegOpenKeyExW,GetPrivateProfileIntW,GetSystemDirectoryW,memset,GetPrivateProfileStringW,RegOpenKeyExW,RegCloseKey,RegOpenKeyExW,RegCloseKey,memset,RegEnumValueW,RegCloseKey, 27_2_00007FF768F89E10
Source: C:\Users\user\AppData\Local\oudoiG\DWWIN.EXE Code function: 30_2_00007FF7EAE9E55C OpenSCManagerW,OpenServiceW,StartServiceW,GetLastError,CloseServiceHandle,CloseServiceHandle,RtlInitUnicodeString, 30_2_00007FF7EAE9E55C
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\oudoiG\DWWIN.EXE Last function: Thread delayed
Source: C:\Users\user\AppData\Local\GsjW\sppsvc.exe Last function: Thread delayed
Source: C:\Users\user\AppData\Local\y1c6p\cmstp.exe Check user administrative privileges: GetTokenInformation,DecisionNodes
Source: C:\Users\user\AppData\Local\s8hTTPzEx\SysResetErr.exe Check user administrative privileges: GetTokenInformation,DecisionNodes
Source: C:\Windows\System32\loaddll64.exe Check user administrative privileges: GetTokenInformation,DecisionNodes
Source: C:\Users\user\AppData\Local\DLKXiO\consent.exe API coverage: 2.0 %
Source: C:\Users\user\AppData\Local\dfAZPUGwQ\consent.exe API coverage: 2.0 %
Source: C:\Users\user\AppData\Local\y1c6p\cmstp.exe API coverage: 6.5 %
Source: C:\Users\user\AppData\Local\oudoiG\DWWIN.EXE API coverage: 0.4 %
Source: C:\Windows\System32\loaddll64.exe Process information queried: ProcessInformation
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFC682ECC90 GetSystemInfo, 0_2_00007FFC682ECC90
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFC682EDBE0 FindFirstFileExW, 0_2_00007FFC682EDBE0
Source: C:\Users\user\AppData\Local\s8hTTPzEx\SysResetErr.exe Code function: 15_2_00007FFC67E3DBE0 FindFirstFileExW, 15_2_00007FFC67E3DBE0
Source: C:\Users\user\AppData\Local\y1c6p\cmstp.exe Code function: 27_2_00007FF768F871E0 memset,GetPrivateProfileStringW,FindFirstFileW,wcscmp,memset,FindNextFileW, 27_2_00007FF768F871E0
Source: C:\Users\user\AppData\Local\y1c6p\cmstp.exe Code function: 27_2_00007FF768F84008 memset,memset,memset,SHGetFolderPathW,memset,SHGetFolderPathW,lstrlenW,CmMalloc,CmFree,CmFree,memset,FindFirstFileW,GetLastError,memset,memset,FindNextFileW,FindClose, 27_2_00007FF768F84008
Source: C:\Users\user\AppData\Local\y1c6p\cmstp.exe Code function: 27_2_00007FFC6E2EDBE0 FindFirstFileExW, 27_2_00007FFC6E2EDBE0
Source: C:\Users\user\AppData\Local\oudoiG\DWWIN.EXE Code function: 30_2_00007FF7EAE96678 memset,StrStrIW,GetLogicalDriveStringsW,QueryDosDeviceW,StrStrIW, 30_2_00007FF7EAE96678
Source: explorer.exe, 00000005.00000000.300736348.000000000EE50000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: AGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000005.00000000.300001860.0000000008957000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000005.00000000.312524507.00000000086C9000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000005.00000000.299785013.0000000008778000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000}
Source: explorer.exe, 00000005.00000000.309086880.00000000067C2000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000005.00000000.312524507.00000000086C9000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}&
Source: explorer.exe, 00000005.00000000.309086880.00000000067C2000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000m32)
Source: explorer.exe, 00000005.00000000.312524507.00000000086C9000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000
Source: C:\Users\user\AppData\Local\DLKXiO\consent.exe Code function: 13_2_00007FF679F95014 IsDebuggerPresent, 13_2_00007FF679F95014
Source: C:\Users\user\AppData\Local\s8hTTPzEx\SysResetErr.exe Code function: 15_2_00007FF67A422940 _cwprintf_s_l,OutputDebugStringW,GetLastError,CurrentIP,WdsSetupLogMessageW, 15_2_00007FF67A422940
Source: C:\Users\user\AppData\Local\DLKXiO\consent.exe Code function: 13_2_00007FF679F97944 GetProcessHeap,HeapFree,GetProcessHeap,HeapFree, 13_2_00007FF679F97944
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFC682D7EA0 LdrLoadDll,FindClose, 0_2_00007FFC682D7EA0
Source: C:\Users\user\AppData\Local\DLKXiO\consent.exe Code function: 13_2_00007FF679F94940 SetUnhandledExceptionFilter, 13_2_00007FF679F94940
Source: C:\Users\user\AppData\Local\DLKXiO\consent.exe Code function: 13_2_00007FF679F94630 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 13_2_00007FF679F94630
Source: C:\Users\user\AppData\Local\s8hTTPzEx\SysResetErr.exe Code function: 15_2_00007FF67A423C80 SetUnhandledExceptionFilter, 15_2_00007FF67A423C80
Source: C:\Users\user\AppData\Local\s8hTTPzEx\SysResetErr.exe Code function: 15_2_00007FF67A423F04 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 15_2_00007FF67A423F04
Source: C:\Users\user\AppData\Local\dfAZPUGwQ\consent.exe Code function: 23_2_00007FF60D124940 SetUnhandledExceptionFilter, 23_2_00007FF60D124940
Source: C:\Users\user\AppData\Local\dfAZPUGwQ\consent.exe Code function: 23_2_00007FF60D124630 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 23_2_00007FF60D124630
Source: C:\Users\user\AppData\Local\y1c6p\cmstp.exe Code function: 27_2_00007FF768F8EC00 SetUnhandledExceptionFilter, 27_2_00007FF768F8EC00
Source: C:\Users\user\AppData\Local\y1c6p\cmstp.exe Code function: 27_2_00007FF768F8E910 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 27_2_00007FF768F8E910
Source: C:\Users\user\AppData\Local\oudoiG\DWWIN.EXE Code function: 30_2_00007FF7EAEA4060 SetUnhandledExceptionFilter, 30_2_00007FF7EAEA4060
Source: C:\Users\user\AppData\Local\oudoiG\DWWIN.EXE Code function: 30_2_00007FF7EAEA466C SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 30_2_00007FF7EAEA466C

HIPS / PFW / Operating System Protection Evasion

Source: C:\Windows\explorer.exe File created: XmlLite.dll.5.dr
Source: C:\Windows\System32\rundll32.exe Memory protected: C:\Windows\explorer.exe base: 7FFC8DD4EFE0 protect: page execute and read and write
Source: C:\Windows\System32\rundll32.exe Memory protected: C:\Windows\explorer.exe base: 7FFC8DD4E000 protect: page execute read
Source: C:\Windows\System32\rundll32.exe Memory protected: C:\Windows\explorer.exe base: 7FFC8BAD2A20 protect: page execute and read and write
Source: C:\Windows\System32\rundll32.exe Thread APC queued: target process: C:\Windows\explorer.exe
Source: C:\Users\user\AppData\Local\oudoiG\DWWIN.EXE Code function: 30_2_00007FF7EAE91568 memset,GetProcessId,GetLastError,VirtualAlloc,GetCurrentProcess,DuplicateHandle,CreateEventW,NtQuerySystemInformation,GetThreadId,VirtualAllocEx,WriteProcessMemory,RtlDetermineDosPathNameType_U,RtlGetNtSystemRoot,DbgPrintEx,DbgPrintEx,RtlGetCurrentTransaction,RtlSetCurrentTransaction,NtQueryInformationProcess,DbgPrintEx,DbgPrintEx,DbgPrintEx,InitializeProcThreadAttributeList,GetLastError,GetLastError,VirtualAlloc,InitializeProcThreadAttributeList,GetLastError,UpdateProcThreadAttribute,GetLastError,CreateProcessW,GetLastError,NtWaitForMultipleObjects,VirtualFreeEx,CloseHandle,CloseHandle,CloseHandle,CloseHandle,DeleteProcThreadAttributeList,VirtualFree,RtlSetCurrentTransaction,CloseHandle,VirtualFree, 30_2_00007FF7EAE91568
Source: C:\Windows\System32\rundll32.exe Atom created: 405553565741544156488D6C24D14881EC98 0x00000000 inc eax 0x00000001 push ebp 0x00000002 push ebx 0x00000003 push esi 0x00000004 push edi 0x00000005 inc ecx 0x00000006 push esp 0x00000007 inc ecx 0x00000008 push esi 0x00000009 dec eax 0x0000000a lea ebp, dword ptr [esp-2Fh] 0x0000000e dec eax 0x0000000f sub esp, 00000098h Jump to behavior
Source: C:\Users\user\AppData\Local\DLKXiO\consent.exe Code function: 13_2_00007FF679F9A808 memset,RtlAdjustPrivilege,LsaRegisterLogonProcess,NtAllocateLocallyUniqueId,RegGetValueW,LsaLogonUser,LsaLogonUser,RtlNtStatusToDosError,NtClose,LsaFreeReturnBuffer,LsaDeregisterLogonProcess, 13_2_00007FF679F9A808
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\dry.dll",#1
Source: C:\Users\user\AppData\Local\y1c6p\cmstp.exe Code function: 27_2_00007FF768F845D0 AllocateAndInitializeSid,GetModuleHandleA,LoadLibraryExA,GetProcAddress,FreeSid,FreeLibrary, 27_2_00007FF768F845D0
Source: explorer.exe, 00000005.00000000.291491116.00000000011E0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000005.00000000.305437816.00000000011E0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000005.00000000.335801965.00000000011E0000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Program Manager
Source: explorer.exe, 00000005.00000000.291163470.0000000000B68000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.335495634.0000000000B68000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.305244854.0000000000B68000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Progman\Pr
Source: explorer.exe, 00000005.00000000.291491116.00000000011E0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000005.00000000.295269189.0000000005E10000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.305437816.00000000011E0000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000005.00000000.291491116.00000000011E0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000005.00000000.305437816.00000000011E0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000005.00000000.335801965.00000000011E0000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Progman
Source: SndVol.exe, 00000025.00000000.519784312.00007FF7A30D2000.00000002.00000001.01000000.00000011.sdmp, SndVol.exe.5.dr Binary or memory string: Software\Microsoft\Multimedia\Audio\SndVolSndVolPreferencesMaskSndVolSelectedDevicesShell_TrayWnd
Source: explorer.exe, 00000005.00000000.291491116.00000000011E0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000005.00000000.305437816.00000000011E0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000005.00000000.335801965.00000000011E0000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Progmanlock
Source: explorer.exe, 00000005.00000000.312590871.0000000008778000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.329692189.0000000008778000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.299785013.0000000008778000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: Shell_TrayWndh
Source: C:\Windows\System32\loaddll64.exe Queries volume information: unknown VolumeInformation
Source: C:\Windows\System32\loaddll64.exe Queries volume information: unknown VolumeInformation
Source: C:\Windows\System32\rundll32.exe Queries volume information: unknown VolumeInformation
Source: C:\Windows\System32\rundll32.exe Queries volume information: unknown VolumeInformation
Source: C:\Windows\System32\rundll32.exe Queries volume information: unknown VolumeInformation
Source: C:\Windows\System32\rundll32.exe Queries volume information: unknown VolumeInformation
Source: C:\Windows\System32\rundll32.exe Queries volume information: unknown VolumeInformation
Source: C:\Windows\System32\rundll32.exe Queries volume information: unknown VolumeInformation
Source: C:\Windows\System32\rundll32.exe Queries volume information: unknown VolumeInformation
Source: C:\Windows\System32\rundll32.exe Queries volume information: unknown VolumeInformation
Source: C:\Users\user\AppData\Local\s8hTTPzEx\SysResetErr.exe Queries volume information: unknown VolumeInformation
Source: C:\Users\user\AppData\Local\s8hTTPzEx\SysResetErr.exe Queries volume information: unknown VolumeInformation
Source: C:\Users\user\AppData\Local\y1c6p\cmstp.exe Queries volume information: unknown VolumeInformation
Source: C:\Users\user\AppData\Local\y1c6p\cmstp.exe Queries volume information: unknown VolumeInformation
Source: C:\Users\user\AppData\Local\oudoiG\DWWIN.EXE Queries volume information: unknown VolumeInformation
Source: C:\Users\user\AppData\Local\oudoiG\DWWIN.EXE Queries volume information: unknown VolumeInformation
Source: C:\Users\user\AppData\Local\GsjW\sppsvc.exe Queries volume information: unknown VolumeInformation
Source: C:\Users\user\AppData\Local\GsjW\sppsvc.exe Queries volume information: unknown VolumeInformation
Source: C:\Users\user\AppData\Local\0rPbJb\SndVol.exe Queries volume information: unknown VolumeInformation
Source: C:\Users\user\AppData\Local\0rPbJb\SndVol.exe Queries volume information: unknown VolumeInformation
Source: C:\Users\user\AppData\Local\DLKXiO\consent.exe Code function: _wtoi,GetLocaleInfoW,CoTaskMemAlloc,GetLocaleInfoW,CoTaskMemFree,CoTaskMemAlloc,CoTaskMemFree,CoTaskMemFree,CoTaskMemFree, 13_2_00007FF679F9C0CC
Source: C:\Users\user\AppData\Local\dfAZPUGwQ\consent.exe Code function: _wtoi,GetLocaleInfoW,CoTaskMemAlloc,GetLocaleInfoW,CoTaskMemFree,CoTaskMemAlloc,CoTaskMemFree,CoTaskMemFree,CoTaskMemFree, 23_2_00007FF60D12C0CC
Source: C:\Windows\System32\loaddll64.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion InstallDate
Source: C:\Windows\System32\loaddll64.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: C:\Users\user\AppData\Local\DLKXiO\consent.exe Code function: 13_2_00007FF679F94AD0 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,GetTickCount,QueryPerformanceCounter, 13_2_00007FF679F94AD0
Source: C:\Users\user\AppData\Local\y1c6p\cmstp.exe Code function: 27_2_00007FF768F8CB20 memset,GetSystemInfo,GetVersionExW, 27_2_00007FF768F8CB20
Source: C:\Users\user\AppData\Local\DLKXiO\consent.exe Code function: 13_2_00007FF679F93940 LocalAlloc,ImpersonateLoggedOnUser,GetLastError,GetUserNameExW,GetLastError,RevertToSelf,wcschr,LoadUserProfileW,GetLastError,ConvertStringSecurityDescriptorToSecurityDescriptorW,CreateEventW,LocalFree,ConvertStringSecurityDescriptorToSecurityDescriptorW,CreateEventW,LocalFree,ConvertStringSecurityDescriptorToSecurityDescriptorW,CreateEventW,LocalFree,ConvertStringSecurityDescriptorToSecurityDescriptorW,CreateEventW,LocalFree,SetEvent,SetEvent,CloseHandle,CloseHandle,memset,ImpersonateLoggedOnUser,GetLastError,CreateFileW,GetLastError,wcsrchr,RevertToSelf,CloseHandle,CloseHandle,ConvertStringSecurityDescriptorToSecurityDescriptorW,CreateEventW,LocalFree,ConvertStringSecurityDescriptorToSecurityDescriptorW,CreateEventW,LocalFree,SetEvent,SetEvent,CloseHandle,CloseHandle,UnloadUserProfile,LocalFree,CloseHandle, 13_2_00007FF679F93940
No contacted IP infos