Windows Analysis Report
CJu1sWJfWk

Overview

General Information

Sample Name: CJu1sWJfWk (renamed file extension from none to dll)
Analysis ID: 595319
MD5: 2a52d4cc48659ad06386e6f1ddb17613
SHA1: fb551a1f927e6b86fb2e8281d4f09a753e5a7f5b
SHA256: ab8f6d64918bfde8d603af28047f91c3bdfd82df3d965391fc1b480542d64b89
Tags: Dridexexe

Detection

Dridex
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Yara detected Dridex unpacked file
Multi AV Scanner detection for submitted file
Benign windows process drops PE files
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Changes memory attributes in foreign processes to executable or writable
Machine Learning detection for sample
Queues an APC in another process (thread injection)
Sigma detected: Suspicious Call by Ordinal
Machine Learning detection for dropped file
Contains functionality to prevent local Windows debugging
Uses Atom Bombing / ProGate to inject into other processes
Contains functionality to check if a debugger is running (IsDebuggerPresent)
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
PE file contains sections with non-standard names
Queries the installation date of Windows
Detected potential crypto function
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to call native functions
Contains functionality to communicate with device drivers
Found dropped PE file which has not been started or loaded
Contains functionality which may be used to detect a debugger (GetProcessHeap)
PE file contains executable resources (Code or Archives)
Contains functionality for execution timing, often used to detect debuggers
PE file contains strange resources
Drops PE files
Tries to load missing DLLs
Found evasive API chain checking for process token information
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Binary contains a suspicious time stamp
Registers a DLL
PE file contains more sections than normal
Found large amount of non-executed APIs
Uses Microsoft's Enhanced Cryptographic Provider
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

AV Detection

Source: CJu1sWJfWk.dll Virustotal: Detection: 76%
Source: CJu1sWJfWk.dll Metadefender: Detection: 62%
Source: CJu1sWJfWk.dll ReversingLabs: Detection: 88%
Source: CJu1sWJfWk.dll Avira: detected
Source: C:\Users\user\AppData\Local\KN4et9\WINSTA.dll Avira: detection malicious, Label: TR/Crypt.ZPACK.Gen
Source: C:\Users\user\AppData\Local\PVsO8HfRn\dwmapi.dll Avira: detection malicious, Label: TR/Crypt.XPACK.Gen7
Source: C:\Users\user\AppData\Local\ns1MY\WTSAPI32.dll Avira: detection malicious, Label: TR/Crypt.ZPACK.Gen
Source: C:\Users\user\AppData\Local\YMJtPINjt\WINMM.dll Avira: detection malicious, Label: TR/Crypt.ZPACK.Gen
Source: C:\Users\user\AppData\Local\qpscHm\MFC42u.dll Avira: detection malicious, Label: TR/Crypt.ZPACK.Gen
Source: C:\Users\user\AppData\Local\4hM96ANL\ReAgent.dll Avira: detection malicious, Label: TR/Crypt.XPACK.Gen7
Source: C:\Users\user\AppData\Local\oQi\VERSION.dll Avira: detection malicious, Label: TR/Crypt.ZPACK.Gen
Source: C:\Users\user\AppData\Local\iSZdEuUQU\mmcbase.DLL Avira: detection malicious, Label: TR/Crypt.XPACK.Gen7
Source: C:\Users\user\AppData\Local\oNo29a9yW\MFPlat.DLL Avira: detection malicious, Label: TR/Crypt.XPACK.Gen7
Source: CJu1sWJfWk.dll Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\KN4et9\WINSTA.dll Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\PVsO8HfRn\dwmapi.dll Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\ns1MY\WTSAPI32.dll Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\YMJtPINjt\WINMM.dll Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\qpscHm\MFC42u.dll Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\4hM96ANL\ReAgent.dll Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\oQi\VERSION.dll Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\iSZdEuUQU\mmcbase.DLL Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\oNo29a9yW\MFPlat.DLL Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\V3ju9LunR\rdpinit.exe Code function: 32_2_00007FF7C6A02D94 CryptAcquireContextW,GetLastError,CryptGenRandom,GetLastError,CryptReleaseContext, 32_2_00007FF7C6A02D94
Source: CJu1sWJfWk.dll Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA
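The DllCharacteristics flags on that line (ASLR via DYNAMIC_BASE and HIGH_ENTROPY_VA, DEP via NX_COMPAT, plus TERMINAL_SERVER_AWARE) only show that the DLL was linked by a current toolchain with its default mitigations enabled; they carry no weight for or against maliciousness, and the line does not list GUARD_CF. The Python below is an added example, not part of the Joe Sandbox report and not the sample's own code: it reads the COFF and optional headers of a PE image and decodes those flags. The header it parses is constructed by build_header() rather than taken from the sample, so it runs offline; point read_pe_header() at the bytes of a real file to check the report's claim yourself.

```python
import struct

# IMAGE_DLLCHARACTERISTICS_* bits from the PE/COFF specification.
DLL_CHARACTERISTICS = {
    0x0020: "HIGH_ENTROPY_VA",
    0x0040: "DYNAMIC_BASE",
    0x0080: "FORCE_INTEGRITY",
    0x0100: "NX_COMPAT",
    0x0200: "NO_ISOLATION",
    0x0400: "NO_SEH",
    0x0800: "NO_BIND",
    0x1000: "APPCONTAINER",
    0x2000: "WDM_DRIVER",
    0x4000: "GUARD_CF",
    0x8000: "TERMINAL_SERVER_AWARE",
}
IMAGE_FILE_DLL = 0x2000          # COFF Characteristics bit: image is a DLL
PE32_MAGIC, PE32PLUS_MAGIC = 0x10B, 0x20B
COFF_HEADER = "<HHIIIHH"         # Machine .. Characteristics, 20 bytes


def read_pe_header(data):
    """Return (machine, coff_characteristics, magic, dll_characteristics).

    Only fixed-offset fields are read, so a truncated or non-loadable header
    is enough; anything without MZ/PE signatures raises ValueError.
    """
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    machine, _nsect, _ts, _psym, _nsym, _optsize, characteristics = struct.unpack_from(COFF_HEADER, data, coff)
    opt = coff + struct.calcsize(COFF_HEADER)
    (magic,) = struct.unpack_from("<H", data, opt)
    if magic not in (PE32_MAGIC, PE32PLUS_MAGIC):
        raise ValueError(f"unexpected optional header magic {magic:#x}")
    # DllCharacteristics sits at offset 70 of the optional header for PE32 and PE32+ alike.
    (dll_chars,) = struct.unpack_from("<H", data, opt + 70)
    return machine, characteristics, magic, dll_chars


def decode_flags(dll_chars):
    """Names of the set DllCharacteristics bits, in ascending bit order."""
    return [name for bit, name in sorted(DLL_CHARACTERISTICS.items()) if dll_chars & bit]


def mitigations(dll_chars):
    """What the linker flags promise; the OS may still override them per policy."""
    return {
        "aslr": bool(dll_chars & 0x0040),
        "high_entropy_aslr": bool(dll_chars & 0x0040) and bool(dll_chars & 0x0020),
        "dep": bool(dll_chars & 0x0100),
        "cfg": bool(dll_chars & 0x4000),
    }


def build_header(dll_chars, is_dll=True, magic=PE32PLUS_MAGIC):
    """Constructed minimal header for offline testing; not a loadable image."""
    e_lfanew = 0x40
    dos_stub = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    characteristics = 0x0002 | 0x0020 | (IMAGE_FILE_DLL if is_dll else 0)  # EXECUTABLE_IMAGE | LARGE_ADDRESS_AWARE
    coff = struct.pack(COFF_HEADER, 0x8664, 1, 0, 0, 0, 240, characteristics)
    optional = bytearray(240)  # PE32+ optional header size with 16 data directories
    struct.pack_into("<H", optional, 0, magic)
    struct.pack_into("<H", optional, 70, dll_chars)
    return dos_stub + b"PE\0\0" + coff + bytes(optional)


# The four flags the report lists for CJu1sWJfWk.dll.
REPORTED_FLAGS = 0x8000 | 0x0040 | 0x0100 | 0x0020

if __name__ == "__main__":
    _, coff_chars, magic, dll_chars = read_pe_header(build_header(REPORTED_FLAGS))
    print("DLL" if coff_chars & IMAGE_FILE_DLL else "EXE", f"magic {magic:#x}")
    print(decode_flags(dll_chars), mitigations(dll_chars))
```

The decoded set for the reported flags comes out as HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT and TERMINAL_SERVER_AWARE with cfg False, which is exactly what a stock 64-bit MSVC build produces; treat it as a toolchain fingerprint, not as evidence either way.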
Source: Binary string: slui.pdb source: slui.exe, 0000001C.00000000.576973852.00007FF6896DC000.00000002.00000001.01000000.0000000F.sdmp, slui.exe, 0000001C.00000002.602092427.00007FF6896DC000.00000002.00000001.01000000.0000000F.sdmp
Source: Binary string: FXSCOVER.pdb source: FXSCOVER.exe, 00000024.00000000.719410189.00007FF71BF22000.00000002.00000001.01000000.00000018.sdmp, FXSCOVER.exe, 00000024.00000002.744580898.00007FF71BF22000.00000002.00000001.01000000.00000018.sdmp
Source: Binary string: irftp.pdbGCTL source: irftp.exe, 00000015.00000002.571923555.00007FF669285000.00000002.00000001.01000000.0000000B.sdmp, irftp.exe, 00000015.00000000.532927512.00007FF669285000.00000002.00000001.01000000.0000000B.sdmp
Source: Binary string: MFPMP.pdb source: mfpmp.exe, 0000001E.00000002.641878378.00007FF7FF637000.00000002.00000001.01000000.00000011.sdmp, mfpmp.exe, 0000001E.00000000.618202747.00007FF7FF637000.00000002.00000001.01000000.00000011.sdmp
Source: Binary string: rdpinit.pdb source: rdpinit.exe, 00000020.00000000.647965981.00007FF7C6A3E000.00000002.00000001.01000000.00000014.sdmp, rdpinit.exe, 00000020.00000002.672090134.00007FF7C6A3E000.00000002.00000001.01000000.00000014.sdmp
Source: Binary string: rdpinit.pdbGCTL source: rdpinit.exe, 00000020.00000000.647965981.00007FF7C6A3E000.00000002.00000001.01000000.00000014.sdmp, rdpinit.exe, 00000020.00000002.672090134.00007FF7C6A3E000.00000002.00000001.01000000.00000014.sdmp
Source: Binary string: MFPMP.pdbUGP source: mfpmp.exe, 0000001E.00000002.641878378.00007FF7FF637000.00000002.00000001.01000000.00000011.sdmp, mfpmp.exe, 0000001E.00000000.618202747.00007FF7FF637000.00000002.00000001.01000000.00000011.sdmp
Source: Binary string: systemreset.pdb source: systemreset.exe, 00000012.00000002.527294557.00007FF6C4651000.00000002.00000001.01000000.00000009.sdmp, systemreset.exe, 00000012.00000000.501974007.00007FF6C4651000.00000002.00000001.01000000.00000009.sdmp
Source: Binary string: FXSCOVER.pdbGCTL source: FXSCOVER.exe, 00000024.00000000.719410189.00007FF71BF22000.00000002.00000001.01000000.00000018.sdmp, FXSCOVER.exe, 00000024.00000002.744580898.00007FF71BF22000.00000002.00000001.01000000.00000018.sdmp
Source: Binary string: DXPServer.pdbGCTL source: Dxpserver.exe, 00000022.00000000.677391115.00007FF73F041000.00000002.00000001.01000000.00000016.sdmp, Dxpserver.exe, 00000022.00000002.701873761.00007FF73F041000.00000002.00000001.01000000.00000016.sdmp
Source: Binary string: systemreset.pdbGCTL source: systemreset.exe, 00000012.00000002.527294557.00007FF6C4651000.00000002.00000001.01000000.00000009.sdmp, systemreset.exe, 00000012.00000000.501974007.00007FF6C4651000.00000002.00000001.01000000.00000009.sdmp
Source: Binary string: slui.pdbUGP source: slui.exe, 0000001C.00000000.576973852.00007FF6896DC000.00000002.00000001.01000000.0000000F.sdmp, slui.exe, 0000001C.00000002.602092427.00007FF6896DC000.00000002.00000001.01000000.0000000F.sdmp
Source: Binary string: DXPServer.pdb source: Dxpserver.exe, 00000022.00000000.677391115.00007FF73F041000.00000002.00000001.01000000.00000016.sdmp, Dxpserver.exe, 00000022.00000002.701873761.00007FF73F041000.00000002.00000001.01000000.00000016.sdmp
Source: Binary string: irftp.pdb source: irftp.exe, 00000015.00000002.571923555.00007FF669285000.00000002.00000001.01000000.0000000B.sdmp, irftp.exe, 00000015.00000000.532927512.00007FF669285000.00000002.00000001.01000000.0000000B.sdmp
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFF2F2BED10 FindFirstFileExW, 0_2_00007FFF2F2BED10
Source: C:\Users\user\AppData\Local\4hM96ANL\systemreset.exe Code function: 18_2_00007FF6C464A9EC memset,SetLastError,SetLastError,HeapAlloc,GetLastError,FindFirstFileW,memset,memset,wcsrchr,SetLastError,CompareStringW,CompareStringW,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,memset,FindNextFileW,GetLastError,GetLastError,GetLastError,FindClose,GetLastError,RtlFreeHeap,GetLastError,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,SetLastError,SetLastError, 18_2_00007FF6C464A9EC
Source: C:\Users\user\AppData\Local\4hM96ANL\systemreset.exe Code function: 18_2_00007FF6C464B1D0 FindFirstFileW,FindNextFileW,_wcsicmp,_wcsicmp,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,GetLastError,SetLastError, 18_2_00007FF6C464B1D0
Source: C:\Users\user\AppData\Local\4hM96ANL\systemreset.exe Code function: 18_2_00007FF6C46374A0 memset,FindFirstFileW,FindClose,PostMessageW, 18_2_00007FF6C46374A0
Source: C:\Users\user\AppData\Local\4hM96ANL\systemreset.exe Code function: 18_2_00007FFF2F2EED10 FindFirstFileExW, 18_2_00007FFF2F2EED10
Source: C:\Users\user\AppData\Local\YMJtPINjt\irftp.exe Code function: 21_2_00007FF66927B908 FindFirstFileW,lstrcmpW,lstrcmpW,FindNextFileW,FindClose, 21_2_00007FF66927B908
Source: C:\Users\user\AppData\Local\YMJtPINjt\irftp.exe Code function: 21_2_00007FF66927C018 FindFirstFileW,lstrcmpW,lstrcmpW,CreateFileW,GetFileSize,CloseHandle,FindNextFileW,FindClose, 21_2_00007FF66927C018
Source: C:\Users\user\AppData\Local\YMJtPINjt\irftp.exe Code function: 21_2_00007FFF2E86ED10 FindFirstFileExW, 21_2_00007FFF2E86ED10
Source: C:\Users\user\AppData\Local\YMJtPINjt\irftp.exe Code function: 21_2_00007FF66927A6E8 select,recv,GetLastError,select, 21_2_00007FF66927A6E8
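The Avira and Joe Sandbox ML rows above name nine DLLs dropped into randomly named directories under %LOCALAPPDATA%, each carrying the file name of a Windows system DLL (WINSTA.dll, dwmapi.dll, WTSAPI32.dll, WINMM.dll, MFC42u.dll, ReAgent.dll, VERSION.dll, mmcbase.DLL, MFPlat.DLL), and the "Code function" rows show Microsoft executables (systemreset.exe, irftp.exe, rdpinit.exe) running from directories of the same kind. That combination is DLL side-loading: a legitimate signed executable is copied next to a malicious DLL that reuses the name of a library it loads, so the loader picks the copy in the application directory ahead of System32 for any DLL not on the KnownDLLs list. The Python below is an added triage example, not part of the Joe Sandbox report: it parses a constructed subset of the report's "Source:" rows, groups artifacts by directory and flags DLLs whose names collide with System32 DLLs. SYSTEM32_DLLS is a stand-in for a real System32 listing, and pairing an EXE with a DLL purely by shared directory is a heuristic.

```python
import re
from collections import defaultdict

# Constructed input: eight "Source:" rows copied from the report above.
REPORT_LINES = r"""
Source: C:\Users\user\AppData\Local\KN4et9\WINSTA.dll Avira: detection malicious, Label: TR/Crypt.ZPACK.Gen
Source: C:\Users\user\AppData\Local\4hM96ANL\ReAgent.dll Avira: detection malicious, Label: TR/Crypt.XPACK.Gen7
Source: C:\Users\user\AppData\Local\YMJtPINjt\WINMM.dll Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\V3ju9LunR\rdpinit.exe Code function: 32_2_00007FF7C6A02D94 CryptAcquireContextW,GetLastError,CryptGenRandom,GetLastError,CryptReleaseContext, 32_2_00007FF7C6A02D94
Source: C:\Users\user\AppData\Local\4hM96ANL\systemreset.exe Code function: 18_2_00007FF6C46374A0 memset,FindFirstFileW,FindClose,PostMessageW, 18_2_00007FF6C46374A0
Source: C:\Users\user\AppData\Local\YMJtPINjt\irftp.exe Code function: 21_2_00007FF66927A6E8 select,recv,GetLastError,select, 21_2_00007FF66927A6E8
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFF2F2BED10 FindFirstFileExW, 0_2_00007FFF2F2BED10
Source: CJu1sWJfWk.dll Avira: detected
"""

# Stand-in for a directory listing of C:\Windows\System32 (assumption: on a
# real host build this set with os.listdir on System32 instead of a literal).
SYSTEM32_DLLS = {
    "winsta.dll", "dwmapi.dll", "wtsapi32.dll", "winmm.dll", "mfc42u.dll",
    "reagent.dll", "version.dll", "mmcbase.dll", "mfplat.dll",
}

# Only "Source:" rows that carry a full drive path have a directory to group on;
# rows naming the bare sample (CJu1sWJfWk.dll) are skipped.
SOURCE_RE = re.compile(r"^Source:\s+(?P<path>[A-Za-z]:\\\S+)")
USER_WRITABLE_RE = re.compile(r"\\AppData\\Local\\", re.IGNORECASE)


def parse_sources(text):
    """Yield (directory, filename) for every Source: row with a drive path."""
    for line in text.splitlines():
        match = SOURCE_RE.match(line.strip())
        if match:
            directory, _, filename = match.group("path").rpartition("\\")
            yield directory, filename


def find_sideload_candidates(text, system_dlls=SYSTEM32_DLLS):
    """Pair each spoofed DLL with the executable dropped beside it.

    Returns a sorted list of (directory, exe_or_None, dll) for every DLL that
    lives under a user-writable AppData\\Local path and reuses the file name
    of a System32 DLL.  EXE/DLL pairing is by shared directory only (heuristic).
    """
    by_dir = defaultdict(lambda: {"exe": set(), "dll": set()})
    for directory, filename in parse_sources(text):
        if not USER_WRITABLE_RE.search(directory):
            continue  # e.g. C:\Windows\System32\loaddll64.exe, the sandbox's own loader
        ext = filename.lower().rpartition(".")[2]
        if ext in ("exe", "dll"):
            by_dir[directory][ext].add(filename)

    hits = []
    for directory, files in by_dir.items():
        exe = min(files["exe"]) if files["exe"] else None
        for dll in sorted(files["dll"]):
            if dll.lower() in system_dlls:
                hits.append((directory, exe, dll))
    return sorted(hits)


if __name__ == "__main__":
    for directory, exe, dll in find_sideload_candidates(REPORT_LINES):
        print(f"{directory}: {exe or '<no exe in excerpt>'} + {dll}")
```

On the constructed rows it pairs 4hM96ANL with systemreset.exe and ReAgent.dll, YMJtPINjt with irftp.exe and WINMM.dll, and reports KN4et9\WINSTA.dll with no executable seen; V3ju9LunR\rdpinit.exe yields no hit because the excerpt lists no DLL beside it. To hunt on a live host, feed it a listing of %LOCALAPPDATA% instead of report text and replace SYSTEM32_DLLS with the real System32 listing; a Microsoft-signed EXE in a fresh random directory next to a same-named-as-System32 DLL that is not Microsoft-signed is the signal to act on.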

E-Banking Fraud

Source: Yara match File source: 32.2.rdpinit.exe.7fff2f290000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 28.2.slui.exe.7fff2f290000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.2.systemreset.exe.7fff2f290000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 30.2.mfpmp.exe.7fff2f290000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.rundll32.exe.7fff2f260000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.rundll32.exe.7fff2f260000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 36.2.FXSCOVER.exe.7fff2f280000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.rundll32.exe.7fff2f260000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 21.2.irftp.exe.7fff2e810000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.regsvr32.exe.7fff2f260000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.loaddll64.exe.7fff2f260000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 34.2.Dxpserver.exe.7fff2f290000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.rundll32.exe.7fff2f260000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000024.00000002.744653050.00007FFF2F281000.00000020.00000001.01000000.00000019.sdmp, type: MEMORY
Source: Yara match File source: 00000020.00000002.672187503.00007FFF2F291000.00000020.00000001.01000000.00000015.sdmp, type: MEMORY
Source: Yara match File source: 00000026.00000002.774985699.00007FFF2E811000.00000020.00000001.01000000.0000001B.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.367061712.00007FFF2F261000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 00000028.00000002.810456162.00007FFF2F291000.00000020.00000001.01000000.0000001D.sdmp, type: MEMORY
Source: Yara match File source: 00000022.00000002.701945948.00007FFF2F291000.00000020.00000001.01000000.00000017.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.386333587.00007FFF2F261000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.490083251.00007FFF2F261000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 0000001C.00000002.602217664.00007FFF2F291000.00000020.00000001.01000000.00000010.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.380243641.00007FFF2F261000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000002.527531881.00007FFF2F291000.00000020.00000001.01000000.0000000A.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.366294704.00007FFF2F261000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 00000015.00000002.572046007.00007FFF2E811000.00000020.00000001.01000000.0000000C.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.372913462.00007FFF2F261000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 0000001E.00000002.641971707.00007FFF2F291000.00000020.00000001.01000000.00000012.sdmp, type: MEMORY
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFF2F2A97D0 0_2_00007FFF2F2A97D0
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFF2F2C7650 0_2_00007FFF2F2C7650
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFF2F2CD520 0_2_00007FFF2F2CD520
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFF2F2BDDC0 0_2_00007FFF2F2BDDC0
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFF2F2ACA50 0_2_00007FFF2F2ACA50
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFF2F29AA70 0_2_00007FFF2F29AA70
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFF2F2AA2C0 0_2_00007FFF2F2AA2C0
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFF2F2B3150 0_2_00007FFF2F2B3150
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFF2F2959F0 0_2_00007FFF2F2959F0
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFF2F295020 0_2_00007FFF2F295020
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFF2F287880 0_2_00007FFF2F287880
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFF2F282F50 0_2_00007FFF2F282F50
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFF2F2C0F30 0_2_00007FFF2F2C0F30
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFF2F28872B 0_2_00007FFF2F28872B
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFF2F266790 0_2_00007FFF2F266790
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFF2F2DEF80 0_2_00007FFF2F2DEF80
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFF2F2CC780 0_2_00007FFF2F2CC780
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFF2F27E770 0_2_00007FFF2F27E770
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFF2F2C0770 0_2_00007FFF2F2C0770
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFF2F2C5760 0_2_00007FFF2F2C5760
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFF2F27A7D0 0_2_00007FFF2F27A7D0
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFF2F278FC0 0_2_00007FFF2F278FC0
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFF2F28E7B0 0_2_00007FFF2F28E7B0
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFF2F2DB7A0 0_2_00007FFF2F2DB7A0
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFF2F261010 0_2_00007FFF2F261010
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFF2F284800 0_2_00007FFF2F284800
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFF2F2D4FF0 0_2_00007FFF2F2D4FF0
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFF2F286FE0 0_2_00007FFF2F286FE0
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFF2F2B0650 0_2_00007FFF2F2B0650
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFF2F261620 0_2_00007FFF2F261620
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFF2F26DE20 0_2_00007FFF2F26DE20
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFF2F266E90 0_2_00007FFF2F266E90
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFF2F267E80 0_2_00007FFF2F267E80
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFF2F278670 0_2_00007FFF2F278670
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFF2F2C7EC0 0_2_00007FFF2F2C7EC0
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFF2F28F6B0 0_2_00007FFF2F28F6B0
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFF2F2CA6B0 0_2_00007FFF2F2CA6B0
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFF2F2906A0 0_2_00007FFF2F2906A0
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFF2F283D50 0_2_00007FFF2F283D50
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFF2F28D550 0_2_00007FFF2F28D550
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFF2F291D30 0_2_00007FFF2F291D30
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFF2F279D70 0_2_00007FFF2F279D70
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFF2F2795C0 0_2_00007FFF2F2795C0
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFF2F2925C0 0_2_00007FFF2F2925C0
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFF2F26C5A0 0_2_00007FFF2F26C5A0
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFF2F283610 0_2_00007FFF2F283610
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFF2F292E10 0_2_00007FFF2F292E10
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFF2F2765E0 0_2_00007FFF2F2765E0
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFF2F265C20 0_2_00007FFF2F265C20
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFF2F275420 0_2_00007FFF2F275420
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFF2F2CE49D 0_2_00007FFF2F2CE49D
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFF2F2CE494 0_2_00007FFF2F2CE494
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFF2F2CA490 0_2_00007FFF2F2CA490
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFF2F2CE48B 0_2_00007FFF2F2CE48B
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFF2F28AC80 0_2_00007FFF2F28AC80
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFF2F273CD0 0_2_00007FFF2F273CD0
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFF2F295CD0 0_2_00007FFF2F295CD0
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFF2F2CE4B6 0_2_00007FFF2F2CE4B6
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFF2F2CE4AD 0_2_00007FFF2F2CE4AD
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFF2F2C2CA0 0_2_00007FFF2F2C2CA0
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFF2F2CE4A6 0_2_00007FFF2F2CE4A6
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFF2F290D10 0_2_00007FFF2F290D10
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFF2F293CF0 0_2_00007FFF2F293CF0
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFF2F265350 0_2_00007FFF2F265350
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFF2F2C5B50 0_2_00007FFF2F2C5B50
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFF2F283340 0_2_00007FFF2F283340
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFF2F278340 0_2_00007FFF2F278340
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFF2F291B30 0_2_00007FFF2F291B30
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFF2F26BB20 0_2_00007FFF2F26BB20
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFF2F2C4390 0_2_00007FFF2F2C4390
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFF2F294360 0_2_00007FFF2F294360
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFF2F2B4BC0 0_2_00007FFF2F2B4BC0
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFF2F277410 0_2_00007FFF2F277410
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFF2F2C9410 0_2_00007FFF2F2C9410
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFF2F2CE400 0_2_00007FFF2F2CE400
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFF2F2723F0 0_2_00007FFF2F2723F0
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFF2F29B250 0_2_00007FFF2F29B250
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFF2F267A40 0_2_00007FFF2F267A40
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFF2F2CB260 0_2_00007FFF2F2CB260
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFF2F2892C0 0_2_00007FFF2F2892C0
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFF2F2BF2C0 0_2_00007FFF2F2BF2C0
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFF2F28DAA0 0_2_00007FFF2F28DAA0
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFF2F2C82A0 0_2_00007FFF2F2C82A0
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFF2F2CAAA0 0_2_00007FFF2F2CAAA0
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFF2F28A310 0_2_00007FFF2F28A310
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFF2F290300 0_2_00007FFF2F290300
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFF2F2C7AF0 0_2_00007FFF2F2C7AF0
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFF2F29BAE0 0_2_00007FFF2F29BAE0
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFF2F2882E0 0_2_00007FFF2F2882E0
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFF2F2C2AE0 0_2_00007FFF2F2C2AE0
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFF2F2C6950 0_2_00007FFF2F2C6950
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFF2F284140 0_2_00007FFF2F284140
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFF2F296130 0_2_00007FFF2F296130
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFF2F299990 0_2_00007FFF2F299990
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFF2F262980 0_2_00007FFF2F262980
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFF2F2CB960 0_2_00007FFF2F2CB960
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFF2F2921D0 0_2_00007FFF2F2921D0
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFF2F2869C0 0_2_00007FFF2F2869C0
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFF2F27E9B0 0_2_00007FFF2F27E9B0
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFF2F2811B0 0_2_00007FFF2F2811B0
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFF2F28E9A0 0_2_00007FFF2F28E9A0
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFF2F2991F0 0_2_00007FFF2F2991F0
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFF2F2989F0 0_2_00007FFF2F2989F0
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFF2F28F1F0 0_2_00007FFF2F28F1F0
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFF2F285050 0_2_00007FFF2F285050
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFF2F2B5840 0_2_00007FFF2F2B5840
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFF2F28C030 0_2_00007FFF2F28C030
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFF2F290020 0_2_00007FFF2F290020
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFF2F27D890 0_2_00007FFF2F27D890
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFF2F29F870 0_2_00007FFF2F29F870
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFF2F2AF870 0_2_00007FFF2F2AF870
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFF2F2618D0 0_2_00007FFF2F2618D0
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFF2F2708B0 0_2_00007FFF2F2708B0
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFF2F27E110 0_2_00007FFF2F27E110
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFF2F283910 0_2_00007FFF2F283910
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFF2F26B100 0_2_00007FFF2F26B100
Source: C:\Users\user\AppData\Local\4hM96ANL\systemreset.exe Code function: 18_2_00007FF6C4637E20 18_2_00007FF6C4637E20
Source: C:\Users\user\AppData\Local\4hM96ANL\systemreset.exe Code function: 18_2_00007FF6C462E5D4 18_2_00007FF6C462E5D4
Source: C:\Users\user\AppData\Local\4hM96ANL\systemreset.exe Code function: 18_2_00007FF6C4623694 18_2_00007FF6C4623694
Source: C:\Users\user\AppData\Local\4hM96ANL\systemreset.exe Code function: 18_2_00007FF6C4623E7C 18_2_00007FF6C4623E7C
Source: C:\Users\user\AppData\Local\4hM96ANL\systemreset.exe Code function: 18_2_00007FF6C4638660 18_2_00007FF6C4638660
Source: C:\Users\user\AppData\Local\4hM96ANL\systemreset.exe Code function: 18_2_00007FF6C464071C 18_2_00007FF6C464071C
Source: C:\Users\user\AppData\Local\4hM96ANL\systemreset.exe Code function: 18_2_00007FF6C4648ED8 18_2_00007FF6C4648ED8
Source: C:\Users\user\AppData\Local\4hM96ANL\systemreset.exe Code function: 18_2_00007FF6C464DF90 18_2_00007FF6C464DF90
Source: C:\Users\user\AppData\Local\4hM96ANL\systemreset.exe Code function: 18_2_00007FF6C4635820 18_2_00007FF6C4635820
Source: C:\Users\user\AppData\Local\4hM96ANL\systemreset.exe Code function: 18_2_00007FF6C464207C 18_2_00007FF6C464207C
Source: C:\Users\user\AppData\Local\4hM96ANL\systemreset.exe Code function: 18_2_00007FF6C4638850 18_2_00007FF6C4638850
Source: C:\Users\user\AppData\Local\4hM96ANL\systemreset.exe Code function: 18_2_00007FF6C46380D0 18_2_00007FF6C46380D0
Source: C:\Users\user\AppData\Local\4hM96ANL\systemreset.exe Code function: 18_2_00007FF6C4623218 18_2_00007FF6C4623218
Source: C:\Users\user\AppData\Local\4hM96ANL\systemreset.exe Code function: 18_2_00007FF6C4636A20 18_2_00007FF6C4636A20
Source: C:\Users\user\AppData\Local\4hM96ANL\systemreset.exe Code function: 18_2_00007FF6C46419FC 18_2_00007FF6C46419FC
Source: C:\Users\user\AppData\Local\4hM96ANL\systemreset.exe Code function: 18_2_00007FF6C464A9EC 18_2_00007FF6C464A9EC
Source: C:\Users\user\AppData\Local\4hM96ANL\systemreset.exe Code function: 18_2_00007FF6C4646AB0 18_2_00007FF6C4646AB0
Source: C:\Users\user\AppData\Local\4hM96ANL\systemreset.exe Code function: 18_2_00007FF6C4636330 18_2_00007FF6C4636330
Source: C:\Users\user\AppData\Local\4hM96ANL\systemreset.exe Code function: 18_2_00007FF6C4638320 18_2_00007FF6C4638320
Source: C:\Users\user\AppData\Local\4hM96ANL\systemreset.exe Code function: 18_2_00007FF6C4637324 18_2_00007FF6C4637324
Source: C:\Users\user\AppData\Local\4hM96ANL\systemreset.exe Code function: 18_2_00007FF6C4637B70 18_2_00007FF6C4637B70
Source: C:\Users\user\AppData\Local\4hM96ANL\systemreset.exe Code function: 18_2_00007FF6C4643BE0 18_2_00007FF6C4643BE0
Source: C:\Users\user\AppData\Local\4hM96ANL\systemreset.exe Code function: 18_2_00007FF6C464BC58 18_2_00007FF6C464BC58
Source: C:\Users\user\AppData\Local\4hM96ANL\systemreset.exe Code function: 18_2_00007FF6C4645510 18_2_00007FF6C4645510
Source: C:\Users\user\AppData\Local\4hM96ANL\systemreset.exe Code function: 18_2_00007FFF2F2D97D0 18_2_00007FFF2F2D97D0
Source: C:\Users\user\AppData\Local\4hM96ANL\systemreset.exe Code function: 18_2_00007FFF2F2F7650 18_2_00007FFF2F2F7650
Source: C:\Users\user\AppData\Local\4hM96ANL\systemreset.exe Code function: 18_2_00007FFF2F2FD520 18_2_00007FFF2F2FD520
Source: C:\Users\user\AppData\Local\4hM96ANL\systemreset.exe Code function: 18_2_00007FFF2F2EDDC0 18_2_00007FFF2F2EDDC0
Source: C:\Users\user\AppData\Local\4hM96ANL\systemreset.exe Code function: 18_2_00007FFF2F2C5CD0 18_2_00007FFF2F2C5CD0
Source: C:\Users\user\AppData\Local\4hM96ANL\systemreset.exe Code function: 18_2_00007FFF2F2DCA50 18_2_00007FFF2F2DCA50
Source: C:\Users\user\AppData\Local\4hM96ANL\systemreset.exe Code function: 18_2_00007FFF2F2CAA70 18_2_00007FFF2F2CAA70
Source: C:\Users\user\AppData\Local\4hM96ANL\systemreset.exe Code function: 18_2_00007FFF2F2DA2C0 18_2_00007FFF2F2DA2C0
Source: C:\Users\user\AppData\Local\4hM96ANL\systemreset.exe Code function: 18_2_00007FFF2F2CBAE0 18_2_00007FFF2F2CBAE0
Source: C:\Users\user\AppData\Local\4hM96ANL\systemreset.exe Code function: 18_2_00007FFF2F2E3150 18_2_00007FFF2F2E3150
Source: C:\Users\user\AppData\Local\4hM96ANL\systemreset.exe Code function: 18_2_00007FFF2F2C59F0 18_2_00007FFF2F2C59F0
Source: C:\Users\user\AppData\Local\4hM96ANL\systemreset.exe Code function: 18_2_00007FFF2F2C5020 18_2_00007FFF2F2C5020
Source: C:\Users\user\AppData\Local\4hM96ANL\systemreset.exe Code function: 18_2_00007FFF2F2B7880 18_2_00007FFF2F2B7880
Source: C:\Users\user\AppData\Local\4hM96ANL\systemreset.exe Code function: 18_2_00007FFF2F2B2F50 18_2_00007FFF2F2B2F50
Source: C:\Users\user\AppData\Local\4hM96ANL\systemreset.exe Code function: 18_2_00007FFF2F30BF6F 18_2_00007FFF2F30BF6F
Source: C:\Users\user\AppData\Local\4hM96ANL\systemreset.exe Code function: 18_2_00007FFF2F30EF80 18_2_00007FFF2F30EF80
Source: C:\Users\user\AppData\Local\4hM96ANL\systemreset.exe Code function: String function: 00007FF6C463F3E0 appears 58 times
Source: C:\Users\user\AppData\Local\4hM96ANL\systemreset.exe Code function: String function: 00007FF6C463F624 appears 163 times
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFF2F2A7770 NtClose, 0_2_00007FFF2F2A7770
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFF2F2CD520 NtQuerySystemInformation,RtlAllocateHeap, 0_2_00007FFF2F2CD520
Source: C:\Users\user\AppData\Local\4hM96ANL\systemreset.exe Code function: 18_2_00007FF6C464BC58 GetFileAttributesW,SetFileAttributesW,CreateFileW,GetFileInformationByHandle,GetModuleHandleW,GetProcAddress,GetProcAddress,memset,GetFullPathNameW,HeapAlloc,RtlFreeHeap,_wcsicmp,FindClose,GetProcessHeap,HeapFree,GetLastError,GetLastError,NtSetInformationFile,RtlNtStatusToDosError,CloseHandle,SetFileAttributesW,GetProcessHeap,HeapFree,GetLastError,GetLastError,GetProcessHeap,HeapFree,SetLastError, 18_2_00007FF6C464BC58
Source: C:\Users\user\AppData\Local\4hM96ANL\systemreset.exe Code function: 18_2_00007FFF2F2B5F40 NtCreateSection,NtMapViewOfSection,NtUnmapViewOfSection,NtDuplicateObject,NtDuplicateObject, 18_2_00007FFF2F2B5F40
Source: C:\Users\user\AppData\Local\4hM96ANL\systemreset.exe Code function: 18_2_00007FFF2F2D7770 NtClose, 18_2_00007FFF2F2D7770
Source: C:\Users\user\AppData\Local\4hM96ANL\systemreset.exe Code function: 18_2_00007FFF2F2FD520 NtQuerySystemInformation,RtlAllocateHeap, 18_2_00007FFF2F2FD520
Source: C:\Users\user\AppData\Local\4hM96ANL\systemreset.exe Code function: 18_2_00007FFF2F2C5CD0 RtlAddVectoredContinueHandler,VirtualProtect,VirtualProtect,RtlCreateUserThread,NtClose, 18_2_00007FFF2F2C5CD0
Source: C:\Users\user\AppData\Local\4hM96ANL\systemreset.exe Code function: 18_2_00007FFF2F2CC4D0 CreateFileMappingW,VirtualAlloc,NtMapViewOfSection,NtUnmapViewOfSection,NtDuplicateObject,NtDuplicateObject, 18_2_00007FFF2F2CC4D0
Source: C:\Users\user\AppData\Local\4hM96ANL\systemreset.exe Code function: 18_2_00007FFF2F2CAA70 VirtualAlloc,NtDuplicateObject,RtlQueueApcWow64Thread, 18_2_00007FFF2F2CAA70
Source: C:\Users\user\AppData\Local\4hM96ANL\systemreset.exe Code function: 18_2_00007FFF2F2CBAE0 NtReadVirtualMemory, 18_2_00007FFF2F2CBAE0
Source: C:\Users\user\AppData\Local\YMJtPINjt\irftp.exe Code function: 21_2_00007FF6692785A0 RtlInitUnicodeString,NtCreateFile,SetWaitableTimer,socket,CancelIo,CloseHandle,NtDeviceIoControlFile,closesocket,CancelIo,CloseHandle,SetWaitableTimer,NtDeviceIoControlFile, 21_2_00007FF6692785A0
Source: C:\Users\user\AppData\Local\YMJtPINjt\irftp.exe Code function: 21_2_00007FF669278994 NtDeviceIoControlFile,WaitForSingleObject,memset,MultiByteToWideChar,lstrlenW,Sleep,memset, 21_2_00007FF669278994
Source: C:\Users\user\AppData\Local\YMJtPINjt\irftp.exe Code function: 21_2_00007FF669278900 PostMessageW,NtDeviceIoControlFile, 21_2_00007FF669278900
Source: C:\Users\user\AppData\Local\YMJtPINjt\irftp.exe Code function: 21_2_00007FF6692787B0 PostMessageW,NtDeviceIoControlFile,closesocket,CloseHandle,SetWaitableTimer, 21_2_00007FF6692787B0
Source: C:\Users\user\AppData\Local\YMJtPINjt\irftp.exe Code function: 21_2_00007FFF2E835F40 NtCreateSection,NtMapViewOfSection,NtUnmapViewOfSection,NtDuplicateObject,NtDuplicateObject, 21_2_00007FFF2E835F40
Source: C:\Users\user\AppData\Local\YMJtPINjt\irftp.exe Code function: 21_2_00007FFF2E857770 NtClose, 21_2_00007FFF2E857770
Source: C:\Users\user\AppData\Local\YMJtPINjt\irftp.exe Code function: 21_2_00007FFF2E845CD0 RtlAddVectoredContinueHandler,VirtualProtect,VirtualProtect,RtlCreateUserThread,NtClose, 21_2_00007FFF2E845CD0
Source: C:\Users\user\AppData\Local\YMJtPINjt\irftp.exe Code function: 21_2_00007FFF2E84C4D0 CreateFileMappingW,VirtualAlloc,NtMapViewOfSection,NtUnmapViewOfSection,NtDuplicateObject,NtDuplicateObject, 21_2_00007FFF2E84C4D0
Source: C:\Users\user\AppData\Local\YMJtPINjt\irftp.exe Code function: 21_2_00007FFF2E87D520 NtQuerySystemInformation,RtlAllocateHeap, 21_2_00007FFF2E87D520
Source: C:\Users\user\AppData\Local\YMJtPINjt\irftp.exe Code function: 21_2_00007FFF2E84BAE0 NtReadVirtualMemory, 21_2_00007FFF2E84BAE0
Source: C:\Users\user\AppData\Local\YMJtPINjt\irftp.exe Code function: 21_2_00007FFF2E84AA70 VirtualAlloc,NtDuplicateObject,RtlQueueApcWow64Thread, 21_2_00007FFF2E84AA70
Source: C:\Users\user\AppData\Local\V3ju9LunR\rdpinit.exe Code function: 32_2_00007FF7C6A29590 GetWindowThreadProcessId,CloseHandle,OpenProcess,QueryFullProcessImageNameW,NtQueryInformationProcess,CloseHandle, 32_2_00007FF7C6A29590
Source: C:\Users\user\AppData\Local\4hM96ANL\systemreset.exe Code function: 18_2_00007FF6C464A844: CreateFileW,GetProcessHeap,HeapAlloc,DeviceIoControl,GetLastError,GetProcessHeap,HeapFree,CloseHandle,GetProcessHeap,HeapFree,GetLastError,SetLastError, 18_2_00007FF6C464A844
Source: irftp.exe.6.dr Static PE information: Resource name: RT_VERSION type: COM executable for DOS
Source: RdpSaUacHelper.exe.6.dr Static PE information: Resource name: RT_VERSION type: COM executable for DOS
Source: Dxpserver.exe.6.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: Dxpserver.exe.6.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: Dxpserver.exe.6.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: FXSCOVER.exe.6.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: FXSCOVER.exe.6.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: FXSCOVER.exe.6.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: mmc.exe.6.dr Static PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
Source: mmc.exe.6.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: mmc.exe.6.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: mmc.exe.6.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: mmc.exe.6.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: mmc.exe.6.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: mmc.exe.6.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: irftp.exe.6.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: irftp.exe.6.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: irftp.exe.6.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: irftp.exe.6.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: irftp.exe.6.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: irftp.exe.6.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: irftp.exe.6.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: irftp.exe.6.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: irftp.exe.6.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: irftp.exe.6.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: slui.exe.6.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: slui.exe.6.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: slui.exe.6.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: slui.exe.6.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: slui.exe.6.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: slui.exe.6.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: slui.exe.6.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: slui.exe.6.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: slui.exe.6.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: mblctr.exe.6.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: mblctr.exe.6.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: mblctr.exe.6.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: mblctr.exe.6.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: mblctr.exe.6.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: mblctr.exe.6.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: mblctr.exe.6.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: mblctr.exe.6.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: mblctr.exe.6.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: mblctr.exe.6.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: mblctr.exe.6.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: mblctr.exe.6.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: mblctr.exe.6.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: mblctr.exe.6.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: mblctr.exe.6.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: mblctr.exe.6.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: mblctr.exe.6.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: mblctr.exe.6.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: mblctr.exe.6.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: mblctr.exe.6.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: mblctr.exe.6.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: mblctr.exe.6.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: mblctr.exe.6.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: mblctr.exe.6.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: mblctr.exe.6.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: mblctr.exe.6.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: mblctr.exe.6.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: mblctr.exe.6.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: mblctr.exe.6.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: mblctr.exe.6.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: C:\Windows\System32\loaddll64.exe Section loaded: kernel34.dll
Source: C:\Windows\System32\regsvr32.exe Section loaded: sfc.dll
Source: C:\Windows\System32\regsvr32.exe Section loaded: kernel34.dll
Source: C:\Windows\explorer.exe Section loaded: kernel34.dll
Source: C:\Windows\explorer.exe Section loaded: windows.globalization.dll
Source: C:\Windows\explorer.exe Section loaded: capabilityaccessmanagerclient.dll
Source: C:\Windows\explorer.exe Section loaded: kernel34.dll
Source: C:\Windows\explorer.exe Section loaded: kernel34.dll
Source: C:\Users\user\AppData\Local\4hM96ANL\systemreset.exe Section loaded: kernel34.dll
Source: C:\Users\user\AppData\Local\YMJtPINjt\irftp.exe Section loaded: kernel34.dll
Source: C:\Users\user\AppData\Local\ns1MY\slui.exe Section loaded: kernel34.dll
Source: C:\Users\user\AppData\Local\oNo29a9yW\mfpmp.exe Section loaded: kernel34.dll
Source: C:\Users\user\AppData\Local\V3ju9LunR\rdpinit.exe Section loaded: kernel34.dll
Source: C:\Users\user\AppData\Local\PVsO8HfRn\Dxpserver.exe Section loaded: kernel34.dll
Source: C:\Users\user\AppData\Local\qpscHm\FXSCOVER.exe Section loaded: kernel34.dll
Source: WTSAPI32.dll.6.dr Static PE information: Number of sections : 70 > 10
Source: mmcbase.DLL.6.dr Static PE information: Number of sections : 70 > 10
Source: MFPlat.DLL.6.dr Static PE information: Number of sections : 70 > 10
Source: ReAgent.dll.6.dr Static PE information: Number of sections : 70 > 10
Source: VERSION.dll.6.dr Static PE information: Number of sections : 70 > 10
Source: WTSAPI32.dll0.6.dr Static PE information: Number of sections : 70 > 10
Source: WINSTA.dll0.6.dr Static PE information: Number of sections : 70 > 10
Source: CJu1sWJfWk.dll Static PE information: Number of sections : 69 > 10
Source: WINSTA.dll.6.dr Static PE information: Number of sections : 70 > 10
Source: WINMM.dll.6.dr Static PE information: Number of sections : 70 > 10
Source: dwmapi.dll0.6.dr Static PE information: Number of sections : 70 > 10
Source: dwmapi.dll.6.dr Static PE information: Number of sections : 70 > 10
Source: MFC42u.dll.6.dr Static PE information: Number of sections : 70 > 10
Source: CJu1sWJfWk.dll Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: WINSTA.dll.6.dr Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: dwmapi.dll.6.dr Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: MFC42u.dll.6.dr Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: mmcbase.DLL.6.dr Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: ReAgent.dll.6.dr Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: WINMM.dll.6.dr Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: WTSAPI32.dll.6.dr Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: WINSTA.dll0.6.dr Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: dwmapi.dll0.6.dr Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: VERSION.dll.6.dr Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: WTSAPI32.dll0.6.dr Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: MFPlat.DLL.6.dr Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: CJu1sWJfWk.dll Virustotal: Detection: 76%
Source: CJu1sWJfWk.dll Metadefender: Detection: 62%
Source: CJu1sWJfWk.dll ReversingLabs: Detection: 88%
Source: CJu1sWJfWk.dll Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Windows\System32\loaddll64.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown Process created: C:\Windows\System32\loaddll64.exe loaddll64.exe "C:\Users\user\Desktop\CJu1sWJfWk.dll"
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\CJu1sWJfWk.dll",#1
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\regsvr32.exe regsvr32.exe /s C:\Users\user\Desktop\CJu1sWJfWk.dll
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\CJu1sWJfWk.dll",#1
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\CJu1sWJfWk.dll,BeginBufferedAnimation
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\CJu1sWJfWk.dll,BeginBufferedPaint
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\CJu1sWJfWk.dll,BeginPanningFeedback
Source: C:\Windows\explorer.exe Process created: C:\Windows\System32\systemreset.exe C:\Windows\system32\systemreset.exe
Source: C:\Windows\explorer.exe Process created: C:\Users\user\AppData\Local\4hM96ANL\systemreset.exe C:\Users\user\AppData\Local\4hM96ANL\systemreset.exe
Source: C:\Windows\explorer.exe Process created: C:\Windows\System32\irftp.exe C:\Windows\system32\irftp.exe
Source: C:\Windows\explorer.exe Process created: C:\Users\user\AppData\Local\YMJtPINjt\irftp.exe C:\Users\user\AppData\Local\YMJtPINjt\irftp.exe
Source: C:\Windows\explorer.exe Process created: C:\Windows\System32\slui.exe C:\Windows\system32\slui.exe
Source: C:\Windows\explorer.exe Process created: C:\Users\user\AppData\Local\ns1MY\slui.exe C:\Users\user\AppData\Local\ns1MY\slui.exe
Source: C:\Windows\explorer.exe Process created: C:\Windows\System32\mfpmp.exe C:\Windows\system32\mfpmp.exe
Source: C:\Windows\explorer.exe Process created: C:\Users\user\AppData\Local\oNo29a9yW\mfpmp.exe C:\Users\user\AppData\Local\oNo29a9yW\mfpmp.exe
Source: C:\Windows\explorer.exe Process created: C:\Windows\System32\rdpinit.exe C:\Windows\system32\rdpinit.exe
Source: C:\Windows\explorer.exe Process created: C:\Users\user\AppData\Local\V3ju9LunR\rdpinit.exe C:\Users\user\AppData\Local\V3ju9LunR\rdpinit.exe
Source: C:\Windows\explorer.exe Process created: C:\Windows\System32\Dxpserver.exe C:\Windows\system32\Dxpserver.exe
Source: C:\Windows\explorer.exe Process created: C:\Users\user\AppData\Local\PVsO8HfRn\Dxpserver.exe C:\Users\user\AppData\Local\PVsO8HfRn\Dxpserver.exe
Source: C:\Windows\explorer.exe Process created: C:\Windows\System32\FXSCOVER.exe C:\Windows\system32\FXSCOVER.exe
Source: C:\Windows\explorer.exe Process created: C:\Users\user\AppData\Local\qpscHm\FXSCOVER.exe C:\Users\user\AppData\Local\qpscHm\FXSCOVER.exe
Source: C:\Windows\explorer.exe Process created: C:\Windows\System32\mmc.exe C:\Windows\system32\mmc.exe
Source: C:\Windows\explorer.exe Process created: C:\Users\user\AppData\Local\iSZdEuUQU\mmc.exe C:\Users\user\AppData\Local\iSZdEuUQU\mmc.exe
Source: C:\Windows\explorer.exe Process created: C:\Windows\System32\RdpSaUacHelper.exe C:\Windows\system32\RdpSaUacHelper.exe
Source: C:\Windows\explorer.exe Process created: C:\Users\user\AppData\Local\KN4et9\RdpSaUacHelper.exe C:\Users\user\AppData\Local\KN4et9\RdpSaUacHelper.exe
Source: C:\Windows\explorer.exe Process created: C:\Windows\System32\mblctr.exe C:\Windows\system32\mblctr.exe
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\CJu1sWJfWk.dll",#1
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\regsvr32.exe regsvr32.exe /s C:\Users\user\Desktop\CJu1sWJfWk.dll
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\CJu1sWJfWk.dll,BeginBufferedAnimation
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\CJu1sWJfWk.dll,BeginBufferedPaint
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\CJu1sWJfWk.dll,BeginPanningFeedback
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\CJu1sWJfWk.dll",#1
Source: C:\Windows\explorer.exe Process created: C:\Windows\System32\systemreset.exe C:\Windows\system32\systemreset.exe
Source: C:\Windows\explorer.exe Process created: C:\Users\user\AppData\Local\4hM96ANL\systemreset.exe C:\Users\user\AppData\Local\4hM96ANL\systemreset.exe
Source: C:\Windows\explorer.exe Process created: C:\Windows\System32\irftp.exe C:\Windows\system32\irftp.exe
Source: C:\Windows\explorer.exe Process created: C:\Users\user\AppData\Local\YMJtPINjt\irftp.exe C:\Users\user\AppData\Local\YMJtPINjt\irftp.exe
Source: C:\Windows\explorer.exe Process created: C:\Windows\System32\slui.exe C:\Windows\system32\slui.exe
Source: C:\Windows\explorer.exe Process created: C:\Users\user\AppData\Local\ns1MY\slui.exe C:\Users\user\AppData\Local\ns1MY\slui.exe
Source: C:\Windows\explorer.exe Process created: C:\Windows\System32\mfpmp.exe C:\Windows\system32\mfpmp.exe
Source: C:\Windows\explorer.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\CJu1sWJfWk.dll,BeginPanningFeedback
Source: C:\Windows\explorer.exe Process created: C:\Windows\System32\rdpinit.exe C:\Windows\system32\rdpinit.exe
Source: C:\Windows\explorer.exe Process created: C:\Users\user\AppData\Local\V3ju9LunR\rdpinit.exe C:\Users\user\AppData\Local\V3ju9LunR\rdpinit.exe
Source: C:\Windows\explorer.exe Process created: C:\Windows\System32\Dxpserver.exe C:\Windows\system32\Dxpserver.exe
Source: C:\Windows\explorer.exe Process created: C:\Users\user\AppData\Local\PVsO8HfRn\Dxpserver.exe C:\Users\user\AppData\Local\PVsO8HfRn\Dxpserver.exe
Source: C:\Windows\explorer.exe Process created: C:\Windows\System32\FXSCOVER.exe C:\Windows\system32\FXSCOVER.exe
Source: C:\Windows\explorer.exe Process created: C:\Users\user\AppData\Local\qpscHm\FXSCOVER.exe C:\Users\user\AppData\Local\qpscHm\FXSCOVER.exe
Source: C:\Windows\explorer.exe Process created: C:\Windows\System32\mmc.exe C:\Windows\system32\mmc.exe
Source: C:\Windows\explorer.exe Process created: C:\Users\user\AppData\Local\iSZdEuUQU\mmc.exe C:\Users\user\AppData\Local\iSZdEuUQU\mmc.exe
Source: C:\Windows\explorer.exe Process created: C:\Windows\System32\RdpSaUacHelper.exe C:\Windows\system32\RdpSaUacHelper.exe
Source: C:\Windows\explorer.exe Process created: C:\Users\user\AppData\Local\KN4et9\RdpSaUacHelper.exe C:\Users\user\AppData\Local\KN4et9\RdpSaUacHelper.exe
Source: C:\Windows\explorer.exe Process created: C:\Windows\System32\mblctr.exe C:\Windows\system32\mblctr.exe
Source: C:\Windows\explorer.exe Process created: unknown unknown
Source: C:\Windows\explorer.exe Process created: unknown unknown
Source: C:\Windows\explorer.exe Process created: unknown unknown
Source: C:\Windows\explorer.exe Process created: unknown unknown
Source: C:\Windows\explorer.exe Process created: unknown unknown
Source: C:\Windows\explorer.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32
Source: C:\Users\user\AppData\Local\4hM96ANL\systemreset.exe Code function: 18_2_00007FF6C463F8C8 GetCurrentProcess,OpenProcessToken,GetLastError,LookupPrivilegeValueW,GetLastError,AdjustTokenPrivileges,GetLastError,GetLastError,CloseHandle, 18_2_00007FF6C463F8C8
Source: C:\Users\user\AppData\Local\4hM96ANL\systemreset.exe Code function: 18_2_00007FF6C4637324 RegOpenKeyExW,RegQueryValueExW,RegCloseKey,GetCurrentThread,OpenThreadToken,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,CloseHandle,InitiateSystemShutdownExW, 18_2_00007FF6C4637324
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Crypto
Source: classification engine Classification label: mal100.troj.evad.winDLL@56/25@0/0
Source: C:\Users\user\AppData\Local\4hM96ANL\systemreset.exe Code function: 18_2_00007FF6C4635820 CreateWaitableTimerW,GetLastError,SetWaitableTimer,GetLastError,CloseHandle,CreateThread,GetLastError,CreateThread,GetLastError,calloc,WaitForSingleObject,calloc,memmove_s,free,WaitForSingleObject,calloc,calloc,memmove_s,free,WaitForMultipleObjects,GetLastError,free,free,CloseHandle,CloseHandle,WaitForSingleObject,WaitForSingleObject,PostMessageW,CoCreateInstance,Sleep,CoCreateInstance,CreateEventW,ResetGetTelemetrySessionID,CLSIDFromString, 18_2_00007FF6C4635820
Source: C:\Users\user\AppData\Local\4hM96ANL\systemreset.exe Code function: 18_2_00007FF6C4633E00 GetSystemPowerStatus,free,free,free,free,_wgetenv,GetDiskFreeSpaceExW,CloseHandle,PostMessageW, 18_2_00007FF6C4633E00
Source: C:\Users\user\AppData\Local\4hM96ANL\systemreset.exe Code function: 18_2_00007FF6C4638320 memset,memset,memset,ResetGetDiskSpaceRequired,GetDiskFreeSpaceExW,GetLastError,?Create@DUIXmlParser@DirectUI@@SAJPEAPEAV12@P6APEAVValue@2@PEBGPEAX@Z2P6AX11H2@Z2@Z,?SetXMLFromResource@DUIXmlParser@DirectUI@@QEAAJIPEAUHINSTANCE__@@0@Z,?CreateElement@DUIXmlParser@DirectUI@@QEAAJPEBGPEAVElement@2@1PEAKPEAPEAV32@@Z,GetModuleHandleW,LoadStringW,_wgetenv,StrFormatByteSizeW,FormatMessageW,StrToID,?FindDescendent@Element@DirectUI@@QEAAPEAV12@G@Z,?CreateString@Value@DirectUI@@SAPEAV12@PEBGPEAUHINSTANCE__@@@Z,?ContentProp@Element@DirectUI@@SAPEBUPropertyInfo@2@XZ,?SetValue@Element@DirectUI@@QEAAJP6APEBUPropertyInfo@2@XZHPEAVValue@2@@Z,?Destroy@Element@DirectUI@@QEAAJ_N@Z,?Destroy@DUIXmlParser@DirectUI@@QEAAXXZ,?Destroy@DUIXmlParser@DirectUI@@QEAAXXZ, 18_2_00007FF6C4638320
Source: C:\Users\user\AppData\Local\4hM96ANL\systemreset.exe Code function: 18_2_00007FFF2F2CCB00 GetProcessId,CreateToolhelp32Snapshot,Thread32First, 18_2_00007FFF2F2CCB00
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\CJu1sWJfWk.dll",#1
Source: C:\Users\user\AppData\Local\qpscHm\FXSCOVER.exe Mutant created: \Sessions\1\BaseNamedObjects\{a0a95ec2-128c-802a-acf3-d732786d8f66}
Source: C:\Users\user\AppData\Local\qpscHm\FXSCOVER.exe Mutant created: \Sessions\1\BaseNamedObjects\{6e30b40e-d5e8-9f2f-55c5-05d9b4b52924}
Source: C:\Users\user\AppData\Local\4hM96ANL\systemreset.exe Code function: 18_2_00007FF6C463F15C FindResourceExW,LoadResource,LockResource,GetLastError,GetLastError,GetLastError, 18_2_00007FF6C463F15C
Source: rdpinit.exe String found in binary or memory: Re-Start RdpShell failed
Source: CJu1sWJfWk.dll Static PE information: Image base 0x140000000 > 0x60000000
Source: CJu1sWJfWk.dll Static file information: File size 1417216 > 1048576
Source: CJu1sWJfWk.dll Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA
Source: Binary string: slui.pdb source: slui.exe, 0000001C.00000000.576973852.00007FF6896DC000.00000002.00000001.01000000.0000000F.sdmp, slui.exe, 0000001C.00000002.602092427.00007FF6896DC000.00000002.00000001.01000000.0000000F.sdmp
Source: Binary string: FXSCOVER.pdb source: FXSCOVER.exe, 00000024.00000000.719410189.00007FF71BF22000.00000002.00000001.01000000.00000018.sdmp, FXSCOVER.exe, 00000024.00000002.744580898.00007FF71BF22000.00000002.00000001.01000000.00000018.sdmp
Source: Binary string: irftp.pdbGCTL source: irftp.exe, 00000015.00000002.571923555.00007FF669285000.00000002.00000001.01000000.0000000B.sdmp, irftp.exe, 00000015.00000000.532927512.00007FF669285000.00000002.00000001.01000000.0000000B.sdmp
Source: Binary string: MFPMP.pdb source: mfpmp.exe, 0000001E.00000002.641878378.00007FF7FF637000.00000002.00000001.01000000.00000011.sdmp, mfpmp.exe, 0000001E.00000000.618202747.00007FF7FF637000.00000002.00000001.01000000.00000011.sdmp
Source: Binary string: rdpinit.pdb source: rdpinit.exe, 00000020.00000000.647965981.00007FF7C6A3E000.00000002.00000001.01000000.00000014.sdmp, rdpinit.exe, 00000020.00000002.672090134.00007FF7C6A3E000.00000002.00000001.01000000.00000014.sdmp
Source: Binary string: rdpinit.pdbGCTL source: rdpinit.exe, 00000020.00000000.647965981.00007FF7C6A3E000.00000002.00000001.01000000.00000014.sdmp, rdpinit.exe, 00000020.00000002.672090134.00007FF7C6A3E000.00000002.00000001.01000000.00000014.sdmp
Source: Binary string: MFPMP.pdbUGP source: mfpmp.exe, 0000001E.00000002.641878378.00007FF7FF637000.00000002.00000001.01000000.00000011.sdmp, mfpmp.exe, 0000001E.00000000.618202747.00007FF7FF637000.00000002.00000001.01000000.00000011.sdmp
Source: Binary string: systemreset.pdb source: systemreset.exe, 00000012.00000002.527294557.00007FF6C4651000.00000002.00000001.01000000.00000009.sdmp, systemreset.exe, 00000012.00000000.501974007.00007FF6C4651000.00000002.00000001.01000000.00000009.sdmp
Source: Binary string: FXSCOVER.pdbGCTL source: FXSCOVER.exe, 00000024.00000000.719410189.00007FF71BF22000.00000002.00000001.01000000.00000018.sdmp, FXSCOVER.exe, 00000024.00000002.744580898.00007FF71BF22000.00000002.00000001.01000000.00000018.sdmp
Source: Binary string: DXPServer.pdbGCTL source: Dxpserver.exe, 00000022.00000000.677391115.00007FF73F041000.00000002.00000001.01000000.00000016.sdmp, Dxpserver.exe, 00000022.00000002.701873761.00007FF73F041000.00000002.00000001.01000000.00000016.sdmp
Source: Binary string: systemreset.pdbGCTL source: systemreset.exe, 00000012.00000002.527294557.00007FF6C4651000.00000002.00000001.01000000.00000009.sdmp, systemreset.exe, 00000012.00000000.501974007.00007FF6C4651000.00000002.00000001.01000000.00000009.sdmp
Source: Binary string: slui.pdbUGP source: slui.exe, 0000001C.00000000.576973852.00007FF6896DC000.00000002.00000001.01000000.0000000F.sdmp, slui.exe, 0000001C.00000002.602092427.00007FF6896DC000.00000002.00000001.01000000.0000000F.sdmp
Source: Binary string: DXPServer.pdb source: Dxpserver.exe, 00000022.00000000.677391115.00007FF73F041000.00000002.00000001.01000000.00000016.sdmp, Dxpserver.exe, 00000022.00000002.701873761.00007FF73F041000.00000002.00000001.01000000.00000016.sdmp
Source: Binary string: irftp.pdb source: irftp.exe, 00000015.00000002.571923555.00007FF669285000.00000002.00000001.01000000.0000000B.sdmp, irftp.exe, 00000015.00000000.532927512.00007FF669285000.00000002.00000001.01000000.0000000B.sdmp
Source: C:\Users\user\AppData\Local\4hM96ANL\systemreset.exe Code function: 18_2_00007FFF2F30D500 push rax; iretd 18_2_00007FFF2F30D501
Source: C:\Users\user\AppData\Local\YMJtPINjt\irftp.exe Code function: 21_2_00007FFF2E88D500 push rax; iretd 21_2_00007FFF2E88D501
Source: C:\Users\user\AppData\Local\V3ju9LunR\rdpinit.exe Code function: 32_2_00007FF7C6A14162 push rcx; ret 32_2_00007FF7C6A14163
Source: CJu1sWJfWk.dll Static PE information: section name: .vxl
Source: CJu1sWJfWk.dll Static PE information: section name: .qwubgr
Source: CJu1sWJfWk.dll Static PE information: section name: .eer
Source: CJu1sWJfWk.dll Static PE information: section name: .xwwauf
Source: CJu1sWJfWk.dll Static PE information: section name: .pkc
Source: CJu1sWJfWk.dll Static PE information: section name: .npkda
Source: CJu1sWJfWk.dll Static PE information: section name: .vhs
Source: CJu1sWJfWk.dll Static PE information: section name: .iaywj
Source: CJu1sWJfWk.dll Static PE information: section name: .nasi
Source: CJu1sWJfWk.dll Static PE information: section name: .zhvprh
Source: CJu1sWJfWk.dll Static PE information: section name: .yatdsp
Source: CJu1sWJfWk.dll Static PE information: section name: .njso
Source: CJu1sWJfWk.dll Static PE information: section name: .lgliat
Source: CJu1sWJfWk.dll Static PE information: section name: .ntqjh
Source: CJu1sWJfWk.dll Static PE information: section name: .sucsek
Source: CJu1sWJfWk.dll Static PE information: section name: .qsxjui
Source: CJu1sWJfWk.dll Static PE information: section name: .twctcm
Source: CJu1sWJfWk.dll Static PE information: section name: .nms
Source: CJu1sWJfWk.dll Static PE information: section name: .ogj
Source: CJu1sWJfWk.dll Static PE information: section name: .vrkgb
Source: CJu1sWJfWk.dll Static PE information: section name: .gikfw
Source: CJu1sWJfWk.dll Static PE information: section name: .ktl
Source: CJu1sWJfWk.dll Static PE information: section name: .crcn
Source: CJu1sWJfWk.dll Static PE information: section name: .wtfr
Source: CJu1sWJfWk.dll Static PE information: section name: .hep
Source: CJu1sWJfWk.dll Static PE information: section name: .ywg
Source: CJu1sWJfWk.dll Static PE information: section name: .sqsp
Source: CJu1sWJfWk.dll Static PE information: section name: .gzb
Source: CJu1sWJfWk.dll Static PE information: section name: .fatlss
Source: CJu1sWJfWk.dll Static PE information: section name: .plqa
Source: CJu1sWJfWk.dll Static PE information: section name: .vzt
Source: CJu1sWJfWk.dll Static PE information: section name: .dsbyd
Source: CJu1sWJfWk.dll Static PE information: section name: .cdelc
Source: CJu1sWJfWk.dll Static PE information: section name: .qkhkj
Source: CJu1sWJfWk.dll Static PE information: section name: .mnzegr
Source: CJu1sWJfWk.dll Static PE information: section name: .krw
Source: CJu1sWJfWk.dll Static PE information: section name: .jvsmn
Source: CJu1sWJfWk.dll Static PE information: section name: .bygpq
Source: CJu1sWJfWk.dll Static PE information: section name: .kzdbu
Source: CJu1sWJfWk.dll Static PE information: section name: .mwxorn
Source: CJu1sWJfWk.dll Static PE information: section name: .raf
Source: CJu1sWJfWk.dll Static PE information: section name: .zcyw
Source: CJu1sWJfWk.dll Static PE information: section name: .zeczh
Source: CJu1sWJfWk.dll Static PE information: section name: .pvv
Source: CJu1sWJfWk.dll Static PE information: section name: .lug
Source: CJu1sWJfWk.dll Static PE information: section name: .ski
Source: CJu1sWJfWk.dll Static PE information: section name: .japjd
Source: CJu1sWJfWk.dll Static PE information: section name: .mwtzml
Source: CJu1sWJfWk.dll Static PE information: section name: .vgssf
Source: CJu1sWJfWk.dll Static PE information: section name: .gsroye
Source: CJu1sWJfWk.dll Static PE information: section name: .vcmr
Source: CJu1sWJfWk.dll Static PE information: section name: .kvjqnl
Source: CJu1sWJfWk.dll Static PE information: section name: .zlu
Source: CJu1sWJfWk.dll Static PE information: section name: .nrcvk
Source: CJu1sWJfWk.dll Static PE information: section name: .pfz
Source: CJu1sWJfWk.dll Static PE information: section name: .hxz
Source: CJu1sWJfWk.dll Static PE information: section name: .snjrs
Source: CJu1sWJfWk.dll Static PE information: section name: .bffts
Source: CJu1sWJfWk.dll Static PE information: section name: .gknvh
Source: CJu1sWJfWk.dll Static PE information: section name: .cuekj
Source: CJu1sWJfWk.dll Static PE information: section name: .eiz
Source: CJu1sWJfWk.dll Static PE information: section name: .kpdizv
Source: CJu1sWJfWk.dll Static PE information: section name: .els
Source: rdpinit.exe.6.dr Static PE information: section name: .imrsiv
Source: mmc.exe.6.dr Static PE information: section name: .didat
Source: systemreset.exe.6.dr Static PE information: section name: .imrsiv
Source: rdpinit.exe0.6.dr Static PE information: section name: .imrsiv
Source: mfpmp.exe.6.dr Static PE information: section name: .didat
Source: WINSTA.dll.6.dr Static PE information: section name: .vxl
Source: WINSTA.dll.6.dr Static PE information: section name: .qwubgr
Source: WINSTA.dll.6.dr Static PE information: section name: .eer
Source: WINSTA.dll.6.dr Static PE information: section name: .xwwauf
Source: WINSTA.dll.6.dr Static PE information: section name: .pkc
Source: WINSTA.dll.6.dr Static PE information: section name: .npkda
Source: WINSTA.dll.6.dr Static PE information: section name: .vhs
Source: WINSTA.dll.6.dr Static PE information: section name: .iaywj
Source: WINSTA.dll.6.dr Static PE information: section name: .nasi
Source: WINSTA.dll.6.dr Static PE information: section name: .zhvprh
Source: WINSTA.dll.6.dr Static PE information: section name: .yatdsp
Source: WINSTA.dll.6.dr Static PE information: section name: .njso
Source: WINSTA.dll.6.dr Static PE information: section name: .lgliat
Source: WINSTA.dll.6.dr Static PE information: section name: .ntqjh
Source: WINSTA.dll.6.dr Static PE information: section name: .sucsek
Source: WINSTA.dll.6.dr Static PE information: section name: .qsxjui
Source: WINSTA.dll.6.dr Static PE information: section name: .twctcm
Source: WINSTA.dll.6.dr Static PE information: section name: .nms
Source: WINSTA.dll.6.dr Static PE information: section name: .ogj
Source: WINSTA.dll.6.dr Static PE information: section name: .vrkgb
Source: WINSTA.dll.6.dr Static PE information: section name: .gikfw
Source: WINSTA.dll.6.dr Static PE information: section name: .ktl
Source: WINSTA.dll.6.dr Static PE information: section name: .crcn
Source: WINSTA.dll.6.dr Static PE information: section name: .wtfr
Source: WINSTA.dll.6.dr Static PE information: section name: .hep
Source: WINSTA.dll.6.dr Static PE information: section name: .ywg
Source: WINSTA.dll.6.dr Static PE information: section name: .sqsp
Source: WINSTA.dll.6.dr Static PE information: section name: .gzb
Source: WINSTA.dll.6.dr Static PE information: section name: .fatlss
Source: WINSTA.dll.6.dr Static PE information: section name: .plqa
Source: WINSTA.dll.6.dr Static PE information: section name: .vzt
Source: WINSTA.dll.6.dr Static PE information: section name: .dsbyd
Source: WINSTA.dll.6.dr Static PE information: section name: .cdelc
Source: WINSTA.dll.6.dr Static PE information: section name: .qkhkj
Source: WINSTA.dll.6.dr Static PE information: section name: .mnzegr
Source: WINSTA.dll.6.dr Static PE information: section name: .krw
Source: WINSTA.dll.6.dr Static PE information: section name: .jvsmn
Source: WINSTA.dll.6.dr Static PE information: section name: .bygpq
Source: WINSTA.dll.6.dr Static PE information: section name: .kzdbu
Source: WINSTA.dll.6.dr Static PE information: section name: .mwxorn
Source: WINSTA.dll.6.dr Static PE information: section name: .raf
Source: WINSTA.dll.6.dr Static PE information: section name: .zcyw
Source: WINSTA.dll.6.dr Static PE information: section name: .zeczh
Source: WINSTA.dll.6.dr Static PE information: section name: .pvv
Source: WINSTA.dll.6.dr Static PE information: section name: .lug
Source: WINSTA.dll.6.dr Static PE information: section name: .ski
Source: WINSTA.dll.6.dr Static PE information: section name: .japjd
Source: WINSTA.dll.6.dr Static PE information: section name: .mwtzml
Source: WINSTA.dll.6.dr Static PE information: section name: .vgssf
Source: WINSTA.dll.6.dr Static PE information: section name: .gsroye
Source: WINSTA.dll.6.dr Static PE information: section name: .vcmr
Source: WINSTA.dll.6.dr Static PE information: section name: .kvjqnl
Source: WINSTA.dll.6.dr Static PE information: section name: .zlu
Source: WINSTA.dll.6.dr Static PE information: section name: .nrcvk
Source: WINSTA.dll.6.dr Static PE information: section name: .pfz
Source: WINSTA.dll.6.dr Static PE information: section name: .hxz
Source: WINSTA.dll.6.dr Static PE information: section name: .snjrs
Source: WINSTA.dll.6.dr Static PE information: section name: .bffts
Source: WINSTA.dll.6.dr Static PE information: section name: .gknvh
Source: WINSTA.dll.6.dr Static PE information: section name: .cuekj
Source: WINSTA.dll.6.dr Static PE information: section name: .eiz
Source: WINSTA.dll.6.dr Static PE information: section name: .kpdizv
Source: WINSTA.dll.6.dr Static PE information: section name: .els
Source: WINSTA.dll.6.dr Static PE information: section name: .cjqpn
Source: dwmapi.dll.6.dr Static PE information: section name: .vxl
Source: dwmapi.dll.6.dr Static PE information: section name: .qwubgr
Source: dwmapi.dll.6.dr Static PE information: section name: .eer
Source: dwmapi.dll.6.dr Static PE information: section name: .xwwauf
Source: dwmapi.dll.6.dr Static PE information: section name: .pkc
Source: dwmapi.dll.6.dr Static PE information: section name: .npkda
Source: dwmapi.dll.6.dr Static PE information: section name: .vhs
Source: dwmapi.dll.6.dr Static PE information: section name: .iaywj
Source: dwmapi.dll.6.dr Static PE information: section name: .nasi
Source: dwmapi.dll.6.dr Static PE information: section name: .zhvprh
Source: dwmapi.dll.6.dr Static PE information: section name: .yatdsp
Source: dwmapi.dll.6.dr Static PE information: section name: .njso
Source: dwmapi.dll.6.dr Static PE information: section name: .lgliat
Source: dwmapi.dll.6.dr Static PE information: section name: .ntqjh
Source: dwmapi.dll.6.dr Static PE information: section name: .sucsek
Source: dwmapi.dll.6.dr Static PE information: section name: .qsxjui
Source: dwmapi.dll.6.dr Static PE information: section name: .twctcm
Source: dwmapi.dll.6.dr Static PE information: section name: .nms
Source: dwmapi.dll.6.dr Static PE information: section name: .ogj
Source: dwmapi.dll.6.dr Static PE information: section name: .vrkgb
Source: dwmapi.dll.6.dr Static PE information: section name: .gikfw
Source: dwmapi.dll.6.dr Static PE information: section name: .ktl
Source: dwmapi.dll.6.dr Static PE information: section name: .crcn
Source: dwmapi.dll.6.dr Static PE information: section name: .wtfr
Source: dwmapi.dll.6.dr Static PE information: section name: .hep
Source: dwmapi.dll.6.dr Static PE information: section name: .ywg
Source: dwmapi.dll.6.dr Static PE information: section name: .sqsp
Source: dwmapi.dll.6.dr Static PE information: section name: .gzb
Source: dwmapi.dll.6.dr Static PE information: section name: .fatlss
Source: dwmapi.dll.6.dr Static PE information: section name: .plqa
Source: dwmapi.dll.6.dr Static PE information: section name: .vzt
Source: dwmapi.dll.6.dr Static PE information: section name: .dsbyd
Source: dwmapi.dll.6.dr Static PE information: section name: .cdelc
Source: dwmapi.dll.6.dr Static PE information: section name: .qkhkj
Source: dwmapi.dll.6.dr Static PE information: section name: .mnzegr
Source: dwmapi.dll.6.dr Static PE information: section name: .krw
Source: dwmapi.dll.6.dr Static PE information: section name: .jvsmn
Source: dwmapi.dll.6.dr Static PE information: section name: .bygpq
Source: dwmapi.dll.6.dr Static PE information: section name: .kzdbu
Source: dwmapi.dll.6.dr Static PE information: section name: .mwxorn
Source: dwmapi.dll.6.dr Static PE information: section name: .raf
Source: dwmapi.dll.6.dr Static PE information: section name: .zcyw
Source: dwmapi.dll.6.dr Static PE information: section name: .zeczh
Source: dwmapi.dll.6.dr Static PE information: section name: .pvv
Source: dwmapi.dll.6.dr Static PE information: section name: .lug
Source: dwmapi.dll.6.dr Static PE information: section name: .ski
Source: dwmapi.dll.6.dr Static PE information: section name: .japjd
Source: dwmapi.dll.6.dr Static PE information: section name: .mwtzml
Source: dwmapi.dll.6.dr Static PE information: section name: .vgssf
Source: dwmapi.dll.6.dr Static PE information: section name: .gsroye
Source: dwmapi.dll.6.dr Static PE information: section name: .vcmr
Source: dwmapi.dll.6.dr Static PE information: section name: .kvjqnl
Source: dwmapi.dll.6.dr Static PE information: section name: .zlu
Source: dwmapi.dll.6.dr Static PE information: section name: .nrcvk
Source: dwmapi.dll.6.dr Static PE information: section name: .pfz
Source: dwmapi.dll.6.dr Static PE information: section name: .hxz
Source: dwmapi.dll.6.dr Static PE information: section name: .snjrs
Source: dwmapi.dll.6.dr Static PE information: section name: .bffts
Source: dwmapi.dll.6.dr Static PE information: section name: .gknvh
Source: dwmapi.dll.6.dr Static PE information: section name: .cuekj
Source: dwmapi.dll.6.dr Static PE information: section name: .eiz
Source: dwmapi.dll.6.dr Static PE information: section name: .kpdizv
Source: dwmapi.dll.6.dr Static PE information: section name: .els
Source: dwmapi.dll.6.dr Static PE information: section name: .xwkpd
Source: MFC42u.dll.6.dr Static PE information: section name: .vxl
Source: MFC42u.dll.6.dr Static PE information: section name: .qwubgr
Source: MFC42u.dll.6.dr Static PE information: section name: .eer
Source: MFC42u.dll.6.dr Static PE information: section name: .xwwauf
Source: MFC42u.dll.6.dr Static PE information: section name: .pkc
Source: MFC42u.dll.6.dr Static PE information: section name: .npkda
Source: MFC42u.dll.6.dr Static PE information: section name: .vhs
Source: MFC42u.dll.6.dr Static PE information: section name: .iaywj
Source: MFC42u.dll.6.dr Static PE information: section name: .nasi
Source: MFC42u.dll.6.dr Static PE information: section name: .zhvprh
Source: MFC42u.dll.6.dr Static PE information: section name: .yatdsp
Source: MFC42u.dll.6.dr Static PE information: section name: .njso
Source: MFC42u.dll.6.dr Static PE information: section name: .lgliat
Source: MFC42u.dll.6.dr Static PE information: section name: .ntqjh
Source: MFC42u.dll.6.dr Static PE information: section name: .sucsek
Source: MFC42u.dll.6.dr Static PE information: section name: .qsxjui
Source: MFC42u.dll.6.dr Static PE information: section name: .twctcm
Source: MFC42u.dll.6.dr Static PE information: section name: .nms
Source: MFC42u.dll.6.dr Static PE information: section name: .ogj
Source: MFC42u.dll.6.dr Static PE information: section name: .vrkgb
Source: MFC42u.dll.6.dr Static PE information: section name: .gikfw
Source: MFC42u.dll.6.dr Static PE information: section name: .ktl
Source: MFC42u.dll.6.dr Static PE information: section name: .crcn
Source: MFC42u.dll.6.dr Static PE information: section name: .wtfr
Source: MFC42u.dll.6.dr Static PE information: section name: .hep
Source: MFC42u.dll.6.dr Static PE information: section name: .ywg
Source: MFC42u.dll.6.dr Static PE information: section name: .sqsp
Source: MFC42u.dll.6.dr Static PE information: section name: .gzb
Source: MFC42u.dll.6.dr Static PE information: section name: .fatlss
Source: MFC42u.dll.6.dr Static PE information: section name: .plqa
Source: MFC42u.dll.6.dr Static PE information: section name: .vzt
Source: MFC42u.dll.6.dr Static PE information: section name: .dsbyd
Source: MFC42u.dll.6.dr Static PE information: section name: .cdelc
Source: MFC42u.dll.6.dr Static PE information: section name: .qkhkj
Source: MFC42u.dll.6.dr Static PE information: section name: .mnzegr
Source: MFC42u.dll.6.dr Static PE information: section name: .krw
Source: MFC42u.dll.6.dr Static PE information: section name: .jvsmn
Source: MFC42u.dll.6.dr Static PE information: section name: .bygpq
Source: MFC42u.dll.6.dr Static PE information: section name: .kzdbu
Source: MFC42u.dll.6.dr Static PE information: section name: .mwxorn
Source: MFC42u.dll.6.dr Static PE information: section name: .raf
Source: MFC42u.dll.6.dr Static PE information: section name: .zcyw
Source: MFC42u.dll.6.dr Static PE information: section name: .zeczh
Source: MFC42u.dll.6.dr Static PE information: section name: .pvv
Source: MFC42u.dll.6.dr Static PE information: section name: .lug
Source: MFC42u.dll.6.dr Static PE information: section name: .ski
Source: MFC42u.dll.6.dr Static PE information: section name: .japjd
Source: MFC42u.dll.6.dr Static PE information: section name: .mwtzml
Source: MFC42u.dll.6.dr Static PE information: section name: .vgssf
Source: MFC42u.dll.6.dr Static PE information: section name: .gsroye
Source: MFC42u.dll.6.dr Static PE information: section name: .vcmr
Source: MFC42u.dll.6.dr Static PE information: section name: .kvjqnl
Source: MFC42u.dll.6.dr Static PE information: section name: .zlu
Source: MFC42u.dll.6.dr Static PE information: section name: .nrcvk
Source: MFC42u.dll.6.dr Static PE information: section name: .pfz
Source: MFC42u.dll.6.dr Static PE information: section name: .hxz
Source: MFC42u.dll.6.dr Static PE information: section name: .snjrs
Source: MFC42u.dll.6.dr Static PE information: section name: .bffts
Source: MFC42u.dll.6.dr Static PE information: section name: .gknvh
Source: MFC42u.dll.6.dr Static PE information: section name: .cuekj
Source: MFC42u.dll.6.dr Static PE information: section name: .eiz
Source: MFC42u.dll.6.dr Static PE information: section name: .kpdizv
Source: MFC42u.dll.6.dr Static PE information: section name: .els
Source: MFC42u.dll.6.dr Static PE information: section name: .blmpn
Source: mmcbase.DLL.6.dr Static PE information: section name: .vxl
Source: mmcbase.DLL.6.dr Static PE information: section name: .qwubgr
Source: mmcbase.DLL.6.dr Static PE information: section name: .eer
Source: mmcbase.DLL.6.dr Static PE information: section name: .xwwauf
Source: mmcbase.DLL.6.dr Static PE information: section name: .pkc
Source: mmcbase.DLL.6.dr Static PE information: section name: .npkda
Source: mmcbase.DLL.6.dr Static PE information: section name: .vhs
Source: mmcbase.DLL.6.dr Static PE information: section name: .iaywj
Source: mmcbase.DLL.6.dr Static PE information: section name: .nasi
Source: mmcbase.DLL.6.dr Static PE information: section name: .zhvprh
Source: mmcbase.DLL.6.dr Static PE information: section name: .yatdsp
Source: mmcbase.DLL.6.dr Static PE information: section name: .njso
Source: mmcbase.DLL.6.dr Static PE information: section name: .lgliat
Source: mmcbase.DLL.6.dr Static PE information: section name: .ntqjh
Source: mmcbase.DLL.6.dr Static PE information: section name: .sucsek
Source: mmcbase.DLL.6.dr Static PE information: section name: .qsxjui
Source: mmcbase.DLL.6.dr Static PE information: section name: .twctcm
Source: mmcbase.DLL.6.dr Static PE information: section name: .nms
Source: mmcbase.DLL.6.dr Static PE information: section name: .ogj
Source: mmcbase.DLL.6.dr Static PE information: section name: .vrkgb
Source: mmcbase.DLL.6.dr Static PE information: section name: .gikfw
Source: mmcbase.DLL.6.dr Static PE information: section name: .ktl
Source: mmcbase.DLL.6.dr Static PE information: section name: .crcn
Source: mmcbase.DLL.6.dr Static PE information: section name: .wtfr
Source: mmcbase.DLL.6.dr Static PE information: section name: .hep
Source: mmcbase.DLL.6.dr Static PE information: section name: .ywg
Source: mmcbase.DLL.6.dr Static PE information: section name: .sqsp
Source: mmcbase.DLL.6.dr Static PE information: section name: .gzb
Source: mmcbase.DLL.6.dr Static PE information: section name: .fatlss
Source: mmcbase.DLL.6.dr Static PE information: section name: .plqa
Source: mmcbase.DLL.6.dr Static PE information: section name: .vzt
Source: mmcbase.DLL.6.dr Static PE information: section name: .dsbyd
Source: mmcbase.DLL.6.dr Static PE information: section name: .cdelc
Source: mmcbase.DLL.6.dr Static PE information: section name: .qkhkj
Source: mmcbase.DLL.6.dr Static PE information: section name: .mnzegr
Source: mmcbase.DLL.6.dr Static PE information: section name: .krw
Source: mmcbase.DLL.6.dr Static PE information: section name: .jvsmn
Source: mmcbase.DLL.6.dr Static PE information: section name: .bygpq
Source: mmcbase.DLL.6.dr Static PE information: section name: .kzdbu
Source: mmcbase.DLL.6.dr Static PE information: section name: .mwxorn
Source: mmcbase.DLL.6.dr Static PE information: section name: .raf
Source: mmcbase.DLL.6.dr Static PE information: section name: .zcyw
Source: mmcbase.DLL.6.dr Static PE information: section name: .zeczh
Source: mmcbase.DLL.6.dr Static PE information: section name: .pvv
Source: mmcbase.DLL.6.dr Static PE information: section name: .lug
Source: mmcbase.DLL.6.dr Static PE information: section name: .ski
Source: mmcbase.DLL.6.dr Static PE information: section name: .japjd
Source: mmcbase.DLL.6.dr Static PE information: section name: .mwtzml
Source: mmcbase.DLL.6.dr Static PE information: section name: .vgssf
Source: mmcbase.DLL.6.dr Static PE information: section name: .gsroye
Source: mmcbase.DLL.6.dr Static PE information: section name: .vcmr
Source: mmcbase.DLL.6.dr Static PE information: section name: .kvjqnl
Source: mmcbase.DLL.6.dr Static PE information: section name: .zlu
Source: mmcbase.DLL.6.dr Static PE information: section name: .nrcvk
Source: mmcbase.DLL.6.dr Static PE information: section name: .pfz
Source: mmcbase.DLL.6.dr Static PE information: section name: .hxz
Source: mmcbase.DLL.6.dr Static PE information: section name: .snjrs
Source: mmcbase.DLL.6.dr Static PE information: section name: .bffts
Source: mmcbase.DLL.6.dr Static PE information: section name: .gknvh
Source: mmcbase.DLL.6.dr Static PE information: section name: .cuekj
Source: mmcbase.DLL.6.dr Static PE information: section name: .eiz
Source: mmcbase.DLL.6.dr Static PE information: section name: .kpdizv
Source: mmcbase.DLL.6.dr Static PE information: section name: .els
Source: mmcbase.DLL.6.dr Static PE information: section name: .giogzh
Source: ReAgent.dll.6.dr Static PE information: section name: .vxl
Source: ReAgent.dll.6.dr Static PE information: section name: .qwubgr
Source: ReAgent.dll.6.dr Static PE information: section name: .eer
Source: ReAgent.dll.6.dr Static PE information: section name: .xwwauf
Source: ReAgent.dll.6.dr Static PE information: section name: .pkc
Source: ReAgent.dll.6.dr Static PE information: section name: .npkda
Source: ReAgent.dll.6.dr Static PE information: section name: .vhs
Source: ReAgent.dll.6.dr Static PE information: section name: .iaywj
Source: ReAgent.dll.6.dr Static PE information: section name: .nasi
Source: ReAgent.dll.6.dr Static PE information: section name: .zhvprh
Source: ReAgent.dll.6.dr Static PE information: section name: .yatdsp
Source: ReAgent.dll.6.dr Static PE information: section name: .njso
Source: ReAgent.dll.6.dr Static PE information: section name: .lgliat
Source: ReAgent.dll.6.dr Static PE information: section name: .ntqjh
Source: ReAgent.dll.6.dr Static PE information: section name: .sucsek
Source: ReAgent.dll.6.dr Static PE information: section name: .qsxjui
Source: ReAgent.dll.6.dr Static PE information: section name: .twctcm
Source: ReAgent.dll.6.dr Static PE information: section name: .nms
Source: ReAgent.dll.6.dr Static PE information: section name: .ogj
Source: ReAgent.dll.6.dr Static PE information: section name: .vrkgb
Source: ReAgent.dll.6.dr Static PE information: section name: .gikfw
Source: ReAgent.dll.6.dr Static PE information: section name: .ktl
Source: ReAgent.dll.6.dr Static PE information: section name: .crcn
Source: ReAgent.dll.6.dr Static PE information: section name: .wtfr
Source: ReAgent.dll.6.dr Static PE information: section name: .hep
Source: ReAgent.dll.6.dr Static PE information: section name: .ywg
Source: ReAgent.dll.6.dr Static PE information: section name: .sqsp
Source: ReAgent.dll.6.dr Static PE information: section name: .gzb
Source: ReAgent.dll.6.dr Static PE information: section name: .fatlss
Source: ReAgent.dll.6.dr Static PE information: section name: .plqa
Source: ReAgent.dll.6.dr Static PE information: section name: .vzt
Source: ReAgent.dll.6.dr Static PE information: section name: .dsbyd
Source: ReAgent.dll.6.dr Static PE information: section name: .cdelc
Source: ReAgent.dll.6.dr Static PE information: section name: .qkhkj
Source: ReAgent.dll.6.dr Static PE information: section name: .mnzegr
Source: ReAgent.dll.6.dr Static PE information: section name: .krw
Source: ReAgent.dll.6.dr Static PE information: section name: .jvsmn
Source: ReAgent.dll.6.dr Static PE information: section name: .bygpq
Source: ReAgent.dll.6.dr Static PE information: section name: .kzdbu
Source: ReAgent.dll.6.dr Static PE information: section name: .mwxorn
Source: ReAgent.dll.6.dr Static PE information: section name: .raf
Source: ReAgent.dll.6.dr Static PE information: section name: .zcyw
Source: ReAgent.dll.6.dr Static PE information: section name: .zeczh
Source: ReAgent.dll.6.dr Static PE information: section name: .pvv
Source: ReAgent.dll.6.dr Static PE information: section name: .lug
Source: ReAgent.dll.6.dr Static PE information: section name: .ski
Source: ReAgent.dll.6.dr Static PE information: section name: .japjd
Source: ReAgent.dll.6.dr Static PE information: section name: .mwtzml
Source: ReAgent.dll.6.dr Static PE information: section name: .vgssf
Source: ReAgent.dll.6.dr Static PE information: section name: .gsroye
Source: ReAgent.dll.6.dr Static PE information: section name: .vcmr
Source: ReAgent.dll.6.dr Static PE information: section name: .kvjqnl
Source: ReAgent.dll.6.dr Static PE information: section name: .zlu
Source: ReAgent.dll.6.dr Static PE information: section name: .nrcvk
Source: ReAgent.dll.6.dr Static PE information: section name: .pfz
Source: ReAgent.dll.6.dr Static PE information: section name: .hxz
Source: ReAgent.dll.6.dr Static PE information: section name: .snjrs
Source: ReAgent.dll.6.dr Static PE information: section name: .bffts
Source: ReAgent.dll.6.dr Static PE information: section name: .gknvh
Source: ReAgent.dll.6.dr Static PE information: section name: .cuekj
Source: ReAgent.dll.6.dr Static PE information: section name: .eiz
Source: ReAgent.dll.6.dr Static PE information: section name: .kpdizv
Source: ReAgent.dll.6.dr Static PE information: section name: .els
Source: ReAgent.dll.6.dr Static PE information: section name: .gieizi
Source: WINMM.dll.6.dr Static PE information: section name: .vxl
Source: WINMM.dll.6.dr Static PE information: section name: .qwubgr
Source: WINMM.dll.6.dr Static PE information: section name: .eer
Source: WINMM.dll.6.dr Static PE information: section name: .xwwauf
Source: WINMM.dll.6.dr Static PE information: section name: .pkc
Source: WINMM.dll.6.dr Static PE information: section name: .npkda
Source: WINMM.dll.6.dr Static PE information: section name: .vhs
Source: WINMM.dll.6.dr Static PE information: section name: .iaywj
Source: WINMM.dll.6.dr Static PE information: section name: .nasi
Source: WINMM.dll.6.dr Static PE information: section name: .zhvprh
Source: WINMM.dll.6.dr Static PE information: section name: .yatdsp
Source: WINMM.dll.6.dr Static PE information: section name: .njso
Source: WINMM.dll.6.dr Static PE information: section name: .lgliat
Source: WINMM.dll.6.dr Static PE information: section name: .ntqjh
Source: WINMM.dll.6.dr Static PE information: section name: .sucsek
Source: WINMM.dll.6.dr Static PE information: section name: .qsxjui
Source: WINMM.dll.6.dr Static PE information: section name: .twctcm
Source: WINMM.dll.6.dr Static PE information: section name: .nms
Source: WINMM.dll.6.dr Static PE information: section name: .ogj
Source: WINMM.dll.6.dr Static PE information: section name: .vrkgb
Source: WINMM.dll.6.dr Static PE information: section name: .gikfw
Source: WINMM.dll.6.dr Static PE information: section name: .ktl
Source: WINMM.dll.6.dr Static PE information: section name: .crcn
Source: WINMM.dll.6.dr Static PE information: section name: .wtfr
Source: WINMM.dll.6.dr Static PE information: section name: .hep
Source: WINMM.dll.6.dr Static PE information: section name: .ywg
Source: WINMM.dll.6.dr Static PE information: section name: .sqsp
Source: WINMM.dll.6.dr Static PE information: section name: .gzb
Source: WINMM.dll.6.dr Static PE information: section name: .fatlss
Source: WINMM.dll.6.dr Static PE information: section name: .plqa
Source: WINMM.dll.6.dr Static PE information: section name: .vzt
Source: WINMM.dll.6.dr Static PE information: section name: .dsbyd
Source: WINMM.dll.6.dr Static PE information: section name: .cdelc
Source: WINMM.dll.6.dr Static PE information: section name: .qkhkj
Source: WINMM.dll.6.dr Static PE information: section name: .mnzegr
Source: WINMM.dll.6.dr Static PE information: section name: .krw
Source: WINMM.dll.6.dr Static PE information: section name: .jvsmn
Source: WINMM.dll.6.dr Static PE information: section name: .bygpq
Source: WINMM.dll.6.dr Static PE information: section name: .kzdbu
Source: WINMM.dll.6.dr Static PE information: section name: .mwxorn
Source: WINMM.dll.6.dr Static PE information: section name: .raf
Source: WINMM.dll.6.dr Static PE information: section name: .zcyw
Source: WINMM.dll.6.dr Static PE information: section name: .zeczh
Source: WINMM.dll.6.dr Static PE information: section name: .pvv
Source: WINMM.dll.6.dr Static PE information: section name: .lug
Source: WINMM.dll.6.dr Static PE information: section name: .ski
Source: WINMM.dll.6.dr Static PE information: section name: .japjd
Source: WINMM.dll.6.dr Static PE information: section name: .mwtzml
Source: WINMM.dll.6.dr Static PE information: section name: .vgssf
Source: WINMM.dll.6.dr Static PE information: section name: .gsroye
Source: WINMM.dll.6.dr Static PE information: section name: .vcmr
Source: WINMM.dll.6.dr Static PE information: section name: .kvjqnl
Source: WINMM.dll.6.dr Static PE information: section name: .zlu
Source: WINMM.dll.6.dr Static PE information: section name: .nrcvk
Source: WINMM.dll.6.dr Static PE information: section name: .pfz
Source: WINMM.dll.6.dr Static PE information: section name: .hxz
Source: WINMM.dll.6.dr Static PE information: section name: .snjrs
Source: WINMM.dll.6.dr Static PE information: section name: .bffts
Source: WINMM.dll.6.dr Static PE information: section name: .gknvh
Source: WINMM.dll.6.dr Static PE information: section name: .cuekj
Source: WINMM.dll.6.dr Static PE information: section name: .eiz
Source: WINMM.dll.6.dr Static PE information: section name: .kpdizv
Source: WINMM.dll.6.dr Static PE information: section name: .els
Source: WINMM.dll.6.dr Static PE information: section name: .guxrp
Source: WTSAPI32.dll.6.dr Static PE information: section name: .vxl
Source: WTSAPI32.dll.6.dr Static PE information: section name: .qwubgr
Source: WTSAPI32.dll.6.dr Static PE information: section name: .eer
Source: WTSAPI32.dll.6.dr Static PE information: section name: .xwwauf
Source: WTSAPI32.dll.6.dr Static PE information: section name: .pkc
Source: WTSAPI32.dll.6.dr Static PE information: section name: .npkda
Source: WTSAPI32.dll.6.dr Static PE information: section name: .vhs
Source: WTSAPI32.dll.6.dr Static PE information: section name: .iaywj
Source: WTSAPI32.dll.6.dr Static PE information: section name: .nasi
Source: WTSAPI32.dll.6.dr Static PE information: section name: .zhvprh
Source: WTSAPI32.dll.6.dr Static PE information: section name: .yatdsp
Source: WTSAPI32.dll.6.dr Static PE information: section name: .njso
Source: WTSAPI32.dll.6.dr Static PE information: section name: .lgliat
Source: WTSAPI32.dll.6.dr Static PE information: section name: .ntqjh
Source: WTSAPI32.dll.6.dr Static PE information: section name: .sucsek
Source: WTSAPI32.dll.6.dr Static PE information: section name: .qsxjui
Source: WTSAPI32.dll.6.dr Static PE information: section name: .twctcm
Source: WTSAPI32.dll.6.dr Static PE information: section name: .nms
Source: WTSAPI32.dll.6.dr Static PE information: section name: .ogj
Source: WTSAPI32.dll.6.dr Static PE information: section name: .vrkgb
Source: WTSAPI32.dll.6.dr Static PE information: section name: .gikfw
Source: WTSAPI32.dll.6.dr Static PE information: section name: .ktl
Source: WTSAPI32.dll.6.dr Static PE information: section name: .crcn
Source: WTSAPI32.dll.6.dr Static PE information: section name: .wtfr
Source: WTSAPI32.dll.6.dr Static PE information: section name: .hep
Source: WTSAPI32.dll.6.dr Static PE information: section name: .ywg
Source: WTSAPI32.dll.6.dr Static PE information: section name: .sqsp
Source: WTSAPI32.dll.6.dr Static PE information: section name: .gzb
Source: WTSAPI32.dll.6.dr Static PE information: section name: .fatlss
Source: WTSAPI32.dll.6.dr Static PE information: section name: .plqa
Source: WTSAPI32.dll.6.dr Static PE information: section name: .vzt
Source: WTSAPI32.dll.6.dr Static PE information: section name: .dsbyd
Source: WTSAPI32.dll.6.dr Static PE information: section name: .cdelc
Source: WTSAPI32.dll.6.dr Static PE information: section name: .qkhkj
Source: WTSAPI32.dll.6.dr Static PE information: section name: .mnzegr
Source: WTSAPI32.dll.6.dr Static PE information: section name: .krw
Source: WTSAPI32.dll.6.dr Static PE information: section name: .jvsmn
Source: WTSAPI32.dll.6.dr Static PE information: section name: .bygpq
Source: WTSAPI32.dll.6.dr Static PE information: section name: .kzdbu
Source: WTSAPI32.dll.6.dr Static PE information: section name: .mwxorn
Source: WTSAPI32.dll.6.dr Static PE information: section name: .raf
Source: WTSAPI32.dll.6.dr Static PE information: section name: .zcyw
Source: WTSAPI32.dll.6.dr Static PE information: section name: .zeczh
Source: WTSAPI32.dll.6.dr Static PE information: section name: .pvv
Source: WTSAPI32.dll.6.dr Static PE information: section name: .lug
Source: WTSAPI32.dll.6.dr Static PE information: section name: .ski
Source: WTSAPI32.dll.6.dr Static PE information: section name: .japjd
Source: WTSAPI32.dll.6.dr Static PE information: section name: .mwtzml
Source: rdpinit.exe.6.dr Static PE information: 0xC894E371 [Fri Aug 21 01:59:13 2076 UTC]
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\regsvr32.exe regsvr32.exe /s C:\Users\user\Desktop\CJu1sWJfWk.dll
Source: initial sample Static PE information: section name: .text entropy: 7.78392111205
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\PVsO8HfRn\dwmapi.dll
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\KN4et9\WINSTA.dll
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\ns1MY\slui.exe
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\iSZdEuUQU\mmc.exe
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\4hM96ANL\systemreset.exe
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\oNo29a9yW\MFPlat.DLL
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\xHBXOX9\WTSAPI32.dll
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\qMQ4Qr\dwmapi.dll
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\qpscHm\FXSCOVER.exe
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\qpscHm\MFC42u.dll
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\KN4et9\RdpSaUacHelper.exe
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\YMJtPINjt\WINMM.dll
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\PVsO8HfRn\Dxpserver.exe
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\YMJtPINjt\irftp.exe
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\oQi\unregmp2.exe
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\oNo29a9yW\mfpmp.exe
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\qMQ4Qr\mblctr.exe
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\xHBXOX9\rdpinit.exe
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\iSZdEuUQU\mmcbase.DLL
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\V3ju9LunR\WINSTA.dll
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\oQi\VERSION.dll
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\V3ju9LunR\rdpinit.exe
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\4hM96ANL\ReAgent.dll
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\ns1MY\WTSAPI32.dll
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\YMJtPINjt\irftp.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\YMJtPINjt\irftp.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\explorer.exe TID: 3488 Thread sleep count: 76 > 30 Jump to behavior
Source: C:\Users\user\AppData\Local\oNo29a9yW\mfpmp.exe Last function: Thread delayed
Source: C:\Windows\explorer.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\oQi\unregmp2.exe Jump to dropped file
Source: C:\Windows\explorer.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\iSZdEuUQU\mmcbase.DLL Jump to dropped file
Source: C:\Users\user\AppData\Local\4hM96ANL\systemreset.exe Code function: 18_2_00007FF6C4623E7C rdtsc 18_2_00007FF6C4623E7C
Source: C:\Users\user\AppData\Local\YMJtPINjt\irftp.exe Check user administrative privileges: GetTokenInformation,DecisionNodes
Source: C:\Windows\System32\loaddll64.exe Check user administrative privileges: GetTokenInformation,DecisionNodes
Source: C:\Users\user\AppData\Local\4hM96ANL\systemreset.exe Check user administrative privileges: GetTokenInformation,DecisionNodes
Source: C:\Users\user\AppData\Local\4hM96ANL\systemreset.exe API coverage: 2.7 %
Source: C:\Users\user\AppData\Local\YMJtPINjt\irftp.exe API coverage: 4.3 %
Source: C:\Users\user\AppData\Local\oNo29a9yW\mfpmp.exe API coverage: 2.5 %
Source: C:\Users\user\AppData\Local\V3ju9LunR\rdpinit.exe API coverage: 0.5 %
Source: C:\Windows\System32\loaddll64.exe Process information queried: ProcessInformation
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFF2F2BDDC0 GetSystemInfo, 0_2_00007FFF2F2BDDC0
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFF2F2BED10 FindFirstFileExW, 0_2_00007FFF2F2BED10
Source: C:\Users\user\AppData\Local\4hM96ANL\systemreset.exe Code function: 18_2_00007FF6C464A9EC memset,SetLastError,SetLastError,HeapAlloc,GetLastError,FindFirstFileW,memset,memset,wcsrchr,SetLastError,CompareStringW,CompareStringW,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,memset,FindNextFileW,GetLastError,GetLastError,GetLastError,FindClose,GetLastError,RtlFreeHeap,GetLastError,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,SetLastError,SetLastError, 18_2_00007FF6C464A9EC
Source: C:\Users\user\AppData\Local\4hM96ANL\systemreset.exe Code function: 18_2_00007FF6C464B1D0 FindFirstFileW,FindNextFileW,_wcsicmp,_wcsicmp,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,GetLastError,SetLastError, 18_2_00007FF6C464B1D0
Source: C:\Users\user\AppData\Local\4hM96ANL\systemreset.exe Code function: 18_2_00007FF6C46374A0 memset,FindFirstFileW,FindClose,PostMessageW, 18_2_00007FF6C46374A0
Source: C:\Users\user\AppData\Local\4hM96ANL\systemreset.exe Code function: 18_2_00007FFF2F2EED10 FindFirstFileExW, 18_2_00007FFF2F2EED10
Source: C:\Users\user\AppData\Local\YMJtPINjt\irftp.exe Code function: 21_2_00007FF66927B908 FindFirstFileW,lstrcmpW,lstrcmpW,FindNextFileW,FindClose, 21_2_00007FF66927B908
Source: C:\Users\user\AppData\Local\YMJtPINjt\irftp.exe Code function: 21_2_00007FF66927C018 FindFirstFileW,lstrcmpW,lstrcmpW,CreateFileW,GetFileSize,CloseHandle,FindNextFileW,FindClose, 21_2_00007FF66927C018
Source: C:\Users\user\AppData\Local\YMJtPINjt\irftp.exe Code function: 21_2_00007FFF2E86ED10 FindFirstFileExW, 21_2_00007FFF2E86ED10
Source: explorer.exe, 00000006.00000000.381293794.0000000007FBD000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000006.00000000.381515971.000000000807C000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: VMware SATA CD00
Source: explorer.exe, 00000006.00000000.381293794.0000000007FBD000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}d
Source: explorer.exe, 00000006.00000000.381515971.000000000807C000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000I
Source: explorer.exe, 00000006.00000000.381515971.000000000807C000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000
Source: explorer.exe, 00000006.00000000.424905002.00000000042EE000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}q^
Source: explorer.exe, 00000006.00000000.451054650.00000000042A0000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000O
Source: C:\Users\user\AppData\Local\4hM96ANL\systemreset.exe Code function: 18_2_00007FF6C4622420 GetCurrentThreadId,memset,IsDebuggerPresent,OutputDebugStringW, 18_2_00007FF6C4622420
Source: C:\Users\user\AppData\Local\4hM96ANL\systemreset.exe Code function: 18_2_00007FF6C463F624 _cwprintf_s_l,OutputDebugStringW,GetLastError,CurrentIP,WdsSetupLogMessageW, 18_2_00007FF6C463F624
Source: C:\Users\user\AppData\Local\4hM96ANL\systemreset.exe Code function: 18_2_00007FF6C46445AC GetProcessHeap,HeapFree, 18_2_00007FF6C46445AC
Source: C:\Users\user\AppData\Local\4hM96ANL\systemreset.exe Code function: 18_2_00007FF6C4623E7C rdtsc 18_2_00007FF6C4623E7C
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFF2F2A97D0 LdrLoadDll,FindClose, 0_2_00007FFF2F2A97D0
Source: C:\Users\user\AppData\Local\4hM96ANL\systemreset.exe Code function: 18_2_00007FF6C464D790 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 18_2_00007FF6C464D790
Source: C:\Users\user\AppData\Local\4hM96ANL\systemreset.exe Code function: 18_2_00007FF6C464DCC0 SetUnhandledExceptionFilter, 18_2_00007FF6C464DCC0
Source: C:\Users\user\AppData\Local\YMJtPINjt\irftp.exe Code function: 21_2_00007FF669283840 SetUnhandledExceptionFilter, 21_2_00007FF669283840
Source: C:\Users\user\AppData\Local\YMJtPINjt\irftp.exe Code function: 21_2_00007FF669283498 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 21_2_00007FF669283498
Source: C:\Users\user\AppData\Local\ns1MY\slui.exe Code function: 28_2_00007FF6896CD918 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 28_2_00007FF6896CD918
Source: C:\Users\user\AppData\Local\oNo29a9yW\mfpmp.exe Code function: 30_2_00007FF7FF632D14 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 30_2_00007FF7FF632D14
Source: C:\Users\user\AppData\Local\oNo29a9yW\mfpmp.exe Code function: 30_2_00007FF7FF6329F0 SetUnhandledExceptionFilter, 30_2_00007FF7FF6329F0
Source: C:\Users\user\AppData\Local\V3ju9LunR\rdpinit.exe Code function: 32_2_00007FF7C6A2F1E0 SetUnhandledExceptionFilter, 32_2_00007FF7C6A2F1E0
Source: C:\Users\user\AppData\Local\V3ju9LunR\rdpinit.exe Code function: 32_2_00007FF7C6A372B4 RtlCaptureContext,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 32_2_00007FF7C6A372B4
Source: C:\Users\user\AppData\Local\V3ju9LunR\rdpinit.exe Code function: 32_2_00007FF7C6A2EA28 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 32_2_00007FF7C6A2EA28

HIPS / PFW / Operating System Protection Evasion

Source: C:\Windows\explorer.exe File created: WINSTA.dll.6.dr
Source: C:\Windows\System32\regsvr32.exe Memory protected: C:\Windows\explorer.exe base: 7FFF4253EFE0 protect: page execute and read and write
Source: C:\Windows\System32\regsvr32.exe Memory protected: C:\Windows\explorer.exe base: 7FFF4253E000 protect: page execute read
Source: C:\Windows\System32\regsvr32.exe Memory protected: C:\Windows\explorer.exe base: 7FFF3FBF2A20 protect: page execute and read and write
Source: C:\Windows\System32\regsvr32.exe Thread APC queued: target process: C:\Windows\explorer.exe
Source: C:\Users\user\AppData\Local\oNo29a9yW\mfpmp.exe Code function: 30_2_00007FF7FF635730 EnterCriticalSection,IsDebuggerPresent,DebugBreak,GetLastError,SetLastError,LeaveCriticalSection, 30_2_00007FF7FF635730
Source: C:\Users\user\AppData\Local\oNo29a9yW\mfpmp.exe Code function: 30_2_00007FF7FF6354A0 EnterCriticalSection,IsDebuggerPresent,DebugBreak,LeaveCriticalSection, 30_2_00007FF7FF6354A0
Source: C:\Windows\System32\regsvr32.exe Atom created: 405553565741544156488D6C24D14881EC98 0x00000000 inc eax 0x00000001 push ebp 0x00000002 push ebx 0x00000003 push esi 0x00000004 push edi 0x00000005 inc ecx 0x00000006 push esp 0x00000007 inc ecx 0x00000008 push esi 0x00000009 dec eax 0x0000000a lea ebp, dword ptr [esp-2Fh] 0x0000000e dec eax 0x0000000f sub esp, 00000098h
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\CJu1sWJfWk.dll",#1
Source: explorer.exe, 00000006.00000000.422481713.000000000081C000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.422944808.0000000000D70000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000006.00000000.402974886.0000000000D70000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000006.00000000.422944808.0000000000D70000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000006.00000000.402974886.0000000000D70000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000006.00000000.369317491.0000000000778000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Progman
Source: rdpinit.exe, 00000020.00000000.647965981.00007FF7C6A3E000.00000002.00000001.01000000.00000014.sdmp, rdpinit.exe, 00000020.00000002.672090134.00007FF7C6A3E000.00000002.00000001.01000000.00000014.sdmp Binary or memory string: Initialize failedDwmpGetColorizationParameters failedDwmpSetColorizationParametersCRdpTrayTaskbarCreatedShell_TrayWndRdptrayTSCreateAppbarTrayFN failedTSCreateShellNotifyTrayFN failedTSCreateTaskbarTrayFn failedTSCreateWindowCloakingTracker failedFailed g_RailOrderEncoder.InitializeFailed g_RailOrderEncoder.StartUpdating max icon size for the tray icon failed.m_spAppBarTrayFnm_spWindowCloakingTrackerRemoveWindow failedRemoveDestroyedWindows failed~/
Source: explorer.exe, 00000006.00000000.422944808.0000000000D70000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000006.00000000.402974886.0000000000D70000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000006.00000000.371210665.0000000000D70000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Progmanlock
Source: explorer.exe, 00000006.00000000.422944808.0000000000D70000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000006.00000000.402974886.0000000000D70000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000006.00000000.371210665.0000000000D70000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: }Program Manager
Source: C:\Windows\System32\loaddll64.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion InstallDate
Source: C:\Windows\System32\loaddll64.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: C:\Users\user\AppData\Local\4hM96ANL\systemreset.exe Code function: 18_2_00007FF6C464DE50 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,GetTickCount,QueryPerformanceCounter, 18_2_00007FF6C464DE50
Source: C:\Users\user\AppData\Local\V3ju9LunR\rdpinit.exe Code function: 32_2_00007FF7C6A2E34B GetStartupInfoW,GetVersionExW,_FF_MSGBANNER,_FF_MSGBANNER,GetCommandLineA, 32_2_00007FF7C6A2E34B
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFF2F2A9400 GetUserNameW, 0_2_00007FFF2F2A9400
Source: C:\Users\user\AppData\Local\4hM96ANL\systemreset.exe Code function: 18_2_00007FF6C463461C ?AddListener@Element@DirectUI@@QEAAJPEAUIElementListener@2@@Z,?SetVisible@Element@DirectUI@@QEAAJ_N@Z,?SetLayoutPos@Element@DirectUI@@QEAAJH@Z,?SetID@Element@DirectUI@@QEAAJPEBG@Z, 18_2_00007FF6C463461C
Source: C:\Users\user\AppData\Local\4hM96ANL\systemreset.exe Code function: 18_2_00007FF6C4637660 ?Create@DUIXmlParser@DirectUI@@SAJPEAPEAV12@P6APEAVValue@2@PEBGPEAX@Z2P6AX11H2@Z2@Z,?SetXMLFromResource@DUIXmlParser@DirectUI@@QEAAJIPEAUHINSTANCE__@@0@Z,?CreateElement@DUIXmlParser@DirectUI@@QEAAJPEBGPEAVElement@2@1PEAKPEAPEAV32@@Z,?Destroy@Element@DirectUI@@QEAAJ_N@Z,StrToID,?FindDescendent@Element@DirectUI@@QEAAPEAV12@G@Z,?AddListener@Element@DirectUI@@QEAAJPEAUIElementListener@2@@Z,StrToID,?FindDescendent@Element@DirectUI@@QEAAPEAV12@G@Z,?AddListener@Element@DirectUI@@QEAAJPEAUIElementListener@2@@Z,?Destroy@DUIXmlParser@DirectUI@@QEAAXXZ, 18_2_00007FF6C4637660
Source: C:\Users\user\AppData\Local\4hM96ANL\systemreset.exe Code function: 18_2_00007FF6C4633720 ?Create@DUIXmlParser@DirectUI@@SAJPEAPEAV12@P6APEAVValue@2@PEBGPEAX@Z2P6AX11H2@Z2@Z,?SetXMLFromResource@DUIXmlParser@DirectUI@@QEAAJIPEAUHINSTANCE__@@0@Z,?CreateElement@DUIXmlParser@DirectUI@@QEAAJPEBGPEAVElement@2@1PEAKPEAPEAV32@@Z,?Destroy@Element@DirectUI@@QEAAJ_N@Z,StrToID,?FindDescendent@Element@DirectUI@@QEAAPEAV12@G@Z,?AddListener@Element@DirectUI@@QEAAJPEAUIElementListener@2@@Z,StrToID,?FindDescendent@Element@DirectUI@@QEAAPEAV12@G@Z,?AddListener@Element@DirectUI@@QEAAJPEAUIElementListener@2@@Z,StrToID,?FindDescendent@Element@DirectUI@@QEAAPEAV12@G@Z,?AddListener@Element@DirectUI@@QEAAJPEAUIElementListener@2@@Z,?Destroy@DUIXmlParser@DirectUI@@QEAAXXZ, 18_2_00007FF6C4633720
Source: C:\Users\user\AppData\Local\4hM96ANL\systemreset.exe Code function: 18_2_00007FF6C4638F70 ?Create@DUIXmlParser@DirectUI@@SAJPEAPEAV12@P6APEAVValue@2@PEBGPEAX@Z2P6AX11H2@Z2@Z,?SetXMLFromResource@DUIXmlParser@DirectUI@@QEAAJIPEAUHINSTANCE__@@0@Z,?CreateElement@DUIXmlParser@DirectUI@@QEAAJPEBGPEAVElement@2@1PEAKPEAPEAV32@@Z,?Destroy@Element@DirectUI@@QEAAJ_N@Z,StrToID,?FindDescendent@Element@DirectUI@@QEAAPEAV12@G@Z,?AddListener@Element@DirectUI@@QEAAJPEAUIElementListener@2@@Z,StrToID,?FindDescendent@Element@DirectUI@@QEAAPEAV12@G@Z,?AddListener@Element@DirectUI@@QEAAJPEAUIElementListener@2@@Z,?Destroy@DUIXmlParser@DirectUI@@QEAAXXZ, 18_2_00007FF6C4638F70
Source: C:\Users\user\AppData\Local\4hM96ANL\systemreset.exe Code function: 18_2_00007FF6C4637920 ?Create@DUIXmlParser@DirectUI@@SAJPEAPEAV12@P6APEAVValue@2@PEBGPEAX@Z2P6AX11H2@Z2@Z,?SetXMLFromResource@DUIXmlParser@DirectUI@@QEAAJIPEAUHINSTANCE__@@0@Z,?CreateElement@DUIXmlParser@DirectUI@@QEAAJPEBGPEAVElement@2@1PEAKPEAPEAV32@@Z,?Destroy@Element@DirectUI@@QEAAJ_N@Z,StrToID,?FindDescendent@Element@DirectUI@@QEAAPEAV12@G@Z,?AddListener@Element@DirectUI@@QEAAJPEAUIElementListener@2@@Z,StrToID,?FindDescendent@Element@DirectUI@@QEAAPEAV12@G@Z,?AddListener@Element@DirectUI@@QEAAJPEAUIElementListener@2@@Z,StrToID,?FindDescendent@Element@DirectUI@@QEAAPEAV12@G@Z,?AddListener@Element@DirectUI@@QEAAJPEAUIElementListener@2@@Z,?Destroy@DUIXmlParser@DirectUI@@QEAAXXZ, 18_2_00007FF6C4637920
Source: C:\Users\user\AppData\Local\4hM96ANL\systemreset.exe Code function: 18_2_00007FF6C4649908 RpcBindingFree, 18_2_00007FF6C4649908
Source: C:\Users\user\AppData\Local\4hM96ANL\systemreset.exe Code function: 18_2_00007FF6C46360E0 wcscpy_s,RpcStringBindingComposeW,RpcBindingFromStringBindingW,RpcStringFreeW, 18_2_00007FF6C46360E0
Source: C:\Users\user\AppData\Local\4hM96ANL\systemreset.exe Code function: 18_2_00007FF6C4634200 ?Create@DUIXmlParser@DirectUI@@SAJPEAPEAV12@P6APEAVValue@2@PEBGPEAX@Z2P6AX11H2@Z2@Z,?SetXMLFromResource@DUIXmlParser@DirectUI@@QEAAJIPEAUHINSTANCE__@@0@Z,?CreateElement@DUIXmlParser@DirectUI@@QEAAJPEBGPEAVElement@2@1PEAKPEAPEAV32@@Z,StrToID,?FindDescendent@Element@DirectUI@@QEAAPEAV12@G@Z,?AddListener@Element@DirectUI@@QEAAJPEAUIElementListener@2@@Z,StrToID,?FindDescendent@Element@DirectUI@@QEAAPEAV12@G@Z,?AddListener@Element@DirectUI@@QEAAJPEAUIElementListener@2@@Z,?Destroy@DUIXmlParser@DirectUI@@QEAAXXZ,?Destroy@Element@DirectUI@@QEAAJ_N@Z, 18_2_00007FF6C4634200
Source: C:\Users\user\AppData\Local\YMJtPINjt\irftp.exe Code function: 21_2_00007FF66927EE8C socket,WSAGetLastError,memset,setsockopt,WSAGetLastError,closesocket,setsockopt,memset,bind,listen,CreateIoCompletionPort, 21_2_00007FF66927EE8C
Source: C:\Users\user\AppData\Local\YMJtPINjt\irftp.exe Code function: 21_2_00007FF66927A078 WSAStartup,OpenFileMappingW,MapViewOfFile,CloseHandle,GetLastError,DbgPrint,lstrcmpA,WSASocketW,UnmapViewOfFile,WSAGetLastError,DbgPrint,socket,WSAGetLastError,bind,WSAGetLastError,closesocket,listen,closesocket, 21_2_00007FF66927A078
Source: C:\Users\user\AppData\Local\ns1MY\slui.exe Code function: 28_2_00007FF6896B7390 CreateBindCtx,StringFromGUID2,CoTaskMemAlloc,~SyncLockT,memcpy,MkParseDisplayName,~SyncLockT, 28_2_00007FF6896B7390
Source: C:\Users\user\AppData\Local\V3ju9LunR\rdpinit.exe Code function: 32_2_00007FF7C6A21FE0 GetCurrentProcess,OpenProcessToken,GetLastError,RpcBindingToStringBindingW,RpcStringBindingParseW,GetCurrentProcessId,ProcessIdToSessionId,GetLastError,RpcServerInqBindingHandle,RpcServerInqCallAttributesW,GetLastError,RpcImpersonateClient,GetCurrentThread,OpenThreadToken,GetLastError,GetTokenInformation,GetLastError,GetSidSubAuthority,GetSidSubAuthority,CloseHandle,CloseHandle,LocalFree,LocalFree,RpcRevertToSelf,RpcStringFreeW,RpcStringFreeW, 32_2_00007FF7C6A21FE0
Source: C:\Users\user\AppData\Local\V3ju9LunR\rdpinit.exe Code function: 32_2_00007FF7C6A23FE0 RpcBindingFree,GetCurrentProcessId,ProcessIdToSessionId,GetLastError,GetLastError,RpcStringBindingComposeW,RpcBindingFromStringBindingW,RpcBindingSetAuthInfoExW,RpcBindingFree,RpcStringFreeW, 32_2_00007FF7C6A23FE0
Source: C:\Users\user\AppData\Local\V3ju9LunR\rdpinit.exe Code function: 32_2_00007FF7C6A23F90 RpcBindingFree, 32_2_00007FF7C6A23F90
Source: C:\Users\user\AppData\Local\V3ju9LunR\rdpinit.exe Code function: 32_2_00007FF7C6A0D87C RegisterTraceGuidsW,HeapSetInformation,GetLastError,CreateMutexW,GetLastError,GetLastError,CreateMutexW,GetLastError,GetLastError,CoInitializeEx,GetModuleHandleW,SetProcessShutdownParameters,GetCurrentProcessId,ProcessIdToSessionId,GetLastError,GetLastError,GetSystemMetrics,RpcMgmtWaitServerListen,WTSLogoffSession,CoUninitialize,UnregisterTraceGuids,CloseHandle, 32_2_00007FF7C6A0D87C
Source: C:\Users\user\AppData\Local\V3ju9LunR\rdpinit.exe Code function: 32_2_00007FF7C6A21DF0 RpcServerUseProtseqEpW,RpcServerRegisterIfEx,RpcServerListen, 32_2_00007FF7C6A21DF0
Source: C:\Users\user\AppData\Local\V3ju9LunR\rdpinit.exe Code function: 32_2_00007FF7C6A23630 SetPropW,RpcBindingFree, 32_2_00007FF7C6A23630
No contacted IP infos