Windows Analysis Report
7FErKDnzhp.exe

Overview

General Information

Sample name: 7FErKDnzhp.exe
renamed because original name is a hash value
Original sample name: F65D62DAC74CCD3AE5399C396167C579.exe
Analysis ID: 1436346
MD5: f65d62dac74ccd3ae5399c396167c579
SHA1: 4948d156914f054def900a77229e09a5fcc8976d
SHA256: 6d51f3afa3d465e86e4263f50ac0873a42813f94948406fff9bc3e6b7e081b3e
Tags: DCRat, exe

Detection

DCRat
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Found malware configuration
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Schedule system process
Yara detected DCRat
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
C2 URLs / IPs found in malware configuration
Creates processes via WMI
Drops PE files with benign system names
Machine Learning detection for dropped file
Machine Learning detection for sample
Sigma detected: Execution from Suspicious Folder
Sigma detected: Files With System Process Name In Unsuspected Locations
Uses schtasks.exe or at.exe to add and modify task schedules
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Allocates memory with a write watch (potentially for evading sandboxes)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to communicate with device drivers
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Detected potential crypto function
Drops PE files
Drops PE files to the application program directory (C:\ProgramData)
Drops PE files to the windows directory (C:\Windows)
Enables debug privileges
File is packed with WinRar
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found potential string decryption / allocating functions
May sleep (evasive loops) to hinder dynamic analysis
PE file contains executable resources (Code or Archives)
PE file contains sections with non-standard names
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

AV Detection

Source: 7FErKDnzhp.exe Avira: detected
Source: C:\Recovery\dcvkQEwWwyGFQ.exe Avira: detection malicious, Label: HEUR/AGEN.1323984
Source: C:\containercrt\Hyperblock.exe Avira: detection malicious, Label: HEUR/AGEN.1323984
Source: C:\Windows\ShellNew\explorer.exe Avira: detection malicious, Label: HEUR/AGEN.1323984
Source: C:\Program Files\Windows Multimedia Platform\MoUsoCoreWorker.exe Avira: detection malicious, Label: HEUR/AGEN.1323984
Source: C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\fontdrvhost.exe Avira: detection malicious, Label: HEUR/AGEN.1323984
Source: C:\containercrt\focLwcgbbqM4pqsNJntFjNFiUvJ.vbe Avira: detection malicious, Label: VBS/Runner.VPG
Source: C:\Recovery\dwm.exe Avira: detection malicious, Label: HEUR/AGEN.1323984
Source: C:\Users\Default\Favorites\OfficeClickToRun.exe Avira: detection malicious, Label: HEUR/AGEN.1323984
Source: C:\Recovery\SystemSettings.exe Avira: detection malicious, Label: HEUR/AGEN.1323984
Source: C:\containercrt\csrss.exe Avira: detection malicious, Label: HEUR/AGEN.1323984
Source: C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\updates\308046B0AF4A39CB\RuntimeBroker.exe Avira: detection malicious, Label: HEUR/AGEN.1323984
Source: 0000001A.00000002.1842577492.0000000002B91000.00000004.00000800.00020000.00000000.sdmp Malware Configuration Extractor: DCRat {"SCRT": "{\"U\":\")\",\"i\":\"@\",\"w\":\"|\",\"6\":\"^\",\"M\":\"$\",\"d\":\"<\",\"H\":\"#\",\"O\":\";\",\"n\":\" \",\"R\":\"-\",\"9\":\"_\",\"h\":\"~\",\"3\":\"*\",\"0\":\"(\",\"A\":\",\",\"L\":\"%\",\"J\":\"`\",\"j\":\">\",\"B\":\"&\",\"I\":\"!\",\"4\":\".\"}", "PCRT": "{\"D\":\">\",\"=\":\"#\",\"6\":\",\",\"S\":\"$\",\"i\":\"_\",\"y\":\"-\",\"I\":\"&\",\"M\":\";\",\"l\":\"!\",\"j\":\"(\",\"p\":\"|\",\"w\":\")\",\"b\":\"^\",\"e\":\"~\",\"x\":\" \",\"Q\":\"<\",\"f\":\"*\",\"0\":\".\",\"c\":\"`\",\"X\":\"@\"}", "TAG": "", "MUTEX": "DCR_MUTEX-xitxj0beNMbzk6ZAb1J9", "LDTM": false, "DBG": false, "SST": 5, "SMST": 2, "BCS": 0, "AUR": 1, "ASCFG": {"searchpath": "%UsersFolder% - Fast"}, "AS": false, "ASO": false, "AD": false, "H1": "http://a0949002.xsph.ru/@=ITN0YzM4ETM", "H2": "http://a0949002.xsph.ru/@=ITN0YzM4ETM", "T": "0"}
Source: C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\fontdrvhost.exe ReversingLabs: Detection: 87%
Source: C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\fontdrvhost.exe Virustotal: Detection: 66%
Source: C:\Program Files\Windows Multimedia Platform\MoUsoCoreWorker.exe ReversingLabs: Detection: 87%
Source: C:\Program Files\Windows Multimedia Platform\MoUsoCoreWorker.exe Virustotal: Detection: 66%
Source: C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\updates\308046B0AF4A39CB\RuntimeBroker.exe ReversingLabs: Detection: 87%
Source: C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\updates\308046B0AF4A39CB\RuntimeBroker.exe Virustotal: Detection: 66%
Source: C:\Recovery\SystemSettings.exe ReversingLabs: Detection: 87%
Source: C:\Recovery\SystemSettings.exe Virustotal: Detection: 66%
Source: C:\Recovery\dcvkQEwWwyGFQ.exe ReversingLabs: Detection: 87%
Source: C:\Recovery\dcvkQEwWwyGFQ.exe Virustotal: Detection: 66%
Source: C:\Recovery\dwm.exe ReversingLabs: Detection: 87%
Source: C:\Recovery\dwm.exe Virustotal: Detection: 66%
Source: C:\Users\Default\Favorites\OfficeClickToRun.exe ReversingLabs: Detection: 87%
Source: C:\Users\Default\Favorites\OfficeClickToRun.exe Virustotal: Detection: 66%
Source: C:\Users\Default\Links\dcvkQEwWwyGFQ.exe ReversingLabs: Detection: 87%
Source: C:\Users\Default\Links\dcvkQEwWwyGFQ.exe Virustotal: Detection: 66%
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Network Shortcuts\dcvkQEwWwyGFQ.exe ReversingLabs: Detection: 87%
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Network Shortcuts\dcvkQEwWwyGFQ.exe Virustotal: Detection: 66%
Source: C:\Windows\ShellNew\explorer.exe ReversingLabs: Detection: 87%
Source: C:\Windows\ShellNew\explorer.exe Virustotal: Detection: 66%
Source: C:\containercrt\Hyperblock.exe ReversingLabs: Detection: 87%
Source: C:\containercrt\Hyperblock.exe Virustotal: Detection: 66%
Source: C:\containercrt\csrss.exe ReversingLabs: Detection: 87%
Source: C:\containercrt\csrss.exe Virustotal: Detection: 66%
Source: C:\containercrt\dcvkQEwWwyGFQ.exe ReversingLabs: Detection: 87%
Source: C:\containercrt\dcvkQEwWwyGFQ.exe Virustotal: Detection: 66%
Source: 7FErKDnzhp.exe ReversingLabs: Detection: 73%
Source: 7FErKDnzhp.exe Virustotal: Detection: 58%
Source: C:\Recovery\dcvkQEwWwyGFQ.exe Joe Sandbox ML: detected
Source: C:\containercrt\Hyperblock.exe Joe Sandbox ML: detected
Source: C:\Windows\ShellNew\explorer.exe Joe Sandbox ML: detected
Source: C:\Program Files\Windows Multimedia Platform\MoUsoCoreWorker.exe Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\fontdrvhost.exe Joe Sandbox ML: detected
Source: C:\Recovery\dwm.exe Joe Sandbox ML: detected
Source: C:\Users\Default\Favorites\OfficeClickToRun.exe Joe Sandbox ML: detected
Source: C:\Recovery\SystemSettings.exe Joe Sandbox ML: detected
Source: C:\containercrt\csrss.exe Joe Sandbox ML: detected
Source: C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\updates\308046B0AF4A39CB\RuntimeBroker.exe Joe Sandbox ML: detected
Source: 7FErKDnzhp.exe Joe Sandbox ML: detected
Source: 7FErKDnzhp.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: C:\containercrt\Hyperblock.exe Directory created: C:\Program Files\Windows Multimedia Platform\MoUsoCoreWorker.exe
Source: C:\containercrt\Hyperblock.exe Directory created: C:\Program Files\Windows Multimedia Platform\1f93f77a7f4778
Source: 7FErKDnzhp.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
Source: Binary string: D:\Projects\WinRAR\sfx\build\sfxrar32\Release\sfxrar.pdb source: 7FErKDnzhp.exe
Source: C:\Users\user\Desktop\7FErKDnzhp.exe Code function: 0_2_002AA5F4 FindFirstFileW,FindFirstFileW,GetLastError,FindNextFileW,GetLastError, 0_2_002AA5F4
Source: C:\Users\user\Desktop\7FErKDnzhp.exe Code function: 0_2_002BB8E0 SendDlgItemMessageW,EndDialog,GetDlgItem,SetFocus,SetDlgItemTextW,SendDlgItemMessageW,FindFirstFileW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,FindClose,_swprintf,SetDlgItemTextW,SendDlgItemMessageW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,_swprintf,SetDlgItemTextW, 0_2_002BB8E0

Networking

Source: Malware configuration extractor URLs: http://a0949002.xsph.ru/@=ITN0YzM4ETM
Source: Hyperblock.exe, 00000004.00000002.1718350634.0000000003334000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name

System Summary

Source: C:\Windows\SysWOW64\wscript.exe COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}
Source: C:\Users\user\Desktop\7FErKDnzhp.exe Code function: 0_2_002A718C: __EH_prolog,CreateFileW,CloseHandle,CreateDirectoryW,CreateFileW,DeviceIoControl,CloseHandle,GetLastError,RemoveDirectoryW,DeleteFileW, 0_2_002A718C
Source: C:\containercrt\Hyperblock.exe File created: C:\Windows\ShellNew\explorer.exe
Source: C:\containercrt\Hyperblock.exe File created: C:\Windows\ShellNew\7a0fd90576e088
Source: C:\Users\user\Desktop\7FErKDnzhp.exe Code function: String function: 002BED00 appears 31 times
Source: C:\Users\user\Desktop\7FErKDnzhp.exe Code function: String function: 002BE360 appears 52 times
Source: C:\Users\user\Desktop\7FErKDnzhp.exe Code function: String function: 002BE28C appears 35 times
Source: Hyperblock.exe.0.dr Static PE information: Resource name: RT_VERSION type: ARM COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
Source: fontdrvhost.exe.4.dr Static PE information: Resource name: RT_VERSION type: ARM COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
Source: explorer.exe.4.dr Static PE information: Resource name: RT_VERSION type: ARM COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
Source: 7FErKDnzhp.exe, 00000000.00000003.1602763603.0000000004FB7000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenamelibGLESv2.dll4 vs 7FErKDnzhp.exe
Source: 7FErKDnzhp.exe, 00000000.00000003.1601518851.0000000004EA7000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenamelibGLESv2.dll4 vs 7FErKDnzhp.exe
Source: 7FErKDnzhp.exe, 00000000.00000003.1602359917.0000000004FB1000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenamelibGLESv2.dll4 vs 7FErKDnzhp.exe
Source: 7FErKDnzhp.exe Binary or memory string: OriginalFilenamelibGLESv2.dll4 vs 7FErKDnzhp.exe
Source: 0.3.7FErKDnzhp.exe.4ef4523.0.raw.unpack, K6N7lOGlonRUf9sqLPL.cs Cryptographic APIs: 'TransformBlock'
Source: 0.3.7FErKDnzhp.exe.4ef4523.0.raw.unpack, K6N7lOGlonRUf9sqLPL.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 0.3.7FErKDnzhp.exe.4ef4523.0.raw.unpack, YeWvP1kxtYA1bcMuo5E.cs Cryptographic APIs: 'CreateDecryptor'
Source: 0.3.7FErKDnzhp.exe.4ffe523.1.raw.unpack, K6N7lOGlonRUf9sqLPL.cs Cryptographic APIs: 'TransformBlock'
Source: 0.3.7FErKDnzhp.exe.4ffe523.1.raw.unpack, K6N7lOGlonRUf9sqLPL.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 0.3.7FErKDnzhp.exe.4ffe523.1.raw.unpack, YeWvP1kxtYA1bcMuo5E.cs Cryptographic APIs: 'CreateDecryptor'
Source: 0.3.7FErKDnzhp.exe.4ef4523.0.raw.unpack, MbJh8YA6sPvZCanPP1V.cs Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 0.3.7FErKDnzhp.exe.4ef4523.0.raw.unpack, MbJh8YA6sPvZCanPP1V.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.3.7FErKDnzhp.exe.4ffe523.1.raw.unpack, MbJh8YA6sPvZCanPP1V.cs Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 0.3.7FErKDnzhp.exe.4ffe523.1.raw.unpack, MbJh8YA6sPvZCanPP1V.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: classification engine Classification label: mal100.troj.evad.winEXE@41/29@0/0
Source: C:\Users\user\Desktop\7FErKDnzhp.exe Code function: 0_2_002A6EC9 GetLastError,FormatMessageW, 0_2_002A6EC9
Source: C:\Users\user\Desktop\7FErKDnzhp.exe Code function: 0_2_002B9E1C FindResourceW,SizeofResource,LoadResource,LockResource,GlobalAlloc,GlobalLock,GdipCreateHBITMAPFromBitmap,GlobalUnlock,GlobalFree, 0_2_002B9E1C
Source: C:\containercrt\Hyperblock.exe File created: C:\Program Files\Windows Multimedia Platform\MoUsoCoreWorker.exe
Source: C:\containercrt\Hyperblock.exe File created: C:\Users\All Users\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\updates\308046B0AF4A39CB\RuntimeBroker.exe
Source: C:\Users\Default\Links\dcvkQEwWwyGFQ.exe Mutant created: NULL
Source: C:\containercrt\Hyperblock.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\f3e2ac47aa58655b3bc0650436f59ea3198d2061
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6840:120:WilError_03
Source: C:\Users\user\Desktop\7FErKDnzhp.exe Command line argument: sfxname 0_2_002BD5D4
Source: C:\Users\user\Desktop\7FErKDnzhp.exe Command line argument: sfxstime 0_2_002BD5D4
Source: C:\Users\user\Desktop\7FErKDnzhp.exe Command line argument: STARTDLG 0_2_002BD5D4
Source: C:\Users\user\Desktop\7FErKDnzhp.exe Command line argument: xj/ 0_2_002BD5D4
Source: 7FErKDnzhp.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: 7FErKDnzhp.exe Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 50.01%
Source: C:\containercrt\Hyperblock.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\7FErKDnzhp.exe File read: C:\Windows\win.ini
Source: C:\Users\user\Desktop\7FErKDnzhp.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\7FErKDnzhp.exe File read: C:\Users\user\Desktop\7FErKDnzhp.exe
Source: unknown Process created: C:\Users\user\Desktop\7FErKDnzhp.exe "C:\Users\user\Desktop\7FErKDnzhp.exe"
Source: C:\Users\user\Desktop\7FErKDnzhp.exe Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\containercrt\focLwcgbbqM4pqsNJntFjNFiUvJ.vbe"
Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\containercrt\jVeL3.bat" "
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\containercrt\Hyperblock.exe "C:\containercrt\Hyperblock.exe"
Source: C:\containercrt\Hyperblock.exe Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 10 /tr "'C:\Users\All Users\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\updates\308046B0AF4A39CB\RuntimeBroker.exe'" /f
Source: C:\containercrt\Hyperblock.exe Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Users\All Users\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\updates\308046B0AF4A39CB\RuntimeBroker.exe'" /rl HIGHEST /f
Source: C:\containercrt\Hyperblock.exe Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 6 /tr "'C:\Users\All Users\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\updates\308046B0AF4A39CB\RuntimeBroker.exe'" /rl HIGHEST /f
Source: C:\containercrt\Hyperblock.exe Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "dcvkQEwWwyGFQd" /sc MINUTE /mo 8 /tr "'C:\containercrt\dcvkQEwWwyGFQ.exe'" /f
Source: C:\containercrt\Hyperblock.exe Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "dcvkQEwWwyGFQ" /sc ONLOGON /tr "'C:\containercrt\dcvkQEwWwyGFQ.exe'" /rl HIGHEST /f
Source: C:\containercrt\Hyperblock.exe Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "dcvkQEwWwyGFQd" /sc MINUTE /mo 14 /tr "'C:\containercrt\dcvkQEwWwyGFQ.exe'" /rl HIGHEST /f
Source: C:\containercrt\Hyperblock.exe Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "MoUsoCoreWorkerM" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Multimedia Platform\MoUsoCoreWorker.exe'" /f
Source: C:\containercrt\Hyperblock.exe Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "MoUsoCoreWorker" /sc ONLOGON /tr "'C:\Program Files\Windows Multimedia Platform\MoUsoCoreWorker.exe'" /rl HIGHEST /f
Source: C:\containercrt\Hyperblock.exe Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "MoUsoCoreWorkerM" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Multimedia Platform\MoUsoCoreWorker.exe'" /rl HIGHEST /f
Source: C:\containercrt\Hyperblock.exe Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "dcvkQEwWwyGFQd" /sc MINUTE /mo 12 /tr "'C:\Recovery\dcvkQEwWwyGFQ.exe'" /f
Source: C:\containercrt\Hyperblock.exe Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "dcvkQEwWwyGFQ" /sc ONLOGON /tr "'C:\Recovery\dcvkQEwWwyGFQ.exe'" /rl HIGHEST /f
Source: C:\containercrt\Hyperblock.exe Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "dcvkQEwWwyGFQd" /sc MINUTE /mo 9 /tr "'C:\Recovery\dcvkQEwWwyGFQ.exe'" /rl HIGHEST /f
Source: C:\containercrt\Hyperblock.exe Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "dcvkQEwWwyGFQd" /sc MINUTE /mo 8 /tr "'C:\Users\Default User\Links\dcvkQEwWwyGFQ.exe'" /f
Source: C:\containercrt\Hyperblock.exe Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "dcvkQEwWwyGFQ" /sc ONLOGON /tr "'C:\Users\Default User\Links\dcvkQEwWwyGFQ.exe'" /rl HIGHEST /f
Source: C:\containercrt\Hyperblock.exe Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "dcvkQEwWwyGFQd" /sc MINUTE /mo 13 /tr "'C:\Users\Default User\Links\dcvkQEwWwyGFQ.exe'" /rl HIGHEST /f
Source: C:\containercrt\Hyperblock.exe Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 12 /tr "'C:\Recovery\dwm.exe'" /f
Source: C:\containercrt\Hyperblock.exe Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Recovery\dwm.exe'" /rl HIGHEST /f
Source: C:\containercrt\Hyperblock.exe Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 14 /tr "'C:\Recovery\dwm.exe'" /rl HIGHEST /f
Source: unknown Process created: C:\Users\Default\Links\dcvkQEwWwyGFQ.exe "C:\Users\Default User\Links\dcvkQEwWwyGFQ.exe"
Source: C:\containercrt\Hyperblock.exe Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 14 /tr "'C:\Users\Default User\Favorites\OfficeClickToRun.exe'" /f
Source: C:\containercrt\Hyperblock.exe Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Users\Default User\Favorites\OfficeClickToRun.exe'" /rl HIGHEST /f
Source: C:\containercrt\Hyperblock.exe Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 10 /tr "'C:\Users\Default User\Favorites\OfficeClickToRun.exe'" /rl HIGHEST /f
Source: C:\containercrt\Hyperblock.exe Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "dcvkQEwWwyGFQd" /sc MINUTE /mo 5 /tr "'C:\Recovery\dcvkQEwWwyGFQ.exe'" /f
Source: C:\containercrt\Hyperblock.exe Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "dcvkQEwWwyGFQd" /sc MINUTE /mo 14 /tr "'C:\Recovery\dcvkQEwWwyGFQ.exe'" /rl HIGHEST /f
Source: C:\containercrt\Hyperblock.exe Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "dcvkQEwWwyGFQd" /sc MINUTE /mo 9 /tr "'C:\containercrt\dcvkQEwWwyGFQ.exe'" /f
Source: C:\containercrt\Hyperblock.exe Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "dcvkQEwWwyGFQd" /sc MINUTE /mo 5 /tr "'C:\containercrt\dcvkQEwWwyGFQ.exe'" /rl HIGHEST /f
Source: C:\containercrt\Hyperblock.exe Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\containercrt\csrss.exe'" /f
Source: C:\containercrt\Hyperblock.exe Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\containercrt\csrss.exe'" /rl HIGHEST /f
Source: C:\Users\user\Desktop\7FErKDnzhp.exe Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\containercrt\focLwcgbbqM4pqsNJntFjNFiUvJ.vbe"
Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\containercrt\jVeL3.bat" "
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\containercrt\Hyperblock.exe "C:\containercrt\Hyperblock.exe"
Source: C:\containercrt\Hyperblock.exe Process created: unknown unknown
Source: C:\Users\user\Desktop\7FErKDnzhp.exe Section loaded: api-ms-win-core-synch-l1-2-0.dll
Source: C:\Users\user\Desktop\7FErKDnzhp.exe Section loaded: api-ms-win-core-fibers-l1-1-1.dll
Source: C:\Users\user\Desktop\7FErKDnzhp.exe Section loaded: api-ms-win-core-localization-l1-2-1.dll
Source: C:\Users\user\Desktop\7FErKDnzhp.exe Section loaded: version.dll
Source: C:\Users\user\Desktop\7FErKDnzhp.exe Section loaded: dxgidebug.dll
Source: C:\Users\user\Desktop\7FErKDnzhp.exe Section loaded: sfc_os.dll
Source: C:\Users\user\Desktop\7FErKDnzhp.exe Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\7FErKDnzhp.exe Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\7FErKDnzhp.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\7FErKDnzhp.exe Section loaded: dwmapi.dll
Source: C:\Users\user\Desktop\7FErKDnzhp.exe Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\7FErKDnzhp.exe Section loaded: riched20.dll
Source: C:\Users\user\Desktop\7FErKDnzhp.exe Section loaded: usp10.dll
Source: C:\Users\user\Desktop\7FErKDnzhp.exe Section loaded: msls31.dll
Source: C:\Users\user\Desktop\7FErKDnzhp.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\7FErKDnzhp.exe Section loaded: windowscodecs.dll
Source: C:\Users\user\Desktop\7FErKDnzhp.exe Section loaded: textshaping.dll
Source: C:\Users\user\Desktop\7FErKDnzhp.exe Section loaded: textinputframework.dll
Source: C:\Users\user\Desktop\7FErKDnzhp.exe Section loaded: coreuicomponents.dll
Source: C:\Users\user\Desktop\7FErKDnzhp.exe Section loaded: coremessaging.dll
Source: C:\Users\user\Desktop\7FErKDnzhp.exe Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\7FErKDnzhp.exe Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\7FErKDnzhp.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\7FErKDnzhp.exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\7FErKDnzhp.exe Section loaded: propsys.dll
Source: C:\Users\user\Desktop\7FErKDnzhp.exe Section loaded: profapi.dll
Source: C:\Users\user\Desktop\7FErKDnzhp.exe Section loaded: edputil.dll
Source: C:\Users\user\Desktop\7FErKDnzhp.exe Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\7FErKDnzhp.exe Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\7FErKDnzhp.exe Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\7FErKDnzhp.exe Section loaded: netutils.dll
Source: C:\Users\user\Desktop\7FErKDnzhp.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\Desktop\7FErKDnzhp.exe Section loaded: policymanager.dll
Source: C:\Users\user\Desktop\7FErKDnzhp.exe Section loaded: msvcp110_win.dll
Source: C:\Users\user\Desktop\7FErKDnzhp.exe Section loaded: appresolver.dll
Source: C:\Users\user\Desktop\7FErKDnzhp.exe Section loaded: bcp47langs.dll
Source: C:\Users\user\Desktop\7FErKDnzhp.exe Section loaded: slc.dll
Source: C:\Users\user\Desktop\7FErKDnzhp.exe Section loaded: userenv.dll
Source: C:\Users\user\Desktop\7FErKDnzhp.exe Section loaded: sppc.dll
Source: C:\Users\user\Desktop\7FErKDnzhp.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\Desktop\7FErKDnzhp.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\Desktop\7FErKDnzhp.exe Section loaded: pcacli.dll
Source: C:\Users\user\Desktop\7FErKDnzhp.exe Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: sxs.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: vbscript.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: msisip.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: wshext.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: scrobj.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: scrrun.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: apphelp.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: dlnashext.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: wpdshext.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: edputil.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: wintypes.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: appresolver.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: bcp47langs.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: slc.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: sppc.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: cmdext.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: apphelp.dll
Source: C:\containercrt\Hyperblock.exe Section loaded: mscoree.dll
Source: C:\containercrt\Hyperblock.exe Section loaded: apphelp.dll
Source: C:\containercrt\Hyperblock.exe Section loaded: kernel.appcore.dll
Source: C:\containercrt\Hyperblock.exe Section loaded: version.dll
Source: C:\containercrt\Hyperblock.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\containercrt\Hyperblock.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\containercrt\Hyperblock.exe Section loaded: uxtheme.dll
Source: C:\containercrt\Hyperblock.exe Section loaded: windows.storage.dll
Source: C:\containercrt\Hyperblock.exe Section loaded: wldp.dll
Source: C:\containercrt\Hyperblock.exe Section loaded: profapi.dll
Source: C:\containercrt\Hyperblock.exe Section loaded: cryptsp.dll
Source: C:\containercrt\Hyperblock.exe Section loaded: rsaenh.dll
Source: C:\containercrt\Hyperblock.exe Section loaded: cryptbase.dll
Source: C:\containercrt\Hyperblock.exe Section loaded: sspicli.dll
Source: C:\containercrt\Hyperblock.exe Section loaded: ntmarta.dll
Source: C:\containercrt\Hyperblock.exe Section loaded: wbemcomn.dll
Source: C:\containercrt\Hyperblock.exe Section loaded: amsi.dll
Source: C:\containercrt\Hyperblock.exe Section loaded: userenv.dll
Source: C:\containercrt\Hyperblock.exe Section loaded: propsys.dll
Source: C:\containercrt\Hyperblock.exe Section loaded: edputil.dll
Source: C:\containercrt\Hyperblock.exe Section loaded: urlmon.dll
Source: C:\containercrt\Hyperblock.exe Section loaded: iertutil.dll
Source: C:\containercrt\Hyperblock.exe Section loaded: srvcli.dll
Source: C:\containercrt\Hyperblock.exe Section loaded: netutils.dll
Source: C:\containercrt\Hyperblock.exe Section loaded: windows.staterepositoryps.dll
Source: C:\containercrt\Hyperblock.exe Section loaded: wintypes.dll
Source: C:\containercrt\Hyperblock.exe Section loaded: appresolver.dll
Source: C:\containercrt\Hyperblock.exe Section loaded: bcp47langs.dll
Source: C:\containercrt\Hyperblock.exe Section loaded: slc.dll
Source: C:\containercrt\Hyperblock.exe Section loaded: sppc.dll
Source: C:\containercrt\Hyperblock.exe Section loaded: onecorecommonproxystub.dll
Source: C:\containercrt\Hyperblock.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: taskschd.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: xmllite.dll
Source: C:\Users\Default\Links\dcvkQEwWwyGFQ.exe Section loaded: mscoree.dll
Source: C:\Users\Default\Links\dcvkQEwWwyGFQ.exe Section loaded: apphelp.dll
Source: C:\Users\Default\Links\dcvkQEwWwyGFQ.exe Section loaded: kernel.appcore.dll
Source: C:\Users\Default\Links\dcvkQEwWwyGFQ.exe Section loaded: version.dll
Source: C:\Users\Default\Links\dcvkQEwWwyGFQ.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\Default\Links\dcvkQEwWwyGFQ.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\Default\Links\dcvkQEwWwyGFQ.exe Section loaded: uxtheme.dll
Source: C:\Users\Default\Links\dcvkQEwWwyGFQ.exe Section loaded: windows.storage.dll
Source: C:\Users\Default\Links\dcvkQEwWwyGFQ.exe Section loaded: wldp.dll
Source: C:\Users\Default\Links\dcvkQEwWwyGFQ.exe Section loaded: profapi.dll
Source: C:\Users\Default\Links\dcvkQEwWwyGFQ.exe Section loaded: cryptsp.dll
Source: C:\Users\Default\Links\dcvkQEwWwyGFQ.exe Section loaded: rsaenh.dll
Source: C:\Users\Default\Links\dcvkQEwWwyGFQ.exe Section loaded: cryptbase.dll
Source: C:\Users\Default\Links\dcvkQEwWwyGFQ.exe Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\7FErKDnzhp.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00BB2765-6A77-11D0-A535-00C04FD7D062}\InProcServer32
Source: C:\containercrt\Hyperblock.exe Directory created: C:\Program Files\Windows Multimedia Platform\MoUsoCoreWorker.exe
Source: C:\containercrt\Hyperblock.exe Directory created: C:\Program Files\Windows Multimedia Platform\1f93f77a7f4778
Source: 7FErKDnzhp.exe Static file information: File size 1165923 > 1048576
Source: 7FErKDnzhp.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: 7FErKDnzhp.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: 7FErKDnzhp.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: 7FErKDnzhp.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: 7FErKDnzhp.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: 7FErKDnzhp.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: 7FErKDnzhp.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
Source: Binary string: D:\Projects\WinRAR\sfx\build\sfxrar32\Release\sfxrar.pdb source: 7FErKDnzhp.exe
Source: 7FErKDnzhp.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: 7FErKDnzhp.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: 7FErKDnzhp.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: 7FErKDnzhp.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: 7FErKDnzhp.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Data Obfuscation

Source: 0.3.7FErKDnzhp.exe.4ef4523.0.raw.unpack, YeWvP1kxtYA1bcMuo5E.cs .Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
Source: 0.3.7FErKDnzhp.exe.4ffe523.1.raw.unpack, YeWvP1kxtYA1bcMuo5E.cs .Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
Source: 0.3.7FErKDnzhp.exe.4ef4523.0.raw.unpack, ibywOO5pCgSTCqvvdSx.cs .Net Code: faFAoA2vBZ System.AppDomain.Load(byte[])
Source: 0.3.7FErKDnzhp.exe.4ef4523.0.raw.unpack, ibywOO5pCgSTCqvvdSx.cs .Net Code: faFAoA2vBZ System.Reflection.Assembly.Load(byte[])
Source: 0.3.7FErKDnzhp.exe.4ef4523.0.raw.unpack, ibywOO5pCgSTCqvvdSx.cs .Net Code: faFAoA2vBZ
Source: 0.3.7FErKDnzhp.exe.4ffe523.1.raw.unpack, ibywOO5pCgSTCqvvdSx.cs .Net Code: faFAoA2vBZ System.AppDomain.Load(byte[])
Source: 0.3.7FErKDnzhp.exe.4ffe523.1.raw.unpack, ibywOO5pCgSTCqvvdSx.cs .Net Code: faFAoA2vBZ System.Reflection.Assembly.Load(byte[])
Source: 0.3.7FErKDnzhp.exe.4ffe523.1.raw.unpack, ibywOO5pCgSTCqvvdSx.cs .Net Code: faFAoA2vBZ
Source: C:\Users\user\Desktop\7FErKDnzhp.exe File created: C:\containercrt\__tmp_rar_sfx_access_check_3772421
Source: 7FErKDnzhp.exe Static PE information: section name: .didat
Source: C:\Users\user\Desktop\7FErKDnzhp.exe Code function: 0_2_002BE28C push eax; ret 0_2_002BE2AA
Source: C:\Users\user\Desktop\7FErKDnzhp.exe Code function: 0_2_002BCAC7 push eax; retf 002Bh 0_2_002BCACE
Source: C:\Users\user\Desktop\7FErKDnzhp.exe Code function: 0_2_002BED46 push ecx; ret 0_2_002BED59
Source: 0.3.7FErKDnzhp.exe.4ef4523.0.raw.unpack High entropy of concatenated method names
Source: 0.3.7FErKDnzhp.exe.4ef4523.0.raw.unpack, C6wZXIaYmLxgFOkdkEv.cs High entropy of concatenated method names: '_45b', 'ne2', '_115', '_3vY', 'KUyxlNelit', '_3il', 'caoxqQboi4', 'WxZx5QFQH3', '_78N', 'z3K'
Source: 0.3.7FErKDnzhp.exe.4ef4523.0.raw.unpack, fmO220qNo1WicDQtBFq.cs High entropy of concatenated method names: 'o6X56IrJk8', 'VEn5uLtV1vGreRT99dk', 'FXD7Y7trT8qNwaUcgaP', 'LKpmEHtnmtTevGiCmIN', 'bZo4pZtPX9lbjsGCXxR', 'sVvRS9t4agJU6qj1wJb', '_5q7', 'YZ8', '_6kf', 'G9C'
Source: 0.3.7FErKDnzhp.exe.4ef4523.0.raw.unpack, ibywOO5pCgSTCqvvdSx.cs High entropy of concatenated method names: 's3AA3Y2MET', 'LrnAnoA5j0', 'kWgA1AXU7k', 'DhxASM1xky', 'aiKAcomYhM', 'lu1Ag1viNG', 'dQ2ArlhaD0', 'zFk5cJpwlBhXKKarSOl', 'pGitAnp6GcA8ikCjx9Y', 'XK2mf1pk1AvDkqwD9G4'
Source: 0.3.7FErKDnzhp.exe.4ef4523.0.raw.unpack, aZ78nfqOgHmAcdJ60Cl.cs High entropy of concatenated method names: 'p23', 'YZ8', 'Gog', 'G9C', 'ADZMsg4Za6GxaquO3qn', 'AKGFOi42SBCtKYTWM7t', 'ySBd9I4ubkNH1dew81M', 'Qp78l54XOgHQk20A6AI', 'bdTNo94Jb7CjWpVKET6', 'jwWIxj4Lfqw9Ly3Z143'
Source: 0.3.7FErKDnzhp.exe.4ef4523.0.raw.unpack, reNWGa5oWkveOlIBw6L.cs High entropy of concatenated method names: 'ApOANwtHvx', 'cOaMYvbIiYkMI4AZO7u', 'EmHDGBbn73f1UwsXutJ', 'zQouYcby33WHt04JeXh', 't7hBPcbd1lQSytmR2di', 'FJmGPdbPZwX4hfdwUjc', 'l4M8ajbVpP77F2p6Qcq', 'cqj7aAbr4yfLjq2Vaj8', 'a04vYYb4qj2u5sFU4yk', 'KLnYmXbFOWcwOCbmPhw'
Source: 0.3.7FErKDnzhp.exe.4ef4523.0.raw.unpack, WsMiJraiqu20X80HViI.cs High entropy of concatenated method names: 'RIw9nXp5tV', 'n2091rdh9N', 'OZ89SU73Vx', 'bnN9cYqW7O', 'SR99gFKSpx', 'sDDIo97arkJDgMEXDU8', 'JFZWD475CMJHwI3GfZm', 'fZc5Cg7YZajvtNxPyn7', 'fEg1ug7hr7sP8W0vwaM', 'n11xxu7TQEPDh3tqDto'
Source: 0.3.7FErKDnzhp.exe.4ef4523.0.raw.unpack, tU8kI2qhkEZnru0QhvV.cs High entropy of concatenated method names: '_625', 'YZ8', '_9pX', 'G9C', 'OgSaShEiSQjISbgP7HJ', 'PV0qSuElJEnPEltuLJf', 'umTBP1E6AolvLli9Dtp', 'qpxw43Ek9ilQDCKO7sf', 'VviscJEwxqEhyQvU36Q', 'Qf2HG9EgVZNNsh7m3fx'
Source: 0.3.7FErKDnzhp.exe.4ef4523.0.raw.unpack, D0BsuTq2ZtfpZcyuUAJ.cs High entropy of concatenated method names: 'Ai7', 'YZ8', '_56U', 'G9C', 'CQMw1w4cZL7xEQfnl0k', 'pxAHMY4zjdg3JPQTdQv', 'koM2MPFseJNeZX07MkO', 'SqtCBDFymg6lFRLWIcp', 'wnBMdxFdRMiZY9EtwrI', 'RyPUleFI7FkQeE85igQ'
Source: 0.3.7FErKDnzhp.exe.4ef4523.0.raw.unpack, XW1OEJd1DPxdMyw9n9.cs High entropy of concatenated method names: 'Fs2YmHSbf', 'XNmOdZUBI', 'yXYudlHO8', 'sKO2FQZFG', 'QEuIKTNl1', 'DsPRsjZVg', 'GCnmxdZxU', 'BKubOMy4wnWM9UHfBg8', 'S3Sc6ayF6yowf3yVrFg', 'yHQ64XyRjgOG7NMkk6m'
Source: 0.3.7FErKDnzhp.exe.4ef4523.0.raw.unpack, oj5GGxgArlEDggQT90.cs High entropy of concatenated method names: '_59M', 'YZ8', '_1zA', 'G9C', 'kmiO9DI5wqG2jeGy5dn', 'n9qbeoITwD7bq0cSBaL', 'UrjDgDI9pwDhIiEZY44', 'pI5cgdI00TsulhkTF8i', 'WEboxDIBU3gLc7M5q1K', 'BpMIRtIO3WyoHhUISAF'
Source: 0.3.7FErKDnzhp.exe.4ef4523.0.raw.unpack, PVXmxSasIb62aO5uKEO.cs High entropy of concatenated method names: 'IxioUJOQOC', 'ULIo1I1N2I', 'JDEoSTGE1S', 'j5WocKfGSa', 'LfvogGBQEY', 'AiCorkibWk', 'c16oHCIwCG', 'VfvoKupDdE', 'tPko7T6OZE', 'WXEofJremy'
Source: 0.3.7FErKDnzhp.exe.4ef4523.0.raw.unpack, D41wTOajhpfGEGj2EpR.cs High entropy of concatenated method names: '_7zt', 'M2P96uAKCB', 'jlj9DHIj6w', 'OOb9i3FVdL', 'KSk9TP8hGI', 'bh89dfQCl9', 'hui9FgBuis', 'hRdTfw76TYwEoio7oxd', 'WfCCSf7kshBrAGdt2fy', 'tCCwR47i41KoWSTo3FV'
Source: 0.3.7FErKDnzhp.exe.4ef4523.0.raw.unpack, MIBgZtW4IjygD68hG9L.cs High entropy of concatenated method names: '_14Y', 'b41', 'D7Y', 'xMq', 'i39', '_77u', '_4PG', '_5u8', 'h12', '_2KT'
Source: 0.3.7FErKDnzhp.exe.4ef4523.0.raw.unpack, KITEXiABkR2Ko0LjRCB.cs High entropy of concatenated method names: 'xogCnpCLjd', 'Tf2C1a8m12', 'xO1CSJO2am', 'VU4UgKibuwQAC8x5WRE', 'zGdDExiAqT088FD16R4', 'euNMYyipULNh9oKY9tu', 'YsfpUTi87Uhm3aYiXpj', 'KlZC0gkt7Z', 'FfcC8YE2pO', 'oqdCwFAU7d'
Source: 0.3.7FErKDnzhp.exe.4ef4523.0.raw.unpack, pqxxEgAo31CLdf4pIph.cs High entropy of concatenated method names: 'uHOCfVixLu', 'ykoCbxsLOW', 'PuRCLYYwps', 'YVOCevHbei', 'EYEoMcih5IVU0V7U4ZB', 'gg0CEWiaEliN1TSwqyp', 'swBQcYi5JmFWdavYMCN', 'p5kq5vioIRVK32MG9Bf', 'bhRJJkiYLVVlo4yoG3w', 'jUrhu7iTpTWIuTA9tpD'
Source: 0.3.7FErKDnzhp.exe.4ef4523.0.raw.unpack, aHNIG5q6iLjOvdpIXQL.cs High entropy of concatenated method names: 'K0ZqmaT9H4', 'O7Cq6h4Sk71O6VACB9a', 'OHsa674vOiBrlXVUbO4', 'lZSZw34NLfZAymNgV7n', 'DW9bxC4feUgfKOFRroY', 'bwKN5m41PvbIWZKD7QV', 'IQsVT24GAGyL0WpjtdY', 'igyJeH4ilZp42ix9b03', 'Gh9PMV4lS0eFrn9DNQ3', 'f28'
Source: 0.3.7FErKDnzhp.exe.4ef4523.0.raw.unpack, ifJI8cAqsSutjttMPPs.cs High entropy of concatenated method names: 'TtckmboSYY', 'emHkvIXXbO', 'eSQkJoaymb', 'maZk3R415h', 'I3SAMuvzs7rnlKIdgRV', 'Sem9w8vjlI9mFa2OwsR', 'KGhUJwvchkVXhaK5gQ4', 'LYWtjx1s24XCtWuMwQF', 'pjH06v1ylF1cNP1kRXo', 'T6gg7N1dq0mEUsYT31D'
Source: 0.3.7FErKDnzhp.exe.4ef4523.0.raw.unpack, qwPxb055ND5jNXjkX4Y.cs High entropy of concatenated method names: 'e4R5ZaCJLo', 'I0l5hHNIG5', 'tLj5MOvdpI', 'YQL5tdwjYb', 'C6E5409XlE', 'P0o5sJQajs', 'AySN2GASyhM4UiRcLV4', 'w1Fj9sAvSJlSpmKLQj3', 'dmD1LDANDGE1L3ujcvi', 'SwtoO8Afo4UijCchiuH'
Source: 0.3.7FErKDnzhp.exe.4ef4523.0.raw.unpack, a107se5lVlIk0DHTdHW.cs High entropy of concatenated method names: 'Ipj5OB8qOe', 'P5w5uDQa8N', 'oSY52cZ2Cg', 'KWcp5GtYPokKLhBSYhV', 't4dGMJthuTuyoN3Vady', 'WDmlyGtan1pDYmAfpOP', 'S0JYHyt5EjElX6DjBwu', 'Ewga7LtTin6yjskHXYs', 'XrpnWWt9T5yMsMVJVqk', 'QQyfQqtMTIua5vAaG5l'
Source: 0.3.7FErKDnzhp.exe.4ef4523.0.raw.unpack, gRDhyuAbGT2ZO3lRWCP.cs High entropy of concatenated method names: '_5u9', 'NtPYgjXhs9', 'TgqBlTTn64', 'xVkYW3ebrn', 'Oco1X46Wl4pET5MqWZe', 'gZPdMb6jUotVYsDavLq', 'x9OM8W6cpefgRhN7swN', 'Ci5HKW6QMsrJbneLSHi', 'JG9kDi6qkQacrSDWsTs', 'OqsJeM6z9DMRGUsexHa'
Source: 0.3.7FErKDnzhp.exe.4ef4523.0.raw.unpack, MjjXoe5HiKbiYOg6aXD.cs High entropy of concatenated method names: 'x8GGCXO0CD', 'QooGpvXYZM', 'AA7VN5SQH4KiLTmlXDT', 'ErvuUhSqDOYN0uAynnL', 'gJiF1rSLsExG5xF2UsZ', 'cLnCyhSm54cy5xSrZ0k', 'gdYGwXqVY0', 'Dnkg7mvsOH5OCAv72mW', 'u66miVvyGvhybaifRTx', 'k9WtWPScUd5c3PaSZvf'
Source: 0.3.7FErKDnzhp.exe.4ef4523.0.raw.unpack, vqHVJNqsEwZ7GAyanOf.cs High entropy of concatenated method names: '_589', 'YZ8', '_491', 'G9C', 'gRB3y4EutoEMsyLsG40', 'uporgXEXhXiZvWRvlaG', 'povbLwEJPKfgkREjwIJ', 'vSoPZFELADDOUtLoUE9', 'pxwqu0EmPcJq573a6EO', 'FEdNOyEQoVsmDlqhpgK'
Source: 0.3.7FErKDnzhp.exe.4ef4523.0.raw.unpack, XutXCWqpV5NdtHPsl4Y.cs High entropy of concatenated method names: '_3fO', 'YZ8', '_48A', 'G9C', 'On0YKurraFsu6nqPvdQ', 'KusrLOr4EZ7wfrku2VG', 'XYFpCSrFGrsl1kBPTHt', 'naJL2ZrRmbEIR79emYd', 'rUl7kOrEPQL2s2iw1NX', 'Aosd6CrtKpDyY1iV4dK'
Source: 0.3.7FErKDnzhp.exe.4ef4523.0.raw.unpack, TadjyEWpSmwAxm97eoo.cs High entropy of concatenated method names: 'hn6YDm1hdU', 'Pl3YiCprUU', 'N9NymL5miHIkwvLLrQD', 'gQN5895QvN2GcVk0Wxd', 'UYV8ct5qbnvl5E8H3Sb', 'tbVCoa5WmBetV27wyZn', 'q2BWBm5jAJjlKRZ4vba', 'QbWFun5c9ybPxG9kYV1', 'kSHLo75zceivEDyLRI2', 'I0saDBTs9qWalClhJKB'
Source: 0.3.7FErKDnzhp.exe.4ef4523.0.raw.unpack, QwqtkOawxBV8NXHxWBS.cs High entropy of concatenated method names: 'NhB9a4RMS3', 'ElK9W2vFHe', 'JmS9GYn5EK', 'bfd6KQ7fkyRrHk4GkPB', 'h1Wv5I7SN9cx4tDoPRC', 'Yf8TWN78OZXtIP268Hn', 'qQUDWs7Nf0TuvE7Hw1A', 'WMvoTB7vkNFu7LpTDqE', 'dPLB7D71il8dx1KUPPv', 'uwCxl17GvnU7KB5sPnW'
Source: 0.3.7FErKDnzhp.exe.4ef4523.0.raw.unpack, oAKOWB5defEN0Wd0e8s.cs High entropy of concatenated method names: 'ndEaifaRmx', 'QxyaTQLyKO', 'qShadGdxlu', 'QSnaFaZeU0', 'Lh7aYlhiwW', 'EjuqKqNsuIXorwQhdY3', 'JWuS05Ny1uIGWWaLhKV', 'Pw69Ja8cdCdTNlL5vO4', 'ELtsne8zeT8wwv3b5be', 'C6NyfLNd1R3EMKYtoD9'
Source: 0.3.7FErKDnzhp.exe.4ef4523.0.raw.unpack, bYairf5g2sVOYxsaYXI.cs High entropy of concatenated method names: '_0023Nn', 'Dispose', 'gLkW1m6tex', 'YqXWShqYai', 'Jf2WcsVOYx', 'UaYWgXI2sf', 'oRFWr3Hhg0', 'Hlg4dlSF5Rys7tcnHlE', 'JmdjDGSRiV2TiWrxpMl', 'CnydPsSr9K2YMZU2i1C'
Source: 0.3.7FErKDnzhp.exe.4ef4523.0.raw.unpack, Xt4xiHG2JNraAXfTESg.cs High entropy of concatenated method names: 'D4M', '_4DP', 'HU2', '_4Ke', '_5C9', '_7b1', 'lV5', 'H7p', 'V5L', '_736'
Source: 0.3.7FErKDnzhp.exe.4ef4523.0.raw.unpack, tQTsFGqXkrNruBDBw3q.cs High entropy of concatenated method names: 'CBD5ddRSUu', 'SXC5FWV5Nd', 'SHP5Ysl4YT', 'uWmNvftEw5uJDcmn0n1', 'aCXfEttFLoWakO43rCa', 'OkcC9DtRNgP3OT5eXm4', 'd4JDQgttqlmiL8EEpsb', 'dQq29ctAUUIKjDx1d0E', 's4tlpItpK6KM1dt1Iot', 'xb542UtbN9YjuB9c3gJ'
Source: 0.3.7FErKDnzhp.exe.4ef4523.0.raw.unpack, cgbNO6GcHd9JetLmSIX.cs High entropy of concatenated method names: 'kiIRgVWKQ6', 'RyaV5w3USZqbArMSTYD', 'DtRcWf3MncEBKDmwKFM', 'YLqfPb3D6sAPLncgjmk', 'xhdQsd3HY58iwUtSSgl', '_1fi', 'qMHIt8IyqX', '_676', 'IG9', 'mdP'
Source: 0.3.7FErKDnzhp.exe.4ef4523.0.raw.unpack, nAwB1jaM236D7LQrr6q.cs High entropy of concatenated method names: 'P29', '_3xW', 'bOP', 'Th1', '_36d', 'oo8o0OaSqh', 'fUCo8HgA0T', 'r8j', 'LS1', '_55S'
Source: 0.3.7FErKDnzhp.exe.4ef4523.0.raw.unpack, IMyxNWAejqSjhrlFEPd.cs High entropy of concatenated method names: 'oYo', '_1Z5', 'cOqYjg81OF', 'WDlBaPQACU', 'grvY2IBmU9', 'hEAl0qkp9YyYO5OWJDO', 'i6hUBHkbBpOVIrc3ySO', 'BFrV38k8s5UKo65GBOy', 'kperSlkNYUAEa0JcsUM', 'G1vQjjkf5uInvPdBV4k'
Source: 0.3.7FErKDnzhp.exe.4ef4523.0.raw.unpack, wZ5wWhAturD8eXwwyAV.cs High entropy of concatenated method names: '_3VT', 'O5t', '_1W5', 'YQwBPJAt3u', 'XtMYi2ZU6p', 'sNOBVI1heh', 'G2uYhv3Tsa', 'DxC5k8k9kSyJ3i4uGsV', 'wfv2HGk0bOqvUbw1CTR', 'nkDAuqk5S0w3hw5VXgY'
Source: 0.3.7FErKDnzhp.exe.4ef4523.0.raw.unpack, FOAcubG5wQWtAVpq3HA.cs High entropy of concatenated method names: 'T6NuCQqYhu', 'EQTup1tuCL', '_8r1', 'AhwuBcBuOn', 'qNcuPQ3Jnv', 'WYnuVR4L52', 'uihu90ufL4', 'ubnO0IBNVPYqMC7gwyH', 'umbBVtBf9aVgMKRlmO6', 'r1rdlvBSOQpq27l8mJx'
Source: 0.3.7FErKDnzhp.exe.4ef4523.0.raw.unpack, p0ZpTQqAEYwebhpVJo7.cs High entropy of concatenated method names: 'R1x', 'YZ8', '_8U7', 'G9C', 'xUJyAbVUVEDHCe9pPHM', 'MwAWQoVMBwBGrFNQLm8', 'VqFhkkVoZx8cVndSVmH', 'pA3qjhVYpkMJLLZFLyw', 'qrWmcRVhWWKHYuY3OZl', 'FaNaDfVaacmHgu2y6GF'
Source: 0.3.7FErKDnzhp.exe.4ef4523.0.raw.unpack, R9NLZ8GFU73VxqnNYqW.cs High entropy of concatenated method names: 'IGD', 'CV5', 'YRpuYc0fes', '_3k4', 'elq', 'hlH', 'yc1', 'Y17', '_2QC', 'En1'
Source: 0.3.7FErKDnzhp.exe.4ef4523.0.raw.unpack, o3WXNoqTZT2OGyRbMVw.cs High entropy of concatenated method names: 'gHL', 'YZ8', 'vF9', 'G9C', 'eKgIFQ4wEPKqc0I2ISh', 'nIyK1n4ghWnxiiy0YJi', 'bBTgJK47e8DMoSRgyT9', 'jt56f34CoN9b9q8T5aH', 'm6QLJZ4DZxZ97hWp2EC', 'Fg1XCh4H1wLGRmTb9do'
Source: 0.3.7FErKDnzhp.exe.4ef4523.0.raw.unpack, i6PGc5GbFMHFpcihXH3.cs High entropy of concatenated method names: 'PJ1', 'jo3', 'PyjmpmN5vA', 'DNCmBiXMLn', 'sSSmPwsVv3', 'EC9', '_74a', '_8pl', '_27D', '_524'
Source: 0.3.7FErKDnzhp.exe.4ef4523.0.raw.unpack, Y3IErsGTPKbiAdB9ksM.cs High entropy of concatenated method names: 'OoxuDWbwVX', 'N7Duidt15a', 'HlSuTUjwNk', 'rUGudgAs8i', 'KUNuFoar4m', 'LFSKasBWdgyfBqjhCu3', 'v7eNkSBjjvQ5oOk547L', 'D3CXguBc7J6WPdRtI0J', 'noc0AnBzTCZo1Y6E9A9', 'nZ6RHLOsUVPDJUeUQut'
Source: 0.3.7FErKDnzhp.exe.4ef4523.0.raw.unpack, ABDhNtzOsS6NGRN1a5.cs High entropy of concatenated method names: 'Y29', 'YZ8', 'jn6', 'G9C', 'RR0P0sVIsllh0Wn8cT3', 'TKKhqXVnmGQVXOIuLbp', 'fRAahrVPTc2aqjkL8y6', 'mEuX6sVVgJcgVyuRa4Y', 'sxPrWNVrLSkbZhaGHnn', 'OKIGeAV4TytaU78Lxob'
Source: 0.3.7FErKDnzhp.exe.4ef4523.0.raw.unpack, dIyA6Qa2I7QNBHiTU3X.cs High entropy of concatenated method names: 'JhjxnFZnHc', 'hHLx1ch5fu', 'TNhxSUoMXw', 'ca5xcIO5Oj', 'bhrxgmhnFO', 'p4OtmJC1V3hhBTpnMYT', 'rpxdxGCSXMJniDugHMp', 'V0yF5sCvYkxi1jQD5Zr', 'CfP786CGD63tU5HWJqa', 'ER6ttiCinmrIYQE1g8t'
Source: 0.3.7FErKDnzhp.exe.4ef4523.0.raw.unpack, c99XP8AzIWyZM4PAWIN.cs High entropy of concatenated method names: 'SolBIoan0l', 'IKyBR9OFrF', 'MeCBmPs0ap', 'xt4BUFwOK1RRWLZ83Fb', 'aUgcWJwxrlOBax9QI5y', 'Gy8iJPw0ktCZfrKjpHQ', 'HaQETjwBxhoCuZEs686', 'uAfAorw39bjoBAuRHrT', 'Tk6e7swKUYgxduufFOD', 'Qr6jvqweSip5GXj86yT'
Source: 0.3.7FErKDnzhp.exe.4ef4523.0.raw.unpack, jipr01A89syOccadqia.cs High entropy of concatenated method names: 'yqIChchxTn', 'doUCMEOmV4', 'XneCt2YLpe', 'HZRBWbiebcxhlUIspU1', 'zEcu84iZapl7oW6eigB', 'M2GS49i2TEVICHWrWiO', 'mrVrfPiui7tC5qn7xX2', 'FKd9aCiXv1AjDgBgCKV', 'RoW17qiJWSv7IwtUGEQ', 'jYv2WliL2r7cBh4gqd1'
Source: 0.3.7FErKDnzhp.exe.4ef4523.0.raw.unpack, TEd8L25wZ43SQv8HlrY.cs High entropy of concatenated method names: 'SW6AUWZKFV', 'KD5AXSFb31', 'lCqec0b1l12CmXa8vCC', 'V8TtkObGvEromD7SQtX', 'y6L1nUbijuoBOISHhNy', 'a1Jbunbly4W7TkrRMxo', 'huHcPQb68B0iJqKOPZU', 'uKroCtbksRlE6PohYGx', 'JXNq7NbwHDMlgWVm4S9', 'MbbEnebgh2lLm1vfntg'
Source: 0.3.7FErKDnzhp.exe.4ef4523.0.raw.unpack, Prw3QokPng87288o8Oa.cs High entropy of concatenated method names: 'LERgfkKKVcJPW', 'UgfyTbe8xi1tAhFeSlo', 'uGAJpJeN0bsPRWBa9NA', 'FGIXo9efmybRtd0O3HI', 'tVVjMEeSv5Y5tUbSHvu', 'y9LG0CevVmfIGkaKUDS', 'bUkXdnephfl73eKEOry', 'pLtYh5ebJmJinLoi54N', 'OHvWV9e1V93eYrmXWRo', 'GKXEojeGo9or8UHfZLS'
Source: 0.3.7FErKDnzhp.exe.4ef4523.0.raw.unpack, UTfpS9qED3XE9eeCZ73.cs High entropy of concatenated method names: 'yiQ', 'YZ8', '_5li', 'G9C', 'lRPrRD4sDa81OlIL23o', 'OZ9QQ04yEyP2Xlxkfsk', 'gNsJXt4dVFW7xjA614G', 'YZmsTN4I3GtyEJiQBg6', 'yufgkO4npPnfdZASKyX', 'oDjown4PRpbBbHJOtb6'
Source: 0.3.7FErKDnzhp.exe.4ef4523.0.raw.unpack, PyRUOGqgqRtqYnRyct6.cs High entropy of concatenated method names: 'njTqUWtF6R', 'rPS6seRTMD94wDGMNoW', 'Ol5bAiR9fENKaTkxiRD', 'WLl3CxRal1d2VnaF6Xm', 'G3RLaaR5qEiO3j7cctJ', 'Qg9hQ1R0AS6LRFvqZry', '_3Xh', 'YZ8', '_123', 'G9C'
Source: 0.3.7FErKDnzhp.exe.4ef4523.0.raw.unpack, KcW9XtAN50Z1X5d47LY.cs High entropy of concatenated method names: 'ehhZ5iwTlro6Y7N9Zp2', 'GDSrVkw9Jc5S9ZtSFwj', 'DGcWE8wahFFdVAnq988', 'ykbMXFw5y6TPUrkLaCF', 'IWF', 'j72', 'Jr6BwqooVg', 'BjWBEpiHLH', 'j4z', 'KUyBj34n28'
Source: 0.3.7FErKDnzhp.exe.4ef4523.0.raw.unpack, mtft3GeEi74YvfFs2W.cs High entropy of concatenated method names: 'P37', 'YZ8', 'b2I', 'G9C', 'rHvve8n3XvliQd11btq', 'RcLyuinKgr34SvOUxql', 'ejsB0BnekeByrrwILZC', 'QVRdUtnZM2vliaZyEll', 'MZ8P8tn2tGRNNSCNmVi', 'N4dOlbnuLhm064sNCSw'
Source: 0.3.7FErKDnzhp.exe.4ef4523.0.raw.unpack, KqM5P15jZxMCS8AYmnZ.cs High entropy of concatenated method names: 'SeHAzMdqHV', 'DNEalwZ7GA', 'XanaqOf4VK', 'g0Wa5juaT2', 'bkIaAmpqGm', 'y22aa0o1Wi', 'HDQaWtBFqC', 'V7taGPWhC6', 'OOvak0dPgN', 'DrLaCY0sZZ'
Source: 0.3.7FErKDnzhp.exe.4ef4523.0.raw.unpack, JJk8RKqkunxXMxMMXam.cs High entropy of concatenated method names: '_6H9', 'YZ8', '_66N', 'G9C', 'pByljgVQ0GK2YFoPv2d', 'M0mJZfVqwucNvZZlEpH', 'YWrhL9VWXicS8FPVGOy', 'jVVDWnVjYgkK8R4FuK7', 'AF46HHVc2jeRbE2gthT', 'ylG8T7VzRZ2b2E8aY7g'
Source: 0.3.7FErKDnzhp.exe.4ef4523.0.raw.unpack, HBkBTYq1gKdyssDPcsv.cs High entropy of concatenated method names: 'k5EqsGvunF', 'UiPchFRwPaxEJP59xOS', 'VCOvu5Rgp4r2P1osw8h', 'Diy2W2R6aoHT3wCMIcn', 'GWgbp9RkSRGWHon3Red', 'FU4JibR7fdFKExBHTrU', 'QLw', 'YZ8', 'cC5', 'G9C'
Source: 0.3.7FErKDnzhp.exe.4ef4523.0.raw.unpack, Yg2qhNsJTAeV5EGvun.cs High entropy of concatenated method names: 'pHw', 'YZ8', 'v2R', 'G9C', 'MZ3U4hPDackQYv71fiH', 'WNFAdQPHwoTKTNZ513j', 'Y2EEWdPUnU2ju2N7kW7', 'iVoREqPMOEcB5lNnajw', 'JkPcgYPoUx2x7BnNRYw', 'P8LaCJPYw0fFEpFZTm9'
Source: 0.3.7FErKDnzhp.exe.4ef4523.0.raw.unpack, Vay0bStpDkK5uo8k9O.cs High entropy of concatenated method names: '_8Ok', 'YZ8', 'InF', 'G9C', 'VaV8PMP8gFv7Xp9ySNw', 'f0nJr8PNnM84toDVU29', 'DTYZD0PfYwsfNIT4ToI', 'p4vkwyPSZ4f4CvlCIaU', 'KW9Xm0PvSpbUEM7ZoVO', 'u80odoP1SaFgaYAaksy'
Source: 0.3.7FErKDnzhp.exe.4ef4523.0.raw.unpack, KFKTevGRsWCfb14I8S8.cs High entropy of concatenated method names: 'IlB2p3BSQO', 'ft72BNacQt', 'Gfa2PjKPmH', '_3Gf', '_4XH', '_3mv', '_684', '_555', 'Z9E', 'op82VNyjUw'
Source: 0.3.7FErKDnzhp.exe.4ef4523.0.raw.unpack, q2PKpRWAFjBPlmVHTMi.cs High entropy of concatenated method names: 'jVC0pEY65frgd2FFB9w', 'P0toknYkA6Hhj32bpsV', 'mlGBAgYi18U4uu2doEd', 'p3fXd0YlPhc181k3mxi', 'kDQDYg7ZM3', 'w0LaUjY7Z0DAG5a1wb6', 'YwAjjUYCngoyL4lJU2O', 'vdTWeMYwF9RFyJCDgJk', 'nKYSsxYgBWbkrK8Q1KB', 'bprJ0sYDyl6ZRNGYScB'
Source: 0.3.7FErKDnzhp.exe.4ef4523.0.raw.unpack, sddQbAN84ojTWtF6Ru.cs High entropy of concatenated method names: '_88Z', 'YZ8', 'ffV', 'G9C', 'Gq9Ob9PKbS9qIaGARqo', 'H4Vrp6PeQpOQaHP2c8H', 'DjhFGSPZZbe636NJtda', 'dvq688P2aeIZdYtIlnl', 'kEBVc1PueFhvwtAhWpf', 'BpBt8SPX9fF6eoJTLra'
Source: 0.3.7FErKDnzhp.exe.4ef4523.0.raw.unpack, HofxhdqFyju47Cujp8J.cs High entropy of concatenated method names: 'kNf', 'YZ8', 'U31', 'G9C', 'YPqfNO4an5nNmuWwdgn', 'VpXolX45hy6HDsdQIcR', 'FtkmOs4TOyW0hFjWW3e', 'XoZ0sC490V7s7ov5D2h', 'b1Urgy40jYheH4YpGSq', 'KtoLtF4BpoI9bKqCC4p'
Source: 0.3.7FErKDnzhp.exe.4ef4523.0.raw.unpack, MIMpXZJbrQTrkkex3D.cs High entropy of concatenated method names: '_52Y', 'YZ8', 'Eg4', 'G9C', 'ND7HCJRap', 'y3l0q5d1HdPGekBBrKi', 'zf4S3kdGVS9xGgJfQud', 'BRf4hCdiqWGrws0F0pm', 'RrTInddlnfWDGiuJwZJ', 'IWnQyMd6MWaUwpo9N1I'
Source: 0.3.7FErKDnzhp.exe.4ef4523.0.raw.unpack, Yvb1lu5RsMQV1DtfgsP.cs High entropy of concatenated method names: 'xU7aUdh9el', 'Mr2aXhggVF', 'HuJazG7Iy5', 'roNWlDkLmU', 'MUAWqx5rVJ', 'fZ8W52R4ke', 'XN1WA9Vxbj', 'BhiWa0dEkQ', 'MgFWWS8AKO', 'xPeSwhNQAvAkS0YCYPD'
Source: 0.3.7FErKDnzhp.exe.4ef4523.0.raw.unpack, hRhiFdkOxkqmmhF56Ld.cs High entropy of concatenated method names: 'EPZJYmBR6L', 'pF4JOLfAXs', 'UtqJutBQ13', 'FpbJ2hyWt1', 'uA6JIVR0xW', 'GAbJRJpccJ', 'RyGJm62Koy', 'wWYJvDNdA1', 'nfuJJZOOO9', 'mxmJ3J98Hv'
Source: 0.3.7FErKDnzhp.exe.4ef4523.0.raw.unpack, EOJ9ZKGJPlirCaPVDfq.cs High entropy of concatenated method names: '_159', 'rI9', '_2Cj', 'z5I2OO0pF2', 'STZ2uv991L', 'h0x22OhMe5', 'jdd2IE9Erc', 'O3Q2R06ux3', 't5R2mPKTNX', 'yanj69xTdHMAevTepUC'
Source: 0.3.7FErKDnzhp.exe.4ef4523.0.raw.unpack, dxVuedA7JCPmZNGYT4Z.cs High entropy of concatenated method names: 'sg9', 'r4bYpak0VG', 'w0apURsFRM', 'oYsY59Ewpt', 'lHyxAQ62578mT933cfX', 'zVrNwa6uA3fwGSuGr9S', 'vGm5716XmZcImKZq8x5', 'V3pkRN6el2YY7KB8Rst', 'bvpZqY6ZB24CJWLAx2L', 'pB0ajq6JbryoG7WCMHl'
Source: 0.3.7FErKDnzhp.exe.4ef4523.0.raw.unpack, JkhFTLq8bTi9yeQjmBK.cs High entropy of concatenated method names: '_981', 'YZ8', 'd52', 'G9C', 'DiG7TyrL96pbJF6q1bu', 'O8J35nrmEMnedKy9wTS', 'SFOZZ7rQUNV9mQ60aQJ', 'AWMWkJrqiGLSbuJNgGa', 'xpOGCsrWGcS66BctaHX', 'SkrAD5rj9dUIwdRlw6K'
Source: 0.3.7FErKDnzhp.exe.4ef4523.0.raw.unpack, xFsFQIWXVLgVdQBwq8U.cs High entropy of concatenated method names: 'YQnOIR4guS', 'UrjORFv5dP', 'F8e', 'bLw', 'U96', '_71a', 'O52', 'OhGOmy5fED', '_5f9', 'A6Y'
Source: 0.3.7FErKDnzhp.exe.4ef4523.0.raw.unpack, temqqpkr7nN2vXng8a.cs High entropy of concatenated method names: 'Bqqxpr7nN', 'ml8ZeeYNwkXSkmHK28', 'ttXuu6M4hypsaheLe5', 'dyBOc4or0yQWTgI9f8', 'thfQ0qh8jhbnBepvsO', 'QXCTLoaQ5fxiawODyg', 'jVQ51SWiU', 'HlrAoatPA', 'vNbaHdvGw', 'dN8WM5HtO'
Source: 0.3.7FErKDnzhp.exe.4ef4523.0.raw.unpack, ywtHvxqt6UgqBV1XtW6.cs High entropy of concatenated method names: '_7v4', 'YZ8', '_888', 'G9C', 'aCsv2vEomjZVGf88nw9', 'gtK5l2EYmU9DLsGwTK4', 'MjZq4cEhbG5PS3VQYMh', 'HGBcS9Ea6ouh9Hf7cDK', 'RQEZgTE5WpVPjIwqflM', 'A8fiQbETq4Wk44ZqhES'
Source: 0.3.7FErKDnzhp.exe.4ef4523.0.raw.unpack, JrmayhSyadicqfmmYC.cs High entropy of concatenated method names: '_3OK', 'YZ8', '_321', 'G9C', 'yFR9KEdjaoF6r5A1P2i', 'Tw0jP8dcBuYJmI1xtd1', 'JMcaHydz4L85UXqTrdt', 'e4YbZ2IsiPHRWMrXV3X', 'J11sLcIy5mdDR0ZA69S', 'fdroEGId8rpOaiETyUJ'
Source: 0.3.7FErKDnzhp.exe.4ef4523.0.raw.unpack, VCdYXq5XVY0DV63UlMe.cs High entropy of concatenated method names: 'eHvkOOKYiX', 'dxMrD1vXDIfwZNCr9E1', 'Rl4IZPv2eJ0IHWCFpTf', 'yKJ08QvuFXT9H3o7nj7', 'P9uEqPvJJ1nBUZxekKm', 'aWXIsXvLPOTbKCGZ1je', 'AaYkjM4Vcd', 'JTWk6dlXYr', 'O2lkDx1usg', 'Po9ki1NjSD'
Source: 0.3.7FErKDnzhp.exe.4ef4523.0.raw.unpack, o4OkdjW28m5aNwLRmsm.cs High entropy of concatenated method names: 'c8lYrUeCAD', 'FfDYHJuYA8', 'AJaYKrDQTX', 'zUIY7aOup1', 'm55Yfkrehc', 'sqAo4VTDD05O7urAlIH', 'M2FGEfT7mGuADthwHLr', 'VSmPCcTCdl2Z1p2pLFh', 'aF0Jl5THNko4IPiIlvD', 'uacpOPTUk5myTCm1Kv7'
Source: 0.3.7FErKDnzhp.exe.4ef4523.0.raw.unpack, EOPNF5qeC3UvtCaWHZZ.cs High entropy of concatenated method names: 'rRm5PWnTR6', 'aRR5VgK4ap', 'nmrdM0EtHUw1lExYSPS', 'Y6O1oSERT2mlsEMJIcE', 'aiji1OEERDoxhg3R4Wu', 'OJ3S1vEA4nV6WAVb23q', 'UfxlS3EpK7qr5BESVJw', 'DQUGBcEb98njeG27hj6', 'Sa1y6DE89WhjvGDitqQ', 'Aa4EMIENGBiYG3H9aLi'
Source: 0.3.7FErKDnzhp.exe.4ef4523.0.raw.unpack, TWRRH07ZaT9H40nGmj.cs High entropy of concatenated method names: '_66K', 'YZ8', 'O46', 'G9C', 'V6TkuknE5ltLZ91rSRU', 'XLGnlOnte9SRyJE8WCP', 'ARPICXnAboWVxoOja4X', 'vIpd2rnpeBs9ejlBfrL', 'cV7gBAnbbrov0CdTOHn', 'vJh6Odn8BuPjTiWuKx9'
Source: 0.3.7FErKDnzhp.exe.4ef4523.0.raw.unpack, KuWaqmWQLySX7rErQeU.cs High entropy of concatenated method names: 'FLsOaLTyhQ', 'eQEOWsGg2H', 'OQCOGnCwnI', 'f5gOkCOsRl', 'Ya9OCfWQ1X', 'OcUOpZgOKh', 'J2LOBWpR0P', 'C1COPRToAd', 'OaiOVPWcRL', 'iEZO9a8tI0'
Source: 0.3.7FErKDnzhp.exe.4ef4523.0.raw.unpack, phXVCjGOlXGNmL0KhFc.cs High entropy of concatenated method names: '_7tu', '_8ge', 'DyU', '_58f', '_254', '_6Q3', '_7f4', 'B3I', '_75k', 'd4G'
Source: 0.3.7FErKDnzhp.exe.4ef4523.0.raw.unpack, uhOOeBqoQ3abp9jiEOU.cs High entropy of concatenated method names: 'rU3', 'YZ8', 'M54', 'G9C', 'upGEHcr01Bf0G0ahWLa', 'eK0s2brBOWVYp3oAKpm', 'lG3AkJrOBVOZrDQESpX', 'ULFXidrxIaOAcqttf9d', 'PCeX65r3J7X6W8cx0xY', 'vZrXCPrKFhPKDXuy8he'
Source: 0.3.7FErKDnzhp.exe.4ef4523.0.raw.unpack, VFmXvhUCGMGRa8jMYh.cs High entropy of concatenated method names: '_52U', 'YZ8', 'M5A', 'G9C', 'w2cvj6Pmd1L4A8JKvXU', 'NL9rvWPQ7fajSRoUf4x', 's4XM2ePqeq3pZaKGPvP', 'vUimYbPW83dJg0pdKY0', 'ONbpf7PjDmOGBsjlQX2', 'or70N2PcDcvaYj4chHE'
Source: 0.3.7FErKDnzhp.exe.4ef4523.0.raw.unpack, KUyNelGnit5aoQboi4N.cs High entropy of concatenated method names: 'K3mAAa3nAZO4dYInmOJ', 'ml6ROf3PiDQe95ZQXZt', 'fYKJX03dxmi5RFtgs2W', 'GfkRT43IWjFfDBw1gLe', 'xfU21AIhXM', 'WM4', '_499', 'wQF2S57hGx', 'inB2ceFwEE', 'jGH2gkvTk0'
Source: 0.3.7FErKDnzhp.exe.4ef4523.0.raw.unpack, P2YLpeaP0o3fkalbrIY.cs High entropy of concatenated method names: '_4J6', '_5Di', '_1y5', '_77a', '_1X1', '_7fn', 'OUK', '_8S4', 'wUn', '_447'
Source: 0.3.7FErKDnzhp.exe.4ef4523.0.raw.unpack, uHfWWVqqwYobmxkTvoJ.cs High entropy of concatenated method names: 'tO4', 'YZ8', '_4kf', 'G9C', 'LrgFFrV1C9PRaLrU1qG', 'YDms1NVGQxpsSumDY8g', 'vQdZpKVijiKRBCutv4C', 'aX9nODVl8ElSFOsykOW', 'ohoh8nV6We3EOjvKjIH', 'QfOuR4VkOQfT73q3dln'
Source: 0.3.7FErKDnzhp.exe.4ef4523.0.raw.unpack, KZoopqAsCOHlZgkt7Z1.cs High entropy of concatenated method names: '_269', '_5E7', 'vTKYfqbGnP', 'Mz8', 'maJYCSj3GE', 'Sbd6tekJH2E2aygxevd', 'UcwJmqkLHqQGQtegTgi', 'WWWou2kmNy9B3eLSkEM', 'QFV2OYkQ6p0vUdgWxwJ', 'GVRu4Nkqr8XmHEkodou'
Source: 0.3.7FErKDnzhp.exe.4ef4523.0.raw.unpack, xyJRufW3SOLC23yo3O1.cs High entropy of concatenated method names: 'sE1Y4rR4uQ', 'wONYsthAn8', 'saQYQof65S', 'XYPYNBC0RM', 'WbcYySw2AI', 'e2xYUrKTfR', 'kGhWmET22ihLk7R9Lbv', 'VH7YB8TeBETnRadMH9D', 'pu2O21TZYw3QTYuDd5J', 'YNUW7OTucqbxbTKJ97i'
Source: 0.3.7FErKDnzhp.exe.4ef4523.0.raw.unpack, YeWvP1kxtYA1bcMuo5E.cs High entropy of concatenated method names: 'i97Xqee74fP01gqmUUi', 'XsDpdKeCePPkBKxFbfI', 'mYBwojewOJxNqTWsOCq', 'cBbSgGegSNmyqW8qXOd', 'LhFJoCLL5y', 'qqNsr6eUTtFJesLLEmw', 'xrYlNreMnKL6QSe755y', 'kN5fBWeonGkaWwgi1mn', 'wd1SkdeYhXZPUq1PvnH', 'qSX0fEehTyxMAKBeOYC'
Source: 0.3.7FErKDnzhp.exe.4ef4523.0.raw.unpack, cdUXoeb8agJWIZB4gk.cs High entropy of concatenated method names: '_468', 'YZ8', '_2M1', 'G9C', 'fbNNHVnSjNroKlhtS2g', 'xCPsEenvuYLxZr82nCM', 'Vfnq92n1nkSSA6Am72r', 'bEYlFBnGyRNJqZpPWxw', 'lHF9cXnidBJMIXiaqF0', 'BmK3LHnlp5p0lhmbhw2'
Source: 0.3.7FErKDnzhp.exe.4ef4523.0.raw.unpack, aoan0laUcKy9OFrFfeC.cs High entropy of concatenated method names: 'ICU', 'j9U', 'IBK', '_6qM', 'Amn', 'Mc2', 'og6', 'z6i', '_5G6', 'r11'
Source: 0.3.7FErKDnzhp.exe.4ef4523.0.raw.unpack, uAnvdgaNDr5V29lh6qD.cs High entropy of concatenated method names: 'FrA0OX3Pri', 'cAp02ZQi7A', 'tF00x3w6cs', 'K3P0o9WJeq', 'CBA00M9qVn', 'ddp0864qn1', 'up10wEI5GK', 'CGq0EG3rKM', 'DNu0jcEjYF', 'SWl06kQVXR'
Source: 0.3.7FErKDnzhp.exe.4ef4523.0.raw.unpack, USa03AGMwBgddTCKYsG.cs High entropy of concatenated method names: 'E8XmdM3Bga', '_1kO', '_9v4', '_294', 'tM9mFDIgLD', 'euj', 'duEmYVXQTl', 'Lr7mOjCJDI', 'o87', 'eI5muubVA8'
Source: 0.3.7FErKDnzhp.exe.4ef4523.0.raw.unpack, qYkQ3Ya92hWVoWiEWfR.cs High entropy of concatenated method names: 'Yu6VSSIDHA', 'VSYVcdrMpr', 'kOFVgsFQIV', 'OgVVrdQBwq', 'pUfVHLDFij', 'YU0ZX6gcLHb6LPOiEQc', 'NOZ0trgzSYiP5np7Tni', 'srlDetgWLHcdS3uxFoC', 'pFdymDgjeFNPOC84pU4', 'UUeb0v7sSQ2ZIkovB1o'
Source: 0.3.7FErKDnzhp.exe.4ef4523.0.raw.unpack, oSYcZ2qPCgtBmAFMtME.cs High entropy of concatenated method names: '_6U6', 'YZ8', '_694', 'G9C', 'jNYS6Gr18Lt5xrca1x3', 'gtL4NrrGneAcliHB3U9', 'xS9WFSriFY0ExgetKPF', 'FOnU1JrlKnZiKDwD7tI', 'CPC9qAr6ZR099CsUZZP', 'U59xsurk1Et8tsYSFb9'
Source: 0.3.7FErKDnzhp.exe.4ef4523.0.raw.unpack, YVOvHbapeiRbuNCAreu.cs High entropy of concatenated method names: 'uxk', 'q7W', '_327', '_958', '_4Oz', 'r6z', 'r7o', 'Z83', 'L5N', 'VTw'
Source: 0.3.7FErKDnzhp.exe.4ef4523.0.raw.unpack, XGKZXQGGmXBKKXQeq2O.cs High entropy of concatenated method names: 'Qkp', '_72e', 'R26', '_7w6', 'Awi', 'n73', 'cek', 'ro1', '_9j4', '_453'
Source: 0.3.7FErKDnzhp.exe.4ef4523.0.raw.unpack, mSDZSUW1GtZvrO2s7IK.cs High entropy of concatenated method names: 'mtfOlJx3f7', 'jaORhVTWfx2UiSchRCe', 'eniNnRTQK7DyCRjyQw2', 'xW20eETqHD4UxoHjtEj', 'TvIAAiTjfCTHuocc9BI', 'd483rGTcE3NVl0J6eP5', 'xg1cF1TzgA2kbpo5mbQ'
Source: 0.3.7FErKDnzhp.exe.4ffe523.1.raw.unpack, K6N7lOGlonRUf9sqLPL.cs High entropy of concatenated method names: 'lrXOL6mPhM', 'yIaOe3UZvD', 'yL7OZQydnP', 'cqSOh6Y12w', 'qpSOM65QGZ', 'B95OtoYGnd', '_838', 'vVb', 'g24', '_9oL'
Source: 0.3.7FErKDnzhp.exe.4ffe523.1.raw.unpack, yJG7Iy5D5joNDkLmU7U.cs High entropy of concatenated method names: 'K4waxl107s', 'PVlaoIk0DH', 'mfmQZM8w2vbSYdB34Ye', 'J89Avb8guxQvDAEehLc', 'JlCuck86mcyYse9Rxey', 'rxD4Fa8kNef2hQDGFaC', 'h3CLaE87TuRvuoi2v7q', 'lTxFCh8CJ9kk3IKnwIa', 'c4mgOY8DVO5v6ZGb18K', 'tcV87w8He3xEAWstmAL'
Source: 0.3.7FErKDnzhp.exe.4ffe523.1.raw.unpack, qbp5BXIMEjKJGPJqsJ.cs High entropy of concatenated method names: 'T43', 'YZ8', '_56i', 'G9C', 'Qe05gedEPDU62BWnELD', 'jIKLDWdts7HesrBjQMl', 'XSqY0udAkjYcV988fEw', 'wv1aEldpESBC30D69DH', 'R0Pt2SdbbKf7k9oQRvo', 'uAwY8Bd8qAgFk3AYart'
Source: 0.3.7FErKDnzhp.exe.4ffe523.1.raw.unpack, Nl3NWdHqxke2CTFRp8.cs High entropy of concatenated method names: '_23T', 'YZ8', 'ELp', 'G9C', 'iyiaJGIq5QsY2pG6daN', 'nnDaMRIWUcdKlCbcApY', 'HV06HGIj5cdWxbuPBjI', 'QyFIW6IceDGKdNJtAtK', 'cOngtbIzdXfLkUi4Xau', 'OQZodGnsbALt6EBapyU'
Source: 0.3.7FErKDnzhp.exe.4ffe523.1.raw.unpack, xcsaHgAa3Cp5p0EbQC4.cs High entropy of concatenated method names: 'SjGk74Dvqd', 'kcfkfK42NF', 'jSakbWF2Uy', 'WENkLQt6F1', 'U9vkenXC6J', 'DlkkZQsaK0', 'bE9lNU1HPFIAwQJvPlR', 'WqNmZD1CpbREUT3flhc', 'oDZjtp1DeBNbDpQDulm', 'Pwo9gQ1UG8AiMIIhl5i'
Source: 0.3.7FErKDnzhp.exe.4ffe523.1.raw.unpack, NDcl0jq9iwNQkYsChfK.cs High entropy of concatenated method names: 'd43', 'YZ8', 'g67', 'G9C', 'UH9rbFrCPmlK17mRlGv', 'cLnQOCrD6utQJvxyEL1', 'NuCOqYrHF3eJ1uIkY9K', 'WVqoUQrU11hScDiZAW2', 'wabKjtrMuS65ZeQENBe', 'PP1h8qroxbj64nV3dNy'
Source: 0.3.7FErKDnzhp.exe.4ffe523.1.raw.unpack, OcHMtnAhRuYZVpWl5v4.cs High entropy of concatenated method names: '_9YY', '_57I', 'w51', 'srcYK4e228', '_168', 'nGREhGkgkBavm6A3Ir4', 'OqCwbxk7OiD7UEhgZD7', 'xWWf06kCJAGXbRK39o2', 'cU0k8YkDwgC9RskW8Gh', 'xZqsKpkHMjt5Qsx4oDs'
Source: 0.3.7FErKDnzhp.exe.4ffe523.1.raw.unpack, qEq3qkqvo2HeVi6n5V1.cs High entropy of concatenated method names: 'bjMqLKTP2i', 'Ih0VFJRdY4fEsoGsyEn', 'Csu8E1RIXZvZCi7yFPL', 'rSUvtLRsliewtswWppF', 'wWWWdaRyA0QGP6gnnEn', 'DPwJdtRnGCQC54nEwcy', 'k8MqViRPOFVTs2HYTYR', 'gUlC4DRVBBRAljVZNps', 'NSpqZDkK5u', 'ccvRFHRFvYyYJB62fNP'
Source: 0.3.7FErKDnzhp.exe.4ffe523.1.raw.unpack, sE1LpraW84DG9nJlj5y.cs High entropy of concatenated method names: 'BOQVwn9Cil', 'CIBrVvgvD2ANDQ2jCen', 'kLYLU4g18yDtIV3gxUJ', 'rb9PNCgfSeowVsWffZU', 'F7DSAGgSNhN6HTbB0J9', 'yZYBv5Uedr', 'rXABJkfFUU', 'rQsB3jo6XO', 'goSBnXGE0F', 'fseB17mW95'
Source: 0.3.7FErKDnzhp.exe.4ffe523.1.raw.unpack, bWZkvgWvRmHnjWxJSHw.cs High entropy of concatenated method names: 'KBkYZe9HYY', 'kfPYhxcRNT', 'jHQYMZbSsu', 'L632KLTBYpkPfVtFdsA', 'YsqpSDT97el8ML4XLOJ', 'CB63TaT0PawOUJ1nj18', 'LX6Q4oTOjRpQbrOKYnL', 'q9TuVWTxYJEAwYQhxUG', 'WaSw1hT3IdMxdK18AxV', 'mmVPiGTKQo1chcZT7ZU'
Source: 0.3.7FErKDnzhp.exe.4ffe523.1.raw.unpack, pwP89vhPReMv8N84dW.cs High entropy of concatenated method names: 'kcq', 'YZ8', '_4bQ', 'G9C', 'wQMCe7PVK1prPSNGvas', 'S5edswPrq41mHhNpMum', 'KJTnErP4oBvQTPNwZc6', 'yftIxyPF16HwEuBqnbq', 'VRRQgOPRnA5bOPkQaI7', 'hXOh04PEHILONhVgI8r'
Source: 0.3.7FErKDnzhp.exe.4ffe523.1.raw.unpack, tVcTFNWyYtFrDUsuD63.cs High entropy of concatenated method names: 'q4Y', '_71O', '_6H6', 'lwcOFqPCjt', '_13H', 'I64', '_67a', '_71t', 'fEj', '_9OJ'

Persistence and Installation Behavior

Source: C:\containercrt\Hyperblock.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\containercrt\Hyperblock.exe File created: C:\Recovery\dwm.exe
Source: C:\containercrt\Hyperblock.exe File created: C:\containercrt\csrss.exe
Source: C:\containercrt\Hyperblock.exe File created: C:\Windows\ShellNew\explorer.exe
Source: C:\containercrt\Hyperblock.exe File created: C:\containercrt\dcvkQEwWwyGFQ.exe
Source: C:\Users\user\Desktop\7FErKDnzhp.exe File created: C:\containercrt\Hyperblock.exe
Source: C:\containercrt\Hyperblock.exe File created: C:\Recovery\SystemSettings.exe
Source: C:\containercrt\Hyperblock.exe File created: C:\Users\Default\Links\dcvkQEwWwyGFQ.exe
Source: C:\containercrt\Hyperblock.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Network Shortcuts\dcvkQEwWwyGFQ.exe
Source: C:\containercrt\Hyperblock.exe File created: C:\Program Files\Windows Multimedia Platform\MoUsoCoreWorker.exe
Source: C:\containercrt\Hyperblock.exe File created: C:\Recovery\dcvkQEwWwyGFQ.exe
Source: C:\containercrt\Hyperblock.exe File created: C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\updates\308046B0AF4A39CB\RuntimeBroker.exe
Source: C:\containercrt\Hyperblock.exe File created: C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\fontdrvhost.exe
Source: C:\containercrt\Hyperblock.exe File created: C:\Users\Default\Favorites\OfficeClickToRun.exe

Boot Survival

Source: C:\containercrt\Hyperblock.exe Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 10 /tr "'C:\Users\All Users\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\updates\308046B0AF4A39CB\RuntimeBroker.exe'" /f
Source: C:\Users\user\Desktop\7FErKDnzhp.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\wscript.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\containercrt\Hyperblock.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Default\Links\dcvkQEwWwyGFQ.exe Process information set: NOOPENFILEERRORBOX
Source: C:\containercrt\Hyperblock.exe Memory allocated: 11B0000 memory reserve | memory write watch
Source: C:\containercrt\Hyperblock.exe Memory allocated: 1AE10000 memory reserve | memory write watch
Source: C:\Users\Default\Links\dcvkQEwWwyGFQ.exe Memory allocated: C20000 memory reserve | memory write watch
Source: C:\Users\Default\Links\dcvkQEwWwyGFQ.exe Memory allocated: 1A830000 memory reserve | memory write watch
Source: C:\Users\Default\Links\dcvkQEwWwyGFQ.exe Memory allocated: 1090000 memory reserve | memory write watch
Source: C:\Users\Default\Links\dcvkQEwWwyGFQ.exe Memory allocated: 1AB90000 memory reserve | memory write watch
Source: C:\containercrt\Hyperblock.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\Default\Links\dcvkQEwWwyGFQ.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\wscript.exe Window found: window name: WSH-Timer
Source: C:\containercrt\Hyperblock.exe Window / User API: threadDelayed 1546
Source: C:\containercrt\Hyperblock.exe Window / User API: threadDelayed 376
Source: C:\Users\Default\Links\dcvkQEwWwyGFQ.exe Window / User API: threadDelayed 364
Source: C:\Users\Default\Links\dcvkQEwWwyGFQ.exe Window / User API: threadDelayed 367
Source: C:\containercrt\Hyperblock.exe TID: 7228 Thread sleep count: 1546 > 30
Source: C:\containercrt\Hyperblock.exe TID: 7228 Thread sleep count: 376 > 30
Source: C:\containercrt\Hyperblock.exe TID: 7204 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\Default\Links\dcvkQEwWwyGFQ.exe TID: 8028 Thread sleep count: 364 > 30
Source: C:\Users\Default\Links\dcvkQEwWwyGFQ.exe TID: 7712 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\Default\Links\dcvkQEwWwyGFQ.exe TID: 7664 Thread sleep count: 367 > 30
Source: C:\Users\Default\Links\dcvkQEwWwyGFQ.exe TID: 7920 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\containercrt\Hyperblock.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Users\Default\Links\dcvkQEwWwyGFQ.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\Desktop\7FErKDnzhp.exe Code function: 0_2_002AA5F4 FindFirstFileW,FindFirstFileW,GetLastError,FindNextFileW,GetLastError, 0_2_002AA5F4
Source: C:\Users\user\Desktop\7FErKDnzhp.exe Code function: 0_2_002BB8E0 SendDlgItemMessageW,EndDialog,GetDlgItem,SetFocus,SetDlgItemTextW,SendDlgItemMessageW,FindFirstFileW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,FindClose,_swprintf,SetDlgItemTextW,SendDlgItemMessageW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,_swprintf,SetDlgItemTextW, 0_2_002BB8E0
Source: C:\Users\user\Desktop\7FErKDnzhp.exe Code function: 0_2_002BDD72 VirtualQuery,GetSystemInfo, 0_2_002BDD72
Source: wscript.exe, 00000001.00000003.1678987129.00000000030BF000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: wscript.exe, 00000001.00000003.1678987129.00000000030BF000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
Source: 7FErKDnzhp.exe, 00000000.00000003.1604192996.0000000002C83000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}1
Source: Hyperblock.exe, 00000004.00000002.1723037375.000000001C200000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}q
Source: C:\Users\user\Desktop\7FErKDnzhp.exe API call chain: ExitProcess graph end node
Source: C:\containercrt\Hyperblock.exe Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\7FErKDnzhp.exe Code function: 0_2_002C866F IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_002C866F
Source: C:\Users\user\Desktop\7FErKDnzhp.exe Code function: 0_2_002C753D mov eax, dword ptr fs:[00000030h] 0_2_002C753D
Source: C:\Users\user\Desktop\7FErKDnzhp.exe Code function: 0_2_002CB710 GetProcessHeap, 0_2_002CB710
Source: C:\containercrt\Hyperblock.exe Process token adjusted: Debug
Source: C:\Users\Default\Links\dcvkQEwWwyGFQ.exe Process token adjusted: Debug
Source: C:\Users\user\Desktop\7FErKDnzhp.exe Code function: 0_2_002BF063 SetUnhandledExceptionFilter, 0_2_002BF063
Source: C:\Users\user\Desktop\7FErKDnzhp.exe Code function: 0_2_002BF22B SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_002BF22B
Source: C:\Users\user\Desktop\7FErKDnzhp.exe Code function: 0_2_002BEF05 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_002BEF05
Source: C:\containercrt\Hyperblock.exe Memory allocated: page read and write | page guard
Source: C:\Users\user\Desktop\7FErKDnzhp.exe Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\containercrt\focLwcgbbqM4pqsNJntFjNFiUvJ.vbe"
Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\containercrt\jVeL3.bat" "
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\containercrt\Hyperblock.exe "C:\containercrt\Hyperblock.exe"
Source: C:\containercrt\Hyperblock.exe Process created: unknown unknown
Source: C:\Users\user\Desktop\7FErKDnzhp.exe Code function: 0_2_002BED5B cpuid 0_2_002BED5B
Source: C:\Users\user\Desktop\7FErKDnzhp.exe Code function: GetLocaleInfoW,GetNumberFormatW, 0_2_002BA63C
Source: C:\containercrt\Hyperblock.exe Queries volume information: C:\containercrt\Hyperblock.exe VolumeInformation
Source: C:\Users\Default\Links\dcvkQEwWwyGFQ.exe Queries volume information: C:\Users\Default\Links\dcvkQEwWwyGFQ.exe VolumeInformation
Source: C:\Users\user\Desktop\7FErKDnzhp.exe Code function: 0_2_002BD5D4 GetCommandLineW,OpenFileMappingW,MapViewOfFile,UnmapViewOfFile,CloseHandle,GetModuleFileNameW,SetEnvironmentVariableW,GetLocalTime,_swprintf,SetEnvironmentVariableW,GetModuleHandleW,LoadIconW,DialogBoxParamW,Sleep,DeleteObject,DeleteObject,CloseHandle, 0_2_002BD5D4
Source: C:\Users\user\Desktop\7FErKDnzhp.exe Code function: 0_2_002AACF5 GetVersionExW, 0_2_002AACF5
Source: C:\Windows\SysWOW64\wscript.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information

Source: Yara match File source: 0000001A.00000002.1842577492.0000000002B91000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001A.00000002.1842577492.0000000002BE4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.1718350634.0000000003334000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000017.00000002.1830774162.0000000002831000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.1718350634.0000000002E11000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: Hyperblock.exe PID: 7172, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: dcvkQEwWwyGFQ.exe PID: 7532, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: dcvkQEwWwyGFQ.exe PID: 7568, type: MEMORYSTR

Remote Access Functionality

Source: Yara match File source: 0000001A.00000002.1842577492.0000000002B91000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001A.00000002.1842577492.0000000002BE4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.1718350634.0000000003334000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000017.00000002.1830774162.0000000002831000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.1718350634.0000000002E11000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: Hyperblock.exe PID: 7172, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: dcvkQEwWwyGFQ.exe PID: 7532, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: dcvkQEwWwyGFQ.exe PID: 7568, type: MEMORYSTR
No contacted IP infos