Windows Analysis Report
e8RKyR4TEM.exe

Overview

General Information

Sample name: e8RKyR4TEM.exe
renamed because original name is a hash value
Original sample name: 56f465f72c1d03714aa6cedadcee54f1.exe
Analysis ID: 1438233
MD5: 56f465f72c1d03714aa6cedadcee54f1
SHA1: 15c128e34eba74fc9d49333eec77a9af8dbf2b35
SHA256: f3dce07ef36310e3d43a014c12c02312797d1d1b42c841089e5f02b5a0165780
Tags: DCRatexe
Detection

DCRat, PureLog Stealer, zgRAT
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Schedule system process
Yara detected DCRat
Yara detected PureLog Stealer
Yara detected zgRAT
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
C2 URLs / IPs found in malware configuration
Creates processes via WMI
Drops PE files to the user root directory
Machine Learning detection for dropped file
Machine Learning detection for sample
Sigma detected: Files With System Process Name In Unsuspected Locations
Uses schtasks.exe or at.exe to add and modify task schedules
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Yara detected Costura Assembly Loader
Yara detected Generic Downloader
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to communicate with device drivers
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Detected potential crypto function
Drops PE files
Drops PE files to the application program directory (C:\ProgramData)
Drops PE files to the user directory
Drops PE files to the windows directory (C:\Windows)
Enables debug privileges
File is packed with WinRar
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found evasive API chain (date check)
Found potential string decryption / allocating functions
May sleep (evasive loops) to hinder dynamic analysis
PE file contains executable resources (Code or Archives)
PE file contains sections with non-standard names
PE file does not import any functions
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

AV Detection

Source: e8RKyR4TEM.exe Avira: detected
Source: C:\Program Files\Windows Defender\en-US\conhost.exe Avira: detection malicious, Label: HEUR/AGEN.1323984
Source: C:\msDriverSessionHost\chainProvider.exe Avira: detection malicious, Label: HEUR/AGEN.1323984
Source: C:\Recovery\RuntimeBroker.exe Avira: detection malicious, Label: HEUR/AGEN.1323984
Source: C:\Users\Default\OneDrive\WinStore.App.exe Avira: detection malicious, Label: HEUR/AGEN.1323984
Source: C:\Program Files (x86)\AutoIt3\Icons\cwxyiNpEtlalxKGPbFFnB.exe Avira: detection malicious, Label: HEUR/AGEN.1323984
Source: C:\msDriverSessionHost\myVrliqnAWGzbaQrrwFJCBOXabSQn5.vbe Avira: detection malicious, Label: VBS/Runner.VPG
Source: C:\Users\user\AppData\Local\Temp\j7xKo0hZ28.bat Avira: detection malicious, Label: BAT/Delbat.C
Source: C:\ProgramData\WindowsHolographicDevices\SpatialStore\StartMenuExperienceHost.exe Avira: detection malicious, Label: HEUR/AGEN.1323984
Source: C:\Users\user\AppData\Local\Temp\grunge cheat softwsre 0.28.4.exe Avira: detection malicious, Label: VBS/Runner.VPG
Source: 00000019.00000002.1797847188.0000000002F71000.00000004.00000800.00020000.00000000.sdmp Malware Configuration Extractor: DCRat {"SCRT": "{\"y\":\"%\",\"9\":\";\",\"0\":\"|\",\"N\":\"*\",\"A\":\"~\",\"6\":\"#\",\"L\":\" \",\"Q\":\"(\",\"h\":\",\",\"M\":\">\",\"J\":\"&\",\"I\":\".\",\"w\":\"^\",\"d\":\"-\",\"C\":\"@\",\"U\":\"_\",\"W\":\"$\",\"m\":\"!\",\"i\":\"`\",\"e\":\")\",\"4\":\"<\"}", "PCRT": "{\"w\":\".\",\"Q\":\"#\",\"M\":\"@\",\"l\":\")\",\"=\":\" \",\"0\":\";\",\"i\":\"`\",\"I\":\"<\",\"y\":\"!\",\"b\":\"*\",\"S\":\",\",\"6\":\"-\",\"c\":\"~\",\"p\":\"(\",\"j\":\"_\",\"X\":\"$\",\"e\":\"^\",\"x\":\">\",\"f\":\"&\",\"D\":\"%\"}", "TAG": "", "MUTEX": "DCR_MUTEX-lxnfQDJbv9Qq093mzPE3", "LDTM": false, "DBG": false, "SST": 5, "SMST": 2, "BCS": 0, "AUR": 1, "ASCFG": {"searchpath": "%UsersFolder% - Fast"}, "AS": false, "ASO": false, "AD": false, "H1": "http://a0944507.xsph.ru/@==gbJBzYuFDT", "H2": "http://a0944507.xsph.ru/@==gbJBzYuFDT", "T": "0"}
Source: C:\Program Files (x86)\AutoIt3\Icons\cwxyiNpEtlalxKGPbFFnB.exe ReversingLabs: Detection: 87%
Source: C:\Program Files (x86)\AutoIt3\Icons\cwxyiNpEtlalxKGPbFFnB.exe Virustotal: Detection: 78%
Source: C:\Program Files (x86)\Common Files\DESIGNER\cwxyiNpEtlalxKGPbFFnB.exe ReversingLabs: Detection: 87%
Source: C:\Program Files (x86)\Common Files\DESIGNER\cwxyiNpEtlalxKGPbFFnB.exe Virustotal: Detection: 78%
Source: C:\Program Files (x86)\Mozilla Maintenance Service\cwxyiNpEtlalxKGPbFFnB.exe ReversingLabs: Detection: 87%
Source: C:\Program Files (x86)\Mozilla Maintenance Service\cwxyiNpEtlalxKGPbFFnB.exe Virustotal: Detection: 78%
Source: C:\Program Files\Windows Defender\en-US\conhost.exe ReversingLabs: Detection: 87%
Source: C:\Program Files\Windows Defender\en-US\conhost.exe Virustotal: Detection: 78%
Source: C:\Program Files\Windows Media Player\cwxyiNpEtlalxKGPbFFnB.exe ReversingLabs: Detection: 87%
Source: C:\Program Files\Windows Media Player\cwxyiNpEtlalxKGPbFFnB.exe Virustotal: Detection: 78%
Source: C:\Program Files\Windows Sidebar\Shared Gadgets\cwxyiNpEtlalxKGPbFFnB.exe ReversingLabs: Detection: 87%
Source: C:\Program Files\Windows Sidebar\Shared Gadgets\cwxyiNpEtlalxKGPbFFnB.exe Virustotal: Detection: 78%
Source: C:\ProgramData\WindowsHolographicDevices\SpatialStore\StartMenuExperienceHost.exe ReversingLabs: Detection: 87%
Source: C:\ProgramData\WindowsHolographicDevices\SpatialStore\StartMenuExperienceHost.exe Virustotal: Detection: 78%
Source: C:\Recovery\RuntimeBroker.exe ReversingLabs: Detection: 87%
Source: C:\Recovery\RuntimeBroker.exe Virustotal: Detection: 78%
Source: C:\Recovery\cwxyiNpEtlalxKGPbFFnB.exe ReversingLabs: Detection: 87%
Source: C:\Recovery\cwxyiNpEtlalxKGPbFFnB.exe Virustotal: Detection: 78%
Source: C:\Users\Default\OneDrive\WinStore.App.exe ReversingLabs: Detection: 87%
Source: C:\Users\Default\OneDrive\WinStore.App.exe Virustotal: Detection: 78%
Source: C:\Users\user\AppData\Local\Temp\Free_changer_fix.exe ReversingLabs: Detection: 50%
Source: C:\Users\user\AppData\Local\Temp\Free_changer_fix.exe Virustotal: Detection: 36%
Source: C:\Users\user\AppData\Local\Temp\grunge cheat softwsre 0.28.4.exe ReversingLabs: Detection: 75%
Source: C:\Users\user\AppData\Local\Temp\grunge cheat softwsre 0.28.4.exe Virustotal: Detection: 58%
Source: C:\Users\user\cwxyiNpEtlalxKGPbFFnB.exe ReversingLabs: Detection: 87%
Source: C:\Users\user\cwxyiNpEtlalxKGPbFFnB.exe Virustotal: Detection: 78%
Source: C:\Windows\ShellComponents\cwxyiNpEtlalxKGPbFFnB.exe ReversingLabs: Detection: 87%
Source: C:\Windows\ShellComponents\cwxyiNpEtlalxKGPbFFnB.exe Virustotal: Detection: 78%
Source: C:\Windows\SystemApps\cwxyiNpEtlalxKGPbFFnB.exe ReversingLabs: Detection: 87%
Source: C:\Windows\SystemApps\cwxyiNpEtlalxKGPbFFnB.exe Virustotal: Detection: 78%
Source: C:\msDriverSessionHost\RuntimeBroker.exe ReversingLabs: Detection: 87%
Source: C:\msDriverSessionHost\RuntimeBroker.exe Virustotal: Detection: 78%
Source: C:\msDriverSessionHost\chainProvider.exe ReversingLabs: Detection: 87%
Source: C:\msDriverSessionHost\chainProvider.exe Virustotal: Detection: 78%
Source: C:\msDriverSessionHost\cwxyiNpEtlalxKGPbFFnB.exe ReversingLabs: Detection: 87%
Source: C:\msDriverSessionHost\cwxyiNpEtlalxKGPbFFnB.exe Virustotal: Detection: 78%
Source: e8RKyR4TEM.exe ReversingLabs: Detection: 94%
Source: e8RKyR4TEM.exe Virustotal: Detection: 89%
Source: C:\Program Files\Windows Defender\en-US\conhost.exe Joe Sandbox ML: detected
Source: C:\msDriverSessionHost\chainProvider.exe Joe Sandbox ML: detected
Source: C:\Recovery\RuntimeBroker.exe Joe Sandbox ML: detected
Source: C:\Users\Default\OneDrive\WinStore.App.exe Joe Sandbox ML: detected
Source: C:\Program Files (x86)\AutoIt3\Icons\cwxyiNpEtlalxKGPbFFnB.exe Joe Sandbox ML: detected
Source: C:\ProgramData\WindowsHolographicDevices\SpatialStore\StartMenuExperienceHost.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\grunge cheat softwsre 0.28.4.exe Joe Sandbox ML: detected
Source: e8RKyR4TEM.exe Joe Sandbox ML: detected
Source: e8RKyR4TEM.exe Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
Source: C:\msDriverSessionHost\chainProvider.exe Directory created: C:\Program Files\Windows Sidebar\Shared Gadgets\cwxyiNpEtlalxKGPbFFnB.exe
Source: C:\msDriverSessionHost\chainProvider.exe Directory created: C:\Program Files\Windows Sidebar\Shared Gadgets\b49250d0ebe870
Source: C:\msDriverSessionHost\chainProvider.exe Directory created: C:\Program Files\Windows Defender\en-US\conhost.exe
Source: C:\msDriverSessionHost\chainProvider.exe Directory created: C:\Program Files\Windows Defender\en-US\088424020bedd6
Source: C:\msDriverSessionHost\chainProvider.exe Directory created: C:\Program Files\Windows Media Player\cwxyiNpEtlalxKGPbFFnB.exe
Source: C:\msDriverSessionHost\chainProvider.exe Directory created: C:\Program Files\Windows Media Player\b49250d0ebe870
Source: Binary string: D:\Projects\WinRAR\sfx\build\sfxrar32\Release\sfxrar.pdb source: e8RKyR4TEM.exe
Source: Binary string: c2c04224-30ca-4b4c-a9c1-5861ee78750d<Module>NerestPC_changer.Form1.resourcesNerestPC_changer.start.resourcescostura.costura.dll.compressedcostura.costura.pdb.compressedcostura.guna.ui2.dll.compressedcostura.memory.dll.compressedcostura.system.diagnostics.diagnosticsource.dll.compressedcostura.metadataNerestPC_FREE_sh7lP4Tk4P7SNfypH1bmc9DaxAqihcUAmNN6KzeJf2sVeScMSe9.g.resourcesaR3nbf8dQp2feLmk31.lSfgApatkdxsVcGcrktoFd.resourcesNerestPC_changer.Properties.Resources.resources source: Free_changer_fix.exe, 00000001.00000002.2860727016.000001AB4B04F000.00000004.00000800.00020000.00000000.sdmp, Free_changer_fix.exe, 00000001.00000002.2860727016.000001AB4B3AB000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: costura.costura.pdb.compressed source: Free_changer_fix.exe, 00000001.00000002.2860727016.000001AB4B04F000.00000004.00000800.00020000.00000000.sdmp, Free_changer_fix.exe, 00000001.00000002.2853964279.000001AB3B043000.00000004.00000800.00020000.00000000.sdmp, Free_changer_fix.exe, 00000001.00000002.2860727016.000001AB4B3AB000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: costura.costura.pdb.compressed|||Costura.pdb|6C6000A5EAF8579850AB82A89BD6268776EB51AD|2608 source: Free_changer_fix.exe, 00000001.00000002.2860727016.000001AB4B04F000.00000004.00000800.00020000.00000000.sdmp, Free_changer_fix.exe, 00000001.00000002.2860727016.000001AB4B3AB000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: costura.costura.pdb.compressed8 source: Free_changer_fix.exe, 00000001.00000002.2853964279.000001AB3B043000.00000004.00000800.00020000.00000000.sdmp
Source: C:\Users\user\AppData\Local\Temp\grunge cheat softwsre 0.28.4.exe Code function: 2_2_0058A5F4 FindFirstFileW,FindFirstFileW,GetLastError,FindNextFileW,GetLastError, 2_2_0058A5F4
Source: C:\Users\user\AppData\Local\Temp\grunge cheat softwsre 0.28.4.exe Code function: 2_2_0059B8E0 SendDlgItemMessageW,EndDialog,GetDlgItem,SetFocus,SetDlgItemTextW,SendDlgItemMessageW,FindFirstFileW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,FindClose,_swprintf,SetDlgItemTextW,SendDlgItemMessageW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,_swprintf,SetDlgItemTextW, 2_2_0059B8E0
Source: C:\msDriverSessionHost\chainProvider.exe File opened: C:\Users\user
Source: C:\msDriverSessionHost\chainProvider.exe File opened: C:\Users\user\Documents\desktop.ini
Source: C:\msDriverSessionHost\chainProvider.exe File opened: C:\Users\user\AppData
Source: C:\msDriverSessionHost\chainProvider.exe File opened: C:\Users\user\AppData\Local\Temp
Source: C:\msDriverSessionHost\chainProvider.exe File opened: C:\Users\user\Desktop\desktop.ini
Source: C:\msDriverSessionHost\chainProvider.exe File opened: C:\Users\user\AppData\Local

Networking

Source: Malware configuration extractor URLs: http://a0944507.xsph.ru/@==gbJBzYuFDT
Source: Yara match File source: 1.2.Free_changer_fix.exe.1ab53b00000.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.Free_changer_fix.exe.1ab4b04f1f8.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.Free_changer_fix.exe.1ab4b3ab7d0.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000001.00000002.2873408894.000001AB53B00000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Free_changer_fix.exe, 00000001.00000002.2860727016.000001AB4B04F000.00000004.00000800.00020000.00000000.sdmp, Free_changer_fix.exe, 00000001.00000002.2873408894.000001AB53B00000.00000004.08000000.00040000.00000000.sdmp, Free_changer_fix.exe, 00000001.00000002.2860727016.000001AB4B3AB000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: Free_changer_fix.exe, 00000001.00000002.2860727016.000001AB4B04F000.00000004.00000800.00020000.00000000.sdmp, Free_changer_fix.exe, 00000001.00000002.2873408894.000001AB53B00000.00000004.08000000.00040000.00000000.sdmp, Free_changer_fix.exe, 00000001.00000002.2860727016.000001AB4B3AB000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: Free_changer_fix.exe, 00000001.00000002.2860727016.000001AB4B04F000.00000004.00000800.00020000.00000000.sdmp, Free_changer_fix.exe, 00000001.00000002.2873408894.000001AB53B00000.00000004.08000000.00040000.00000000.sdmp, Free_changer_fix.exe, 00000001.00000002.2860727016.000001AB4B3AB000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: Free_changer_fix.exe, 00000001.00000002.2860727016.000001AB4B04F000.00000004.00000800.00020000.00000000.sdmp, Free_changer_fix.exe, 00000001.00000002.2873408894.000001AB53B00000.00000004.08000000.00040000.00000000.sdmp, Free_changer_fix.exe, 00000001.00000002.2860727016.000001AB4B3AB000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: Free_changer_fix.exe, 00000001.00000002.2860727016.000001AB4B04F000.00000004.00000800.00020000.00000000.sdmp, Free_changer_fix.exe, 00000001.00000002.2873408894.000001AB53B00000.00000004.08000000.00040000.00000000.sdmp, Free_changer_fix.exe, 00000001.00000002.2860727016.000001AB4B3AB000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: Free_changer_fix.exe, 00000001.00000002.2860727016.000001AB4B04F000.00000004.00000800.00020000.00000000.sdmp, Free_changer_fix.exe, 00000001.00000002.2873408894.000001AB53B00000.00000004.08000000.00040000.00000000.sdmp, Free_changer_fix.exe, 00000001.00000002.2860727016.000001AB4B3AB000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: Free_changer_fix.exe, 00000001.00000002.2860727016.000001AB4B04F000.00000004.00000800.00020000.00000000.sdmp, Free_changer_fix.exe, 00000001.00000002.2873408894.000001AB53B00000.00000004.08000000.00040000.00000000.sdmp, Free_changer_fix.exe, 00000001.00000002.2860727016.000001AB4B3AB000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.com0A
Source: Free_changer_fix.exe, 00000001.00000002.2860727016.000001AB4B04F000.00000004.00000800.00020000.00000000.sdmp, Free_changer_fix.exe, 00000001.00000002.2873408894.000001AB53B00000.00000004.08000000.00040000.00000000.sdmp, Free_changer_fix.exe, 00000001.00000002.2860727016.000001AB4B3AB000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.com0C
Source: Free_changer_fix.exe, 00000001.00000002.2860727016.000001AB4B04F000.00000004.00000800.00020000.00000000.sdmp, Free_changer_fix.exe, 00000001.00000002.2873408894.000001AB53B00000.00000004.08000000.00040000.00000000.sdmp, Free_changer_fix.exe, 00000001.00000002.2860727016.000001AB4B3AB000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.com0X
Source: chainProvider.exe, 00000007.00000002.1694520056.00000000034DA000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: Free_changer_fix.exe, 00000001.00000002.2876768367.000001AB54E42000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: Free_changer_fix.exe, 00000001.00000002.2876768367.000001AB54E42000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.carterandcone.coml
Source: Free_changer_fix.exe, 00000001.00000002.2876768367.000001AB54E42000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com
Source: Free_changer_fix.exe, 00000001.00000002.2876768367.000001AB54E42000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers
Source: Free_changer_fix.exe, 00000001.00000002.2876768367.000001AB54E42000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers/?
Source: Free_changer_fix.exe, 00000001.00000002.2876768367.000001AB54E42000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: Free_changer_fix.exe, 00000001.00000002.2876768367.000001AB54E42000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
Source: Free_changer_fix.exe, 00000001.00000002.2876768367.000001AB54E42000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers8
Source: Free_changer_fix.exe, 00000001.00000002.2876768367.000001AB54E42000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers?
Source: Free_changer_fix.exe, 00000001.00000002.2876768367.000001AB54E42000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designersG
Source: Free_changer_fix.exe, 00000001.00000002.2876768367.000001AB54E42000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fonts.com
Source: Free_changer_fix.exe, 00000001.00000002.2876768367.000001AB54E42000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.founder.com.cn/cn
Source: Free_changer_fix.exe, 00000001.00000002.2876768367.000001AB54E42000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: Free_changer_fix.exe, 00000001.00000002.2876768367.000001AB54E42000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: Free_changer_fix.exe, 00000001.00000002.2876768367.000001AB54E42000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: Free_changer_fix.exe, 00000001.00000002.2876768367.000001AB54E42000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: Free_changer_fix.exe, 00000001.00000002.2876768367.000001AB54E42000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.goodfont.co.kr
Source: Free_changer_fix.exe, 00000001.00000002.2876768367.000001AB54E42000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: Free_changer_fix.exe, 00000001.00000002.2876768367.000001AB54E42000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.sajatypeworks.com
Source: Free_changer_fix.exe, 00000001.00000002.2876768367.000001AB54E42000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.sakkal.com
Source: Free_changer_fix.exe, 00000001.00000002.2876768367.000001AB54E42000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.sandoll.co.kr
Source: Free_changer_fix.exe, 00000001.00000002.2876768367.000001AB54E42000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.tiro.com
Source: Free_changer_fix.exe, 00000001.00000002.2876768367.000001AB54E42000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.typography.netD
Source: Free_changer_fix.exe, 00000001.00000002.2876768367.000001AB54E42000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.urwpp.deDPlease
Source: Free_changer_fix.exe, 00000001.00000002.2876768367.000001AB54E42000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.zhongyicts.com.cn
Source: Free_changer_fix.exe, 00000001.00000002.2853964279.000001AB3B043000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://gunaui.com/
Source: Free_changer_fix.exe, 00000001.00000002.2853964279.000001AB3B043000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://gunaui.com/api/licensing.php
Source: Free_changer_fix.exe, 00000001.00000002.2853964279.000001AB3B043000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://gunaui.com/pricing

System Summary

Source: e8RKyR4TEM.exe, type: SAMPLE Matched rule: Detects zgRAT Author: ditekSHen
Source: 0.0.e8RKyR4TEM.exe.409294.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects zgRAT Author: ditekSHen
Source: 0.0.e8RKyR4TEM.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects zgRAT Author: ditekSHen
Source: C:\Windows\SysWOW64\wscript.exe COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}
Source: C:\Users\user\AppData\Local\Temp\grunge cheat softwsre 0.28.4.exe Code function: 2_2_0058718C: __EH_prolog,CreateFileW,CloseHandle,CreateDirectoryW,CreateFileW,DeviceIoControl,CloseHandle,GetLastError,RemoveDirectoryW,DeleteFileW, 2_2_0058718C
Source: C:\msDriverSessionHost\chainProvider.exe File created: C:\Windows\ShellComponents\cwxyiNpEtlalxKGPbFFnB.exe
Source: C:\msDriverSessionHost\chainProvider.exe File created: C:\Windows\ShellComponents\b49250d0ebe870
Source: C:\msDriverSessionHost\chainProvider.exe File created: C:\Windows\SystemApps\cwxyiNpEtlalxKGPbFFnB.exe
Source: C:\msDriverSessionHost\chainProvider.exe File created: C:\Windows\SystemApps\b49250d0ebe870
Source: C:\Users\user\AppData\Local\Temp\Free_changer_fix.exe Code function: 1_2_00007FFD9BB79BB2 1_2_00007FFD9BB79BB2
Source: C:\Users\user\AppData\Local\Temp\Free_changer_fix.exe Code function: 1_2_00007FFD9BB71974 1_2_00007FFD9BB71974
Source: C:\Users\user\AppData\Local\Temp\Free_changer_fix.exe Code function: 1_2_00007FFD9BB76920 1_2_00007FFD9BB76920
Source: C:\Users\user\AppData\Local\Temp\Free_changer_fix.exe Code function: 1_2_00007FFD9BB738BA 1_2_00007FFD9BB738BA
Source: C:\Users\user\AppData\Local\Temp\grunge cheat softwsre 0.28.4.exe Code function: 2_2_0058857B 2_2_0058857B
Source: C:\Users\user\AppData\Local\Temp\grunge cheat softwsre 0.28.4.exe Code function: 2_2_0058407E 2_2_0058407E
Source: C:\Users\user\AppData\Local\Temp\grunge cheat softwsre 0.28.4.exe Code function: 2_2_005AD00E 2_2_005AD00E
Source: C:\Users\user\AppData\Local\Temp\grunge cheat softwsre 0.28.4.exe Code function: 2_2_005970BF 2_2_005970BF
Source: C:\Users\user\AppData\Local\Temp\grunge cheat softwsre 0.28.4.exe Code function: 2_2_005B1194 2_2_005B1194
Source: C:\Users\user\AppData\Local\Temp\grunge cheat softwsre 0.28.4.exe Code function: 2_2_005A02F6 2_2_005A02F6
Source: C:\Users\user\AppData\Local\Temp\grunge cheat softwsre 0.28.4.exe Code function: 2_2_00583281 2_2_00583281
Source: C:\Users\user\AppData\Local\Temp\grunge cheat softwsre 0.28.4.exe Code function: 2_2_0058E2A0 2_2_0058E2A0
Source: C:\Users\user\AppData\Local\Temp\grunge cheat softwsre 0.28.4.exe Code function: 2_2_00596646 2_2_00596646
Source: C:\Users\user\AppData\Local\Temp\grunge cheat softwsre 0.28.4.exe Code function: 2_2_005A070E 2_2_005A070E
Source: C:\Users\user\AppData\Local\Temp\grunge cheat softwsre 0.28.4.exe Code function: 2_2_005A473A 2_2_005A473A
Source: C:\Users\user\AppData\Local\Temp\grunge cheat softwsre 0.28.4.exe Code function: 2_2_005937C1 2_2_005937C1
Source: C:\Users\user\AppData\Local\Temp\grunge cheat softwsre 0.28.4.exe Code function: 2_2_005827E8 2_2_005827E8
Source: C:\Users\user\AppData\Local\Temp\grunge cheat softwsre 0.28.4.exe Code function: 2_2_0058E8A0 2_2_0058E8A0
Source: C:\Users\user\AppData\Local\Temp\grunge cheat softwsre 0.28.4.exe Code function: 2_2_0058F968 2_2_0058F968
Source: C:\Users\user\AppData\Local\Temp\grunge cheat softwsre 0.28.4.exe Code function: 2_2_005A4969 2_2_005A4969
Source: C:\Users\user\AppData\Local\Temp\grunge cheat softwsre 0.28.4.exe Code function: 2_2_00596A7B 2_2_00596A7B
Source: C:\Users\user\AppData\Local\Temp\grunge cheat softwsre 0.28.4.exe Code function: 2_2_00593A3C 2_2_00593A3C
Source: C:\Users\user\AppData\Local\Temp\grunge cheat softwsre 0.28.4.exe Code function: 2_2_005A0B43 2_2_005A0B43
Source: C:\Users\user\AppData\Local\Temp\grunge cheat softwsre 0.28.4.exe Code function: 2_2_005ACB60 2_2_005ACB60
Source: C:\Users\user\AppData\Local\Temp\grunge cheat softwsre 0.28.4.exe Code function: 2_2_00595C77 2_2_00595C77
Source: C:\Users\user\AppData\Local\Temp\grunge cheat softwsre 0.28.4.exe Code function: 2_2_00593D6D 2_2_00593D6D
Source: C:\Users\user\AppData\Local\Temp\grunge cheat softwsre 0.28.4.exe Code function: 2_2_0058ED14 2_2_0058ED14
Source: C:\Users\user\AppData\Local\Temp\grunge cheat softwsre 0.28.4.exe Code function: 2_2_0059FDFA 2_2_0059FDFA
Source: C:\Users\user\AppData\Local\Temp\grunge cheat softwsre 0.28.4.exe Code function: 2_2_0058DE6C 2_2_0058DE6C
Source: C:\Users\user\AppData\Local\Temp\grunge cheat softwsre 0.28.4.exe Code function: 2_2_0058BE13 2_2_0058BE13
Source: C:\Users\user\AppData\Local\Temp\grunge cheat softwsre 0.28.4.exe Code function: 2_2_005A0F78 2_2_005A0F78
Source: C:\Users\user\AppData\Local\Temp\grunge cheat softwsre 0.28.4.exe Code function: 2_2_00585F3C 2_2_00585F3C
Source: C:\msDriverSessionHost\chainProvider.exe Code function: 7_2_00007FFD9B8E33B4 7_2_00007FFD9B8E33B4
Source: C:\msDriverSessionHost\chainProvider.exe Code function: 7_2_00007FFD9B8E2135 7_2_00007FFD9B8E2135
Source: C:\msDriverSessionHost\chainProvider.exe Code function: 7_2_00007FFD9B8EA87D 7_2_00007FFD9B8EA87D
Source: C:\msDriverSessionHost\chainProvider.exe Code function: 7_2_00007FFD9B8EAC7D 7_2_00007FFD9B8EAC7D
Source: C:\msDriverSessionHost\chainProvider.exe Code function: 7_2_00007FFD9B8E2B20 7_2_00007FFD9B8E2B20
Source: C:\msDriverSessionHost\chainProvider.exe Code function: 7_2_00007FFD9B8E2C50 7_2_00007FFD9B8E2C50
Source: C:\msDriverSessionHost\chainProvider.exe Code function: 7_2_00007FFD9B8EC6B0 7_2_00007FFD9B8EC6B0
Source: C:\msDriverSessionHost\chainProvider.exe Code function: 7_2_00007FFD9B8EAE58 7_2_00007FFD9B8EAE58
Source: C:\msDriverSessionHost\chainProvider.exe Code function: 7_2_00007FFD9B8E9E4D 7_2_00007FFD9B8E9E4D
Source: C:\msDriverSessionHost\chainProvider.exe Code function: 7_2_00007FFD9B8EACFD 7_2_00007FFD9B8EACFD
Source: C:\msDriverSessionHost\cwxyiNpEtlalxKGPbFFnB.exe Code function: 22_2_00007FFD9B9033B4 22_2_00007FFD9B9033B4
Source: C:\msDriverSessionHost\cwxyiNpEtlalxKGPbFFnB.exe Code function: 22_2_00007FFD9B902135 22_2_00007FFD9B902135
Source: C:\msDriverSessionHost\cwxyiNpEtlalxKGPbFFnB.exe Code function: 22_2_00007FFD9B902B20 22_2_00007FFD9B902B20
Source: C:\msDriverSessionHost\cwxyiNpEtlalxKGPbFFnB.exe Code function: 22_2_00007FFD9B902C50 22_2_00007FFD9B902C50
Source: C:\msDriverSessionHost\cwxyiNpEtlalxKGPbFFnB.exe Code function: 22_2_00007FFD9B90C6B0 22_2_00007FFD9B90C6B0
Source: C:\msDriverSessionHost\cwxyiNpEtlalxKGPbFFnB.exe Code function: 22_2_00007FFD9B902C50 22_2_00007FFD9B902C50
Source: C:\msDriverSessionHost\cwxyiNpEtlalxKGPbFFnB.exe Code function: 25_2_00007FFD9B8D3555 25_2_00007FFD9B8D3555
Source: C:\Users\user\AppData\Local\Temp\grunge cheat softwsre 0.28.4.exe Code function: String function: 0059E360 appears 52 times
Source: C:\Users\user\AppData\Local\Temp\grunge cheat softwsre 0.28.4.exe Code function: String function: 0059ED00 appears 31 times
Source: C:\Users\user\AppData\Local\Temp\grunge cheat softwsre 0.28.4.exe Code function: String function: 0059E28C appears 35 times
Source: e8RKyR4TEM.exe Static PE information: Resource name: RT_RCDATA type: PE32+ executable (GUI) x86-64 Mono/.Net assembly, for MS Windows
Source: e8RKyR4TEM.exe Static PE information: Resource name: RT_RCDATA type: PE32 executable (GUI) Intel 80386, for MS Windows
Source: Free_changer_fix.exe.0.dr Static PE information: No import functions for PE file found
Source: e8RKyR4TEM.exe, 00000000.00000000.1614105143.0000000000408000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameNerestPC changer.exeB vs e8RKyR4TEM.exe
Source: e8RKyR4TEM.exe, 00000000.00000000.1614105143.0000000000408000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenamelibGLESv2.dll4 vs e8RKyR4TEM.exe
Source: e8RKyR4TEM.exe, 00000000.00000003.1620961045.0000000002669000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenamelibGLESv2.dll4 vs e8RKyR4TEM.exe
Source: e8RKyR4TEM.exe, 00000000.00000002.1623468060.00000000009E9000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameNerestPC cha vs e8RKyR4TEM.exe
Source: e8RKyR4TEM.exe, 00000000.00000003.1619227029.0000000002666000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameNerestPC changer.exeB vs e8RKyR4TEM.exe
Source: e8RKyR4TEM.exe Binary or memory string: OriginalFilenameNerestPC changer.exeB vs e8RKyR4TEM.exe
Source: e8RKyR4TEM.exe Binary or memory string: OriginalFilenamelibGLESv2.dll4 vs e8RKyR4TEM.exe
Source: e8RKyR4TEM.exe Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
Source: e8RKyR4TEM.exe, type: SAMPLE Matched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
Source: 0.0.e8RKyR4TEM.exe.409294.1.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
Source: 0.0.e8RKyR4TEM.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
Source: 0.0.e8RKyR4TEM.exe.6fefc8.2.raw.unpack, MsNMv9syoTVwjeSfLjV.cs Cryptographic APIs: 'CreateDecryptor' (2 identical entries)
Source: 0.0.e8RKyR4TEM.exe.6fefc8.2.raw.unpack, cM7TrW7vKpr8B50h7OK.cs Cryptographic APIs: 'TransformBlock'
Source: 0.0.e8RKyR4TEM.exe.6fefc8.2.raw.unpack, cM7TrW7vKpr8B50h7OK.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 0.3.e8RKyR4TEM.exe.26b655c.0.raw.unpack, MsNMv9syoTVwjeSfLjV.cs Cryptographic APIs: 'CreateDecryptor' (2 identical entries)
Source: 0.3.e8RKyR4TEM.exe.26b655c.0.raw.unpack, cM7TrW7vKpr8B50h7OK.cs Cryptographic APIs: 'TransformBlock'
Source: 0.3.e8RKyR4TEM.exe.26b655c.0.raw.unpack, cM7TrW7vKpr8B50h7OK.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 0.3.e8RKyR4TEM.exe.26b655c.0.raw.unpack, fTEbjnJDRf0x5sD15Ib.cs Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 0.3.e8RKyR4TEM.exe.26b655c.0.raw.unpack, fTEbjnJDRf0x5sD15Ib.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.0.e8RKyR4TEM.exe.6fefc8.2.raw.unpack, fTEbjnJDRf0x5sD15Ib.cs Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 0.0.e8RKyR4TEM.exe.6fefc8.2.raw.unpack, fTEbjnJDRf0x5sD15Ib.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: classification engine Classification label: mal100.troj.evad.winEXE@47/39@0/0
Source: C:\Users\user\AppData\Local\Temp\grunge cheat softwsre 0.28.4.exe Code function: 2_2_00586EC9 GetLastError,FormatMessageW, 2_2_00586EC9
Source: C:\Users\user\AppData\Local\Temp\grunge cheat softwsre 0.28.4.exe Code function: 2_2_00599E1C FindResourceW,SizeofResource,LoadResource,LockResource,GlobalAlloc,GlobalLock,GdipCreateHBITMAPFromBitmap,GlobalUnlock,GlobalFree, 2_2_00599E1C
Source: C:\msDriverSessionHost\chainProvider.exe File created: C:\Program Files\Windows Sidebar\Shared Gadgets\cwxyiNpEtlalxKGPbFFnB.exe
Source: C:\msDriverSessionHost\chainProvider.exe File created: C:\Users\user\cwxyiNpEtlalxKGPbFFnB.exe
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7188:120:WilError_03
Source: C:\msDriverSessionHost\cwxyiNpEtlalxKGPbFFnB.exe Mutant created: NULL
Source: C:\msDriverSessionHost\chainProvider.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\13a278982d530f9b35a18124d9bd2b80fe3d49e1
Source: C:\Users\user\Desktop\e8RKyR4TEM.exe File created: C:\Users\user\AppData\Local\Temp\Free_changer_fix.exe
Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\msDriverSessionHost\LoFbtYsm9QvENfKMo8zDNNjCY.bat" "
Source: C:\Users\user\AppData\Local\Temp\grunge cheat softwsre 0.28.4.exe Command line argument: sfxname 2_2_0059D5D4
Source: C:\Users\user\AppData\Local\Temp\grunge cheat softwsre 0.28.4.exe Command line argument: sfxstime 2_2_0059D5D4
Source: C:\Users\user\AppData\Local\Temp\grunge cheat softwsre 0.28.4.exe Command line argument: STARTDLG 2_2_0059D5D4
Source: C:\Users\user\AppData\Local\Temp\grunge cheat softwsre 0.28.4.exe Command line argument: xj] 2_2_0059D5D4
Source: e8RKyR4TEM.exe Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
Source: C:\msDriverSessionHost\chainProvider.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create (48 identical entries)
Source: C:\Users\user\Desktop\e8RKyR4TEM.exe File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\e8RKyR4TEM.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: e8RKyR4TEM.exe ReversingLabs: Detection: 94%
Source: e8RKyR4TEM.exe Virustotal: Detection: 89%
Source: unknown Process created: C:\Users\user\Desktop\e8RKyR4TEM.exe "C:\Users\user\Desktop\e8RKyR4TEM.exe"
Source: C:\Users\user\Desktop\e8RKyR4TEM.exe Process created: C:\Users\user\AppData\Local\Temp\Free_changer_fix.exe "C:\Users\user\AppData\Local\Temp\Free_changer_fix.exe"
Source: C:\Users\user\Desktop\e8RKyR4TEM.exe Process created: C:\Users\user\AppData\Local\Temp\grunge cheat softwsre 0.28.4.exe "C:\Users\user\AppData\Local\Temp\grunge cheat softwsre 0.28.4.exe"
Source: C:\Users\user\AppData\Local\Temp\grunge cheat softwsre 0.28.4.exe Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\msDriverSessionHost\myVrliqnAWGzbaQrrwFJCBOXabSQn5.vbe"
Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\msDriverSessionHost\LoFbtYsm9QvENfKMo8zDNNjCY.bat" "
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\msDriverSessionHost\chainProvider.exe "C:\msDriverSessionHost\chainProvider.exe"
Source: C:\msDriverSessionHost\chainProvider.exe Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "cwxyiNpEtlalxKGPbFFnBc" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Sidebar\Shared Gadgets\cwxyiNpEtlalxKGPbFFnB.exe'" /f
Source: C:\msDriverSessionHost\chainProvider.exe Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "cwxyiNpEtlalxKGPbFFnB" /sc ONLOGON /tr "'C:\Program Files\Windows Sidebar\Shared Gadgets\cwxyiNpEtlalxKGPbFFnB.exe'" /rl HIGHEST /f
Source: C:\msDriverSessionHost\chainProvider.exe Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "cwxyiNpEtlalxKGPbFFnBc" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Sidebar\Shared Gadgets\cwxyiNpEtlalxKGPbFFnB.exe'" /rl HIGHEST /f
Source: C:\msDriverSessionHost\chainProvider.exe Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows Defender\en-US\conhost.exe'" /f
Source: C:\msDriverSessionHost\chainProvider.exe Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Program Files\Windows Defender\en-US\conhost.exe'" /rl HIGHEST /f
Source: C:\msDriverSessionHost\chainProvider.exe Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows Defender\en-US\conhost.exe'" /rl HIGHEST /f
Source: C:\msDriverSessionHost\chainProvider.exe Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "cwxyiNpEtlalxKGPbFFnBc" /sc MINUTE /mo 9 /tr "'C:\Users\user\cwxyiNpEtlalxKGPbFFnB.exe'" /f
Source: C:\msDriverSessionHost\chainProvider.exe Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "cwxyiNpEtlalxKGPbFFnB" /sc ONLOGON /tr "'C:\Users\user\cwxyiNpEtlalxKGPbFFnB.exe'" /rl HIGHEST /f
Source: C:\msDriverSessionHost\chainProvider.exe Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "cwxyiNpEtlalxKGPbFFnBc" /sc MINUTE /mo 5 /tr "'C:\Users\user\cwxyiNpEtlalxKGPbFFnB.exe'" /rl HIGHEST /f
Source: C:\msDriverSessionHost\chainProvider.exe Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "cwxyiNpEtlalxKGPbFFnBc" /sc MINUTE /mo 5 /tr "'C:\msDriverSessionHost\cwxyiNpEtlalxKGPbFFnB.exe'" /f
Source: C:\msDriverSessionHost\chainProvider.exe Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "cwxyiNpEtlalxKGPbFFnB" /sc ONLOGON /tr "'C:\msDriverSessionHost\cwxyiNpEtlalxKGPbFFnB.exe'" /rl HIGHEST /f
Source: C:\msDriverSessionHost\chainProvider.exe Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "cwxyiNpEtlalxKGPbFFnBc" /sc MINUTE /mo 12 /tr "'C:\msDriverSessionHost\cwxyiNpEtlalxKGPbFFnB.exe'" /rl HIGHEST /f
Source: unknown Process created: C:\msDriverSessionHost\cwxyiNpEtlalxKGPbFFnB.exe C:\msDriverSessionHost\cwxyiNpEtlalxKGPbFFnB.exe
Source: C:\msDriverSessionHost\chainProvider.exe Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "cwxyiNpEtlalxKGPbFFnBc" /sc MINUTE /mo 8 /tr "'C:\msDriverSessionHost\cwxyiNpEtlalxKGPbFFnB.exe'" /f
Source: C:\msDriverSessionHost\chainProvider.exe Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "cwxyiNpEtlalxKGPbFFnB" /sc ONLOGON /tr "'C:\msDriverSessionHost\cwxyiNpEtlalxKGPbFFnB.exe'" /rl HIGHEST /f
Source: unknown Process created: C:\msDriverSessionHost\cwxyiNpEtlalxKGPbFFnB.exe C:\msDriverSessionHost\cwxyiNpEtlalxKGPbFFnB.exe
Source: C:\msDriverSessionHost\chainProvider.exe Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "cwxyiNpEtlalxKGPbFFnBc" /sc MINUTE /mo 9 /tr "'C:\msDriverSessionHost\cwxyiNpEtlalxKGPbFFnB.exe'" /rl HIGHEST /f
Source: C:\msDriverSessionHost\chainProvider.exe Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 11 /tr "'C:\msDriverSessionHost\RuntimeBroker.exe'" /f
Source: C:\msDriverSessionHost\chainProvider.exe Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\msDriverSessionHost\RuntimeBroker.exe'" /rl HIGHEST /f
Source: C:\msDriverSessionHost\chainProvider.exe Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 9 /tr "'C:\msDriverSessionHost\RuntimeBroker.exe'" /rl HIGHEST /f
Source: C:\msDriverSessionHost\chainProvider.exe Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "cwxyiNpEtlalxKGPbFFnBc" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Media Player\cwxyiNpEtlalxKGPbFFnB.exe'" /f
Source: C:\msDriverSessionHost\chainProvider.exe Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "cwxyiNpEtlalxKGPbFFnB" /sc ONLOGON /tr "'C:\Program Files\Windows Media Player\cwxyiNpEtlalxKGPbFFnB.exe'" /rl HIGHEST /f
Source: C:\msDriverSessionHost\chainProvider.exe Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "cwxyiNpEtlalxKGPbFFnBc" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Media Player\cwxyiNpEtlalxKGPbFFnB.exe'" /rl HIGHEST /f
Source: C:\msDriverSessionHost\chainProvider.exe Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 8 /tr "'C:\Users\All Users\WindowsHolographicDevices\SpatialStore\StartMenuExperienceHost.exe'" /f
Source: C:\msDriverSessionHost\chainProvider.exe Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Users\All Users\WindowsHolographicDevices\SpatialStore\StartMenuExperienceHost.exe'" /rl HIGHEST /f
Source: C:\msDriverSessionHost\chainProvider.exe Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 14 /tr "'C:\Users\All Users\WindowsHolographicDevices\SpatialStore\StartMenuExperienceHost.exe'" /rl HIGHEST /f
Source: C:\msDriverSessionHost\chainProvider.exe Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "WinStore.AppW" /sc MINUTE /mo 5 /tr "'C:\Users\Default User\OneDrive\WinStore.App.exe'" /f
Source: C:\msDriverSessionHost\chainProvider.exe Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "WinStore.App" /sc ONLOGON /tr "'C:\Users\Default User\OneDrive\WinStore.App.exe'" /rl HIGHEST /f
Source: C:\msDriverSessionHost\chainProvider.exe Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "WinStore.AppW" /sc MINUTE /mo 6 /tr "'C:\Users\Default User\OneDrive\WinStore.App.exe'" /rl HIGHEST /f
Source: C:\msDriverSessionHost\chainProvider.exe Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "cwxyiNpEtlalxKGPbFFnBc" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\common files\DESIGNER\cwxyiNpEtlalxKGPbFFnB.exe'" /f
Source: C:\msDriverSessionHost\chainProvider.exe Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "cwxyiNpEtlalxKGPbFFnB" /sc ONLOGON /tr "'C:\Program Files (x86)\common files\DESIGNER\cwxyiNpEtlalxKGPbFFnB.exe'" /rl HIGHEST /f
Source: C:\msDriverSessionHost\chainProvider.exe Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "cwxyiNpEtlalxKGPbFFnBc" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\common files\DESIGNER\cwxyiNpEtlalxKGPbFFnB.exe'" /rl HIGHEST /f
Source: C:\Windows\System32\schtasks.exe Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\e8RKyR4TEM.exe Process created: C:\Users\user\AppData\Local\Temp\Free_changer_fix.exe "C:\Users\user\AppData\Local\Temp\Free_changer_fix.exe"
Source: C:\Users\user\Desktop\e8RKyR4TEM.exe Process created: C:\Users\user\AppData\Local\Temp\grunge cheat softwsre 0.28.4.exe "C:\Users\user\AppData\Local\Temp\grunge cheat softwsre 0.28.4.exe"
Source: C:\Users\user\AppData\Local\Temp\grunge cheat softwsre 0.28.4.exe Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\msDriverSessionHost\myVrliqnAWGzbaQrrwFJCBOXabSQn5.vbe"
Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\msDriverSessionHost\LoFbtYsm9QvENfKMo8zDNNjCY.bat" "
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\msDriverSessionHost\chainProvider.exe "C:\msDriverSessionHost\chainProvider.exe"
Source: C:\msDriverSessionHost\chainProvider.exe Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows Defender\en-US\conhost.exe'" /rl HIGHEST /f
Source: C:\Users\user\Desktop\e8RKyR4TEM.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\e8RKyR4TEM.exe Section loaded: shfolder.dll
Source: C:\Users\user\Desktop\e8RKyR4TEM.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\e8RKyR4TEM.exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\e8RKyR4TEM.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\e8RKyR4TEM.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\e8RKyR4TEM.exe Section loaded: propsys.dll
Source: C:\Users\user\Desktop\e8RKyR4TEM.exe Section loaded: profapi.dll
Source: C:\Users\user\Desktop\e8RKyR4TEM.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\Desktop\e8RKyR4TEM.exe Section loaded: edputil.dll
Source: C:\Users\user\Desktop\e8RKyR4TEM.exe Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\e8RKyR4TEM.exe Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\e8RKyR4TEM.exe Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\e8RKyR4TEM.exe Section loaded: netutils.dll
Source: C:\Users\user\Desktop\e8RKyR4TEM.exe Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\e8RKyR4TEM.exe Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\e8RKyR4TEM.exe Section loaded: appresolver.dll
Source: C:\Users\user\Desktop\e8RKyR4TEM.exe Section loaded: bcp47langs.dll
Source: C:\Users\user\Desktop\e8RKyR4TEM.exe Section loaded: slc.dll
Source: C:\Users\user\Desktop\e8RKyR4TEM.exe Section loaded: userenv.dll
Source: C:\Users\user\Desktop\e8RKyR4TEM.exe Section loaded: sppc.dll
Source: C:\Users\user\Desktop\e8RKyR4TEM.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\Desktop\e8RKyR4TEM.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\Free_changer_fix.exe Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Local\Temp\Free_changer_fix.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\Free_changer_fix.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\Free_changer_fix.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\Free_changer_fix.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\Free_changer_fix.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\Free_changer_fix.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\Free_changer_fix.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\Free_changer_fix.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\Free_changer_fix.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\Free_changer_fix.exe Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Temp\Free_changer_fix.exe Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Temp\Free_changer_fix.exe Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\Free_changer_fix.exe Section loaded: amsi.dll
Source: C:\Users\user\AppData\Local\Temp\Free_changer_fix.exe Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\Free_changer_fix.exe Section loaded: dwrite.dll
Source: C:\Users\user\AppData\Local\Temp\Free_changer_fix.exe Section loaded: textshaping.dll
Source: C:\Users\user\AppData\Local\Temp\Free_changer_fix.exe Section loaded: windowscodecs.dll
Source: C:\Users\user\AppData\Local\Temp\Free_changer_fix.exe Section loaded: iconcodecservice.dll
Source: C:\Users\user\AppData\Local\Temp\Free_changer_fix.exe Section loaded: textinputframework.dll
Source: C:\Users\user\AppData\Local\Temp\Free_changer_fix.exe Section loaded: coreuicomponents.dll
Source: C:\Users\user\AppData\Local\Temp\Free_changer_fix.exe Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Local\Temp\Free_changer_fix.exe Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\Temp\Free_changer_fix.exe Section loaded: wintypes.dll (3 identical entries)
Source: C:\Users\user\AppData\Local\Temp\grunge cheat softwsre 0.28.4.exe Section loaded: api-ms-win-core-synch-l1-2-0.dll
Source: C:\Users\user\AppData\Local\Temp\grunge cheat softwsre 0.28.4.exe Section loaded: api-ms-win-core-fibers-l1-1-1.dll
Source: C:\Users\user\AppData\Local\Temp\grunge cheat softwsre 0.28.4.exe Section loaded: api-ms-win-core-synch-l1-2-0.dll
Source: C:\Users\user\AppData\Local\Temp\grunge cheat softwsre 0.28.4.exe Section loaded: api-ms-win-core-fibers-l1-1-1.dll
Source: C:\Users\user\AppData\Local\Temp\grunge cheat softwsre 0.28.4.exe Section loaded: api-ms-win-core-localization-l1-2-1.dll
Source: C:\Users\user\AppData\Local\Temp\grunge cheat softwsre 0.28.4.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\grunge cheat softwsre 0.28.4.exe Section loaded: dxgidebug.dll
Source: C:\Users\user\AppData\Local\Temp\grunge cheat softwsre 0.28.4.exe Section loaded: sfc_os.dll
Source: C:\Users\user\AppData\Local\Temp\grunge cheat softwsre 0.28.4.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\grunge cheat softwsre 0.28.4.exe Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Temp\grunge cheat softwsre 0.28.4.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\grunge cheat softwsre 0.28.4.exe Section loaded: dwmapi.dll
Source: C:\Users\user\AppData\Local\Temp\grunge cheat softwsre 0.28.4.exe Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\grunge cheat softwsre 0.28.4.exe Section loaded: riched20.dll
Source: C:\Users\user\AppData\Local\Temp\grunge cheat softwsre 0.28.4.exe Section loaded: usp10.dll
Source: C:\Users\user\AppData\Local\Temp\grunge cheat softwsre 0.28.4.exe Section loaded: msls31.dll
Source: C:\Users\user\AppData\Local\Temp\grunge cheat softwsre 0.28.4.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\grunge cheat softwsre 0.28.4.exe Section loaded: windowscodecs.dll
Source: C:\Users\user\AppData\Local\Temp\grunge cheat softwsre 0.28.4.exe Section loaded: textshaping.dll
Source: C:\Users\user\AppData\Local\Temp\grunge cheat softwsre 0.28.4.exe Section loaded: textinputframework.dll
Source: C:\Users\user\AppData\Local\Temp\grunge cheat softwsre 0.28.4.exe Section loaded: coreuicomponents.dll
Source: C:\Users\user\AppData\Local\Temp\grunge cheat softwsre 0.28.4.exe Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Local\Temp\grunge cheat softwsre 0.28.4.exe Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\Temp\grunge cheat softwsre 0.28.4.exe Section loaded: wintypes.dll (3 identical entries)
Source: C:\Users\user\AppData\Local\Temp\grunge cheat softwsre 0.28.4.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\grunge cheat softwsre 0.28.4.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\grunge cheat softwsre 0.28.4.exe Section loaded: propsys.dll
Source: C:\Users\user\AppData\Local\Temp\grunge cheat softwsre 0.28.4.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\grunge cheat softwsre 0.28.4.exe Section loaded: edputil.dll
Source: C:\Users\user\AppData\Local\Temp\grunge cheat softwsre 0.28.4.exe Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\grunge cheat softwsre 0.28.4.exe Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\grunge cheat softwsre 0.28.4.exe Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\grunge cheat softwsre 0.28.4.exe Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\grunge cheat softwsre 0.28.4.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Local\Temp\grunge cheat softwsre 0.28.4.exe Section loaded: policymanager.dll
Source: C:\Users\user\AppData\Local\Temp\grunge cheat softwsre 0.28.4.exe Section loaded: msvcp110_win.dll
Source: C:\Users\user\AppData\Local\Temp\grunge cheat softwsre 0.28.4.exe Section loaded: appresolver.dll
Source: C:\Users\user\AppData\Local\Temp\grunge cheat softwsre 0.28.4.exe Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Local\Temp\grunge cheat softwsre 0.28.4.exe Section loaded: slc.dll
Source: C:\Users\user\AppData\Local\Temp\grunge cheat softwsre 0.28.4.exe Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\grunge cheat softwsre 0.28.4.exe Section loaded: sppc.dll
Source: C:\Users\user\AppData\Local\Temp\grunge cheat softwsre 0.28.4.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\grunge cheat softwsre 0.28.4.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\grunge cheat softwsre 0.28.4.exe Section loaded: pcacli.dll
Source: C:\Users\user\AppData\Local\Temp\grunge cheat softwsre 0.28.4.exe Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: sxs.dll Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: vbscript.dll Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: msisip.dll Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: wshext.dll Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: scrobj.dll Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: mpr.dll Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: scrrun.dll Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: dlnashext.dll Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: wpdshext.dll Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: edputil.dll Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: windows.staterepositoryps.dll Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: appresolver.dll Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: bcp47langs.dll Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: slc.dll Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: sppc.dll Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: onecorecommonproxystub.dll Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: onecoreuapcommonproxystub.dll Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: cmdext.dll Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\msDriverSessionHost\chainProvider.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\msDriverSessionHost\chainProvider.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\msDriverSessionHost\chainProvider.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\msDriverSessionHost\chainProvider.exe Section loaded: version.dll Jump to behavior
Source: C:\msDriverSessionHost\chainProvider.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\msDriverSessionHost\chainProvider.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\msDriverSessionHost\chainProvider.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\msDriverSessionHost\chainProvider.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\msDriverSessionHost\chainProvider.exe Section loaded: wldp.dll Jump to behavior
Source: C:\msDriverSessionHost\chainProvider.exe Section loaded: profapi.dll Jump to behavior
Source: C:\msDriverSessionHost\chainProvider.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\msDriverSessionHost\chainProvider.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\msDriverSessionHost\chainProvider.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\msDriverSessionHost\chainProvider.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\msDriverSessionHost\chainProvider.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\msDriverSessionHost\chainProvider.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\msDriverSessionHost\chainProvider.exe Section loaded: amsi.dll Jump to behavior
Source: C:\msDriverSessionHost\chainProvider.exe Section loaded: userenv.dll Jump to behavior
Source: C:\msDriverSessionHost\chainProvider.exe Section loaded: propsys.dll Jump to behavior
Source: C:\msDriverSessionHost\chainProvider.exe Section loaded: dlnashext.dll Jump to behavior
Source: C:\msDriverSessionHost\chainProvider.exe Section loaded: wpdshext.dll Jump to behavior
Source: C:\msDriverSessionHost\chainProvider.exe Section loaded: edputil.dll Jump to behavior
Source: C:\msDriverSessionHost\chainProvider.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\msDriverSessionHost\chainProvider.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\msDriverSessionHost\chainProvider.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\msDriverSessionHost\chainProvider.exe Section loaded: netutils.dll Jump to behavior
Source: C:\msDriverSessionHost\chainProvider.exe Section loaded: windows.staterepositoryps.dll Jump to behavior
Source: C:\msDriverSessionHost\chainProvider.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\msDriverSessionHost\chainProvider.exe Section loaded: appresolver.dll Jump to behavior
Source: C:\msDriverSessionHost\chainProvider.exe Section loaded: bcp47langs.dll Jump to behavior
Source: C:\msDriverSessionHost\chainProvider.exe Section loaded: slc.dll Jump to behavior
Source: C:\msDriverSessionHost\chainProvider.exe Section loaded: sppc.dll Jump to behavior
Source: C:\msDriverSessionHost\chainProvider.exe Section loaded: onecorecommonproxystub.dll Jump to behavior
Source: C:\msDriverSessionHost\chainProvider.exe Section loaded: onecoreuapcommonproxystub.dll Jump to behavior
Source: C:\Windows\System32\schtasks.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\System32\schtasks.exe Section loaded: taskschd.dll Jump to behavior
Source: C:\Windows\System32\schtasks.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\System32\schtasks.exe Section loaded: xmllite.dll Jump to behavior
Source: C:\Windows\System32\schtasks.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: taskschd.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: xmllite.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: taskschd.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: xmllite.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: taskschd.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: xmllite.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: taskschd.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: xmllite.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: taskschd.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: xmllite.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: taskschd.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: xmllite.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: taskschd.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: xmllite.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: taskschd.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: xmllite.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: taskschd.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: xmllite.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: taskschd.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: xmllite.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: taskschd.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: xmllite.dll
Source: C:\msDriverSessionHost\cwxyiNpEtlalxKGPbFFnB.exe Section loaded: mscoree.dll
Source: C:\msDriverSessionHost\cwxyiNpEtlalxKGPbFFnB.exe Section loaded: apphelp.dll
Source: C:\msDriverSessionHost\cwxyiNpEtlalxKGPbFFnB.exe Section loaded: kernel.appcore.dll
Source: C:\msDriverSessionHost\cwxyiNpEtlalxKGPbFFnB.exe Section loaded: version.dll
Source: C:\msDriverSessionHost\cwxyiNpEtlalxKGPbFFnB.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\msDriverSessionHost\cwxyiNpEtlalxKGPbFFnB.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\msDriverSessionHost\cwxyiNpEtlalxKGPbFFnB.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\msDriverSessionHost\cwxyiNpEtlalxKGPbFFnB.exe Section loaded: uxtheme.dll
Source: C:\msDriverSessionHost\cwxyiNpEtlalxKGPbFFnB.exe Section loaded: windows.storage.dll
Source: C:\msDriverSessionHost\cwxyiNpEtlalxKGPbFFnB.exe Section loaded: wldp.dll
Source: C:\msDriverSessionHost\cwxyiNpEtlalxKGPbFFnB.exe Section loaded: profapi.dll
Source: C:\msDriverSessionHost\cwxyiNpEtlalxKGPbFFnB.exe Section loaded: cryptsp.dll
Source: C:\msDriverSessionHost\cwxyiNpEtlalxKGPbFFnB.exe Section loaded: rsaenh.dll
Source: C:\msDriverSessionHost\cwxyiNpEtlalxKGPbFFnB.exe Section loaded: cryptbase.dll
Source: C:\msDriverSessionHost\cwxyiNpEtlalxKGPbFFnB.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: taskschd.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: xmllite.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: taskschd.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: xmllite.dll
Source: C:\msDriverSessionHost\cwxyiNpEtlalxKGPbFFnB.exe Section loaded: mscoree.dll
Source: C:\msDriverSessionHost\cwxyiNpEtlalxKGPbFFnB.exe Section loaded: kernel.appcore.dll
Source: C:\msDriverSessionHost\cwxyiNpEtlalxKGPbFFnB.exe Section loaded: version.dll
Source: C:\msDriverSessionHost\cwxyiNpEtlalxKGPbFFnB.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\msDriverSessionHost\cwxyiNpEtlalxKGPbFFnB.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\msDriverSessionHost\cwxyiNpEtlalxKGPbFFnB.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\msDriverSessionHost\cwxyiNpEtlalxKGPbFFnB.exe Section loaded: uxtheme.dll
Source: C:\msDriverSessionHost\cwxyiNpEtlalxKGPbFFnB.exe Section loaded: windows.storage.dll
Source: C:\msDriverSessionHost\cwxyiNpEtlalxKGPbFFnB.exe Section loaded: wldp.dll
Source: C:\msDriverSessionHost\cwxyiNpEtlalxKGPbFFnB.exe Section loaded: profapi.dll
Source: C:\msDriverSessionHost\cwxyiNpEtlalxKGPbFFnB.exe Section loaded: cryptsp.dll
Source: C:\msDriverSessionHost\cwxyiNpEtlalxKGPbFFnB.exe Section loaded: rsaenh.dll
Source: C:\msDriverSessionHost\cwxyiNpEtlalxKGPbFFnB.exe Section loaded: cryptbase.dll
Source: C:\msDriverSessionHost\cwxyiNpEtlalxKGPbFFnB.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: taskschd.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: xmllite.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: taskschd.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: xmllite.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: taskschd.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: xmllite.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: taskschd.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: xmllite.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: taskschd.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: xmllite.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: taskschd.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: xmllite.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: taskschd.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: xmllite.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: taskschd.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: xmllite.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: taskschd.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: xmllite.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: taskschd.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: xmllite.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: taskschd.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: xmllite.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: taskschd.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: xmllite.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: taskschd.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: xmllite.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: taskschd.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: xmllite.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: taskschd.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: xmllite.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: taskschd.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: xmllite.dll
Source: C:\Users\user\Desktop\e8RKyR4TEM.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Users\user\AppData\Local\Temp\Free_changer_fix.exe File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
Source: C:\msDriverSessionHost\chainProvider.exe Directory created: C:\Program Files\Windows Sidebar\Shared Gadgets\cwxyiNpEtlalxKGPbFFnB.exe
Source: C:\msDriverSessionHost\chainProvider.exe Directory created: C:\Program Files\Windows Sidebar\Shared Gadgets\b49250d0ebe870
Source: C:\msDriverSessionHost\chainProvider.exe Directory created: C:\Program Files\Windows Defender\en-US\conhost.exe
Source: C:\msDriverSessionHost\chainProvider.exe Directory created: C:\Program Files\Windows Defender\en-US\088424020bedd6
Source: C:\msDriverSessionHost\chainProvider.exe Directory created: C:\Program Files\Windows Media Player\cwxyiNpEtlalxKGPbFFnB.exe
Source: C:\msDriverSessionHost\chainProvider.exe Directory created: C:\Program Files\Windows Media Player\b49250d0ebe870
Source: e8RKyR4TEM.exe Static file information: File size 3961344 > 1048576
Source: e8RKyR4TEM.exe Static PE information: Raw size of .rsrc is bigger than: 0x100000 < 0x3c5000
Source: Binary string: D:\Projects\WinRAR\sfx\build\sfxrar32\Release\sfxrar.pdb source: e8RKyR4TEM.exe
Source: Binary string: c2c04224-30ca-4b4c-a9c1-5861ee78750d<Module>NerestPC_changer.Form1.resourcesNerestPC_changer.start.resourcescostura.costura.dll.compressedcostura.costura.pdb.compressedcostura.guna.ui2.dll.compressedcostura.memory.dll.compressedcostura.system.diagnostics.diagnosticsource.dll.compressedcostura.metadataNerestPC_FREE_sh7lP4Tk4P7SNfypH1bmc9DaxAqihcUAmNN6KzeJf2sVeScMSe9.g.resourcesaR3nbf8dQp2feLmk31.lSfgApatkdxsVcGcrktoFd.resourcesNerestPC_changer.Properties.Resources.resources source: Free_changer_fix.exe, 00000001.00000002.2860727016.000001AB4B04F000.00000004.00000800.00020000.00000000.sdmp, Free_changer_fix.exe, 00000001.00000002.2860727016.000001AB4B3AB000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: costura.costura.pdb.compressed source: Free_changer_fix.exe, 00000001.00000002.2860727016.000001AB4B04F000.00000004.00000800.00020000.00000000.sdmp, Free_changer_fix.exe, 00000001.00000002.2853964279.000001AB3B043000.00000004.00000800.00020000.00000000.sdmp, Free_changer_fix.exe, 00000001.00000002.2860727016.000001AB4B3AB000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: costura.costura.pdb.compressed|||Costura.pdb|6C6000A5EAF8579850AB82A89BD6268776EB51AD|2608 source: Free_changer_fix.exe, 00000001.00000002.2860727016.000001AB4B04F000.00000004.00000800.00020000.00000000.sdmp, Free_changer_fix.exe, 00000001.00000002.2860727016.000001AB4B3AB000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: costura.costura.pdb.compressed8 source: Free_changer_fix.exe, 00000001.00000002.2853964279.000001AB3B043000.00000004.00000800.00020000.00000000.sdmp

Data Obfuscation

Source: 0.0.e8RKyR4TEM.exe.6fefc8.2.raw.unpack, MsNMv9syoTVwjeSfLjV.cs .Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
Source: 0.3.e8RKyR4TEM.exe.26b655c.0.raw.unpack, MsNMv9syoTVwjeSfLjV.cs .Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
Source: 0.0.e8RKyR4TEM.exe.6fefc8.2.raw.unpack, ie6boCanxCVHQ3oDcme.cs .Net Code: b4IUSHdbij System.AppDomain.Load(byte[])
Source: 0.0.e8RKyR4TEM.exe.6fefc8.2.raw.unpack, ie6boCanxCVHQ3oDcme.cs .Net Code: b4IUSHdbij System.Reflection.Assembly.Load(byte[])
Source: 0.0.e8RKyR4TEM.exe.6fefc8.2.raw.unpack, ie6boCanxCVHQ3oDcme.cs .Net Code: b4IUSHdbij
Source: 0.3.e8RKyR4TEM.exe.26b655c.0.raw.unpack, ie6boCanxCVHQ3oDcme.cs .Net Code: b4IUSHdbij System.AppDomain.Load(byte[])
Source: 0.3.e8RKyR4TEM.exe.26b655c.0.raw.unpack, ie6boCanxCVHQ3oDcme.cs .Net Code: b4IUSHdbij System.Reflection.Assembly.Load(byte[])
Source: 0.3.e8RKyR4TEM.exe.26b655c.0.raw.unpack, ie6boCanxCVHQ3oDcme.cs .Net Code: b4IUSHdbij
Source: Yara match File source: 1.2.Free_changer_fix.exe.1ab4b26b798.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.Free_changer_fix.exe.1ab4b26b798.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.Free_changer_fix.exe.1ab4b3ab7d0.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.Free_changer_fix.exe.1ab53a20000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.Free_changer_fix.exe.1ab53a20000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.Free_changer_fix.exe.1ab4b04f1f8.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.Free_changer_fix.exe.1ab4b3ab7d0.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000001.00000002.2860727016.000001AB4B04F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.2872356281.000001AB53A20000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.2860727016.000001AB4B3AB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.2853964279.000001AB3B043000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: e8RKyR4TEM.exe PID: 5320, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Free_changer_fix.exe PID: 5104, type: MEMORYSTR
Source: Free_changer_fix.exe.0.dr Static PE information: 0xCE2226AD [Fri Aug 4 03:17:01 2079 UTC]
Source: C:\Users\user\AppData\Local\Temp\grunge cheat softwsre 0.28.4.exe File created: C:\msDriverSessionHost\__tmp_rar_sfx_access_check_6900718
Source: grunge cheat softwsre 0.28.4.exe.0.dr Static PE information: section name: .didat
Source: C:\Users\user\AppData\Local\Temp\Free_changer_fix.exe Code function: 1_2_00007FFD9B7BD2A5 pushad ; iretd 1_2_00007FFD9B7BD2A6
Source: C:\Users\user\AppData\Local\Temp\Free_changer_fix.exe Code function: 1_2_00007FFD9B7BF3DF push ebp; retf 1_2_00007FFD9B7BF3EA
Source: C:\Users\user\AppData\Local\Temp\Free_changer_fix.exe Code function: 1_2_00007FFD9B7BE634 push ds; iretd 1_2_00007FFD9B7BE636
Source: C:\Users\user\AppData\Local\Temp\Free_changer_fix.exe Code function: 1_2_00007FFD9B7BE589 push ds; iretd 1_2_00007FFD9B7BE5CA
Source: C:\Users\user\AppData\Local\Temp\Free_changer_fix.exe Code function: 1_2_00007FFD9B7BF455 push ebp; retf 1_2_00007FFD9B7BF456
Source: C:\Users\user\AppData\Local\Temp\Free_changer_fix.exe Code function: 1_2_00007FFD9B7BE715 push ds; retf 1_2_00007FFD9B7BE716
Source: C:\Users\user\AppData\Local\Temp\Free_changer_fix.exe Code function: 1_2_00007FFD9B8D49F8 push ds; iretd 1_2_00007FFD9B8D49F9
Source: C:\Users\user\AppData\Local\Temp\Free_changer_fix.exe Code function: 1_2_00007FFD9B8D55BB push ebp; ret 1_2_00007FFD9B8D55C2
Source: C:\Users\user\AppData\Local\Temp\Free_changer_fix.exe Code function: 1_2_00007FFD9B8D49BF push ebx; iretd 1_2_00007FFD9B8D49C4
Source: C:\Users\user\AppData\Local\Temp\Free_changer_fix.exe Code function: 1_2_00007FFD9BB76604 push edi; retf 1_2_00007FFD9BB76608
Source: C:\Users\user\AppData\Local\Temp\grunge cheat softwsre 0.28.4.exe Code function: 2_2_0059E28C push eax; ret 2_2_0059E2AA
Source: C:\Users\user\AppData\Local\Temp\grunge cheat softwsre 0.28.4.exe Code function: 2_2_0059ED46 push ecx; ret 2_2_0059ED59
Source: C:\msDriverSessionHost\chainProvider.exe Code function: 7_2_00007FFD9B8E818B push ecx; ret 7_2_00007FFD9B8E8191
Source: C:\msDriverSessionHost\chainProvider.exe Code function: 7_2_00007FFD9B8E75A2 push edx; iretd 7_2_00007FFD9B8E75A8
Source: C:\msDriverSessionHost\cwxyiNpEtlalxKGPbFFnB.exe Code function: 22_2_00007FFD9B90818B push ecx; ret 22_2_00007FFD9B908191
Source: C:\msDriverSessionHost\cwxyiNpEtlalxKGPbFFnB.exe Code function: 22_2_00007FFD9B9075A2 push edx; iretd 22_2_00007FFD9B9075A8
Source: C:\msDriverSessionHost\cwxyiNpEtlalxKGPbFFnB.exe Code function: 25_2_00007FFD9B8E54E4 push E8FFFFFFh; ret 25_2_00007FFD9B8E54E9
Source: C:\msDriverSessionHost\cwxyiNpEtlalxKGPbFFnB.exe Code function: 25_2_00007FFD9B8D818B push ecx; ret 25_2_00007FFD9B8D8191
Source: C:\msDriverSessionHost\cwxyiNpEtlalxKGPbFFnB.exe Code function: 25_2_00007FFD9B8D75A2 push edx; iretd 25_2_00007FFD9B8D75A8
Source: C:\msDriverSessionHost\cwxyiNpEtlalxKGPbFFnB.exe Code function: 25_2_00007FFD9B8DDFD5 push ebp; retf 25_2_00007FFD9B8DDFD8
Source: C:\msDriverSessionHost\cwxyiNpEtlalxKGPbFFnB.exe Code function: 25_2_00007FFD9B8DE10D push edi; retf 25_2_00007FFD9B8DE10E
Source: 0.0.e8RKyR4TEM.exe.6fefc8.2.raw.unpack, bDUa3TaecqMKYg1r8l0.cs High entropy of concatenated method names: 'DZ4aCTjkah', 'N54RBtv93qqcxBSNh2c', 'oRHynEvwsU80w3WmWvj', 'VVttO8vDLxLmyafAa42', 'DmHs8SvqCk7BsEnY713', 'm1wnumv4l69nWGcifMh', 'AeGacAHS5F', 'sASalrpQ9i', 'dikav9A8ST', 'JnraNiKh9P'
Source: 0.0.e8RKyR4TEM.exe.6fefc8.2.raw.unpack, eGYy3mSisC9WRIlbbHZ.cs High entropy of concatenated method names: 'q4Y', '_71O', '_6H6', 'TCwCTiZZC0', '_13H', 'I64', '_67a', '_71t', 'fEj', '_9OJ'
Source: 0.0.e8RKyR4TEM.exe.6fefc8.2.raw.unpack, h6bDvwuj3SikS4DLsvS.cs High entropy of concatenated method names: 'YuPo47Ki11', 'eCkoofTZs6', 'mukoUaIqQP', 'FLM27xjqAdMNvXsNMD9', 'OPbtyTj4UgSSdyoIAuU', 'yKcqNejDH6uYZhqhinS', 'X0R0QZj9kgKLwSR5792', 'eXGCDsj7NqiimOUFhgL', 'nmq8HhjWqjW0AAqLFUQ', 'kot4IEjbXlQecaVvPIg'
Source: 0.0.e8RKyR4TEM.exe.6fefc8.2.raw.unpack, zxUJf0a3lWCGeqqEMX2.cs High entropy of concatenated method names: 'TXHUyQWFQM', 'jI3UEx9Ntc', 'h73JT5PRGYON9Z7ydL4', 'XVtuQePx8n7F0FC5Gxj', 'bblJyuPHlggsrp9KRTO', 'FyQ6KyPmbB4uhZVnpWd', 'fF2EQTPy9C1i4vBdOIQ', 'arX9NEPuqQPx3IBEcuj', 'FVVkg7P5e7Hax9yevtN', 'R58X9FPaL7eJHgm9Bhs'
Source: 0.0.e8RKyR4TEM.exe.6fefc8.2.raw.unpack, tdbGyWSou2GPhrK34sM.cs High entropy of concatenated method names: 'IqDIQT4mUf', 'wlXIgIDnSo', 'wIVIJDc64c', 'v37IixVp5e', 'YSvI9Fvsck', 'MjaIybhs0V', 'etHBMuVwxsxAqxeC8ix', 'fPFkX1VIc6HBvdC6DDT', 'mRFYvsVU6GBPgiReRTV', 'sWPeJpVDnCx5JiTwSfD'
Source: 0.0.e8RKyR4TEM.exe.6fefc8.2.raw.unpack, gK5cKi7LNW4j0BG50Df.cs High entropy of concatenated method names: 'PZglJU1JxXeQaOcwgj4', 'YTaSs61YT0Hs7SixJWx', 'YXsUcr16AidPVvtYfAB', 'RETOoE1ByDwkbyYaLbc', 'iC6LRIeNBR', 'WM4', '_499', 'kmuLh0aDaG', 'Ru7Lu2tRvw', 'eDVLnkvey8'
Source: 0.0.e8RKyR4TEM.exe.6fefc8.2.raw.unpack, jMjmxPuIrQbewUwArSI.cs High entropy of concatenated method names: 'KPA4yBnIq5', 'LjyftvjVqh60UuTJZFj', 'LqaY4ajAQldLI6gOSt6', 'U0RNMWjQSOKnLotJ1Vb', 'oitwSojfTyJ9sG2P6HI', 'cC9SBYjTELLDs76p2qy', '_3Xh', 'YZ8', '_123', 'G9C'
Source: 0.0.e8RKyR4TEM.exe.6fefc8.2.raw.unpack, Jm0NETupYyLVv7pLBIL.cs High entropy of concatenated method names: 'yiQ', 'YZ8', '_5li', 'G9C', 'wYYTbJNkvMZpt0Rmjuj', 'gqpMecNrFLMscafa1FM', 'nMcfvDN6QImgNxMdKgZ', 'mXS5xbNBYpf9AW34SUf', 'qZEb6aNJARKHPeyAEq3', 'XEThp7NYFsU6rHJeS7Y'
Source: 0.0.e8RKyR4TEM.exe.6fefc8.2.raw.unpack, BIAGSIbAd5HCMUM2V2.cs High entropy of concatenated method names: '_88Z', 'YZ8', 'ffV', 'G9C', 'zvQsO1YSN07FwIYMxgf', 'O1S4L0YIpYvSjwmOBNx', 'GtBttnYUxJXESQZylSa', 'iwJXcqYwwyd3Ksmeroe', 'Y97gGOYDcRlub9GuST0', 'BLcB74Y9peMnJiO41Eo'
Source: 0.0.e8RKyR4TEM.exe.6fefc8.2.raw.unpack, N9WtwvSeeoVIVFBpG9O.cs High entropy of concatenated method names: 'xCVC13RNFG', 'ELvC73KQLe', 'F8e', 'bLw', 'U96', '_71a', 'O52', 'S27C8ONGOD', '_5f9', 'A6Y'
Source: 0.0.e8RKyR4TEM.exe.6fefc8.2.raw.unpack, QlsCw8Jbq6Zn0cGmg5P.cs High entropy of concatenated method names: 'k1o6hh5VWWcceu7lXnc', 'JMPalw5A3vB1ri3UP4I', 'oq6etn5Q7Dqs3wwE0r3', 'yj3nnK5fxKpqUHhn88V', 'IWF', 'j72', 'ngB3fcJuRn', 'xqt3rmHqAv', 'j4z', 'Hbi3cfyqTE'
Source: 0.0.e8RKyR4TEM.exe.6fefc8.2.raw.unpack, lcKOSkWhG3WCN4k2I6.cs High entropy of concatenated method names: '_66K', 'YZ8', 'O46', 'G9C', 'XQAucrJO5Cont2jgSpn', 'dQQJLNJ3IyBEmg6P1W7', 'lGGAMLJs8WyUEm2Ji5Z', 'fD7wsFJcNy9wP993euD', 'vniGKPJPJk8xigTIG5P', 'jrVV3cJiklpuyg9R7eG'
Source: 0.0.e8RKyR4TEM.exe.6fefc8.2.raw.unpack, LAbAraJCt1l63FRwRQL.cs High entropy of concatenated method names: '_223', 'ATsDJJHZe77g29v3mjU', 'VOrHC7HvIwpWw8m5RwN', 'FM7B0QHROBa3X9mbUdt', 'JyScvOHxP3yUT0GA5Vf', 'pNlRZDHH81rxvfR0naR', 'WGUpexHm4buudVYW0Jp', 'amKl6rHyUtU37Cllf8B', 'FHMxgcHudHI8Ge8jwtS', 'FeYFUmH5mlhYaa0u2od'
Source: 0.0.e8RKyR4TEM.exe.6fefc8.2.raw.unpack, CE0htPuPKYX1gfsGPpE.cs High entropy of concatenated method names: 'CP2oXLp5um', 'vQAo24HcAS', 'FRCS92O3L5aaElywelC', 'VGMsEjOjbixrtLeG6gn', 'oWTsVeOOCAutWV1FYrJ', 'jArlCFOsp9X95JLeDwH', 'MM1gg4OchYATUlA573g', 'F6uNebOPGFZ6mgN3P6u', 'BLQ4cuOiVVm6unDhJb8', 'kEUokCO0wrp2C4cIwrT'
Source: 0.0.e8RKyR4TEM.exe.6fefc8.2.raw.unpack, RlAmSxJzO9JaFuIWIuD.cs High entropy of concatenated method names: 'lrB31aHud2', 'NN3372RF2K', 'MNb38X5JVj', 'K9iOlg5niwrS5mxEVcy', 'V302v25dyujanDlMKgB', 'oFfl705TiHsNrb5qHrw', 'Me01UO5ofmVfK7NgGuQ', 'QwcNUP51qZsSH5aBFWN', 'x34aun5S1xuojedbBZK', 'FqG6oe5IKTUjcwoRjKi'
Source: 0.0.e8RKyR4TEM.exe.6fefc8.2.raw.unpack, e88daEaaug5j44ZGlrr.cs High entropy of concatenated method names: 'mXwomd2rMq', 'IE1oKhoF17', 'sKqodI1Jkf', 'OLnoja6JMc', 'OHUoQldDM0', 'BgIogMWyhC', 'GcCJEGsZKBpYR2NnTnv', 'tL4AxwsvjCaDpFJBXO9', 'L14Xghs0ihoyfmVWSVo', 'is0q5dsFEUmmIGQeMs0'
Source: 0.0.e8RKyR4TEM.exe.6fefc8.2.raw.unpack, Xpip1xfIJmNHrNL4pR.cs High entropy of concatenated method names: 'kKVILv14f', 'VmRCDBNtg', 'InCDM6ix5', 'q0JLQ8mKi', 'aYX129cId', 'Fn47ptuCs', 'EyU8huNMO', 'KyeAL8rNWVQVcgwE3Zg', 's3pYsBr2i14hMsl8krm', 'FM5OHqrjbYEak4WkY2x'
Source: 0.0.e8RKyR4TEM.exe.6fefc8.2.raw.unpack, TyOMuSJu9bRC3u7e8jp.cs High entropy of concatenated method names: 'P8Ea8ffeNY', 'iwOaw64cBs', 'WICats4Z0O', 'svBaOFYEbv', 'DCvWuivzQiWvxm4gaKK', 'vCFpTDvXIbU8VGtCdA0', 'HITvocvtpDlrMIcp9iY', 'ouSeEuRkUmaCfd9VP3C', 'qpVbq1Rr1HYmDh7AuXG', 'MI4XkXR6ypQrwU3OHhw'
Source: 0.0.e8RKyR4TEM.exe.6fefc8.2.raw.unpack, RDoobhSxkgibyQrvnbY.cs High entropy of concatenated method names: 'HdJI5u4uAp', 'nbGIpPFUaM', 'SWnIARjvyr', 'ia1IHpY0yo', 'BPJIBgPPua', 'eDE43YVhSybYqCrEm1w', 'BHAMNOVpsADuHvOq1AP', 'PC7uyuVGWNPNRU1Kyny', 'vGhFJlVKQ8Lu6yTIjjh', 'gQCq83V8W5WNyaja3ik'
Source: 0.0.e8RKyR4TEM.exe.6fefc8.2.raw.unpack, IfFAqjaIf6jQPxAWGPR.cs High entropy of concatenated method names: '_0023Nn', 'Dispose', 'WcoMRQo1gF', 'YtLMhAoEj5', 'dVBMu5ClP9', 'FMAMnVlSVR', 'jRmM5KbRDb', 'bEIDR1Z2Wqswsnb7KRg', 'FFXi2MZjPw7sgakSsTf', 'R0SqQpZlmT5OUVkvY2S'
Source: 0.0.e8RKyR4TEM.exe.6fefc8.2.raw.unpack, sKG87XuKkLYXWwPFAbY.cs High entropy of concatenated method names: '_981', 'YZ8', 'd52', 'G9C', 'NJhsy9l4YoOhPEpAjOH', 'qDpqAhl7OaiSWx9waF7', 'QkbyVXlWBDrglNItbaj', 'CKuT2qlbDCN2SIOx4vC', 'fjk5Iqlgj0BxrjMqPDr', 'xwx4XVlX3bhQt2aEj3V'
Source: 0.0.e8RKyR4TEM.exe.6fefc8.2.raw.unpack, leP6m5JPVHsyI4AuxAc.cs High entropy of concatenated method names: 'oYo', '_1Z5', 'TbQ9q3CqCh', 'W9K3sWPXgM', 'X6W9dqeWQR', 'tZG1qOuchhHo8T6f7oc', 'ySndifuPZmpbDJyP6uX', 'p6PfRVuiLQkJraiquU8', 'wjhZuYu0Wk64h28a6UE', 'PBcYGFuFb1xYDnCWlEm'
Source: 0.0.e8RKyR4TEM.exe.6fefc8.2.raw.unpack, HJPcxauxttUeh16misE.cs High entropy of concatenated method names: 'Ai7', 'YZ8', '_56U', 'G9C', 'OeHkilNtbdO2Mop24C0', 'ChHRfUNz4iirwPMVt0r', 'w4cUDo2kEqo0vjKsL2R', 'FYILs92rAcTKa9E1tYC', 'Ofgyxl26SQtWi2Q0A0x', 'LGChJX2BMCAE3dbTfP4'
Source: 0.0.e8RKyR4TEM.exe.6fefc8.2.raw.unpack, GVV0We9f8PeuTW2ySQ.cs High entropy of concatenated method names: 'TWJR85GBd', 'sKbh84xqw', 'tRGuJBpsy', 'fIAeQarAigwL9ZMsLuo', 'cQ9XlorfOxRKveb05Dt', 'HlY255rVyLbMhR4D1EH', 'nd34bhrTiouV5kGhmKF', 'Lvoerqrot7NG08UgUnj', 'no8ExjrnimU32VpE3av', 'rUluuirdFkwfcWJenrB'
Source: 0.0.e8RKyR4TEM.exe.6fefc8.2.raw.unpack, xxbjEjuEgUdeqKXQfuE.cs High entropy of concatenated method names: '_589', 'YZ8', '_491', 'G9C', 'YOYVLGODbpSWMrCVlWs', 'trDegwO9V1e9hwEpDu2', 't78b5WOq9u65dVDH7Ev', 'FVoSZyO4sqannRDskmX', 'ktiZOcO7RyjA7CUmREA', 'ONrgxBOWIMqKlPhQl9E'
Source: 0.0.e8RKyR4TEM.exe.6fefc8.2.raw.unpack, CY76Z0uSY3M8X1UOoE3.cs High entropy of concatenated method names: 'K55', 'YZ8', '_9yX', 'G9C', 'badXHJeI5LFdQnp5H4V', 'gKbKPpeUcI9xwXsVrdF', 'LaMvmsewYlW2Q96CJ26', 'fhmdTKeDqyInJd63FvX', 'g0U5YIe9XNKlhLky6cn', 'sAwuDWeqs7uY4b5smwQ'
Source: 0.0.e8RKyR4TEM.exe.6fefc8.2.raw.unpack, aQRZXvJhtXT3mvVgtHT.cs High entropy of concatenated method names: '_525', 'L97', '_3t2', 'UL2', '_6V2', '_968', 'TItgV4ycTCXIyGq1K9S', 'Xb0jrjyPjv9oisPkL22', 'PtJ92kyiDU3n9ghrNZv', 'rZYkHYy0nyMVkaJOwTs'
Source: 0.0.e8RKyR4TEM.exe.6fefc8.2.raw.unpack, AYgARvuCk3pDHw7y44w.cs High entropy of concatenated method names: 'd43', 'YZ8', 'g67', 'G9C', 'y8Acb0lGukeUH0UViUG', 'QRcLuplhHw6c0QDXXyU', 'Q9AN2slKGgWib7F4XMQ', 'e5C5agl82RjNrwRYEd8', 'fVaX7DlMTibmK1VXdu0', 'fIpZBjlCW6PiBlKHl2G'
Source: 0.0.e8RKyR4TEM.exe.6fefc8.2.raw.unpack, kolpP6uh00hSSCDRXjt.cs High entropy of concatenated method names: 'gHL', 'YZ8', 'vF9', 'G9C', 'iuwwOIN5xgxjOebWt5M', 'jxYdXZNa3XZaaK1Y8Y3', 'XuIRnhNpIlmYYrOPI7W', 'wtT0yENGhKWrDAnQ5wF', 'mOukLJNhontrK6vJ7u3', 'axe5QWNKiYc6xldV7BV'
Source: 0.0.e8RKyR4TEM.exe.6fefc8.2.raw.unpack, tj7u7Sub6VjxcJ4bcht.cs High entropy of concatenated method names: 'Yt9olJFYbg', 'wylUrt3eKgmjFOu8kjF', 'AKjYoT3lslmsEkhkFcd', 'aMZsUE3JAMI67WtMFh8', 'l4Dw7c3YIyFkvds7EyJ', 'BNonS03NnGu7uBF8cxj', '_5q7', 'YZ8', '_6kf', 'G9C'
Source: 0.0.e8RKyR4TEM.exe.6fefc8.2.raw.unpack, MsNMv9syoTVwjeSfLjV.cs High entropy of concatenated method names: 'j4HSMYIptiTbWVwAbHq', 'kQ50IPIG5gYIRiQYaAj', 'cWyFhZI51PEK9BPa9do', 'thRHkQIa9wEQneNRe3d', 'GZ1tSerW1T', 'oLooyII8QACCLwyKSQD', 'CrPTIDIMxnoaG0MlPIb', 'QsL0DxICtXOaAhyr2u3', 'lD0ADGIE3q8W50uATgg', 'UkXOQ4IL04w3xx8H1bS'
Source: 0.0.e8RKyR4TEM.exe.6fefc8.2.raw.unpack, gRsUpHueIEoBsXHr0uc.cs High entropy of concatenated method names: 'M7koGZiDWs', 'UYioTt4mBe', 'EiKoIoyGB6', 'oegaW33OwBmRxVGmvvi', 'e7arNh32fkghv2jMDU5', 'ufsrgj3jBuaUg0Bcag7', 'iv77sO33SIFnFImMIiy', 'cIIpwx3s0VtAUm0iBjf', 'L2IC5G3cfFdne3WLHlh', 'X6XYVr3PwZhl1S5Gtn4'
Source: 0.0.e8RKyR4TEM.exe.6fefc8.2.raw.unpack, NDKTtjun58hmOFYYEGh.cs High entropy of concatenated method names: '_3fO', 'YZ8', '_48A', 'G9C', 'oXPRMsllPgpmXRlCsih', 'IuaeUxlNZx3CyS9Xigv', 'OwtXvIl2wpewYRs27d3', 'IEyRn2ljR5H3EqCquY7', 'uJMH96lOOpKmFJxeiuI', 'zxZ7vgl3FDXXNfJLkXJ'
Source: 0.0.e8RKyR4TEM.exe.6fefc8.2.raw.unpack, H2qUBJA340wTasJ8HGU.cs High entropy of concatenated method names: 'zqQxsiqrmr', 'umTxModbZZ', 'CJhx0eyxYa', 'iCTgt1pFx0dDu5BhiMk', 'Q0Sr22pZn5ODQytXbl2', 'tPdPRrpiCJdRrPlHaQ4', 'ISgnnlp0xVtHeoMuoke', 'BiCSkLpvSjRqHeRteK8', 'B6IfV4pRjpw9otJXuPb', 'UpbyDcpxEXXKUrRcrJu'
Source: 0.0.e8RKyR4TEM.exe.6fefc8.2.raw.unpack, wLZmPf4gWyTLyCJ4FY.cs High entropy of concatenated method names: '_52U', 'YZ8', 'M5A', 'G9C', 'lq5UudY7rZe1vHnvTu2', 'WxFK3yYW6bCNZ9cEI66', 'yVFx2VYby832PmiUsAd', 'jU2tNSYgoJbGwlb5LKY', 'jv9KibYXI5InjoXj4ra', 'I0NeMkYtG3O8VHpoOPP'
Source: 0.0.e8RKyR4TEM.exe.6fefc8.2.raw.unpack, cAQU9NJpkqS2EoHEPRl.cs High entropy of concatenated method names: 'LnOVQnE7sn', 'wTVVgOM7de', 'CYKVJYC4UF', 'iQyVi3ljAP', 'EePV94KcSk', 'FAcNP9meu54JjDR1nSY', 'BQRahwmlXZtifX0iUx9', 'q2nLnjmJejj7IBoa0yl', 'dKCQwtmY7OJsxq43ToZ', 'D9l8aJmNKdlDN3j79oL'
Source: 0.0.e8RKyR4TEM.exe.6fefc8.2.raw.unpack, muruWRaZmIRGRwwDXkS.cs High entropy of concatenated method names: 'pbtsP4stnA', 'yBnsSmpdkl', 'ElMQaBi5uOcO5PA7365', 'TeSAqriaoF2REOffVnw', 'Fs13cQiyRbMaUY2ZA99', 'J7qA3viu2SZancXrHUu', 'e45fSgiph8jSgyhGTyw', 'mphjIViGK3dZpRYwvKk', 'gAsKD1ihPXYBIlJ8rRo', 'Mr8ZaAiKaYPq8wKPGSk'
Source: 0.0.e8RKyR4TEM.exe.6fefc8.2.raw.unpack, x5NdPT7l37wdRH0qj8A.cs High entropy of concatenated method names: 'MLSLWyFx5c', 'AeeL3at1CO', 'hR2LXIJQUd', '_3Gf', '_4XH', '_3mv', '_684', '_555', 'Z9E', 'FWbL2J1Ue4'
Source: 0.0.e8RKyR4TEM.exe.6fefc8.2.raw.unpack, jhoSbPAE0tbZNrBBHB6.cs High entropy of concatenated method names: 'r27Sy48VuA', 'PEGSRG4mVY', 'GeuShnG5UA', 'hIcSuEiePJ', 'TNjSnvED0X', 'JldS5q4kRH', 'HGnSpw1085', 'I4CSAbcm7l', 'yJASHyMxCs', 'flXSBUFMlV'
Source: 0.0.e8RKyR4TEM.exe.6fefc8.2.raw.unpack, TqngPRuDfYummIbNAPi.cs High entropy of concatenated method names: 'UXM487DrFu', 'hwM61HNZDjy9RZZYhKl', 'PjoRZQNvDO9DQiTdPi0', 'bx6nHEN0Vv0hXBo3TB9', 'M3AtFhNFSHtMj3qrAFH', 'bZvFQANRSL4cOwEL8Bn', 'AFg73yNxRDfGAvcVgDo', 'AherswNHAtnD5oOWVdQ', 'oWkaXwNmAnivSjsEuIX', 'f28'
Source: 0.0.e8RKyR4TEM.exe.6fefc8.2.raw.unpack, ie5OXdAbrinGmAjLjnu.cs High entropy of concatenated method names: 'aoFkCyYDYS', 'y7jkLjWJvL', 'k6BkPGAJdp', 'cuOkSwJ8vg', 'RkFkkiqHkC', 'ttDkq7jPgC', 'LkKkfI8NGk', 'UvYkr70WTl', 'ws2kcWqOqH', 'nYdklkYtpT'
Source: 0.0.e8RKyR4TEM.exe.6fefc8.2.raw.unpack, SShuTbAqLPZZeGUmlqx.cs High entropy of concatenated method names: '_7zt', 'OuRxl4QRa5', 'NVAxvdb9g1', 'HKJxNmdEUy', 'OUrxZUG5Zd', 'laQxG2Ab9x', 'b8gxTuZHWp', 'LPdJy8pyJAkNCXbxBc8', 'VjxkIipuSJU0cUbi1U0', 'PLP91hpHlmWoSqrUNKV'
Source: 0.0.e8RKyR4TEM.exe.6fefc8.2.raw.unpack, uKo9EYuJCnapEFgN7sQ.cs High entropy of concatenated method names: 'R1x', 'YZ8', '_8U7', 'G9C', 'WqaVJIe8eCRteERp6A2', 'cOJripeM3OgPBEd7XoG', 'S52iOGeCpRosv3hCRXK', 'oF8KmreEqOuBmX77k03', 'yC9HvUeLqil2rcYApqM', 'Gih8hReQJ4upVGQPZyx'
Source: 0.0.e8RKyR4TEM.exe.6fefc8.2.raw.unpack, PoC19xIYs3oULPSjEp.cs High entropy of concatenated method names: '_59M', 'YZ8', '_1zA', 'G9C', 'XqWH5fBfwfMmpaQR9DA', 'zFVu7bBVmhVdh6QyNrP', 'IyWRXWBAMEJEv61RK8O', 'nb4CUGBTJWoenYUb1fc', 'sMEKOKBoasGR3NihNmu', 'gIpXBvBnSXsZNWW8Hvq'
Source: 0.0.e8RKyR4TEM.exe.6fefc8.2.raw.unpack, cwTdtOSkw3anwx0R3Hh.cs High entropy of concatenated method names: '_14Y', 'b41', 'D7Y', 'xMq', 'i39', '_77u', '_4PG', '_5u8', 'h12', '_2KT'
Source: 0.0.e8RKyR4TEM.exe.6fefc8.2.raw.unpack, TW7fRhs1Vm5JUHWi8b.cs High entropy of concatenated method names: 'gvQPQn3UQ', 'TVhU9oEnKVGc5KBwDU', 'xeM0AFMfrd34vfgQAn', 'Rr5sSaCAKHDJGm00tB', 'pEPj6jLgBtajDtMccK', 'DHvyC8Q6gBPhOmUjaZ', 'mDwoCj5d3', 'e3jUhD8QK', 'epks1tG7R', 'zQMMahg4w'
Source: 0.0.e8RKyR4TEM.exe.6fefc8.2.raw.unpack, XLUyoCJE6a5XsQH0Ko2.cs High entropy of concatenated method names: '_269', '_5E7', 'aaT90ZBYht', 'Mz8', 'Be39XvFJUc', 'TSOEBfuqUBI4QM94b6y', 'rfy60yu4hB8M4cZTFg4', 'nvGIDsu7DUsw6wOkWoE', 'dZwXbiuWmibUpy93ilE', 'eBsIlkubgn7YEyn1EHc'
Source: 0.0.e8RKyR4TEM.exe.6fefc8.2.raw.unpack, iE122xu5WgJxss5tlpL.cs High entropy of concatenated method names: 'dbG4FToLyJ', 'PoHd9ij6FUinWQof2rL', 'XNoCOrjBkJBaTcjnfat', 'JKGimSjk2uQF48ocddn', 'H9t71fjrQ6qHnKRw36r', 'bDUx1EjJX11HecTiYiC', 'dqwNTgjY6NSwxNlu73J', 'NA6iFLjehFpLuyMbbfZ', 'DO64mxRLfw', 'Vm7cb2j2Dh4Mfb2i8do'
Source: 0.0.e8RKyR4TEM.exe.6fefc8.2.raw.unpack, DXWBXD7xaiQexRZnvbm.cs High entropy of concatenated method names: 'D4M', '_4DP', 'HU2', '_4Ke', '_5C9', '_7b1', 'lV5', 'H7p', 'V5L', '_736'
Source: 0.0.e8RKyR4TEM.exe.6fefc8.2.raw.unpack, UolZWdzG9T3ta6rI2R.cs High entropy of concatenated method names: 'Y29', 'YZ8', 'jn6', 'G9C', 'FJaST8eBc7cPFQDeEKx', 'sGyuG7eJyvkTOCbyfjr', 'vH5rcOeYTp01LVeauvX', 'nWRq4Qeew913qsk5eAb', 'OGcwWqel4rUQFVpqQom', 'Qm6M8meNOHejDNhCly0'
Source: 0.0.e8RKyR4TEM.exe.6fefc8.2.raw.unpack, fkTngpJ8IS4AASs0IAk.cs High entropy of concatenated method names: 'NvFVegeuIZ', 'CpqVRfiJNe', 'WIFVhT0n5J', 'kZWZuQHPJoHrC26XP6A', 'Xsxx2MHsiCZlxKaisbI', 'ocmmJvHcxMVcupAO5LD', 'HW7hEWHi1vXLkeKPAat', 'vcoVksyDaH', 'PvgVqxJTtJ', 'LC7VfXWg0u'
Source: 0.0.e8RKyR4TEM.exe.6fefc8.2.raw.unpack, y6Ws6NaYiImOkHaWiXZ.cs High entropy of concatenated method names: 'yR4UiCmGQY', 'Ru41oKPBgZrSHGMuyYE', 'mRaVtePJVdm1JlskAaw', 'Aa3BIJPrGdXOw6MnEEh', 'hrxQXNP6tWjE2EEXTRC', 'UbJMHTPYeFoooSjJxnO', 'DWbyLHPeRhPx7LD4vX3', 'SmXI9bPlt1Z3jJvI0pj', 'CAdpv7PNQ6Ib67gJOIZ', 'rYRqd1P2yDeN2R4ywly'
Source: 0.0.e8RKyR4TEM.exe.6fefc8.2.raw.unpack, cM7TrW7vKpr8B50h7OK.cs High entropy of concatenated method names: 'N2rCF6xTLr', 'lsqC64aHWx', 'QxvCmGltB7', 'iyECKkoum5', 'Mt3CdbDttF', 'ufhCjudLGS', '_838', 'vVb', 'g24', '_9oL'
Source: 0.0.e8RKyR4TEM.exe.6fefc8.2.raw.unpack, qs4Urgaq761JKp5Sl83.cs High entropy of concatenated method names: 'mvSUzHWdoq', 'w6jsb6qh9x', 'Arps4pUQiY', 'K3Psok3iPH', 'AaesU8LYPr', 'XGHssJ0SRB', 'dfcsM0PnfG', 'mOLs05k38Q', 'ek3saBZ8Pj', 'MrSsVJv1vt'
Source: 0.0.e8RKyR4TEM.exe.6fefc8.2.raw.unpack, aAr1doJK0oCX727yELI.cs High entropy of concatenated method names: 'mfQVKjYhW4', 'uWfVdO8sTM', 'UowVjYFyFw', 'mRclhxHIWEf2dmGELm0', 'Ng91fxHU1Z4qaNUcZQ2', 'YdjpN3HwCYwFf8orfmT', 'THRYLEHDrrhipWupU2u', 'WYL7weH9RJil63mdEE6', 'T5OqbiHqWGrfgtSN4Sy', 'Ku7T7pH4TmlhhvrZ806'
Source: 0.0.e8RKyR4TEM.exe.6fefc8.2.raw.unpack, k0SbHh71EIHluNJbGB0.cs High entropy of concatenated method names: 'PJ1', 'jo3', 'jQM8W9i6wE', 'mmm83doboA', 'V0S8XwdoLS', 'EC9', '_74a', '_8pl', '_27D', '_524'
Source: 0.0.e8RKyR4TEM.exe.6fefc8.2.raw.unpack, meFI6lAXl39DJs7Vb4w.cs High entropy of concatenated method names: '_45b', 'ne2', '_115', '_3vY', 'zdtPbLvrcD', '_3il', 'WlkP4bILXr', 'YUePoZ90nA', '_78N', 'z3K'
Source: 0.0.e8RKyR4TEM.exe.6fefc8.2.raw.unpack, dIgrH4avfkQ5y6qRXoT.cs High entropy of concatenated method names: 'tsqoCJgFsT', 'XDSoDa3tes', 'Ff8oL5PU2K', 'Q2c27U3ElTiWocm0Q9u', 'Ix0yMY3LCEJY5CQ0Tpf', 'On5nwY3Qh4K4dGQOrb3', 'wNcX1C3fHDOrlQgPsfd', 'ujMIq53VSeNGG6ZLShx', 'RiJKbD3AJ8Mg2m4WB8H', 'j1uB343MgUlJEhHQWYH'
Source: 0.0.e8RKyR4TEM.exe.6fefc8.2.raw.unpack, z2JwFrJtjurC6xysxLW.cs High entropy of concatenated method names: '_9YY', '_57I', 'w51', 'EJZ9vXWuJw', '_168', 'n8DJYbuaMvfyUfdOplR', 'AnDLyaupyCSmTGxIIAB', 'gY2lS7uGMkpVKPd3vAB', 'V9l9MauhwHtdKih0nS6', 'JdCvRluKaouYNb0C5oq'
Source: 0.0.e8RKyR4TEM.exe.6fefc8.2.raw.unpack, voduWUJWtY2rupEbJiy.cs High entropy of concatenated method names: 'sg9', 'qat9yBEMVq', 'S1vWycrmCO', 'Pg79eB4Sev', 'KhWdKOyw31Rk0SGsTDZ', 'VRgYB5yD04UGYCkFoTS', 'M4keIuy9aJDnvrZRBiH', 'YoENk6yII3AExHvT7js', 'nBPCVvyU5iKrJmYl3js', 'yMYn7Uyq0QUaVk5tNk1'
Source: 0.0.e8RKyR4TEM.exe.6fefc8.2.raw.unpack, biPKHt7TrSGUnycNwn0.cs High entropy of concatenated method names: '_159', 'rI9', '_2Cj', 'rJwLCaM1MN', 'bMuLDA2cAJ', 'WSPLLFLR5P', 'DGcL1TOJOI', 'AORL70r4Ev', 'LZ4L8Or3L8', 'rKIFPudVf7alepMld8E'
Source: 0.0.e8RKyR4TEM.exe.6fefc8.2.raw.unpack, dm9hXfmwPCkREcOb27.cs High entropy of concatenated method names: '_3OK', 'YZ8', '_321', 'G9C', 'PCbtNG6Xr3snMMonf3p', 'heZLIJ6tmqpyllHV7U2', 'Ys5Gqu6zowJbcSpjpRK', 'QswBikBkImQFVRiVTRE', 'rNSsQNBrHmrW2gkhy8P', 'GeBpXSB6UulLGN4WGCK'
Source: 0.0.e8RKyR4TEM.exe.6fefc8.2.raw.unpack, NHFd4sA4h3PrgosrQJf.cs High entropy of concatenated method names: 'ICU', 'j9U', 'IBK', '_6qM', 'Amn', 'Mc2', 'og6', 'z6i', '_5G6', 'r11'
Source: 0.0.e8RKyR4TEM.exe.6fefc8.2.raw.unpack, LJ3ammSGPPBHLr7w7Ha.cs High entropy of concatenated method names: 'Mq4KMeAYFFJrRvlT7OF', 'mKevHBAeRWN1SZsPakl', 'cuF0ZHAB5oE3J13YYf0', 'OBl4jPAJaxZNyhotlie', 'CAxVrrAlr0tdwxUnoyc', 'O7SGWRANXcebmVPufuG', 'OrbGcRA2nL7qHs9WEZe'
Source: 0.0.e8RKyR4TEM.exe.6fefc8.2.raw.unpack, BFvKGo7hlc1MQTKuJr1.cs High entropy of concatenated method names: 'CHrDvnAAIt', 'gSPDNYiYRK', 'sS9DZ45PSJ', 'WuDDGlo0N7', 'pYEDTtnDFC', 'DuFcqgogDeOYaHMExeY', 'HoAkg2oXrlD8W16RgPO', 'EVnKKWotbYClv0vP8JN', 'FrdisAozEDZQLI0wXWW', 'yjMw1lnkVIRrt0GGLi1'
Source: 0.0.e8RKyR4TEM.exe.6fefc8.2.raw.unpack, El9r8OSJBm78viZMw9S.cs High entropy of concatenated method names: 'GIUwsVEyKtuZY1Hg7Vr', 'w1rLM5EujqPwDvpCS7e', 'VK2X8kEHDwVxqPedh22', 'c7jraMEmjWPIpuvohPS', 'wjpvI1ribq', 'DQaRyUEpg2af5E5keN4', 'VSuqeIEGOr7QOCvGAV7', 'm3JNivE5yINZeWq0htV', 'kyWciREavbQhHPsFb8E', 'ut6amyEh1H2OaLtp9oE'
Source: 0.0.e8RKyR4TEM.exe.6fefc8.2.raw.unpack, zq2MoI77BNhLfQn9KoE.cs High entropy of concatenated method names: 'Qkp', '_72e', 'R26', '_7w6', 'Awi', 'n73', 'cek', 'ro1', '_9j4', '_453'
Source: 0.0.e8RKyR4TEM.exe.6fefc8.2.raw.unpack, pRMmGrSnIiuRbpbu8B0.cs High entropy of concatenated method names: 'BFJIvXIF5M', 'DcLINBg824', 'OsLPaZf7uJgWaljDm0b', 'uLelJMfWNdZrRXaIgI8', 'BRI3eIfbrToCiArcoWv', 'KyA5fXfgpCklBHdRftv', 'PuXR8GfX0OSud5hJArH', 'QGL13KftiKKmlDuY6hs', 'FnsKQufzrTRqHiYaMkH', 'Yi8diSVkY2n1cvBdXPf'
Source: 0.0.e8RKyR4TEM.exe.6fefc8.2.raw.unpack, JY58eZPlQvJj37diiZ.cs High entropy of concatenated method names: 'P37', 'YZ8', 'b2I', 'G9C', 'Y6MwBnJ1aBch3ujXEg9', 'sSEmoBJSnYddOwI4V2n', 'EfVdIQJItHTXNPtAm1i', 'xZTTT4JUn3xbGBXg9dq', 'dNuXw0JwYdOl0DVKmhW', 'sjkj2EJDLePllM7cj5b'
Source: 0.0.e8RKyR4TEM.exe.6fefc8.2.raw.unpack, Kaxk6bSM173SiREF1M5.cs High entropy of concatenated method names: 'enBCsluF8d', 'PUICMOF7hv', 'uQsC09i4HY', 'G8JCawxAj3', 'udyCVs56Ig', 'gUgCWdiNkh', 'AnUC3oym1l', 'esECXFsB7q', 'wdiC2uFu7Z', 'Dd0Cx3ksjq'
Source: 0.0.e8RKyR4TEM.exe.6fefc8.2.raw.unpack, TvDHDVuYfYeLJyfV18K.cs High entropy of concatenated method names: 'rU3', 'YZ8', 'M54', 'G9C', 'qrBBTylTebsA3IUfxF9', 'sos4HTloHAlNx4lu56f', 'welbsGlnpD1qY0UgIyG', 'QJGgGOldOcmQmOb3p9v', 'q7MsCWl18svyNfcXHtq', 'uV6ObBlS55d5uL9DMHm'
Source: 0.0.e8RKyR4TEM.exe.6fefc8.2.raw.unpack, jTU6PaulO2e1N2nQ607.cs High entropy of concatenated method names: 'GvP', 'YZ8', 'bp6', 'G9C', 'EyhgW42fxWdEo1BkCwN', 'xvAmrX2VVqFkuZSQuBU', 'oTxQxo2AP9hJhtnVulJ', 'MW7Zvh2T1KwcWqh9v3c', 'r4NAZC2oBsptrMRQ3Uq', 'BidI2r2nqfQJOggwbnL'
Source: 0.0.e8RKyR4TEM.exe.6fefc8.2.raw.unpack, j49su77R7Hh6seoQrM3.cs High entropy of concatenated method names: '_7tu', '_8ge', 'DyU', '_58f', '_254', '_6Q3', '_7f4', 'B3I', '_75k', 'd4G'
Source: 0.0.e8RKyR4TEM.exe.6fefc8.2.raw.unpack, syj7FTJY59XCvLngkrm.cs High entropy of concatenated method names: 'RL8VBg10Ht', 'MxpVYlwSNA', 'nlWVFm1N5R', 'mGgV6FudQh', 'ScxB20HLNrtY2V98q7D', 'L788bQHQM5K6EQZcJ50', 'GehISbHffRHTsliZ3gN', 'zMbdo4HCWPut9xiZ4VQ', 'LtMHH1HEAimuq1woIXF', 'm432w6HVTx5clX2m3HO'
Source: 0.0.e8RKyR4TEM.exe.6fefc8.2.raw.unpack, Sgvs0lS5xZFNi8J9Ftc.cs High entropy of concatenated method names: 'fYgImsCfE5', 'GjCIKeBuYO', 'DTDIdjv96Y', 'XslXZlVooWw1meBbn81', 'heyjBIVA0Fw2YxcLlMa', 'AFvYS9VTSfeKcaCDv9I', 'YSJcpwVnnG8D0p1pF2E', 'QsCeM7VdA8QUiAZtANs', 'leEcKPV1HSj8Ge1BbYO', 'R9NjplVSUv3a2tQrXHc'
Source: 0.0.e8RKyR4TEM.exe.6fefc8.2.raw.unpack, nvskM3afv4aqFHVpAnd.cs High entropy of concatenated method names: 'BgCsNDew7Y', 'fSasZIRwCs', 'QljsG4DcgO', 'DXdsTUk7Z4', 'FLLsIaKiRr', 'efhR5p0kteZJEub10jO', 'W2yuPi0rbhNsn26AUak', 'oJLOf6itb94Hoh2is1T', 'w52HQvizAEh0ijbBowN', 'rO6EnT06NPDosEGQWGZ'
Source: 0.0.e8RKyR4TEM.exe.6fefc8.2.raw.unpack, iG5HSl7VCMnrHc277j8.cs High entropy of concatenated method names: 'NUW8GopYhl', '_1kO', '_9v4', '_294', 'BHW8THBB24', 'euj', 'raO8IPjBtQ', 'K828C2bKuv', 'o87', 'PjJ8DdogbP'
Source: 0.0.e8RKyR4TEM.exe.6fefc8.2.raw.unpack, F3axEKuUgmXxgnuw3D1.cs High entropy of concatenated method names: '_7v4', 'YZ8', '_888', 'G9C', 'eSxugcOCVBRXmvgIXLe', 'um7DWdOEcC6nUMFpGDT', 'WL9d8GOLxbQu1Lex9eW', 'x87C94OQX9RdeGnlDUE', 'juihfSOflFv2Biwmkvn', 'HQhZH1OVi3rSloNxgFJ'
Source: 0.0.e8RKyR4TEM.exe.6fefc8.2.raw.unpack, mnJP7k7OxKgacQnPJw6.cs High entropy of concatenated method names: 'i4a7n1JGo8', 'ujnvKI18RKJR2u6rmis', 'Lpob4f1MrISB15ypsVd', 'a3wnsB1hJUdmPgHG8eA', 'KbkWMe1KtASJeeqPJkq', '_1fi', 'TWQ1jiBDkT', '_676', 'IG9', 'mdP'
Source: 0.0.e8RKyR4TEM.exe.6fefc8.2.raw.unpack, LgY3ERa0ue2CFHsAUcU.cs High entropy of concatenated method names: 'GHtM8y9PGN', 's0wk7hFXuR9Fmjdy7vL', 'Cl3Y80FtqSVgYMZhZA0', 'NTHpUvFbHiAurNP6JeY', 'uZjZS7FgnfbkGxxl1yp', 'nOxVRYFzlpE4MNnPKfr', 'gDEDSbZkJ2eBi50em5B', 'rkI2t0ZrEoN3X6jF6rj', 'KIgTdKZ6kZVPIvQSOlI', 'trC6fAZBQvkE5tNx1jm'
Source: 0.0.e8RKyR4TEM.exe.6fefc8.2.raw.unpack, Ru4jMfuudQ9CrBOMICT.cs High entropy of concatenated method names: 'tO4', 'YZ8', '_4kf', 'G9C', 'MXka8ZeRkaADlXx2WdM', 'zY5Mf5exU3eiMPrD1RE', 'vj2egDeH81j0A05OYov', 'b5K8QdemwqDaQZLd4XY', 'PDwfwjeytPFnqdN9xjL', 'xQEgR8euHoqLwK2xacn'
Source: 0.0.e8RKyR4TEM.exe.6fefc8.2.raw.unpack, RWv6ljJAj2UiNxxKUkQ.cs High entropy of concatenated method names: 'v76aHaoKKd', 'UFiaByepBo', 'laUaYRaMgn', 'P44aFLPvNc', 'Hxga6Stl67', 'wGAamtcRdl', 'WNT8R2RKSKQmtjVnwhG', 'IwfTjvRGToGKO9CP2VD', 'yTfb6DRh2Xq14koom4h', 'j8sW5bR8owMawIRgKYD'
Source: 0.0.e8RKyR4TEM.exe.6fefc8.2.raw.unpack, SV4q3KEaRLmZpJ2uWw.cs High entropy of concatenated method names: 'pHw', 'YZ8', 'v2R', 'G9C', 'xtMl8vYhb0DCD5L4jdJ', 'M5rsLHYK43JlqJkHrJ1', 'TZDhxKY8wxahgedhJBR', 'hNYohvYMFNOkLRBKSeS', 'GSEcXxYCCsP27dcXN3Z', 'laSamZYEteWQF9uBLkI'
Source: 0.0.e8RKyR4TEM.exe.6fefc8.2.raw.unpack, NjSFP81t5nmtiVx4HW.cs High entropy of concatenated method names: '_468', 'YZ8', '_2M1', 'G9C', 'miuWvHJZwqFZqcqX6je', 'WMJjGZJv8Sm0vtaM4rQ', 'K4nqDXJR3yV6CBwltcs', 'ODOEHtJxEUQwWV4Wh0l', 'BJB4PbJHtI8bsneTkPR', 'zi9jlPJmZhYBuaVgLZx'
Source: 0.0.e8RKyR4TEM.exe.6fefc8.2.raw.unpack, ie6boCanxCVHQ3oDcme.cs High entropy of concatenated method names: 'ulpUOTlLtR', 'LxKUe3C2C7', 'my2URE8S4c', 'lfMUhriJ1u', 'xgnUugVTrZ', 'zlrUndMC2r', 'RkYU50JoYS', 'Ig2WAic5vpcU3pKeuSj', 'bfAPrtcyWgXTHm46gSW', 'b0p9AccuDJa14lZvH77'
Source: 0.0.e8RKyR4TEM.exe.6fefc8.2.raw.unpack, kQTIENJ1TbB5I0TVnPA.cs High entropy of concatenated method names: '_5u9', 'Msa9YyM9m5', 'IjO3bxhsOI', 'eyS9QYeRLc', 'vmwPBgyg8wtpj5wXVGC', 'SlH8q9yXsjjGKNW1kTX', 'vH8rG5ytbDMOSLcjrNG', 'MpAdWZyWqZ5ot9YnK5l', 'UuXavVyb5V3ehbCrfLO', 'yQHTMWyziwGDAdaN1mG'
Source: 0.0.e8RKyR4TEM.exe.6fefc8.2.raw.unpack, pejF8DsFRk5gYQdapUF.cs High entropy of concatenated method names: 'Xuqp8JqqrCcxP', 'Sw05toIiALVtsdwxXuG', 'JqBRmvI0WtvPcPDCB5F', 'kdnjJNIFtvYnBeFaAXt', 'WfLG5WIZ7a5JwqwAn5f', 'z61HV3Iv5F1jY7vaU0r', 'yIUcqIIc6Rvr8HtBdl6', 'tHWt8AIPviiK7EplrRV', 'cN31xmIRXm5IaUY92Ll', 'tKkytHIxbg5rbSUxnNi'
Source: 0.0.e8RKyR4TEM.exe.6fefc8.2.raw.unpack, wrJQqmaHJm1Y9WBh7Q9.cs High entropy of concatenated method names: 'yUZ0VvMJG9', 'ee60WMdOOi', 'ysQe1aZWiCVISgEGFjK', 'lnirHtZbc7PgYJ5BQ8m', 'F1oSR7Z4ykEuo2ZlVgV', 'K1RIPGZ7r8N9saS4jQx', 'x2C0fX3Ygd', 'hFGU3fvknL68uuMgqCV', 'WM2EPvvrUPJylpT4e39', 'GaRLCbZtkwD2K1vbXK5'
Source: 0.0.e8RKyR4TEM.exe.6fefc8.2.raw.unpack, SPayjE7B6DexRJWG5XN.cs High entropy of concatenated method names: 'IGD', 'CV5', 'OIiDIKc0yT', '_3k4', 'elq', 'hlH', 'yc1', 'Y17', '_2QC', 'En1'
Source: 0.0.e8RKyR4TEM.exe.6fefc8.2.raw.unpack, tJbMp27aVMCHaQJTxAI.cs High entropy of concatenated method names: 'icFDVFLI0K', 'LauDWQQIln', '_8r1', 'rcDD3mrY19', 'ueUDXDnuR6', 'BvbD2eBIZS', 'XRIDxPvgYg', 'zZBxP6o0tySfsDHmNVM', 'boiIkhoFL5uFDSN6Dsr', 'F2EITfoZgTfnkWK1MGH'
Source: 0.0.e8RKyR4TEM.exe.6fefc8.2.raw.unpack, mFL5NPutrdX9x7va5gk.cs High entropy of concatenated method names: '_625', 'YZ8', '_9pX', 'G9C', 'oNWOKZOH2DXIVPqd90A', 'kVIJ0yOmLhXQh0c15El', 'xgs4fIOyHJUoUeC0b7b', 'Y9rdLBOuNh88C7VNIoE', 'pbnyUyO5MX7q259ZEBA', 'u1Mcd2OaIyLU4bDQq45'
Source: 0.0.e8RKyR4TEM.exe.6fefc8.2.raw.unpack, oSNy36L7HWgw8yXd9O.cs High entropy of concatenated method names: 'g25', 'YZ8', '_23T', 'G9C', 'IFyBwc1IR', 'vjCSYL6Q65IrAiUvIb0', 'qwLjmx6fefpuU9WZ2Ra', 'f3D9h86VrSqVRxnyCFI', 'uCHTL26AJslvOVUCj8W', 'ef25tY6T98UyKgvindY'
Source: 0.0.e8RKyR4TEM.exe.6fefc8.2.raw.unpack, p8gMHnAnhx08RQpQdaJ.cs High entropy of concatenated method names: 'uxk', 'q7W', '_327', '_958', '_4Oz', 'r6z', 'r7o', 'Z83', 'L5N', 'VTw'
Source: 0.0.e8RKyR4TEM.exe.6fefc8.2.raw.unpack, xMGEcLalZvdblXhlXUJ.cs High entropy of concatenated method names: 'GClsyKphe3', 'KtysEo2cjR', 'TFMszEYmdV', 'AVqMbK9BaQ', 'SLwM4F88RU', 'Gx1Mo2rf3t', 'igMMULNCPf', 'dw3Msopwrx', 'e3qMMO91Nj', 'CIm66f0W7SMVRd7DiPt'
Source: 0.0.e8RKyR4TEM.exe.6fefc8.2.raw.unpack, rVll2LusivJBN2kwlwI.cs High entropy of concatenated method names: '_6H9', 'YZ8', '_66N', 'G9C', 'o83T7jeW7MDOB5eAni9', 'KlaSWPebENlJvl3CuYl', 'LGBcFlegh2FClpIxfMX', 'fR8FjceXQYTsa7NXDHV', 'u1IyYCetjFfrqGXvUt4', 'bcHTFBezAaBCgYanUfS'
Source: 0.0.e8RKyR4TEM.exe.6fefc8.2.raw.unpack, fTEbjnJDRf0x5sD15Ib.cs High entropy of concatenated method names: 'kYrWkWMRlR', 'OGBWqQDMTs', 'wFVWfTkirs', 'uyhBZ2m1BI2HdgnuyOK', 'vAOhabmnhZ9v6POUhMi', 'gJ5T2mmdvUcXsDx6cUa', 'kfb2n3mSSTZJPILPDKp', 'MCbW0TeyMj', 'stFWaKBDWm', 't0kWVsYsBh'
Source: 0.0.e8RKyR4TEM.exe.6fefc8.2.raw.unpack, PoxYOJT6P71YC9dpSy.cs High entropy of concatenated method names: '_52Y', 'YZ8', 'Eg4', 'G9C', 'gpbpk5URt', 'xoq0AN6RjWmfw6VlfdA', 'vPyI7q6xPnxM7PgBJBN', 'jj69726Hxv1E7l82WqO', 'mni1Kk6mT1cD9a7lJKZ', 'hBoiqe6yEl02u2fHgaa'
Source: 0.0.e8RKyR4TEM.exe.6fefc8.2.raw.unpack, PR1a3IAx96670QPhWS6.cs High entropy of concatenated method names: 'hyEPeR2dvS', 'jhRPR3VSnc', 'wgAPhRlfrc', 'yOePukw63Y', 'w6jPnE7hPN', 'vKYks5GROCMFCUD13Uq', 'cpigJ0GZBoUjJd2LPGw', 'D3QpvlGvxRxji09mXhJ', 'PC7bSlGxmiOLeIt0ROx', 'yucBlvGHUR3eeqVnonh'
Source: 0.0.e8RKyR4TEM.exe.6fefc8.2.raw.unpack, FQhSOJACiwr1GLf1Y6p.cs High entropy of concatenated method names: 'SZY2hAcONM', 'Kuk2uSZyx9', 'DI92nxaLv0', 'NZo25G6lq1', 'gQ02pXcM9Z', 'qJmV0natNYC74QDtGNv', 'NLIcrlazMw1pp9ENQfP', 'lTy6quagsfhPojUJyFF', 'qalqgraX0yLMQ3HhqdP', 'rZOZZopkpN27CXnvb4G'
Source: 0.0.e8RKyR4TEM.exe.6fefc8.2.raw.unpack, t1sIeaAS53kwvRDtTtC.cs High entropy of concatenated method names: 'AJf2fLSWNx', 'piqkFqavG3Eubno4y6q', 'gKbkj7aRPfaoUOtYXp2', 'xS5Df1aF98mhuewuIh0', 'd3NkcsaZSq0HdRfrylA', 'ddb3wgiUHm', 'sLM3tjqCTh', 'PJM3OlWFon', 'kaP3eVcPm5', 'dQD3RLH5CF'
Source: 0.0.e8RKyR4TEM.exe.6fefc8.2.raw.unpack, kEZPtqJUs4C2VcvWVQu.cs High entropy of concatenated method names: '_3VT', 'O5t', '_1W5', 'mW83XlRqHs', 'fv99UD8pYE', 'u6y32rdbda', 'VAH92mss8h', 'dOZtjTuA6mT80FqvibL', 'OPIOg1uTtPPAQfxHMR5', 'XRSjs8ufIHVEaJ5mcDK'
Source: 0.0.e8RKyR4TEM.exe.6fefc8.2.raw.unpack, ygU1bpAF3JWruNJtbw6.cs High entropy of concatenated method names: '_4J6', '_5Di', '_1y5', '_77a', '_1X1', '_7fn', 'OUK', '_8S4', 'wUn', '_447'
Source: 0.0.e8RKyR4TEM.exe.6fefc8.2.raw.unpack, I82rWmtrWRGLwt3N34.cs High entropy of concatenated method names: 'kcq', 'YZ8', '_4bQ', 'G9C', 'tJBxEBYeQ25lLhI42uL', 'CUD1wLYlJADGQa1q23O', 'HmDXG2YNWtytqT4p5ng', 'lMOFcBY2BMAmOkQ0kB8', 'pic0ZXYjsj97bNax1f9', 'fg50Q2YObWRTrSO0whD'
Source: 0.0.e8RKyR4TEM.exe.6fefc8.2.raw.unpack, ketmLAuF3AmkFqC7WZC.cs High entropy of concatenated method names: '_6U6', 'YZ8', '_694', 'G9C', 'x4rTOSlRIXZRAiwrgHp', 'v59aU9lx2LJpBknXE72', 'GncPiXlHnq2W4hHTPlP', 'sRodQulmT7Us8jN2piZ', 'AFv7B0lyZdRgMuykJL7', 'M1UjgGluitu79gynhBJ'
Source: 0.0.e8RKyR4TEM.exe.6fefc8.2.raw.unpack, zQ4vOeUTKi3rWWEiaB.cs High entropy of concatenated method names: '_8Ok', 'YZ8', 'InF', 'G9C', 'HTLbfUYioYBa9Q7uSii', 'I0dpY3Y0qTN39Xyq3ld', 'tV8NfmYFsL51etAYZnJ', 'd32jv8YZJdHkLmoy5rh', 'gEhYX8YvIP5W5GasqYJ', 'h9a1MsYRA3QxXGtsCnZ'
Source: 0.0.e8RKyR4TEM.exe.6fefc8.2.raw.unpack, uj5nFaHCOKxkBSUfBQ.cs High entropy of concatenated method names: '_23T', 'YZ8', 'ELp', 'G9C', 'LPKxdWBbmnOvRXYyyBM', 'tS4rbhBgSg4xvOR5T8h', 'gdUFA3BXLYr0ZABLhiK', 'GI8HZbBt7sItOd8m37j', 'NEHNjIBziAFY1auWFmF', 'L2Ll0YJkq66mhs0jkJS'
Source: 0.0.e8RKyR4TEM.exe.6fefc8.2.raw.unpack, c1VIJiANVYlZkNH1iGV.cs High entropy of concatenated method names: 'aXexe9AvWB', 'IKoxRgIZKv', 'RfxxhKJr1T', 'OQ6xuLQWPW', 'qQexnQ7Veu', 'o6tpZdpQ8nJ7TkbME50', 'HLDSCspfxYX8QWTYIRy', 'E7L08ZpEkti2iNv5vdu', 'VlKELnpLZaY1gcbs0WC', 'cUTkZbpV9tUZBy1nZvU'
Source: 0.0.e8RKyR4TEM.exe.6fefc8.2.raw.unpack, JffhCwsRNjGxDdomXvs.cs High entropy of concatenated method names: 'l5ltIWBF0q', 'oB2tCf9LEZ', 'JXntDsmGqa', 'iG2tLwYBlS', 'Vylt13P2NH', 'S33t778Ldt', 'mcvt84dEg8', 'ffDtwDnbbm', 'J5HttwrLHF', 'IlxtOWRM4D'
Source: 0.0.e8RKyR4TEM.exe.6fefc8.2.raw.unpack, xNthBMuREoL4NGQoYRt.cs High entropy of concatenated method names: 'p23', 'YZ8', 'Gog', 'G9C', 'y2HpeeNUSVPrfW2nIr7', 'NZkSfDNwnCEUqBsa2do', 'vyOHbPNDiqu8AHQR9rJ', 'S4EEKJN9CkGQJWPr7SD', 'WytQloNqoRrCOprA7D9', 'lyMAFmN4K26CXYvdVsm'
Source: 0.0.e8RKyR4TEM.exe.6fefc8.2.raw.unpack, kkwN2oAVPxbBiYhpQ20.cs High entropy of concatenated method names: 'P29', '_3xW', 'bOP', 'Th1', '_36d', 'vfjSktHnXp', 'p1ZSqW7LdL', 'r8j', 'LS1', '_55S'
Source: 0.0.e8RKyR4TEM.exe.6fefc8.2.raw.unpack, ywtxxbuBR5W8DXjG8yT.cs High entropy of concatenated method names: 'kNf', 'YZ8', 'U31', 'G9C', 'otsUiFNQF3TbqrpgIhc', 'jyrFxJNfIsqhRTMLUmp', 'pp70qrNVIY9yDHlBjbB', 'HaO8oANAJZmRJTh0oGL', 'xE6dxiNTaUB0eb0VR4R', 'TlBMVENoWfNUxnGdB33'
Source: 0.0.e8RKyR4TEM.exe.6fefc8.2.raw.unpack, fGKs7ccvfPIFD4KxNG.cs High entropy of concatenated method names: 'T43', 'YZ8', '_56i', 'G9C', 'pQDwkl6OgMxc63DvUQO', 'iGMdvH63kCVMwces7Rc', 'ppZrgZ6sQE460SPbNrx', 'cbUKPl6clqKGxtC1OkB', 'myoqDR6Plafoe7YtIFD', 'd9RAD36i2ocb05yoGJK'
Source: 0.0.e8RKyR4TEM.exe.6fefc8.2.raw.unpack, Alx067JHEK15yU8UtmV.cs High entropy of concatenated method names: 'AdP54XXFjp', 'lEh5zBAJ9M', 'ELD8QQy1wuUjZ75lo61', 'YGfjXsySgm15Xhna9fW', 'SiPPDOynhqLFxBkblrH', 'Ye9nNHydHfy1bv3AUVv'
Source: 0.0.e8RKyR4TEM.exe.6fefc8.2.raw.unpack, npkSP7u06rmlM1ZHkBU.cs High entropy of concatenated method names: 'h3H4g7y0uW', 'SprST1j5ALRvZBKYDjM', 'sOgUYOjaupFYmDS8WPm', 'lMuo7ajyGPDKfnmFieh', 'Ao1VkyjuhFvOB49n3EI', 'GLx71MjprfeGXghuG1X', 'QLw', 'YZ8', 'cC5', 'G9C'
Source: 0.3.e8RKyR4TEM.exe.26b655c.0.raw.unpack, bDUa3TaecqMKYg1r8l0.cs High entropy of concatenated method names: 'DZ4aCTjkah', 'N54RBtv93qqcxBSNh2c', 'oRHynEvwsU80w3WmWvj', 'VVttO8vDLxLmyafAa42', 'DmHs8SvqCk7BsEnY713', 'm1wnumv4l69nWGcifMh', 'AeGacAHS5F', 'sASalrpQ9i', 'dikav9A8ST', 'JnraNiKh9P'
Source: 0.3.e8RKyR4TEM.exe.26b655c.0.raw.unpack, eGYy3mSisC9WRIlbbHZ.cs High entropy of concatenated method names: 'q4Y', '_71O', '_6H6', 'TCwCTiZZC0', '_13H', 'I64', '_67a', '_71t', 'fEj', '_9OJ'
Source: 0.3.e8RKyR4TEM.exe.26b655c.0.raw.unpack, h6bDvwuj3SikS4DLsvS.cs High entropy of concatenated method names: 'YuPo47Ki11', 'eCkoofTZs6', 'mukoUaIqQP', 'FLM27xjqAdMNvXsNMD9', 'OPbtyTj4UgSSdyoIAuU', 'yKcqNejDH6uYZhqhinS', 'X0R0QZj9kgKLwSR5792', 'eXGCDsj7NqiimOUFhgL', 'nmq8HhjWqjW0AAqLFUQ', 'kot4IEjbXlQecaVvPIg'
Source: 0.3.e8RKyR4TEM.exe.26b655c.0.raw.unpack, zxUJf0a3lWCGeqqEMX2.cs High entropy of concatenated method names: 'TXHUyQWFQM', 'jI3UEx9Ntc', 'h73JT5PRGYON9Z7ydL4', 'XVtuQePx8n7F0FC5Gxj', 'bblJyuPHlggsrp9KRTO', 'FyQ6KyPmbB4uhZVnpWd', 'fF2EQTPy9C1i4vBdOIQ', 'arX9NEPuqQPx3IBEcuj', 'FVVkg7P5e7Hax9yevtN', 'R58X9FPaL7eJHgm9Bhs'
Source: 0.3.e8RKyR4TEM.exe.26b655c.0.raw.unpack, tdbGyWSou2GPhrK34sM.cs High entropy of concatenated method names: 'IqDIQT4mUf', 'wlXIgIDnSo', 'wIVIJDc64c', 'v37IixVp5e', 'YSvI9Fvsck', 'MjaIybhs0V', 'etHBMuVwxsxAqxeC8ix', 'fPFkX1VIc6HBvdC6DDT', 'mRFYvsVU6GBPgiReRTV', 'sWPeJpVDnCx5JiTwSfD'
Source: 0.3.e8RKyR4TEM.exe.26b655c.0.raw.unpack, gK5cKi7LNW4j0BG50Df.cs High entropy of concatenated method names: 'PZglJU1JxXeQaOcwgj4', 'YTaSs61YT0Hs7SixJWx', 'YXsUcr16AidPVvtYfAB', 'RETOoE1ByDwkbyYaLbc', 'iC6LRIeNBR', 'WM4', '_499', 'kmuLh0aDaG', 'Ru7Lu2tRvw', 'eDVLnkvey8'
Source: 0.3.e8RKyR4TEM.exe.26b655c.0.raw.unpack, jMjmxPuIrQbewUwArSI.cs High entropy of concatenated method names: 'KPA4yBnIq5', 'LjyftvjVqh60UuTJZFj', 'LqaY4ajAQldLI6gOSt6', 'U0RNMWjQSOKnLotJ1Vb', 'oitwSojfTyJ9sG2P6HI', 'cC9SBYjTELLDs76p2qy', '_3Xh', 'YZ8', '_123', 'G9C'
Source: 0.3.e8RKyR4TEM.exe.26b655c.0.raw.unpack, Jm0NETupYyLVv7pLBIL.cs High entropy of concatenated method names: 'yiQ', 'YZ8', '_5li', 'G9C', 'wYYTbJNkvMZpt0Rmjuj', 'gqpMecNrFLMscafa1FM', 'nMcfvDN6QImgNxMdKgZ', 'mXS5xbNBYpf9AW34SUf', 'qZEb6aNJARKHPeyAEq3', 'XEThp7NYFsU6rHJeS7Y'
Source: 0.3.e8RKyR4TEM.exe.26b655c.0.raw.unpack, BIAGSIbAd5HCMUM2V2.cs High entropy of concatenated method names: '_88Z', 'YZ8', 'ffV', 'G9C', 'zvQsO1YSN07FwIYMxgf', 'O1S4L0YIpYvSjwmOBNx', 'GtBttnYUxJXESQZylSa', 'iwJXcqYwwyd3Ksmeroe', 'Y97gGOYDcRlub9GuST0', 'BLcB74Y9peMnJiO41Eo'
Source: 0.3.e8RKyR4TEM.exe.26b655c.0.raw.unpack, N9WtwvSeeoVIVFBpG9O.cs High entropy of concatenated method names: 'xCVC13RNFG', 'ELvC73KQLe', 'F8e', 'bLw', 'U96', '_71a', 'O52', 'S27C8ONGOD', '_5f9', 'A6Y'
Source: 0.3.e8RKyR4TEM.exe.26b655c.0.raw.unpack, QlsCw8Jbq6Zn0cGmg5P.cs High entropy of concatenated method names: 'k1o6hh5VWWcceu7lXnc', 'JMPalw5A3vB1ri3UP4I', 'oq6etn5Q7Dqs3wwE0r3', 'yj3nnK5fxKpqUHhn88V', 'IWF', 'j72', 'ngB3fcJuRn', 'xqt3rmHqAv', 'j4z', 'Hbi3cfyqTE'
Source: 0.3.e8RKyR4TEM.exe.26b655c.0.raw.unpack, lcKOSkWhG3WCN4k2I6.cs High entropy of concatenated method names: '_66K', 'YZ8', 'O46', 'G9C', 'XQAucrJO5Cont2jgSpn', 'dQQJLNJ3IyBEmg6P1W7', 'lGGAMLJs8WyUEm2Ji5Z', 'fD7wsFJcNy9wP993euD', 'vniGKPJPJk8xigTIG5P', 'jrVV3cJiklpuyg9R7eG'
Source: 0.3.e8RKyR4TEM.exe.26b655c.0.raw.unpack, LAbAraJCt1l63FRwRQL.cs High entropy of concatenated method names: '_223', 'ATsDJJHZe77g29v3mjU', 'VOrHC7HvIwpWw8m5RwN', 'FM7B0QHROBa3X9mbUdt', 'JyScvOHxP3yUT0GA5Vf', 'pNlRZDHH81rxvfR0naR', 'WGUpexHm4buudVYW0Jp', 'amKl6rHyUtU37Cllf8B', 'FHMxgcHudHI8Ge8jwtS', 'FeYFUmH5mlhYaa0u2od'
Source: 0.3.e8RKyR4TEM.exe.26b655c.0.raw.unpack, CE0htPuPKYX1gfsGPpE.cs High entropy of concatenated method names: 'CP2oXLp5um', 'vQAo24HcAS', 'FRCS92O3L5aaElywelC', 'VGMsEjOjbixrtLeG6gn', 'oWTsVeOOCAutWV1FYrJ', 'jArlCFOsp9X95JLeDwH', 'MM1gg4OchYATUlA573g', 'F6uNebOPGFZ6mgN3P6u', 'BLQ4cuOiVVm6unDhJb8', 'kEUokCO0wrp2C4cIwrT'
Source: 0.3.e8RKyR4TEM.exe.26b655c.0.raw.unpack, RlAmSxJzO9JaFuIWIuD.cs High entropy of concatenated method names: 'lrB31aHud2', 'NN3372RF2K', 'MNb38X5JVj', 'K9iOlg5niwrS5mxEVcy', 'V302v25dyujanDlMKgB', 'oFfl705TiHsNrb5qHrw', 'Me01UO5ofmVfK7NgGuQ', 'QwcNUP51qZsSH5aBFWN', 'x34aun5S1xuojedbBZK', 'FqG6oe5IKTUjcwoRjKi'
Source: 0.3.e8RKyR4TEM.exe.26b655c.0.raw.unpack, e88daEaaug5j44ZGlrr.cs High entropy of concatenated method names: 'mXwomd2rMq', 'IE1oKhoF17', 'sKqodI1Jkf', 'OLnoja6JMc', 'OHUoQldDM0', 'BgIogMWyhC', 'GcCJEGsZKBpYR2NnTnv', 'tL4AxwsvjCaDpFJBXO9', 'L14Xghs0ihoyfmVWSVo', 'is0q5dsFEUmmIGQeMs0'
Source: 0.3.e8RKyR4TEM.exe.26b655c.0.raw.unpack, Xpip1xfIJmNHrNL4pR.cs High entropy of concatenated method names: 'kKVILv14f', 'VmRCDBNtg', 'InCDM6ix5', 'q0JLQ8mKi', 'aYX129cId', 'Fn47ptuCs', 'EyU8huNMO', 'KyeAL8rNWVQVcgwE3Zg', 's3pYsBr2i14hMsl8krm', 'FM5OHqrjbYEak4WkY2x'
Source: 0.3.e8RKyR4TEM.exe.26b655c.0.raw.unpack, TyOMuSJu9bRC3u7e8jp.cs High entropy of concatenated method names: 'P8Ea8ffeNY', 'iwOaw64cBs', 'WICats4Z0O', 'svBaOFYEbv', 'DCvWuivzQiWvxm4gaKK', 'vCFpTDvXIbU8VGtCdA0', 'HITvocvtpDlrMIcp9iY', 'ouSeEuRkUmaCfd9VP3C', 'qpVbq1Rr1HYmDh7AuXG', 'MI4XkXR6ypQrwU3OHhw'
Source: 0.3.e8RKyR4TEM.exe.26b655c.0.raw.unpack, RDoobhSxkgibyQrvnbY.cs High entropy of concatenated method names: 'HdJI5u4uAp', 'nbGIpPFUaM', 'SWnIARjvyr', 'ia1IHpY0yo', 'BPJIBgPPua', 'eDE43YVhSybYqCrEm1w', 'BHAMNOVpsADuHvOq1AP', 'PC7uyuVGWNPNRU1Kyny', 'vGhFJlVKQ8Lu6yTIjjh', 'gQCq83V8W5WNyaja3ik'
Source: 0.3.e8RKyR4TEM.exe.26b655c.0.raw.unpack, IfFAqjaIf6jQPxAWGPR.cs High entropy of concatenated method names: '_0023Nn', 'Dispose', 'WcoMRQo1gF', 'YtLMhAoEj5', 'dVBMu5ClP9', 'FMAMnVlSVR', 'jRmM5KbRDb', 'bEIDR1Z2Wqswsnb7KRg', 'FFXi2MZjPw7sgakSsTf', 'R0SqQpZlmT5OUVkvY2S'
Source: 0.3.e8RKyR4TEM.exe.26b655c.0.raw.unpack, sKG87XuKkLYXWwPFAbY.cs High entropy of concatenated method names: '_981', 'YZ8', 'd52', 'G9C', 'NJhsy9l4YoOhPEpAjOH', 'qDpqAhl7OaiSWx9waF7', 'QkbyVXlWBDrglNItbaj', 'CKuT2qlbDCN2SIOx4vC', 'fjk5Iqlgj0BxrjMqPDr', 'xwx4XVlX3bhQt2aEj3V'
Source: 0.3.e8RKyR4TEM.exe.26b655c.0.raw.unpack, leP6m5JPVHsyI4AuxAc.cs High entropy of concatenated method names: 'oYo', '_1Z5', 'TbQ9q3CqCh', 'W9K3sWPXgM', 'X6W9dqeWQR', 'tZG1qOuchhHo8T6f7oc', 'ySndifuPZmpbDJyP6uX', 'p6PfRVuiLQkJraiquU8', 'wjhZuYu0Wk64h28a6UE', 'PBcYGFuFb1xYDnCWlEm'
Source: 0.3.e8RKyR4TEM.exe.26b655c.0.raw.unpack, HJPcxauxttUeh16misE.cs High entropy of concatenated method names: 'Ai7', 'YZ8', '_56U', 'G9C', 'OeHkilNtbdO2Mop24C0', 'ChHRfUNz4iirwPMVt0r', 'w4cUDo2kEqo0vjKsL2R', 'FYILs92rAcTKa9E1tYC', 'Ofgyxl26SQtWi2Q0A0x', 'LGChJX2BMCAE3dbTfP4'
Source: 0.3.e8RKyR4TEM.exe.26b655c.0.raw.unpack, GVV0We9f8PeuTW2ySQ.cs High entropy of concatenated method names: 'TWJR85GBd', 'sKbh84xqw', 'tRGuJBpsy', 'fIAeQarAigwL9ZMsLuo', 'cQ9XlorfOxRKveb05Dt', 'HlY255rVyLbMhR4D1EH', 'nd34bhrTiouV5kGhmKF', 'Lvoerqrot7NG08UgUnj', 'no8ExjrnimU32VpE3av', 'rUluuirdFkwfcWJenrB'
Source: 0.3.e8RKyR4TEM.exe.26b655c.0.raw.unpack, xxbjEjuEgUdeqKXQfuE.cs High entropy of concatenated method names: '_589', 'YZ8', '_491', 'G9C', 'YOYVLGODbpSWMrCVlWs', 'trDegwO9V1e9hwEpDu2', 't78b5WOq9u65dVDH7Ev', 'FVoSZyO4sqannRDskmX', 'ktiZOcO7RyjA7CUmREA', 'ONrgxBOWIMqKlPhQl9E'
Source: 0.3.e8RKyR4TEM.exe.26b655c.0.raw.unpack, CY76Z0uSY3M8X1UOoE3.cs High entropy of concatenated method names: 'K55', 'YZ8', '_9yX', 'G9C', 'badXHJeI5LFdQnp5H4V', 'gKbKPpeUcI9xwXsVrdF', 'LaMvmsewYlW2Q96CJ26', 'fhmdTKeDqyInJd63FvX', 'g0U5YIe9XNKlhLky6cn', 'sAwuDWeqs7uY4b5smwQ'
Source: 0.3.e8RKyR4TEM.exe.26b655c.0.raw.unpack, aQRZXvJhtXT3mvVgtHT.cs High entropy of concatenated method names: '_525', 'L97', '_3t2', 'UL2', '_6V2', '_968', 'TItgV4ycTCXIyGq1K9S', 'Xb0jrjyPjv9oisPkL22', 'PtJ92kyiDU3n9ghrNZv', 'rZYkHYy0nyMVkaJOwTs'
Source: 0.3.e8RKyR4TEM.exe.26b655c.0.raw.unpack, AYgARvuCk3pDHw7y44w.cs High entropy of concatenated method names: 'd43', 'YZ8', 'g67', 'G9C', 'y8Acb0lGukeUH0UViUG', 'QRcLuplhHw6c0QDXXyU', 'Q9AN2slKGgWib7F4XMQ', 'e5C5agl82RjNrwRYEd8', 'fVaX7DlMTibmK1VXdu0', 'fIpZBjlCW6PiBlKHl2G'
Source: 0.3.e8RKyR4TEM.exe.26b655c.0.raw.unpack, kolpP6uh00hSSCDRXjt.cs High entropy of concatenated method names: 'gHL', 'YZ8', 'vF9', 'G9C', 'iuwwOIN5xgxjOebWt5M', 'jxYdXZNa3XZaaK1Y8Y3', 'XuIRnhNpIlmYYrOPI7W', 'wtT0yENGhKWrDAnQ5wF', 'mOukLJNhontrK6vJ7u3', 'axe5QWNKiYc6xldV7BV'
Source: 0.3.e8RKyR4TEM.exe.26b655c.0.raw.unpack, tj7u7Sub6VjxcJ4bcht.cs High entropy of concatenated method names: 'Yt9olJFYbg', 'wylUrt3eKgmjFOu8kjF', 'AKjYoT3lslmsEkhkFcd', 'aMZsUE3JAMI67WtMFh8', 'l4Dw7c3YIyFkvds7EyJ', 'BNonS03NnGu7uBF8cxj', '_5q7', 'YZ8', '_6kf', 'G9C'
Source: 0.3.e8RKyR4TEM.exe.26b655c.0.raw.unpack, MsNMv9syoTVwjeSfLjV.cs High entropy of concatenated method names: 'j4HSMYIptiTbWVwAbHq', 'kQ50IPIG5gYIRiQYaAj', 'cWyFhZI51PEK9BPa9do', 'thRHkQIa9wEQneNRe3d', 'GZ1tSerW1T', 'oLooyII8QACCLwyKSQD', 'CrPTIDIMxnoaG0MlPIb', 'QsL0DxICtXOaAhyr2u3', 'lD0ADGIE3q8W50uATgg', 'UkXOQ4IL04w3xx8H1bS'
Source: 0.3.e8RKyR4TEM.exe.26b655c.0.raw.unpack, gRsUpHueIEoBsXHr0uc.cs High entropy of concatenated method names: 'M7koGZiDWs', 'UYioTt4mBe', 'EiKoIoyGB6', 'oegaW33OwBmRxVGmvvi', 'e7arNh32fkghv2jMDU5', 'ufsrgj3jBuaUg0Bcag7', 'iv77sO33SIFnFImMIiy', 'cIIpwx3s0VtAUm0iBjf', 'L2IC5G3cfFdne3WLHlh', 'X6XYVr3PwZhl1S5Gtn4'
Source: 0.3.e8RKyR4TEM.exe.26b655c.0.raw.unpack, NDKTtjun58hmOFYYEGh.cs High entropy of concatenated method names: '_3fO', 'YZ8', '_48A', 'G9C', 'oXPRMsllPgpmXRlCsih', 'IuaeUxlNZx3CyS9Xigv', 'OwtXvIl2wpewYRs27d3', 'IEyRn2ljR5H3EqCquY7', 'uJMH96lOOpKmFJxeiuI', 'zxZ7vgl3FDXXNfJLkXJ'
Source: 0.3.e8RKyR4TEM.exe.26b655c.0.raw.unpack, H2qUBJA340wTasJ8HGU.cs High entropy of concatenated method names: 'zqQxsiqrmr', 'umTxModbZZ', 'CJhx0eyxYa', 'iCTgt1pFx0dDu5BhiMk', 'Q0Sr22pZn5ODQytXbl2', 'tPdPRrpiCJdRrPlHaQ4', 'ISgnnlp0xVtHeoMuoke', 'BiCSkLpvSjRqHeRteK8', 'B6IfV4pRjpw9otJXuPb', 'UpbyDcpxEXXKUrRcrJu'
Source: 0.3.e8RKyR4TEM.exe.26b655c.0.raw.unpack, wLZmPf4gWyTLyCJ4FY.cs High entropy of concatenated method names: '_52U', 'YZ8', 'M5A', 'G9C', 'lq5UudY7rZe1vHnvTu2', 'WxFK3yYW6bCNZ9cEI66', 'yVFx2VYby832PmiUsAd', 'jU2tNSYgoJbGwlb5LKY', 'jv9KibYXI5InjoXj4ra', 'I0NeMkYtG3O8VHpoOPP'
Source: 0.3.e8RKyR4TEM.exe.26b655c.0.raw.unpack, cAQU9NJpkqS2EoHEPRl.cs High entropy of concatenated method names: 'LnOVQnE7sn', 'wTVVgOM7de', 'CYKVJYC4UF', 'iQyVi3ljAP', 'EePV94KcSk', 'FAcNP9meu54JjDR1nSY', 'BQRahwmlXZtifX0iUx9', 'q2nLnjmJejj7IBoa0yl', 'dKCQwtmY7OJsxq43ToZ', 'D9l8aJmNKdlDN3j79oL'
Source: 0.3.e8RKyR4TEM.exe.26b655c.0.raw.unpack, muruWRaZmIRGRwwDXkS.cs High entropy of concatenated method names: 'pbtsP4stnA', 'yBnsSmpdkl', 'ElMQaBi5uOcO5PA7365', 'TeSAqriaoF2REOffVnw', 'Fs13cQiyRbMaUY2ZA99', 'J7qA3viu2SZancXrHUu', 'e45fSgiph8jSgyhGTyw', 'mphjIViGK3dZpRYwvKk', 'gAsKD1ihPXYBIlJ8rRo', 'Mr8ZaAiKaYPq8wKPGSk'
Source: 0.3.e8RKyR4TEM.exe.26b655c.0.raw.unpack, x5NdPT7l37wdRH0qj8A.cs High entropy of concatenated method names: 'MLSLWyFx5c', 'AeeL3at1CO', 'hR2LXIJQUd', '_3Gf', '_4XH', '_3mv', '_684', '_555', 'Z9E', 'FWbL2J1Ue4'
Source: 0.3.e8RKyR4TEM.exe.26b655c.0.raw.unpack, jhoSbPAE0tbZNrBBHB6.cs High entropy of concatenated method names: 'r27Sy48VuA', 'PEGSRG4mVY', 'GeuShnG5UA', 'hIcSuEiePJ', 'TNjSnvED0X', 'JldS5q4kRH', 'HGnSpw1085', 'I4CSAbcm7l', 'yJASHyMxCs', 'flXSBUFMlV'
Source: 0.3.e8RKyR4TEM.exe.26b655c.0.raw.unpack, TqngPRuDfYummIbNAPi.cs High entropy of concatenated method names: 'UXM487DrFu', 'hwM61HNZDjy9RZZYhKl', 'PjoRZQNvDO9DQiTdPi0', 'bx6nHEN0Vv0hXBo3TB9', 'M3AtFhNFSHtMj3qrAFH', 'bZvFQANRSL4cOwEL8Bn', 'AFg73yNxRDfGAvcVgDo', 'AherswNHAtnD5oOWVdQ', 'oWkaXwNmAnivSjsEuIX', 'f28'
Source: 0.3.e8RKyR4TEM.exe.26b655c.0.raw.unpack, ie5OXdAbrinGmAjLjnu.cs High entropy of concatenated method names: 'aoFkCyYDYS', 'y7jkLjWJvL', 'k6BkPGAJdp', 'cuOkSwJ8vg', 'RkFkkiqHkC', 'ttDkq7jPgC', 'LkKkfI8NGk', 'UvYkr70WTl', 'ws2kcWqOqH', 'nYdklkYtpT'
Source: 0.3.e8RKyR4TEM.exe.26b655c.0.raw.unpack, SShuTbAqLPZZeGUmlqx.cs High entropy of concatenated method names: '_7zt', 'OuRxl4QRa5', 'NVAxvdb9g1', 'HKJxNmdEUy', 'OUrxZUG5Zd', 'laQxG2Ab9x', 'b8gxTuZHWp', 'LPdJy8pyJAkNCXbxBc8', 'VjxkIipuSJU0cUbi1U0', 'PLP91hpHlmWoSqrUNKV'
Source: 0.3.e8RKyR4TEM.exe.26b655c.0.raw.unpack, uKo9EYuJCnapEFgN7sQ.cs High entropy of concatenated method names: 'R1x', 'YZ8', '_8U7', 'G9C', 'WqaVJIe8eCRteERp6A2', 'cOJripeM3OgPBEd7XoG', 'S52iOGeCpRosv3hCRXK', 'oF8KmreEqOuBmX77k03', 'yC9HvUeLqil2rcYApqM', 'Gih8hReQJ4upVGQPZyx'
Source: 0.3.e8RKyR4TEM.exe.26b655c.0.raw.unpack, PoC19xIYs3oULPSjEp.cs High entropy of concatenated method names: '_59M', 'YZ8', '_1zA', 'G9C', 'XqWH5fBfwfMmpaQR9DA', 'zFVu7bBVmhVdh6QyNrP', 'IyWRXWBAMEJEv61RK8O', 'nb4CUGBTJWoenYUb1fc', 'sMEKOKBoasGR3NihNmu', 'gIpXBvBnSXsZNWW8Hvq'
Source: 0.3.e8RKyR4TEM.exe.26b655c.0.raw.unpack, cwTdtOSkw3anwx0R3Hh.cs High entropy of concatenated method names: '_14Y', 'b41', 'D7Y', 'xMq', 'i39', '_77u', '_4PG', '_5u8', 'h12', '_2KT'
Source: 0.3.e8RKyR4TEM.exe.26b655c.0.raw.unpack, TW7fRhs1Vm5JUHWi8b.cs High entropy of concatenated method names: 'gvQPQn3UQ', 'TVhU9oEnKVGc5KBwDU', 'xeM0AFMfrd34vfgQAn', 'Rr5sSaCAKHDJGm00tB', 'pEPj6jLgBtajDtMccK', 'DHvyC8Q6gBPhOmUjaZ', 'mDwoCj5d3', 'e3jUhD8QK', 'epks1tG7R', 'zQMMahg4w'
Source: 0.3.e8RKyR4TEM.exe.26b655c.0.raw.unpack, XLUyoCJE6a5XsQH0Ko2.cs High entropy of concatenated method names: '_269', '_5E7', 'aaT90ZBYht', 'Mz8', 'Be39XvFJUc', 'TSOEBfuqUBI4QM94b6y', 'rfy60yu4hB8M4cZTFg4', 'nvGIDsu7DUsw6wOkWoE', 'dZwXbiuWmibUpy93ilE', 'eBsIlkubgn7YEyn1EHc'
Source: 0.3.e8RKyR4TEM.exe.26b655c.0.raw.unpack, iE122xu5WgJxss5tlpL.cs High entropy of concatenated method names: 'dbG4FToLyJ', 'PoHd9ij6FUinWQof2rL', 'XNoCOrjBkJBaTcjnfat', 'JKGimSjk2uQF48ocddn', 'H9t71fjrQ6qHnKRw36r', 'bDUx1EjJX11HecTiYiC', 'dqwNTgjY6NSwxNlu73J', 'NA6iFLjehFpLuyMbbfZ', 'DO64mxRLfw', 'Vm7cb2j2Dh4Mfb2i8do'
Source: 0.3.e8RKyR4TEM.exe.26b655c.0.raw.unpack, DXWBXD7xaiQexRZnvbm.cs High entropy of concatenated method names: 'D4M', '_4DP', 'HU2', '_4Ke', '_5C9', '_7b1', 'lV5', 'H7p', 'V5L', '_736'
Source: 0.3.e8RKyR4TEM.exe.26b655c.0.raw.unpack, UolZWdzG9T3ta6rI2R.cs High entropy of concatenated method names: 'Y29', 'YZ8', 'jn6', 'G9C', 'FJaST8eBc7cPFQDeEKx', 'sGyuG7eJyvkTOCbyfjr', 'vH5rcOeYTp01LVeauvX', 'nWRq4Qeew913qsk5eAb', 'OGcwWqel4rUQFVpqQom', 'Qm6M8meNOHejDNhCly0'
Source: 0.3.e8RKyR4TEM.exe.26b655c.0.raw.unpack, fkTngpJ8IS4AASs0IAk.cs High entropy of concatenated method names: 'NvFVegeuIZ', 'CpqVRfiJNe', 'WIFVhT0n5J', 'kZWZuQHPJoHrC26XP6A', 'Xsxx2MHsiCZlxKaisbI', 'ocmmJvHcxMVcupAO5LD', 'HW7hEWHi1vXLkeKPAat', 'vcoVksyDaH', 'PvgVqxJTtJ', 'LC7VfXWg0u'
Source: 0.3.e8RKyR4TEM.exe.26b655c.0.raw.unpack, y6Ws6NaYiImOkHaWiXZ.cs High entropy of concatenated method names: 'yR4UiCmGQY', 'Ru41oKPBgZrSHGMuyYE', 'mRaVtePJVdm1JlskAaw', 'Aa3BIJPrGdXOw6MnEEh', 'hrxQXNP6tWjE2EEXTRC', 'UbJMHTPYeFoooSjJxnO', 'DWbyLHPeRhPx7LD4vX3', 'SmXI9bPlt1Z3jJvI0pj', 'CAdpv7PNQ6Ib67gJOIZ', 'rYRqd1P2yDeN2R4ywly'
Source: 0.3.e8RKyR4TEM.exe.26b655c.0.raw.unpack, cM7TrW7vKpr8B50h7OK.cs High entropy of concatenated method names: 'N2rCF6xTLr', 'lsqC64aHWx', 'QxvCmGltB7', 'iyECKkoum5', 'Mt3CdbDttF', 'ufhCjudLGS', '_838', 'vVb', 'g24', '_9oL'
Source: 0.3.e8RKyR4TEM.exe.26b655c.0.raw.unpack, qs4Urgaq761JKp5Sl83.cs High entropy of concatenated method names: 'mvSUzHWdoq', 'w6jsb6qh9x', 'Arps4pUQiY', 'K3Psok3iPH', 'AaesU8LYPr', 'XGHssJ0SRB', 'dfcsM0PnfG', 'mOLs05k38Q', 'ek3saBZ8Pj', 'MrSsVJv1vt'
Source: 0.3.e8RKyR4TEM.exe.26b655c.0.raw.unpack, aAr1doJK0oCX727yELI.cs High entropy of concatenated method names: 'mfQVKjYhW4', 'uWfVdO8sTM', 'UowVjYFyFw', 'mRclhxHIWEf2dmGELm0', 'Ng91fxHU1Z4qaNUcZQ2', 'YdjpN3HwCYwFf8orfmT', 'THRYLEHDrrhipWupU2u', 'WYL7weH9RJil63mdEE6', 'T5OqbiHqWGrfgtSN4Sy', 'Ku7T7pH4TmlhhvrZ806'
Source: 0.3.e8RKyR4TEM.exe.26b655c.0.raw.unpack, k0SbHh71EIHluNJbGB0.cs High entropy of concatenated method names: 'PJ1', 'jo3', 'jQM8W9i6wE', 'mmm83doboA', 'V0S8XwdoLS', 'EC9', '_74a', '_8pl', '_27D', '_524'
Source: 0.3.e8RKyR4TEM.exe.26b655c.0.raw.unpack, meFI6lAXl39DJs7Vb4w.cs High entropy of concatenated method names: '_45b', 'ne2', '_115', '_3vY', 'zdtPbLvrcD', '_3il', 'WlkP4bILXr', 'YUePoZ90nA', '_78N', 'z3K'
Source: 0.3.e8RKyR4TEM.exe.26b655c.0.raw.unpack, dIgrH4avfkQ5y6qRXoT.cs High entropy of concatenated method names: 'tsqoCJgFsT', 'XDSoDa3tes', 'Ff8oL5PU2K', 'Q2c27U3ElTiWocm0Q9u', 'Ix0yMY3LCEJY5CQ0Tpf', 'On5nwY3Qh4K4dGQOrb3', 'wNcX1C3fHDOrlQgPsfd', 'ujMIq53VSeNGG6ZLShx', 'RiJKbD3AJ8Mg2m4WB8H', 'j1uB343MgUlJEhHQWYH'
Source: 0.3.e8RKyR4TEM.exe.26b655c.0.raw.unpack, z2JwFrJtjurC6xysxLW.cs High entropy of concatenated method names: '_9YY', '_57I', 'w51', 'EJZ9vXWuJw', '_168', 'n8DJYbuaMvfyUfdOplR', 'AnDLyaupyCSmTGxIIAB', 'gY2lS7uGMkpVKPd3vAB', 'V9l9MauhwHtdKih0nS6', 'JdCvRluKaouYNb0C5oq'
Source: 0.3.e8RKyR4TEM.exe.26b655c.0.raw.unpack, voduWUJWtY2rupEbJiy.cs High entropy of concatenated method names: 'sg9', 'qat9yBEMVq', 'S1vWycrmCO', 'Pg79eB4Sev', 'KhWdKOyw31Rk0SGsTDZ', 'VRgYB5yD04UGYCkFoTS', 'M4keIuy9aJDnvrZRBiH', 'YoENk6yII3AExHvT7js', 'nBPCVvyU5iKrJmYl3js', 'yMYn7Uyq0QUaVk5tNk1'
Source: 0.3.e8RKyR4TEM.exe.26b655c.0.raw.unpack, biPKHt7TrSGUnycNwn0.cs High entropy of concatenated method names: '_159', 'rI9', '_2Cj', 'rJwLCaM1MN', 'bMuLDA2cAJ', 'WSPLLFLR5P', 'DGcL1TOJOI', 'AORL70r4Ev', 'LZ4L8Or3L8', 'rKIFPudVf7alepMld8E'
Source: 0.3.e8RKyR4TEM.exe.26b655c.0.raw.unpack, dm9hXfmwPCkREcOb27.cs High entropy of concatenated method names: '_3OK', 'YZ8', '_321', 'G9C', 'PCbtNG6Xr3snMMonf3p', 'heZLIJ6tmqpyllHV7U2', 'Ys5Gqu6zowJbcSpjpRK', 'QswBikBkImQFVRiVTRE', 'rNSsQNBrHmrW2gkhy8P', 'GeBpXSB6UulLGN4WGCK'
Source: 0.3.e8RKyR4TEM.exe.26b655c.0.raw.unpack, NHFd4sA4h3PrgosrQJf.cs High entropy of concatenated method names: 'ICU', 'j9U', 'IBK', '_6qM', 'Amn', 'Mc2', 'og6', 'z6i', '_5G6', 'r11'
Source: 0.3.e8RKyR4TEM.exe.26b655c.0.raw.unpack, LJ3ammSGPPBHLr7w7Ha.cs High entropy of concatenated method names: 'Mq4KMeAYFFJrRvlT7OF', 'mKevHBAeRWN1SZsPakl', 'cuF0ZHAB5oE3J13YYf0', 'OBl4jPAJaxZNyhotlie', 'CAxVrrAlr0tdwxUnoyc', 'O7SGWRANXcebmVPufuG', 'OrbGcRA2nL7qHs9WEZe'
Source: 0.3.e8RKyR4TEM.exe.26b655c.0.raw.unpack, BFvKGo7hlc1MQTKuJr1.cs High entropy of concatenated method names: 'CHrDvnAAIt', 'gSPDNYiYRK', 'sS9DZ45PSJ', 'WuDDGlo0N7', 'pYEDTtnDFC', 'DuFcqgogDeOYaHMExeY', 'HoAkg2oXrlD8W16RgPO', 'EVnKKWotbYClv0vP8JN', 'FrdisAozEDZQLI0wXWW', 'yjMw1lnkVIRrt0GGLi1'
Source: 0.3.e8RKyR4TEM.exe.26b655c.0.raw.unpack, El9r8OSJBm78viZMw9S.cs High entropy of concatenated method names: 'GIUwsVEyKtuZY1Hg7Vr', 'w1rLM5EujqPwDvpCS7e', 'VK2X8kEHDwVxqPedh22', 'c7jraMEmjWPIpuvohPS', 'wjpvI1ribq', 'DQaRyUEpg2af5E5keN4', 'VSuqeIEGOr7QOCvGAV7', 'm3JNivE5yINZeWq0htV', 'kyWciREavbQhHPsFb8E', 'ut6amyEh1H2OaLtp9oE'
Source: 0.3.e8RKyR4TEM.exe.26b655c.0.raw.unpack, zq2MoI77BNhLfQn9KoE.cs High entropy of concatenated method names: 'Qkp', '_72e', 'R26', '_7w6', 'Awi', 'n73', 'cek', 'ro1', '_9j4', '_453'
Source: 0.3.e8RKyR4TEM.exe.26b655c.0.raw.unpack, pRMmGrSnIiuRbpbu8B0.cs High entropy of concatenated method names: 'BFJIvXIF5M', 'DcLINBg824', 'OsLPaZf7uJgWaljDm0b', 'uLelJMfWNdZrRXaIgI8', 'BRI3eIfbrToCiArcoWv', 'KyA5fXfgpCklBHdRftv', 'PuXR8GfX0OSud5hJArH', 'QGL13KftiKKmlDuY6hs', 'FnsKQufzrTRqHiYaMkH', 'Yi8diSVkY2n1cvBdXPf'
Source: 0.3.e8RKyR4TEM.exe.26b655c.0.raw.unpack, JY58eZPlQvJj37diiZ.cs High entropy of concatenated method names: 'P37', 'YZ8', 'b2I', 'G9C', 'Y6MwBnJ1aBch3ujXEg9', 'sSEmoBJSnYddOwI4V2n', 'EfVdIQJItHTXNPtAm1i', 'xZTTT4JUn3xbGBXg9dq', 'dNuXw0JwYdOl0DVKmhW', 'sjkj2EJDLePllM7cj5b'
Source: 0.3.e8RKyR4TEM.exe.26b655c.0.raw.unpack, Kaxk6bSM173SiREF1M5.cs High entropy of concatenated method names: 'enBCsluF8d', 'PUICMOF7hv', 'uQsC09i4HY', 'G8JCawxAj3', 'udyCVs56Ig', 'gUgCWdiNkh', 'AnUC3oym1l', 'esECXFsB7q', 'wdiC2uFu7Z', 'Dd0Cx3ksjq'
Source: 0.3.e8RKyR4TEM.exe.26b655c.0.raw.unpack, TvDHDVuYfYeLJyfV18K.cs High entropy of concatenated method names: 'rU3', 'YZ8', 'M54', 'G9C', 'qrBBTylTebsA3IUfxF9', 'sos4HTloHAlNx4lu56f', 'welbsGlnpD1qY0UgIyG', 'QJGgGOldOcmQmOb3p9v', 'q7MsCWl18svyNfcXHtq', 'uV6ObBlS55d5uL9DMHm'
Source: 0.3.e8RKyR4TEM.exe.26b655c.0.raw.unpack, jTU6PaulO2e1N2nQ607.cs High entropy of concatenated method names: 'GvP', 'YZ8', 'bp6', 'G9C', 'EyhgW42fxWdEo1BkCwN', 'xvAmrX2VVqFkuZSQuBU', 'oTxQxo2AP9hJhtnVulJ', 'MW7Zvh2T1KwcWqh9v3c', 'r4NAZC2oBsptrMRQ3Uq', 'BidI2r2nqfQJOggwbnL'
Source: 0.3.e8RKyR4TEM.exe.26b655c.0.raw.unpack, j49su77R7Hh6seoQrM3.cs High entropy of concatenated method names: '_7tu', '_8ge', 'DyU', '_58f', '_254', '_6Q3', '_7f4', 'B3I', '_75k', 'd4G'
Source: 0.3.e8RKyR4TEM.exe.26b655c.0.raw.unpack, syj7FTJY59XCvLngkrm.cs High entropy of concatenated method names: 'RL8VBg10Ht', 'MxpVYlwSNA', 'nlWVFm1N5R', 'mGgV6FudQh', 'ScxB20HLNrtY2V98q7D', 'L788bQHQM5K6EQZcJ50', 'GehISbHffRHTsliZ3gN', 'zMbdo4HCWPut9xiZ4VQ', 'LtMHH1HEAimuq1woIXF', 'm432w6HVTx5clX2m3HO'
Source: 0.3.e8RKyR4TEM.exe.26b655c.0.raw.unpack, Sgvs0lS5xZFNi8J9Ftc.cs High entropy of concatenated method names: 'fYgImsCfE5', 'GjCIKeBuYO', 'DTDIdjv96Y', 'XslXZlVooWw1meBbn81', 'heyjBIVA0Fw2YxcLlMa', 'AFvYS9VTSfeKcaCDv9I', 'YSJcpwVnnG8D0p1pF2E', 'QsCeM7VdA8QUiAZtANs', 'leEcKPV1HSj8Ge1BbYO', 'R9NjplVSUv3a2tQrXHc'
Source: 0.3.e8RKyR4TEM.exe.26b655c.0.raw.unpack, nvskM3afv4aqFHVpAnd.cs High entropy of concatenated method names: 'BgCsNDew7Y', 'fSasZIRwCs', 'QljsG4DcgO', 'DXdsTUk7Z4', 'FLLsIaKiRr', 'efhR5p0kteZJEub10jO', 'W2yuPi0rbhNsn26AUak', 'oJLOf6itb94Hoh2is1T', 'w52HQvizAEh0ijbBowN', 'rO6EnT06NPDosEGQWGZ'
Source: 0.3.e8RKyR4TEM.exe.26b655c.0.raw.unpack, iG5HSl7VCMnrHc277j8.cs High entropy of concatenated method names: 'NUW8GopYhl', '_1kO', '_9v4', '_294', 'BHW8THBB24', 'euj', 'raO8IPjBtQ', 'K828C2bKuv', 'o87', 'PjJ8DdogbP'
Source: 0.3.e8RKyR4TEM.exe.26b655c.0.raw.unpack, F3axEKuUgmXxgnuw3D1.cs High entropy of concatenated method names: '_7v4', 'YZ8', '_888', 'G9C', 'eSxugcOCVBRXmvgIXLe', 'um7DWdOEcC6nUMFpGDT', 'WL9d8GOLxbQu1Lex9eW', 'x87C94OQX9RdeGnlDUE', 'juihfSOflFv2Biwmkvn', 'HQhZH1OVi3rSloNxgFJ'
Source: 0.3.e8RKyR4TEM.exe.26b655c.0.raw.unpack, mnJP7k7OxKgacQnPJw6.cs High entropy of concatenated method names: 'i4a7n1JGo8', 'ujnvKI18RKJR2u6rmis', 'Lpob4f1MrISB15ypsVd', 'a3wnsB1hJUdmPgHG8eA', 'KbkWMe1KtASJeeqPJkq', '_1fi', 'TWQ1jiBDkT', '_676', 'IG9', 'mdP'
Source: 0.3.e8RKyR4TEM.exe.26b655c.0.raw.unpack, LgY3ERa0ue2CFHsAUcU.cs High entropy of concatenated method names: 'GHtM8y9PGN', 's0wk7hFXuR9Fmjdy7vL', 'Cl3Y80FtqSVgYMZhZA0', 'NTHpUvFbHiAurNP6JeY', 'uZjZS7FgnfbkGxxl1yp', 'nOxVRYFzlpE4MNnPKfr', 'gDEDSbZkJ2eBi50em5B', 'rkI2t0ZrEoN3X6jF6rj', 'KIgTdKZ6kZVPIvQSOlI', 'trC6fAZBQvkE5tNx1jm'
Source: 0.3.e8RKyR4TEM.exe.26b655c.0.raw.unpack, Ru4jMfuudQ9CrBOMICT.cs High entropy of concatenated method names: 'tO4', 'YZ8', '_4kf', 'G9C', 'MXka8ZeRkaADlXx2WdM', 'zY5Mf5exU3eiMPrD1RE', 'vj2egDeH81j0A05OYov', 'b5K8QdemwqDaQZLd4XY', 'PDwfwjeytPFnqdN9xjL', 'xQEgR8euHoqLwK2xacn'
Source: 0.3.e8RKyR4TEM.exe.26b655c.0.raw.unpack, RWv6ljJAj2UiNxxKUkQ.cs High entropy of concatenated method names: 'v76aHaoKKd', 'UFiaByepBo', 'laUaYRaMgn', 'P44aFLPvNc', 'Hxga6Stl67', 'wGAamtcRdl', 'WNT8R2RKSKQmtjVnwhG', 'IwfTjvRGToGKO9CP2VD', 'yTfb6DRh2Xq14koom4h', 'j8sW5bR8owMawIRgKYD'
Source: 0.3.e8RKyR4TEM.exe.26b655c.0.raw.unpack, SV4q3KEaRLmZpJ2uWw.cs High entropy of concatenated method names: 'pHw', 'YZ8', 'v2R', 'G9C', 'xtMl8vYhb0DCD5L4jdJ', 'M5rsLHYK43JlqJkHrJ1', 'TZDhxKY8wxahgedhJBR', 'hNYohvYMFNOkLRBKSeS', 'GSEcXxYCCsP27dcXN3Z', 'laSamZYEteWQF9uBLkI'
Source: 0.3.e8RKyR4TEM.exe.26b655c.0.raw.unpack, NjSFP81t5nmtiVx4HW.cs High entropy of concatenated method names: '_468', 'YZ8', '_2M1', 'G9C', 'miuWvHJZwqFZqcqX6je', 'WMJjGZJv8Sm0vtaM4rQ', 'K4nqDXJR3yV6CBwltcs', 'ODOEHtJxEUQwWV4Wh0l', 'BJB4PbJHtI8bsneTkPR', 'zi9jlPJmZhYBuaVgLZx'
Source: 0.3.e8RKyR4TEM.exe.26b655c.0.raw.unpack, ie6boCanxCVHQ3oDcme.cs High entropy of concatenated method names: 'ulpUOTlLtR', 'LxKUe3C2C7', 'my2URE8S4c', 'lfMUhriJ1u', 'xgnUugVTrZ', 'zlrUndMC2r', 'RkYU50JoYS', 'Ig2WAic5vpcU3pKeuSj', 'bfAPrtcyWgXTHm46gSW', 'b0p9AccuDJa14lZvH77'
Source: 0.3.e8RKyR4TEM.exe.26b655c.0.raw.unpack, kQTIENJ1TbB5I0TVnPA.cs High entropy of concatenated method names: '_5u9', 'Msa9YyM9m5', 'IjO3bxhsOI', 'eyS9QYeRLc', 'vmwPBgyg8wtpj5wXVGC', 'SlH8q9yXsjjGKNW1kTX', 'vH8rG5ytbDMOSLcjrNG', 'MpAdWZyWqZ5ot9YnK5l', 'UuXavVyb5V3ehbCrfLO', 'yQHTMWyziwGDAdaN1mG'
Source: 0.3.e8RKyR4TEM.exe.26b655c.0.raw.unpack, pejF8DsFRk5gYQdapUF.cs High entropy of concatenated method names: 'Xuqp8JqqrCcxP', 'Sw05toIiALVtsdwxXuG', 'JqBRmvI0WtvPcPDCB5F', 'kdnjJNIFtvYnBeFaAXt', 'WfLG5WIZ7a5JwqwAn5f', 'z61HV3Iv5F1jY7vaU0r', 'yIUcqIIc6Rvr8HtBdl6', 'tHWt8AIPviiK7EplrRV', 'cN31xmIRXm5IaUY92Ll', 'tKkytHIxbg5rbSUxnNi'
Source: 0.3.e8RKyR4TEM.exe.26b655c.0.raw.unpack, wrJQqmaHJm1Y9WBh7Q9.cs High entropy of concatenated method names: 'yUZ0VvMJG9', 'ee60WMdOOi', 'ysQe1aZWiCVISgEGFjK', 'lnirHtZbc7PgYJ5BQ8m', 'F1oSR7Z4ykEuo2ZlVgV', 'K1RIPGZ7r8N9saS4jQx', 'x2C0fX3Ygd', 'hFGU3fvknL68uuMgqCV', 'WM2EPvvrUPJylpT4e39', 'GaRLCbZtkwD2K1vbXK5'
Source: 0.3.e8RKyR4TEM.exe.26b655c.0.raw.unpack, SPayjE7B6DexRJWG5XN.cs High entropy of concatenated method names: 'IGD', 'CV5', 'OIiDIKc0yT', '_3k4', 'elq', 'hlH', 'yc1', 'Y17', '_2QC', 'En1'
Source: 0.3.e8RKyR4TEM.exe.26b655c.0.raw.unpack, tJbMp27aVMCHaQJTxAI.cs High entropy of concatenated method names: 'icFDVFLI0K', 'LauDWQQIln', '_8r1', 'rcDD3mrY19', 'ueUDXDnuR6', 'BvbD2eBIZS', 'XRIDxPvgYg', 'zZBxP6o0tySfsDHmNVM', 'boiIkhoFL5uFDSN6Dsr', 'F2EITfoZgTfnkWK1MGH'
Source: 0.3.e8RKyR4TEM.exe.26b655c.0.raw.unpack, mFL5NPutrdX9x7va5gk.cs High entropy of concatenated method names: '_625', 'YZ8', '_9pX', 'G9C', 'oNWOKZOH2DXIVPqd90A', 'kVIJ0yOmLhXQh0c15El', 'xgs4fIOyHJUoUeC0b7b', 'Y9rdLBOuNh88C7VNIoE', 'pbnyUyO5MX7q259ZEBA', 'u1Mcd2OaIyLU4bDQq45'
Source: 0.3.e8RKyR4TEM.exe.26b655c.0.raw.unpack, oSNy36L7HWgw8yXd9O.cs High entropy of concatenated method names: 'g25', 'YZ8', '_23T', 'G9C', 'IFyBwc1IR', 'vjCSYL6Q65IrAiUvIb0', 'qwLjmx6fefpuU9WZ2Ra', 'f3D9h86VrSqVRxnyCFI', 'uCHTL26AJslvOVUCj8W', 'ef25tY6T98UyKgvindY'
Source: 0.3.e8RKyR4TEM.exe.26b655c.0.raw.unpack, p8gMHnAnhx08RQpQdaJ.cs High entropy of concatenated method names: 'uxk', 'q7W', '_327', '_958', '_4Oz', 'r6z', 'r7o', 'Z83', 'L5N', 'VTw'
Source: 0.3.e8RKyR4TEM.exe.26b655c.0.raw.unpack, xMGEcLalZvdblXhlXUJ.cs High entropy of concatenated method names: 'GClsyKphe3', 'KtysEo2cjR', 'TFMszEYmdV', 'AVqMbK9BaQ', 'SLwM4F88RU', 'Gx1Mo2rf3t', 'igMMULNCPf', 'dw3Msopwrx', 'e3qMMO91Nj', 'CIm66f0W7SMVRd7DiPt'
Source: 0.3.e8RKyR4TEM.exe.26b655c.0.raw.unpack, rVll2LusivJBN2kwlwI.cs High entropy of concatenated method names: '_6H9', 'YZ8', '_66N', 'G9C', 'o83T7jeW7MDOB5eAni9', 'KlaSWPebENlJvl3CuYl', 'LGBcFlegh2FClpIxfMX', 'fR8FjceXQYTsa7NXDHV', 'u1IyYCetjFfrqGXvUt4', 'bcHTFBezAaBCgYanUfS'
Source: 0.3.e8RKyR4TEM.exe.26b655c.0.raw.unpack, fTEbjnJDRf0x5sD15Ib.cs High entropy of concatenated method names: 'kYrWkWMRlR', 'OGBWqQDMTs', 'wFVWfTkirs', 'uyhBZ2m1BI2HdgnuyOK', 'vAOhabmnhZ9v6POUhMi', 'gJ5T2mmdvUcXsDx6cUa', 'kfb2n3mSSTZJPILPDKp', 'MCbW0TeyMj', 'stFWaKBDWm', 't0kWVsYsBh'
Source: 0.3.e8RKyR4TEM.exe.26b655c.0.raw.unpack, PoxYOJT6P71YC9dpSy.cs High entropy of concatenated method names: '_52Y', 'YZ8', 'Eg4', 'G9C', 'gpbpk5URt', 'xoq0AN6RjWmfw6VlfdA', 'vPyI7q6xPnxM7PgBJBN', 'jj69726Hxv1E7l82WqO', 'mni1Kk6mT1cD9a7lJKZ', 'hBoiqe6yEl02u2fHgaa'
Source: 0.3.e8RKyR4TEM.exe.26b655c.0.raw.unpack, PR1a3IAx96670QPhWS6.cs High entropy of concatenated method names: 'hyEPeR2dvS', 'jhRPR3VSnc', 'wgAPhRlfrc', 'yOePukw63Y', 'w6jPnE7hPN', 'vKYks5GROCMFCUD13Uq', 'cpigJ0GZBoUjJd2LPGw', 'D3QpvlGvxRxji09mXhJ', 'PC7bSlGxmiOLeIt0ROx', 'yucBlvGHUR3eeqVnonh'
Source: 0.3.e8RKyR4TEM.exe.26b655c.0.raw.unpack, FQhSOJACiwr1GLf1Y6p.cs High entropy of concatenated method names: 'SZY2hAcONM', 'Kuk2uSZyx9', 'DI92nxaLv0', 'NZo25G6lq1', 'gQ02pXcM9Z', 'qJmV0natNYC74QDtGNv', 'NLIcrlazMw1pp9ENQfP', 'lTy6quagsfhPojUJyFF', 'qalqgraX0yLMQ3HhqdP', 'rZOZZopkpN27CXnvb4G'
Source: 0.3.e8RKyR4TEM.exe.26b655c.0.raw.unpack, t1sIeaAS53kwvRDtTtC.cs High entropy of concatenated method names: 'AJf2fLSWNx', 'piqkFqavG3Eubno4y6q', 'gKbkj7aRPfaoUOtYXp2', 'xS5Df1aF98mhuewuIh0', 'd3NkcsaZSq0HdRfrylA', 'ddb3wgiUHm', 'sLM3tjqCTh', 'PJM3OlWFon', 'kaP3eVcPm5', 'dQD3RLH5CF'
Source: 0.3.e8RKyR4TEM.exe.26b655c.0.raw.unpack, kEZPtqJUs4C2VcvWVQu.cs High entropy of concatenated method names: '_3VT', 'O5t', '_1W5', 'mW83XlRqHs', 'fv99UD8pYE', 'u6y32rdbda', 'VAH92mss8h', 'dOZtjTuA6mT80FqvibL', 'OPIOg1uTtPPAQfxHMR5', 'XRSjs8ufIHVEaJ5mcDK'
Source: 0.3.e8RKyR4TEM.exe.26b655c.0.raw.unpack, ygU1bpAF3JWruNJtbw6.cs High entropy of concatenated method names: '_4J6', '_5Di', '_1y5', '_77a', '_1X1', '_7fn', 'OUK', '_8S4', 'wUn', '_447'
Source: 0.3.e8RKyR4TEM.exe.26b655c.0.raw.unpack, I82rWmtrWRGLwt3N34.cs High entropy of concatenated method names: 'kcq', 'YZ8', '_4bQ', 'G9C', 'tJBxEBYeQ25lLhI42uL', 'CUD1wLYlJADGQa1q23O', 'HmDXG2YNWtytqT4p5ng', 'lMOFcBY2BMAmOkQ0kB8', 'pic0ZXYjsj97bNax1f9', 'fg50Q2YObWRTrSO0whD'
Source: 0.3.e8RKyR4TEM.exe.26b655c.0.raw.unpack, ketmLAuF3AmkFqC7WZC.cs High entropy of concatenated method names: '_6U6', 'YZ8', '_694', 'G9C', 'x4rTOSlRIXZRAiwrgHp', 'v59aU9lx2LJpBknXE72', 'GncPiXlHnq2W4hHTPlP', 'sRodQulmT7Us8jN2piZ', 'AFv7B0lyZdRgMuykJL7', 'M1UjgGluitu79gynhBJ'
Source: 0.3.e8RKyR4TEM.exe.26b655c.0.raw.unpack, zQ4vOeUTKi3rWWEiaB.cs High entropy of concatenated method names: '_8Ok', 'YZ8', 'InF', 'G9C', 'HTLbfUYioYBa9Q7uSii', 'I0dpY3Y0qTN39Xyq3ld', 'tV8NfmYFsL51etAYZnJ', 'd32jv8YZJdHkLmoy5rh', 'gEhYX8YvIP5W5GasqYJ', 'h9a1MsYRA3QxXGtsCnZ'
Source: 0.3.e8RKyR4TEM.exe.26b655c.0.raw.unpack, uj5nFaHCOKxkBSUfBQ.cs High entropy of concatenated method names: '_23T', 'YZ8', 'ELp', 'G9C', 'LPKxdWBbmnOvRXYyyBM', 'tS4rbhBgSg4xvOR5T8h', 'gdUFA3BXLYr0ZABLhiK', 'GI8HZbBt7sItOd8m37j', 'NEHNjIBziAFY1auWFmF', 'L2Ll0YJkq66mhs0jkJS'
Source: 0.3.e8RKyR4TEM.exe.26b655c.0.raw.unpack, c1VIJiANVYlZkNH1iGV.cs High entropy of concatenated method names: 'aXexe9AvWB', 'IKoxRgIZKv', 'RfxxhKJr1T', 'OQ6xuLQWPW', 'qQexnQ7Veu', 'o6tpZdpQ8nJ7TkbME50', 'HLDSCspfxYX8QWTYIRy', 'E7L08ZpEkti2iNv5vdu', 'VlKELnpLZaY1gcbs0WC', 'cUTkZbpV9tUZBy1nZvU'
Source: 0.3.e8RKyR4TEM.exe.26b655c.0.raw.unpack, JffhCwsRNjGxDdomXvs.cs High entropy of concatenated method names: 'l5ltIWBF0q', 'oB2tCf9LEZ', 'JXntDsmGqa', 'iG2tLwYBlS', 'Vylt13P2NH', 'S33t778Ldt', 'mcvt84dEg8', 'ffDtwDnbbm', 'J5HttwrLHF', 'IlxtOWRM4D'
Source: 0.3.e8RKyR4TEM.exe.26b655c.0.raw.unpack, xNthBMuREoL4NGQoYRt.cs High entropy of concatenated method names: 'p23', 'YZ8', 'Gog', 'G9C', 'y2HpeeNUSVPrfW2nIr7', 'NZkSfDNwnCEUqBsa2do', 'vyOHbPNDiqu8AHQR9rJ', 'S4EEKJN9CkGQJWPr7SD', 'WytQloNqoRrCOprA7D9', 'lyMAFmN4K26CXYvdVsm'
Source: 0.3.e8RKyR4TEM.exe.26b655c.0.raw.unpack, kkwN2oAVPxbBiYhpQ20.cs High entropy of concatenated method names: 'P29', '_3xW', 'bOP', 'Th1', '_36d', 'vfjSktHnXp', 'p1ZSqW7LdL', 'r8j', 'LS1', '_55S'
Source: 0.3.e8RKyR4TEM.exe.26b655c.0.raw.unpack, ywtxxbuBR5W8DXjG8yT.cs High entropy of concatenated method names: 'kNf', 'YZ8', 'U31', 'G9C', 'otsUiFNQF3TbqrpgIhc', 'jyrFxJNfIsqhRTMLUmp', 'pp70qrNVIY9yDHlBjbB', 'HaO8oANAJZmRJTh0oGL', 'xE6dxiNTaUB0eb0VR4R', 'TlBMVENoWfNUxnGdB33'
Source: 0.3.e8RKyR4TEM.exe.26b655c.0.raw.unpack, fGKs7ccvfPIFD4KxNG.cs High entropy of concatenated method names: 'T43', 'YZ8', '_56i', 'G9C', 'pQDwkl6OgMxc63DvUQO', 'iGMdvH63kCVMwces7Rc', 'ppZrgZ6sQE460SPbNrx', 'cbUKPl6clqKGxtC1OkB', 'myoqDR6Plafoe7YtIFD', 'd9RAD36i2ocb05yoGJK'
Source: 0.3.e8RKyR4TEM.exe.26b655c.0.raw.unpack, Alx067JHEK15yU8UtmV.cs High entropy of concatenated method names: 'AdP54XXFjp', 'lEh5zBAJ9M', 'ELD8QQy1wuUjZ75lo61', 'YGfjXsySgm15Xhna9fW', 'SiPPDOynhqLFxBkblrH', 'Ye9nNHydHfy1bv3AUVv'
Source: 0.3.e8RKyR4TEM.exe.26b655c.0.raw.unpack, npkSP7u06rmlM1ZHkBU.cs High entropy of concatenated method names: 'h3H4g7y0uW', 'SprST1j5ALRvZBKYDjM', 'sOgUYOjaupFYmDS8WPm', 'lMuo7ajyGPDKfnmFieh', 'Ao1VkyjuhFvOB49n3EI', 'GLx71MjprfeGXghuG1X', 'QLw', 'YZ8', 'cC5', 'G9C'

Persistence and Installation Behavior

Source: C:\msDriverSessionHost\chainProvider.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\msDriverSessionHost\chainProvider.exe File created: C:\ProgramData\WindowsHolographicDevices\SpatialStore\StartMenuExperienceHost.exe
Source: C:\Users\user\Desktop\e8RKyR4TEM.exe File created: C:\Users\user\AppData\Local\Temp\Free_changer_fix.exe
Source: C:\msDriverSessionHost\chainProvider.exe File created: C:\Program Files (x86)\Common Files\DESIGNER\cwxyiNpEtlalxKGPbFFnB.exe
Source: C:\msDriverSessionHost\chainProvider.exe File created: C:\Program Files (x86)\AutoIt3\Icons\cwxyiNpEtlalxKGPbFFnB.exe
Source: C:\msDriverSessionHost\chainProvider.exe File created: C:\Program Files (x86)\Mozilla Maintenance Service\cwxyiNpEtlalxKGPbFFnB.exe
Source: C:\msDriverSessionHost\chainProvider.exe File created: C:\Windows\SystemApps\cwxyiNpEtlalxKGPbFFnB.exe
Source: C:\msDriverSessionHost\chainProvider.exe File created: C:\Recovery\RuntimeBroker.exe
Source: C:\msDriverSessionHost\chainProvider.exe File created: C:\Program Files\Windows Media Player\cwxyiNpEtlalxKGPbFFnB.exe
Source: C:\msDriverSessionHost\chainProvider.exe File created: C:\Recovery\cwxyiNpEtlalxKGPbFFnB.exe
Source: C:\msDriverSessionHost\chainProvider.exe File created: C:\Users\Default\OneDrive\WinStore.App.exe
Source: C:\msDriverSessionHost\chainProvider.exe File created: C:\Program Files\Windows Defender\en-US\conhost.exe
Source: C:\msDriverSessionHost\chainProvider.exe File created: C:\msDriverSessionHost\RuntimeBroker.exe
Source: C:\Users\user\Desktop\e8RKyR4TEM.exe File created: C:\Users\user\AppData\Local\Temp\grunge cheat softwsre 0.28.4.exe
Source: C:\msDriverSessionHost\chainProvider.exe File created: C:\Users\user\cwxyiNpEtlalxKGPbFFnB.exe
Source: C:\msDriverSessionHost\chainProvider.exe File created: C:\Windows\ShellComponents\cwxyiNpEtlalxKGPbFFnB.exe
Source: C:\Users\user\AppData\Local\Temp\grunge cheat softwsre 0.28.4.exe File created: C:\msDriverSessionHost\chainProvider.exe
Source: C:\msDriverSessionHost\chainProvider.exe File created: C:\Program Files\Windows Sidebar\Shared Gadgets\cwxyiNpEtlalxKGPbFFnB.exe
Source: C:\msDriverSessionHost\chainProvider.exe File created: C:\msDriverSessionHost\cwxyiNpEtlalxKGPbFFnB.exe

Boot Survival

Source: C:\msDriverSessionHost\chainProvider.exe File created: C:\Users\user\cwxyiNpEtlalxKGPbFFnB.exe
Source: C:\msDriverSessionHost\chainProvider.exe Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "cwxyiNpEtlalxKGPbFFnBc" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Sidebar\Shared Gadgets\cwxyiNpEtlalxKGPbFFnB.exe'" /f
Source: C:\Users\user\Desktop\e8RKyR4TEM.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Free_changer_fix.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\grunge cheat softwsre 0.28.4.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\wscript.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\msDriverSessionHost\chainProvider.exe Process information set: NOOPENFILEERRORBOX
Source: C:\msDriverSessionHost\cwxyiNpEtlalxKGPbFFnB.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Free_changer_fix.exe Memory allocated: 1AB394E0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\Free_changer_fix.exe Memory allocated: 1AB52F20000 memory reserve | memory write watch
Source: C:\msDriverSessionHost\chainProvider.exe Memory allocated: 15A0000 memory reserve | memory write watch
Source: C:\msDriverSessionHost\chainProvider.exe Memory allocated: 1AF90000 memory reserve | memory write watch
Source: C:\msDriverSessionHost\cwxyiNpEtlalxKGPbFFnB.exe Memory allocated: BE0000 memory reserve | memory write watch
Source: C:\msDriverSessionHost\cwxyiNpEtlalxKGPbFFnB.exe Memory allocated: 1A6F0000 memory reserve | memory write watch
Source: C:\msDriverSessionHost\cwxyiNpEtlalxKGPbFFnB.exe Memory allocated: 1310000 memory reserve | memory write watch
Source: C:\msDriverSessionHost\cwxyiNpEtlalxKGPbFFnB.exe Memory allocated: 1AF70000 memory reserve | memory write watch
Source: C:\msDriverSessionHost\chainProvider.exe Thread delayed: delay time: 922337203685477
Source: C:\msDriverSessionHost\cwxyiNpEtlalxKGPbFFnB.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\wscript.exe Window found: window name: WSH-Timer
Source: C:\msDriverSessionHost\chainProvider.exe Window / User API: threadDelayed 941
Source: C:\msDriverSessionHost\chainProvider.exe Window / User API: threadDelayed 578
Source: C:\msDriverSessionHost\cwxyiNpEtlalxKGPbFFnB.exe Window / User API: threadDelayed 365
Source: C:\Users\user\AppData\Local\Temp\grunge cheat softwsre 0.28.4.exe Evasive API call chain: GetLocalTime,DecisionNodes
Source: C:\msDriverSessionHost\chainProvider.exe TID: 7280 Thread sleep count: 941 > 30
Source: C:\msDriverSessionHost\chainProvider.exe TID: 7280 Thread sleep count: 578 > 30
Source: C:\msDriverSessionHost\chainProvider.exe TID: 7252 Thread sleep time: -922337203685477s >= -30000s
Source: C:\msDriverSessionHost\cwxyiNpEtlalxKGPbFFnB.exe TID: 8080 Thread sleep count: 365 > 30
Source: C:\msDriverSessionHost\cwxyiNpEtlalxKGPbFFnB.exe TID: 7972 Thread sleep time: -922337203685477s >= -30000s
Source: C:\msDriverSessionHost\cwxyiNpEtlalxKGPbFFnB.exe TID: 8056 Thread sleep count: 212 > 30
Source: C:\msDriverSessionHost\cwxyiNpEtlalxKGPbFFnB.exe TID: 8076 Thread sleep count: 126 > 30
Source: C:\msDriverSessionHost\cwxyiNpEtlalxKGPbFFnB.exe TID: 7760 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\msDriverSessionHost\chainProvider.exe File Volume queried: C:\ FullSizeInformation
Source: C:\msDriverSessionHost\cwxyiNpEtlalxKGPbFFnB.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\AppData\Local\Temp\grunge cheat softwsre 0.28.4.exe Code function: 2_2_0058A5F4 FindFirstFileW,FindFirstFileW,GetLastError,FindNextFileW,GetLastError, 2_2_0058A5F4
Source: C:\Users\user\AppData\Local\Temp\grunge cheat softwsre 0.28.4.exe Code function: 2_2_0059B8E0 SendDlgItemMessageW,EndDialog,GetDlgItem,SetFocus,SetDlgItemTextW,SendDlgItemMessageW,FindFirstFileW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,FindClose,_swprintf,SetDlgItemTextW,SendDlgItemMessageW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,_swprintf,SetDlgItemTextW, 2_2_0059B8E0
Source: C:\Users\user\AppData\Local\Temp\grunge cheat softwsre 0.28.4.exe Code function: 2_2_0059DD72 VirtualQuery,GetSystemInfo, 2_2_0059DD72
Source: C:\msDriverSessionHost\chainProvider.exe File opened: C:\Users\user
Source: C:\msDriverSessionHost\chainProvider.exe File opened: C:\Users\user\Documents\desktop.ini
Source: C:\msDriverSessionHost\chainProvider.exe File opened: C:\Users\user\AppData
Source: C:\msDriverSessionHost\chainProvider.exe File opened: C:\Users\user\AppData\Local\Temp
Source: C:\msDriverSessionHost\chainProvider.exe File opened: C:\Users\user\Desktop\desktop.ini
Source: C:\msDriverSessionHost\chainProvider.exe File opened: C:\Users\user\AppData\Local
Source: grunge cheat softwsre 0.28.4.exe, 00000002.00000003.1629304420.0000000003534000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: e8RKyR4TEM.exe, Free_changer_fix.exe.0.dr Binary or memory string: eMrQSphGFsLXbDwLtHFo
Source: wscript.exe, 00000003.00000002.1662311225.000000000089F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
Source: chainProvider.exe, 00000007.00000002.1699096850.000000001C4B4000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: dRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-1,s
Source: C:\Users\user\AppData\Local\Temp\grunge cheat softwsre 0.28.4.exe API call chain: ExitProcess graph end node
Source: C:\msDriverSessionHost\chainProvider.exe Process information queried: ProcessInformation
Source: C:\Users\user\AppData\Local\Temp\grunge cheat softwsre 0.28.4.exe Code function: 2_2_005A866F IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 2_2_005A866F
Source: C:\Users\user\AppData\Local\Temp\grunge cheat softwsre 0.28.4.exe Code function: 2_2_005A753D mov eax, dword ptr fs:[00000030h] 2_2_005A753D
Source: C:\Users\user\AppData\Local\Temp\grunge cheat softwsre 0.28.4.exe Code function: 2_2_005AB710 GetProcessHeap, 2_2_005AB710
Source: C:\Users\user\AppData\Local\Temp\Free_changer_fix.exe Process token adjusted: Debug
Source: C:\msDriverSessionHost\chainProvider.exe Process token adjusted: Debug
Source: C:\msDriverSessionHost\cwxyiNpEtlalxKGPbFFnB.exe Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\grunge cheat softwsre 0.28.4.exe Code function: 2_2_0059F063 SetUnhandledExceptionFilter, 2_2_0059F063
Source: C:\Users\user\AppData\Local\Temp\grunge cheat softwsre 0.28.4.exe Code function: 2_2_0059F22B SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 2_2_0059F22B
Source: C:\Users\user\AppData\Local\Temp\grunge cheat softwsre 0.28.4.exe Code function: 2_2_0059EF05 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 2_2_0059EF05
Source: C:\Users\user\AppData\Local\Temp\Free_changer_fix.exe Memory allocated: page read and write | page guard
Source: C:\Users\user\Desktop\e8RKyR4TEM.exe Process created: C:\Users\user\AppData\Local\Temp\Free_changer_fix.exe "C:\Users\user\AppData\Local\Temp\Free_changer_fix.exe"
Source: C:\Users\user\Desktop\e8RKyR4TEM.exe Process created: C:\Users\user\AppData\Local\Temp\grunge cheat softwsre 0.28.4.exe "C:\Users\user\AppData\Local\Temp\grunge cheat softwsre 0.28.4.exe"
Source: C:\Users\user\AppData\Local\Temp\grunge cheat softwsre 0.28.4.exe Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\msDriverSessionHost\myVrliqnAWGzbaQrrwFJCBOXabSQn5.vbe"
Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\msDriverSessionHost\LoFbtYsm9QvENfKMo8zDNNjCY.bat" "
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\msDriverSessionHost\chainProvider.exe "C:\msDriverSessionHost\chainProvider.exe"
Source: C:\msDriverSessionHost\chainProvider.exe Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows Defender\en-US\conhost.exe'" /rl HIGHEST /f
Source: C:\Users\user\AppData\Local\Temp\grunge cheat softwsre 0.28.4.exe Code function: 2_2_0059ED5B cpuid 2_2_0059ED5B
Source: C:\Users\user\AppData\Local\Temp\grunge cheat softwsre 0.28.4.exe Code function: GetLocaleInfoW,GetNumberFormatW, 2_2_0059A63C
Source: C:\Users\user\AppData\Local\Temp\Free_changer_fix.exe Queries volume information: C:\Users\user\AppData\Local\Temp\Free_changer_fix.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Free_changer_fix.exe Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Free_changer_fix.exe Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Free_changer_fix.exe Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Free_changer_fix.exe Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Free_changer_fix.exe Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Free_changer_fix.exe Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Free_changer_fix.exe Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Free_changer_fix.exe Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Free_changer_fix.exe Queries volume information: C:\Windows\Fonts\Candaral.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Free_changer_fix.exe Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Free_changer_fix.exe Queries volume information: C:\Windows\Fonts\Candarali.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Free_changer_fix.exe Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Free_changer_fix.exe Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Free_changer_fix.exe Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Free_changer_fix.exe Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Free_changer_fix.exe Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Free_changer_fix.exe Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Free_changer_fix.exe Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Free_changer_fix.exe Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Free_changer_fix.exe Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Free_changer_fix.exe Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Free_changer_fix.exe Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Free_changer_fix.exe Queries volume information: C:\Windows\Fonts\corbell.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Free_changer_fix.exe Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Free_changer_fix.exe Queries volume information: C:\Windows\Fonts\corbelli.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Free_changer_fix.exe Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Free_changer_fix.exe Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Free_changer_fix.exe Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Free_changer_fix.exe Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Free_changer_fix.exe Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Free_changer_fix.exe Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Free_changer_fix.exe Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Free_changer_fix.exe Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Free_changer_fix.exe Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Free_changer_fix.exe Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Free_changer_fix.exe Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Free_changer_fix.exe Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Free_changer_fix.exe Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Free_changer_fix.exe Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Free_changer_fix.exe Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Free_changer_fix.exe Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Free_changer_fix.exe Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Free_changer_fix.exe Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Free_changer_fix.exe Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Free_changer_fix.exe Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Free_changer_fix.exe Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Free_changer_fix.exe Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Free_changer_fix.exe Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Free_changer_fix.exe Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Free_changer_fix.exe Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Free_changer_fix.exe Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Free_changer_fix.exe Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Free_changer_fix.exe Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Free_changer_fix.exe Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Free_changer_fix.exe Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Free_changer_fix.exe Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Free_changer_fix.exe Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Free_changer_fix.exe Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Free_changer_fix.exe Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Free_changer_fix.exe Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Free_changer_fix.exe Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Free_changer_fix.exe Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Free_changer_fix.exe Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Free_changer_fix.exe Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Free_changer_fix.exe Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Free_changer_fix.exe Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Free_changer_fix.exe Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Free_changer_fix.exe Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Free_changer_fix.exe Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Free_changer_fix.exe Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Free_changer_fix.exe Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Free_changer_fix.exe Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Free_changer_fix.exe Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Free_changer_fix.exe Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Free_changer_fix.exe Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Free_changer_fix.exe Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Free_changer_fix.exe Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Free_changer_fix.exe Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Free_changer_fix.exe Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Free_changer_fix.exe Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Free_changer_fix.exe Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Free_changer_fix.exe Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Free_changer_fix.exe Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Free_changer_fix.exe Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Free_changer_fix.exe Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Free_changer_fix.exe Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Free_changer_fix.exe Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Free_changer_fix.exe Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Free_changer_fix.exe Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Free_changer_fix.exe Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Free_changer_fix.exe Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Free_changer_fix.exe Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Free_changer_fix.exe Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Free_changer_fix.exe Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Free_changer_fix.exe Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Free_changer_fix.exe Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Free_changer_fix.exe Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Free_changer_fix.exe Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Free_changer_fix.exe Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Free_changer_fix.exe Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Free_changer_fix.exe Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Free_changer_fix.exe Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Free_changer_fix.exe Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Free_changer_fix.exe Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Free_changer_fix.exe Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Free_changer_fix.exe Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Free_changer_fix.exe Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Free_changer_fix.exe Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Free_changer_fix.exe Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Free_changer_fix.exe Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Free_changer_fix.exe Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Free_changer_fix.exe Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Free_changer_fix.exe Queries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Free_changer_fix.exe Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Free_changer_fix.exe Queries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Free_changer_fix.exe Queries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Free_changer_fix.exe Queries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Free_changer_fix.exe Queries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Free_changer_fix.exe Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Free_changer_fix.exe Queries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Free_changer_fix.exe Queries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Free_changer_fix.exe Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Free_changer_fix.exe Queries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Free_changer_fix.exe Queries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Free_changer_fix.exe Queries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Free_changer_fix.exe Queries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Free_changer_fix.exe Queries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Free_changer_fix.exe Queries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Free_changer_fix.exe Queries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Free_changer_fix.exe Queries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Free_changer_fix.exe Queries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Free_changer_fix.exe Queries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Free_changer_fix.exe Queries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Free_changer_fix.exe Queries volume information: C:\Windows\Fonts\DUBAI-REGULAR.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Free_changer_fix.exe Queries volume information: C:\Windows\Fonts\DUBAI-MEDIUM.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Free_changer_fix.exe Queries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Free_changer_fix.exe Queries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Free_changer_fix.exe Queries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Free_changer_fix.exe Queries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Free_changer_fix.exe Queries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Free_changer_fix.exe Queries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Free_changer_fix.exe Queries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Free_changer_fix.exe Queries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Free_changer_fix.exe Queries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Free_changer_fix.exe Queries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Free_changer_fix.exe Queries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Free_changer_fix.exe Queries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Free_changer_fix.exe Queries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Free_changer_fix.exe Queries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Free_changer_fix.exe Queries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Free_changer_fix.exe Queries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation
Source: C:\msDriverSessionHost\chainProvider.exe Queries volume information: C:\msDriverSessionHost\chainProvider.exe VolumeInformation
Source: C:\msDriverSessionHost\cwxyiNpEtlalxKGPbFFnB.exe Queries volume information: C:\msDriverSessionHost\cwxyiNpEtlalxKGPbFFnB.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\grunge cheat softwsre 0.28.4.exe Code function: 2_2_0059D5D4 GetCommandLineW,OpenFileMappingW,MapViewOfFile,UnmapViewOfFile,CloseHandle,GetModuleFileNameW,SetEnvironmentVariableW,GetLocalTime,_swprintf,SetEnvironmentVariableW,GetModuleHandleW,LoadIconW,DialogBoxParamW,Sleep,DeleteObject,DeleteObject,CloseHandle, 2_2_0059D5D4
Source: C:\Users\user\AppData\Local\Temp\grunge cheat softwsre 0.28.4.exe Code function: 2_2_0058ACF5 GetVersionExW, 2_2_0058ACF5
Source: C:\Users\user\AppData\Local\Temp\Free_changer_fix.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: C:\Windows\System32\schtasks.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\SecurityCenter2 : AntiVirusProduct

Stealing of Sensitive Information

Source: Yara match File source: 00000019.00000002.1797847188.0000000002FB9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000016.00000002.1797997676.0000000002736000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000016.00000002.1797997676.0000000002705000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.1694520056.00000000034B0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000019.00000002.1797847188.0000000002F71000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.1694520056.0000000002F91000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: chainProvider.exe PID: 7232, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: cwxyiNpEtlalxKGPbFFnB.exe PID: 7500, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: cwxyiNpEtlalxKGPbFFnB.exe PID: 7544, type: MEMORYSTR
Source: Yara match File source: e8RKyR4TEM.exe, type: SAMPLE
Source: Yara match File source: 0.0.e8RKyR4TEM.exe.409294.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.0.Free_changer_fix.exe.1ab38f00000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.e8RKyR4TEM.exe.409294.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.e8RKyR4TEM.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000001.00000000.1618643952.000001AB38F02000.00000002.00000001.01000000.00000005.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.1619227029.0000000002666000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000000.1614105143.0000000000408000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\Free_changer_fix.exe, type: DROPPED
Source: Yara match File source: e8RKyR4TEM.exe, type: SAMPLE
Source: Yara match File source: 0.0.e8RKyR4TEM.exe.409294.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.e8RKyR4TEM.exe.400000.0.unpack, type: UNPACKEDPE

Remote Access Functionality

Source: Yara match File source: 00000019.00000002.1797847188.0000000002FB9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000016.00000002.1797997676.0000000002736000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000016.00000002.1797997676.0000000002705000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.1694520056.00000000034B0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000019.00000002.1797847188.0000000002F71000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.1694520056.0000000002F91000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: chainProvider.exe PID: 7232, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: cwxyiNpEtlalxKGPbFFnB.exe PID: 7500, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: cwxyiNpEtlalxKGPbFFnB.exe PID: 7544, type: MEMORYSTR
Source: Yara match File source: e8RKyR4TEM.exe, type: SAMPLE
Source: Yara match File source: 0.0.e8RKyR4TEM.exe.409294.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.0.Free_changer_fix.exe.1ab38f00000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.e8RKyR4TEM.exe.409294.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.e8RKyR4TEM.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000001.00000000.1618643952.000001AB38F02000.00000002.00000001.01000000.00000005.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.1619227029.0000000002666000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000000.1614105143.0000000000408000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\Free_changer_fix.exe, type: DROPPED
Source: Yara match File source: e8RKyR4TEM.exe, type: SAMPLE
Source: Yara match File source: 0.0.e8RKyR4TEM.exe.409294.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.e8RKyR4TEM.exe.400000.0.unpack, type: UNPACKEDPE
No contacted IP infos