Windows Analysis Report
hDKY4f6gEA.exe

Overview

General Information

Sample name: hDKY4f6gEA.exe (renamed because the original name is a hash value)
Original sample name: 3e40d7f0c47407447c1fa9be4ec0f714.exe
Analysis ID: 1523783
MD5: 3e40d7f0c47407447c1fa9be4ec0f714
SHA1: f8633060aa590db85a70e9d1ae220b220ed03a98
SHA256: 497ac5eb72b62c3db2d5383bc2823bf38596e00d877ec7e9d572a94830f07a0e
Tags: DCRat, exe, user-abuse_ch

Detection

DCRat
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Found malware configuration
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected DCRat
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
AI detected suspicious sample
Creates processes via WMI
Disable UAC(promptonsecuredesktop)
Disables UAC (registry)
Drops PE files to the user root directory
Drops PE files with benign system names
Drops executable to a common third party application directory
Machine Learning detection for dropped file
Machine Learning detection for sample
Sigma detected: Files With System Process Name In Unsuspected Locations
Sigma detected: System File Execution Location Anomaly
Allocates memory with a write watch (potentially for evading sandboxes)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Detected potential crypto function
Drops PE files
Drops PE files to the application program directory (C:\ProgramData)
Drops PE files to the user directory
Drops PE files to the windows directory (C:\Windows)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

AV Detection

Source: hDKY4f6gEA.exe Avira: detected
Source: C:\Program Files (x86)\Internet Explorer\RCXB6AF.tmp Avira: detection malicious, Label: HEUR/AGEN.1323984
Source: C:\Program Files (x86)\WindowsPowerShell\dllhost.exe Avira: detection malicious, Label: HEUR/AGEN.1323984
Source: C:\Program Files\Windows Defender\RCXA207.tmp Avira: detection malicious, Label: HEUR/AGEN.1323984
Source: C:\ProgramData\Microsoft\MapData\RCXB47C.tmp Avira: detection malicious, Label: HEUR/AGEN.1323984
Source: C:\Program Files\Windows Multimedia Platform\RCXAA37.tmp Avira: detection malicious, Label: HEUR/AGEN.1323984
Source: C:\Program Files (x86)\Java\jre-1.8\IfYiMMRuvSUMKHkp.exe Avira: detection malicious, Label: HEUR/AGEN.1323984
Source: C:\Program Files (x86)\Microsoft Office\RuntimeBroker.exe Avira: detection malicious, Label: HEUR/AGEN.1323984
Source: C:\Program Files (x86)\Java\jre-1.8\RCXA65D.tmp Avira: detection malicious, Label: HEUR/AGEN.1323984
Source: C:\ProgramData\Microsoft\MapData\SystemSettings.exe Avira: detection malicious, Label: HEUR/AGEN.1323984
Source: C:\Program Files\Microsoft\OneDrive\RCXC626.tmp Avira: detection malicious, Label: HEUR/AGEN.1323984
Source: C:\Program Files (x86)\Microsoft Office\RCXB219.tmp Avira: detection malicious, Label: HEUR/AGEN.1323984
Source: C:\Program Files (x86)\Internet Explorer\services.exe Avira: detection malicious, Label: HEUR/AGEN.1323984
Source: C:\Program Files\Uninstall Information\RCXB8D3.tmp Avira: detection malicious, Label: HEUR/AGEN.1323984
Source: C:\Program Files (x86)\WindowsPowerShell\RCX9FD4.tmp Avira: detection malicious, Label: HEUR/AGEN.1323984
Source: C:\Program Files\Uninstall Information\wininit.exe Avira: detection malicious, Label: HEUR/AGEN.1323984
Source: 00000014.00000002.1780644862.0000000012B81000.00000004.00000800.00020000.00000000.sdmp Malware Configuration Extractor: DCRat {"SCRT": "{\"3\":\"-\",\"x\":\"`\",\"B\":\".\",\"L\":\",\",\"6\":\"$\",\"n\":\"*\",\"9\":\"%\",\"M\":\"~\",\"o\":\"&\",\"I\":\";\",\"y\":\"^\",\"Z\":\"_\",\"g\":\")\",\"A\":\"#\",\"C\":\" \",\"X\":\"(\",\"i\":\"!\",\"H\":\"|\",\"0\":\"@\",\"m\":\"<\",\"J\":\">\"}", "PCRT": "{\"F\":\".\",\"J\":\"|\",\"o\":\"%\",\"C\":\"@\",\"1\":\"`\",\"U\":\"$\",\"l\":\"!\",\"3\":\"<\",\"a\":\"-\",\"V\":\",\",\"m\":\"~\",\"e\":\"*\",\"Y\":\"#\",\"S\":\">\",\"d\":\";\",\"0\":\")\",\"k\":\"^\",\"Q\":\" \",\"E\":\"(\",\"Z\":\"&\",\"W\":\"_\"}", "TAG": "", "MUTEX": "DCR_MUTEX-jEyOhPUj2jRHWsBrfp7T", "LDTM": false, "DBG": false, "SST": 5, "SMST": 2, "BCS": 0, "AUR": 1, "ASCFG": {"savebrowsersdatatosinglefile": false, "ignorepartiallyemptydata": false, "cookies": true, "passwords": true, "forms": true, "cc": true, "history": false, "telegram": true, "steam": true, "discord": true, "filezilla": true, "screenshot": true, "clipboard": true, "sysinfo": true, "searchpath": "%UsersFolder% - Fast"}, "AS": true, "ASO": false, "AD": false}
Source: C:\Program Files (x86)\Internet Explorer\services.exe ReversingLabs: Detection: 84%
Source: C:\Program Files (x86)\Internet Explorer\services.exe Virustotal: Detection: 67%
Source: C:\Program Files (x86)\Java\jre-1.8\IfYiMMRuvSUMKHkp.exe ReversingLabs: Detection: 84%
Source: C:\Program Files (x86)\Java\jre-1.8\IfYiMMRuvSUMKHkp.exe Virustotal: Detection: 67%
Source: C:\Program Files (x86)\Microsoft Office\RuntimeBroker.exe ReversingLabs: Detection: 84%
Source: C:\Program Files (x86)\Microsoft Office\RuntimeBroker.exe Virustotal: Detection: 67%
Source: C:\Program Files (x86)\WindowsPowerShell\dllhost.exe ReversingLabs: Detection: 84%
Source: C:\Program Files (x86)\WindowsPowerShell\dllhost.exe Virustotal: Detection: 67%
Source: C:\Program Files\Microsoft\OneDrive\IfYiMMRuvSUMKHkp.exe ReversingLabs: Detection: 84%
Source: C:\Program Files\Microsoft\OneDrive\IfYiMMRuvSUMKHkp.exe Virustotal: Detection: 67%
Source: C:\Program Files\Uninstall Information\wininit.exe ReversingLabs: Detection: 84%
Source: C:\Program Files\Uninstall Information\wininit.exe Virustotal: Detection: 67%
Source: C:\Program Files\Windows Defender\IfYiMMRuvSUMKHkp.exe ReversingLabs: Detection: 84%
Source: C:\Program Files\Windows Defender\IfYiMMRuvSUMKHkp.exe Virustotal: Detection: 67%
Source: C:\Program Files\Windows Multimedia Platform\IfYiMMRuvSUMKHkp.exe ReversingLabs: Detection: 84%
Source: C:\Program Files\Windows Multimedia Platform\IfYiMMRuvSUMKHkp.exe Virustotal: Detection: 67%
Source: C:\ProgramData\Microsoft\MapData\SystemSettings.exe ReversingLabs: Detection: 84%
Source: C:\ProgramData\Microsoft\MapData\SystemSettings.exe Virustotal: Detection: 67%
Source: C:\Recovery\IfYiMMRuvSUMKHkp.exe ReversingLabs: Detection: 84%
Source: C:\Recovery\IfYiMMRuvSUMKHkp.exe Virustotal: Detection: 67%
Source: hDKY4f6gEA.exe ReversingLabs: Detection: 84%
Source: hDKY4f6gEA.exe Virustotal: Detection: 67%
Source: Submitted Sample Integrated Neural Analysis Model: Matched 100.0% probability
Source: C:\Program Files (x86)\Internet Explorer\RCXB6AF.tmp Joe Sandbox ML: detected
Source: C:\Program Files (x86)\WindowsPowerShell\dllhost.exe Joe Sandbox ML: detected
Source: C:\Program Files\Windows Defender\RCXA207.tmp Joe Sandbox ML: detected
Source: C:\ProgramData\Microsoft\MapData\RCXB47C.tmp Joe Sandbox ML: detected
Source: C:\Program Files\Windows Multimedia Platform\RCXAA37.tmp Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Java\jre-1.8\IfYiMMRuvSUMKHkp.exe Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Microsoft Office\RuntimeBroker.exe Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Java\jre-1.8\RCXA65D.tmp Joe Sandbox ML: detected
Source: C:\ProgramData\Microsoft\MapData\SystemSettings.exe Joe Sandbox ML: detected
Source: C:\Program Files\Microsoft\OneDrive\RCXC626.tmp Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Microsoft Office\RCXB219.tmp Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Internet Explorer\services.exe Joe Sandbox ML: detected
Source: C:\Program Files\Uninstall Information\RCXB8D3.tmp Joe Sandbox ML: detected
Source: C:\Program Files (x86)\WindowsPowerShell\RCX9FD4.tmp Joe Sandbox ML: detected
Source: C:\Program Files\Uninstall Information\wininit.exe Joe Sandbox ML: detected
Source: hDKY4f6gEA.exe Joe Sandbox ML: detected
Source: hDKY4f6gEA.exe Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
Source: C:\Users\user\Desktop\hDKY4f6gEA.exe Directory created: C:\Program Files\Windows Defender\IfYiMMRuvSUMKHkp.exe
Source: C:\Users\user\Desktop\hDKY4f6gEA.exe Directory created: C:\Program Files\Windows Defender\047efad0ccc033
Source: C:\Users\user\Desktop\hDKY4f6gEA.exe Directory created: C:\Program Files\Windows Multimedia Platform\IfYiMMRuvSUMKHkp.exe
Source: C:\Users\user\Desktop\hDKY4f6gEA.exe Directory created: C:\Program Files\Windows Multimedia Platform\047efad0ccc033
Source: C:\Users\user\Desktop\hDKY4f6gEA.exe Directory created: C:\Program Files\Uninstall Information\wininit.exe
Source: C:\Users\user\Desktop\hDKY4f6gEA.exe Directory created: C:\Program Files\Uninstall Information\56085415360792
Source: C:\Users\user\Desktop\hDKY4f6gEA.exe Directory created: C:\Program Files\Microsoft\OneDrive\IfYiMMRuvSUMKHkp.exe
Source: C:\Users\user\Desktop\hDKY4f6gEA.exe Directory created: C:\Program Files\Microsoft\OneDrive\047efad0ccc033
Source: C:\Users\user\Desktop\hDKY4f6gEA.exe Directory created: C:\Program Files\Windows Defender\RCXA207.tmp
Source: C:\Users\user\Desktop\hDKY4f6gEA.exe Directory created: C:\Program Files\Windows Multimedia Platform\RCXAA37.tmp
Source: C:\Users\user\Desktop\hDKY4f6gEA.exe Directory created: C:\Program Files\Uninstall Information\RCXB8D3.tmp
Source: C:\Users\user\Desktop\hDKY4f6gEA.exe Directory created: C:\Program Files\Microsoft\OneDrive\RCXC626.tmp
Source: hDKY4f6gEA.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: C:\Users\user\Desktop\hDKY4f6gEA.exe File opened: C:\Users\user\AppData\Roaming
Source: C:\Users\user\Desktop\hDKY4f6gEA.exe File opened: C:\Users\user
Source: C:\Users\user\Desktop\hDKY4f6gEA.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Internet Explorer
Source: C:\Users\user\Desktop\hDKY4f6gEA.exe File opened: C:\Users\user\AppData\Roaming\Microsoft
Source: C:\Users\user\Desktop\hDKY4f6gEA.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini
Source: C:\Users\user\Desktop\hDKY4f6gEA.exe File opened: C:\Users\user\AppData

Networking

Source: Network traffic Suricata IDS: 2034194 - Severity 1 - ET MALWARE DCRAT Activity (GET) : 192.168.2.4:49741 -> 141.8.192.103:80
Source: hDKY4f6gEA.exe, 00000000.00000002.1931637010.00000000032B1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: hDKY4f6gEA.exe, 00000000.00000002.2004400234.000000001C7B3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://aka.ms/Vh5j3k
Source: hDKY4f6gEA.exe, 00000000.00000002.2004400234.000000001C7B3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://aka.ms/odirm2
Source: C:\Users\user\Desktop\hDKY4f6gEA.exe File created: C:\Windows\Registration\CRMLog\IfYiMMRuvSUMKHkp.exe
Source: C:\Users\user\Desktop\hDKY4f6gEA.exe File created: C:\Windows\Registration\CRMLog\IfYiMMRuvSUMKHkp.exe\:Zone.Identifier:$DATA
Source: C:\Users\user\Desktop\hDKY4f6gEA.exe File created: C:\Windows\Registration\CRMLog\047efad0ccc033
Source: C:\Users\user\Desktop\hDKY4f6gEA.exe File created: C:\Windows\LiveKernelReports\System.exe
Source: C:\Users\user\Desktop\hDKY4f6gEA.exe File created: C:\Windows\LiveKernelReports\System.exe\:Zone.Identifier:$DATA
Source: C:\Users\user\Desktop\hDKY4f6gEA.exe File created: C:\Windows\LiveKernelReports\27d1bcfc3c54e0
Source: C:\Users\user\Desktop\hDKY4f6gEA.exe File created: C:\Windows\Registration\CRMLog\RCX9C96.tmp
Source: C:\Users\user\Desktop\hDKY4f6gEA.exe File created: C:\Windows\LiveKernelReports\RCXAD07.tmp
Source: C:\Users\user\Desktop\hDKY4f6gEA.exe Code function: 0_2_00007FFD9B8B8BF2 0_2_00007FFD9B8B8BF2
Source: C:\Users\user\Desktop\hDKY4f6gEA.exe Code function: 0_2_00007FFD9B8A34C5 0_2_00007FFD9B8A34C5
Source: C:\Program Files (x86)\WindowsPowerShell\dllhost.exe Code function: 17_2_00007FFD9B8834C5 17_2_00007FFD9B8834C5
Source: C:\Program Files (x86)\WindowsPowerShell\dllhost.exe Code function: 20_2_00007FFD9B8834C5 20_2_00007FFD9B8834C5
Source: C:\Program Files\Windows Defender\IfYiMMRuvSUMKHkp.exe Code function: 21_2_00007FFD9B8B34C5 21_2_00007FFD9B8B34C5
Source: C:\Recovery\IfYiMMRuvSUMKHkp.exe Code function: 24_2_00007FFD9B8A34C5 24_2_00007FFD9B8A34C5
Source: hDKY4f6gEA.exe, 00000000.00000002.1923149196.0000000003180000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameDisableUAC.dclib4 vs hDKY4f6gEA.exe
Source: hDKY4f6gEA.exe, 00000000.00000002.2001593529.000000001BC90000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameFileSearcher.dclib4 vs hDKY4f6gEA.exe
Source: hDKY4f6gEA.exe, 00000000.00000002.2003824745.000000001C626000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameczHEjglJqNje4j.exeD vs hDKY4f6gEA.exe
Source: hDKY4f6gEA.exe, 00000000.00000002.2003824745.000000001C626000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFileName vs hDKY4f6gEA.exe
Source: hDKY4f6gEA.exe, 00000000.00000002.2001695665.000000001BCC0000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenamePerformanceCounter.dclib4 vs hDKY4f6gEA.exe
Source: hDKY4f6gEA.exe, 00000000.00000002.1931637010.00000000032B1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilename vs hDKY4f6gEA.exe
Source: hDKY4f6gEA.exe, 00000000.00000002.2001830299.000000001BCF0000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilename( vs hDKY4f6gEA.exe
Source: hDKY4f6gEA.exe, 00000000.00000002.2001620032.000000001BCA0000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilename( vs hDKY4f6gEA.exe
Source: hDKY4f6gEA.exe, 00000000.00000000.1646003846.0000000000F92000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameczHEjglJqNje4j.exeD vs hDKY4f6gEA.exe
Source: hDKY4f6gEA.exe, 00000000.00000002.1917323582.0000000003160000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameBuildInstallationTweaksPlugin.dll\ vs hDKY4f6gEA.exe
Source: hDKY4f6gEA.exe, 00000000.00000002.1931637010.00000000039F5000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilename vs hDKY4f6gEA.exe
Source: hDKY4f6gEA.exe, 00000000.00000002.1931637010.00000000039F5000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilename vs hDKY4f6gEA.exe
Source: hDKY4f6gEA.exe, 00000000.00000002.1931637010.00000000039F5000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilename8Em.exeD vs hDKY4f6gEA.exe
Source: hDKY4f6gEA.exe, 00000000.00000002.2004146373.000000001C6C7000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameczHEjglJqNje4j.exeD vs hDKY4f6gEA.exe
Source: hDKY4f6gEA.exe, 00000000.00000002.1907175697.0000000003150000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilename( vs hDKY4f6gEA.exe
Source: hDKY4f6gEA.exe, 00000000.00000002.2003030686.000000001C310000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameUSBSpread.dll4 vs hDKY4f6gEA.exe
Source: hDKY4f6gEA.exe, 00000000.00000002.2001662201.000000001BCB0000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameMessageOnStart.dclib4 vs hDKY4f6gEA.exe
Source: hDKY4f6gEA.exe, 00000000.00000002.2001735131.000000001BCD0000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilename4 vs hDKY4f6gEA.exe
Source: hDKY4f6gEA.exe, 00000000.00000002.2003068454.000000001C320000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameUserPingCounter.dclib4 vs hDKY4f6gEA.exe
Source: hDKY4f6gEA.exe, 00000000.00000002.2002384341.000000001C160000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilename05JTO83N2fiTkzY7mAmsYr6I.exeD vs hDKY4f6gEA.exe
Source: hDKY4f6gEA.exe, 00000000.00000002.2002384341.000000001C160000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameKpWuOxD.exeD vs hDKY4f6gEA.exe
Source: hDKY4f6gEA.exe, 00000000.00000002.2002384341.000000001C160000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameUzTvyhlVVu40TT576Y.exeD vs hDKY4f6gEA.exe
Source: hDKY4f6gEA.exe, 00000000.00000002.2003217197.000000001C530000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilename( vs hDKY4f6gEA.exe
Source: hDKY4f6gEA.exe, 00000000.00000002.2001776395.000000001BCE0000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilename4 vs hDKY4f6gEA.exe
Source: hDKY4f6gEA.exe, 00000000.00000002.1920485409.0000000003170000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameCrashLogger.dclib4 vs hDKY4f6gEA.exe
Source: hDKY4f6gEA.exe Binary or memory string: OriginalFilenameczHEjglJqNje4j.exeD vs hDKY4f6gEA.exe
Source: hDKY4f6gEA.exe Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
Source: hDKY4f6gEA.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: IfYiMMRuvSUMKHkp.exe.0.dr Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: smss.exe.0.dr Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: IfYiMMRuvSUMKHkp.exe0.0.dr Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: IfYiMMRuvSUMKHkp.exe1.0.dr Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: hDKY4f6gEA.exe, Ihuc0rACJiWN9h9ly0f.cs Cryptographic APIs: 'TransformBlock'
Source: hDKY4f6gEA.exe, Ihuc0rACJiWN9h9ly0f.cs Cryptographic APIs: 'TransformFinalBlock'
Source: hDKY4f6gEA.exe, HJAsWTEQN9udHE418u8.cs Cryptographic APIs: 'CreateDecryptor'
Source: classification engine Classification label: mal100.troj.evad.winEXE@26/84@0/0
Source: C:\Users\user\Desktop\hDKY4f6gEA.exe File created: C:\Program Files (x86)\windowspowershell\dllhost.exe
Source: C:\Users\user\Desktop\hDKY4f6gEA.exe File created: C:\Users\Public\Videos\IfYiMMRuvSUMKHkp.exe
Source: C:\Recovery\IfYiMMRuvSUMKHkp.exe Mutant created: NULL
Source: C:\Users\user\Desktop\hDKY4f6gEA.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\93ec258400f012aeafba1dd2a819020626051bef
Source: hDKY4f6gEA.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: hDKY4f6gEA.exe Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.79%
Source: C:\Users\user\Desktop\hDKY4f6gEA.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create (logged 57 times)
Source: C:\Users\user\Desktop\hDKY4f6gEA.exe File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\hDKY4f6gEA.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: hDKY4f6gEA.exe ReversingLabs: Detection: 84%
Source: hDKY4f6gEA.exe Virustotal: Detection: 67%
Source: C:\Users\user\Desktop\hDKY4f6gEA.exe File read: C:\Users\user\Desktop\hDKY4f6gEA.exe
Source: unknown Process created: C:\Users\user\Desktop\hDKY4f6gEA.exe "C:\Users\user\Desktop\hDKY4f6gEA.exe"
Source: unknown Process created: C:\Program Files (x86)\WindowsPowerShell\dllhost.exe "C:\Program Files (x86)\windowspowershell\dllhost.exe"
Source: unknown Process created: C:\Program Files (x86)\WindowsPowerShell\dllhost.exe "C:\Program Files (x86)\windowspowershell\dllhost.exe"
Source: unknown Process created: C:\Program Files\Windows Defender\IfYiMMRuvSUMKHkp.exe "C:\Program Files\Windows Defender\IfYiMMRuvSUMKHkp.exe"
Source: unknown Process created: C:\Recovery\IfYiMMRuvSUMKHkp.exe C:\Recovery\IfYiMMRuvSUMKHkp.exe
Source: C:\Users\user\Desktop\hDKY4f6gEA.exe Process created: unknown unknown (logged 21 times)
Source: C:\Users\user\Desktop\hDKY4f6gEA.exe Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\hDKY4f6gEA.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\hDKY4f6gEA.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\hDKY4f6gEA.exe Section loaded: version.dll
Source: C:\Users\user\Desktop\hDKY4f6gEA.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\hDKY4f6gEA.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\hDKY4f6gEA.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\hDKY4f6gEA.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\hDKY4f6gEA.exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\hDKY4f6gEA.exe Section loaded: profapi.dll
Source: C:\Users\user\Desktop\hDKY4f6gEA.exe Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\hDKY4f6gEA.exe Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\hDKY4f6gEA.exe Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\hDKY4f6gEA.exe Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\hDKY4f6gEA.exe Section loaded: amsi.dll
Source: C:\Users\user\Desktop\hDKY4f6gEA.exe Section loaded: userenv.dll
Source: C:\Users\user\Desktop\hDKY4f6gEA.exe Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\hDKY4f6gEA.exe Section loaded: wbemcomn.dll
Source: C:\Users\user\Desktop\hDKY4f6gEA.exe Section loaded: propsys.dll
Source: C:\Users\user\Desktop\hDKY4f6gEA.exe Section loaded: twext.dll
Source: C:\Users\user\Desktop\hDKY4f6gEA.exe Section loaded: cscui.dll
Source: C:\Users\user\Desktop\hDKY4f6gEA.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\Desktop\hDKY4f6gEA.exe Section loaded: appresolver.dll
Source: C:\Users\user\Desktop\hDKY4f6gEA.exe Section loaded: bcp47langs.dll
Source: C:\Users\user\Desktop\hDKY4f6gEA.exe Section loaded: slc.dll
Source: C:\Users\user\Desktop\hDKY4f6gEA.exe Section loaded: sppc.dll
Source: C:\Users\user\Desktop\hDKY4f6gEA.exe Section loaded: policymanager.dll
Source: C:\Users\user\Desktop\hDKY4f6gEA.exe Section loaded: msvcp110_win.dll
Source: C:\Users\user\Desktop\hDKY4f6gEA.exe Section loaded: workfoldersshell.dll
Source: C:\Users\user\Desktop\hDKY4f6gEA.exe Section loaded: ntshrui.dll
Source: C:\Users\user\Desktop\hDKY4f6gEA.exe Section loaded: windows.fileexplorer.common.dll
Source: C:\Users\user\Desktop\hDKY4f6gEA.exe Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\hDKY4f6gEA.exe Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\hDKY4f6gEA.exe Section loaded: cscapi.dll
Source: C:\Users\user\Desktop\hDKY4f6gEA.exe Section loaded: twinapi.appcore.dll
Source: C:\Users\user\Desktop\hDKY4f6gEA.exe Section loaded: textshaping.dll Jump to behavior
Source: C:\Users\user\Desktop\hDKY4f6gEA.exe Section loaded: wtsapi32.dll Jump to behavior
Source: C:\Users\user\Desktop\hDKY4f6gEA.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Users\user\Desktop\hDKY4f6gEA.exe Section loaded: secur32.dll Jump to behavior
Source: C:\Users\user\Desktop\hDKY4f6gEA.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Users\user\Desktop\hDKY4f6gEA.exe Section loaded: starttiledata.dll Jump to behavior
Source: C:\Users\user\Desktop\hDKY4f6gEA.exe Section loaded: coremessaging.dll Jump to behavior
Source: C:\Users\user\Desktop\hDKY4f6gEA.exe Section loaded: usermgrcli.dll Jump to behavior
Source: C:\Users\user\Desktop\hDKY4f6gEA.exe Section loaded: usermgrproxy.dll Jump to behavior
Source: C:\Users\user\Desktop\hDKY4f6gEA.exe Section loaded: acppage.dll Jump to behavior
Source: C:\Users\user\Desktop\hDKY4f6gEA.exe Section loaded: sfc.dll Jump to behavior
Source: C:\Users\user\Desktop\hDKY4f6gEA.exe Section loaded: msi.dll Jump to behavior
Source: C:\Users\user\Desktop\hDKY4f6gEA.exe Section loaded: aepic.dll Jump to behavior
Source: C:\Users\user\Desktop\hDKY4f6gEA.exe Section loaded: sfc_os.dll Jump to behavior
Source: C:\Users\user\Desktop\hDKY4f6gEA.exe Section loaded: edputil.dll Jump to behavior
Source: C:\Users\user\Desktop\hDKY4f6gEA.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Users\user\Desktop\hDKY4f6gEA.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Users\user\Desktop\hDKY4f6gEA.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\Desktop\hDKY4f6gEA.exe Section loaded: onecorecommonproxystub.dll Jump to behavior
Source: C:\Users\user\Desktop\hDKY4f6gEA.exe Section loaded: onecoreuapcommonproxystub.dll Jump to behavior
Source: C:\Users\user\Desktop\hDKY4f6gEA.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Program Files (x86)\WindowsPowerShell\dllhost.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Program Files (x86)\WindowsPowerShell\dllhost.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Program Files (x86)\WindowsPowerShell\dllhost.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Program Files (x86)\WindowsPowerShell\dllhost.exe Section loaded: version.dll Jump to behavior
Source: C:\Program Files (x86)\WindowsPowerShell\dllhost.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Program Files (x86)\WindowsPowerShell\dllhost.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Program Files (x86)\WindowsPowerShell\dllhost.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Program Files (x86)\WindowsPowerShell\dllhost.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Program Files (x86)\WindowsPowerShell\dllhost.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Program Files (x86)\WindowsPowerShell\dllhost.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Program Files (x86)\WindowsPowerShell\dllhost.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Program Files (x86)\WindowsPowerShell\dllhost.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Program Files (x86)\WindowsPowerShell\dllhost.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Program Files (x86)\WindowsPowerShell\dllhost.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Program Files (x86)\WindowsPowerShell\dllhost.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Program Files (x86)\WindowsPowerShell\dllhost.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Program Files (x86)\WindowsPowerShell\dllhost.exe Section loaded: version.dll Jump to behavior
Source: C:\Program Files (x86)\WindowsPowerShell\dllhost.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Program Files (x86)\WindowsPowerShell\dllhost.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Program Files (x86)\WindowsPowerShell\dllhost.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Program Files (x86)\WindowsPowerShell\dllhost.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Program Files (x86)\WindowsPowerShell\dllhost.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Program Files (x86)\WindowsPowerShell\dllhost.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Program Files (x86)\WindowsPowerShell\dllhost.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Program Files (x86)\WindowsPowerShell\dllhost.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Program Files (x86)\WindowsPowerShell\dllhost.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Program Files (x86)\WindowsPowerShell\dllhost.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Program Files (x86)\WindowsPowerShell\dllhost.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Program Files\Windows Defender\IfYiMMRuvSUMKHkp.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Program Files\Windows Defender\IfYiMMRuvSUMKHkp.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Program Files\Windows Defender\IfYiMMRuvSUMKHkp.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Program Files\Windows Defender\IfYiMMRuvSUMKHkp.exe Section loaded: version.dll Jump to behavior
Source: C:\Program Files\Windows Defender\IfYiMMRuvSUMKHkp.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Program Files\Windows Defender\IfYiMMRuvSUMKHkp.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Program Files\Windows Defender\IfYiMMRuvSUMKHkp.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Program Files\Windows Defender\IfYiMMRuvSUMKHkp.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Program Files\Windows Defender\IfYiMMRuvSUMKHkp.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Program Files\Windows Defender\IfYiMMRuvSUMKHkp.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Program Files\Windows Defender\IfYiMMRuvSUMKHkp.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Program Files\Windows Defender\IfYiMMRuvSUMKHkp.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Program Files\Windows Defender\IfYiMMRuvSUMKHkp.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Program Files\Windows Defender\IfYiMMRuvSUMKHkp.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Program Files\Windows Defender\IfYiMMRuvSUMKHkp.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Recovery\IfYiMMRuvSUMKHkp.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Recovery\IfYiMMRuvSUMKHkp.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Recovery\IfYiMMRuvSUMKHkp.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Recovery\IfYiMMRuvSUMKHkp.exe Section loaded: version.dll Jump to behavior
Source: C:\Recovery\IfYiMMRuvSUMKHkp.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Recovery\IfYiMMRuvSUMKHkp.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Recovery\IfYiMMRuvSUMKHkp.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Recovery\IfYiMMRuvSUMKHkp.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Recovery\IfYiMMRuvSUMKHkp.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Recovery\IfYiMMRuvSUMKHkp.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Recovery\IfYiMMRuvSUMKHkp.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Recovery\IfYiMMRuvSUMKHkp.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Recovery\IfYiMMRuvSUMKHkp.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Recovery\IfYiMMRuvSUMKHkp.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Recovery\IfYiMMRuvSUMKHkp.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\Desktop\hDKY4f6gEA.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32 Jump to behavior
Source: C:\Users\user\Desktop\hDKY4f6gEA.exe Directory created: C:\Program Files\Windows Defender\IfYiMMRuvSUMKHkp.exe Jump to behavior
Source: C:\Users\user\Desktop\hDKY4f6gEA.exe Directory created: C:\Program Files\Windows Defender\047efad0ccc033 Jump to behavior
Source: C:\Users\user\Desktop\hDKY4f6gEA.exe Directory created: C:\Program Files\Windows Multimedia Platform\IfYiMMRuvSUMKHkp.exe Jump to behavior
Source: C:\Users\user\Desktop\hDKY4f6gEA.exe Directory created: C:\Program Files\Windows Multimedia Platform\047efad0ccc033 Jump to behavior
Source: C:\Users\user\Desktop\hDKY4f6gEA.exe Directory created: C:\Program Files\Uninstall Information\wininit.exe Jump to behavior
Source: C:\Users\user\Desktop\hDKY4f6gEA.exe Directory created: C:\Program Files\Uninstall Information\56085415360792 Jump to behavior
Source: C:\Users\user\Desktop\hDKY4f6gEA.exe Directory created: C:\Program Files\Microsoft\OneDrive\IfYiMMRuvSUMKHkp.exe Jump to behavior
Source: C:\Users\user\Desktop\hDKY4f6gEA.exe Directory created: C:\Program Files\Microsoft\OneDrive\047efad0ccc033 Jump to behavior
Source: C:\Users\user\Desktop\hDKY4f6gEA.exe Directory created: C:\Program Files\Windows Defender\RCXA207.tmp Jump to behavior
Source: C:\Users\user\Desktop\hDKY4f6gEA.exe Directory created: C:\Program Files\Windows Multimedia Platform\RCXAA37.tmp Jump to behavior
Source: C:\Users\user\Desktop\hDKY4f6gEA.exe Directory created: C:\Program Files\Uninstall Information\RCXB8D3.tmp Jump to behavior
Source: C:\Users\user\Desktop\hDKY4f6gEA.exe Directory created: C:\Program Files\Microsoft\OneDrive\RCXC626.tmp Jump to behavior
Source: hDKY4f6gEA.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: hDKY4f6gEA.exe Static PE information: Virtual size of .text is bigger than: 0x100000
Source: hDKY4f6gEA.exe Static file information: File size 1501696 > 1048576
Source: hDKY4f6gEA.exe Static PE information: Raw size of .text is bigger than: 0x100000 < 0x16b000
Source: hDKY4f6gEA.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Data Obfuscation

Source: hDKY4f6gEA.exe, HJAsWTEQN9udHE418u8.cs .Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
Source: hDKY4f6gEA.exe, HakdnASGIETu6IvB7aa.cs .Net Code: x6uscy7Z82 System.AppDomain.Load(byte[])
Source: hDKY4f6gEA.exe, HakdnASGIETu6IvB7aa.cs .Net Code: x6uscy7Z82 System.Reflection.Assembly.Load(byte[])
Source: hDKY4f6gEA.exe, HakdnASGIETu6IvB7aa.cs .Net Code: x6uscy7Z82
Source: C:\Users\user\Desktop\hDKY4f6gEA.exe Code function: 0_2_00007FFD9B8C3361 push ds; retf 0_2_00007FFD9B8C3362
Source: C:\Users\user\Desktop\hDKY4f6gEA.exe Code function: 0_2_00007FFD9B8C1FD3 push ds; retf 0_2_00007FFD9B8C1FD4
Source: C:\Users\user\Desktop\hDKY4f6gEA.exe Code function: 0_2_00007FFD9B8C331A push ds; retf 0_2_00007FFD9B8C331B
Source: C:\Users\user\Desktop\hDKY4f6gEA.exe Code function: 0_2_00007FFD9B8C2706 push ds; retf 0_2_00007FFD9B8C2707
Source: C:\Users\user\Desktop\hDKY4f6gEA.exe Code function: 0_2_00007FFD9B8C3753 push ds; retf 0_2_00007FFD9B8C3754
Source: C:\Users\user\Desktop\hDKY4f6gEA.exe Code function: 0_2_00007FFD9B8C96D7 push ds; retf 0_2_00007FFD9B8C96D8
Source: C:\Users\user\Desktop\hDKY4f6gEA.exe Code function: 0_2_00007FFD9B8BAE5A push ds; retf 0_2_00007FFD9B8BAE5B
Source: C:\Users\user\Desktop\hDKY4f6gEA.exe Code function: 0_2_00007FFD9B8BD9A1 push ds; retf 0_2_00007FFD9B8BD9A2
Source: C:\Users\user\Desktop\hDKY4f6gEA.exe Code function: 0_2_00007FFD9B8C80F3 push ebx; ret 0_2_00007FFD9B8C816A
Source: C:\Users\user\Desktop\hDKY4f6gEA.exe Code function: 0_2_00007FFD9B8BF111 push ds; retf 0_2_00007FFD9B8BF112
Source: C:\Users\user\Desktop\hDKY4f6gEA.exe Code function: 0_2_00007FFD9B8BED1F push ds; retf 0_2_00007FFD9B8BED20
Source: C:\Users\user\Desktop\hDKY4f6gEA.exe Code function: 0_2_00007FFD9B8BECD8 push ds; retf 0_2_00007FFD9B8BECD9
Source: C:\Users\user\Desktop\hDKY4f6gEA.exe Code function: 0_2_00007FFD9B8BE0C6 push ds; retf 0_2_00007FFD9B8BE0C7
Source: hDKY4f6gEA.exe Static PE information: section name: .text entropy: 7.231943205872588
Source: IfYiMMRuvSUMKHkp.exe.0.dr Static PE information: section name: .text entropy: 7.231943205872588
Source: smss.exe.0.dr Static PE information: section name: .text entropy: 7.231943205872588
Source: IfYiMMRuvSUMKHkp.exe0.0.dr Static PE information: section name: .text entropy: 7.231943205872588
Source: IfYiMMRuvSUMKHkp.exe1.0.dr Static PE information: section name: .text entropy: 7.231943205872588
Source: hDKY4f6gEA.exe, Nthi6vEaHQBi9jIOyl.cs High entropy of concatenated method names: 'oFOXh9g2W', 'KrcQGTYlnKHOS2WtnY', 'kB3XwMLZoSKpwaCug8', 'MWIr2syujjed9BM27x', 'YkeggTKCmj3sOnje5M', 'EhuT9ETWgDWhmtFRq5', 'HAp0CR3xj', 'XZJscanKB', 'TZOfDF38m', 'H4T5kbsxf'
Source: hDKY4f6gEA.exe, tOjDPaFn3IyDfA3bmv5.cs High entropy of concatenated method names: 'R1x', 'YZ8', '_8U7', 'G9C', 'NugfJObnS48yhgYFif4', 'FuAiR3bL4S4eqWLQdA6', 'd1bDDubygd5nxcaJhrp', 'el2neObYnMasEqvfTji', 'T2TpJrbKL40dABVPNpZ', 'g1ku0xbTyigLPPh5rRw'
Source: hDKY4f6gEA.exe, DR8bYKSSTifcdajFkSk.cs High entropy of concatenated method names: 'HEU0KeABk6', 'cJj0WXV1ip', 'whu0NlZwUh', 'BWq08qtjZt', 'vEp0Y6NtSa', 'TVb06fyAmc', 'GZDTIBowHggP2QIRuXv', 'RotJdaoJ4hwLHGkuWxM', 'Hsdu0EoeZ0uTU7b7vgw', 'RwGDkBo8liquBV4lmXq'
Source: hDKY4f6gEA.exe, GRuWBZAY37APXsTQXlT.cs High entropy of concatenated method names: 'D4M', '_4DP', 'HU2', '_4Ke', '_5C9', '_7b1', 'lV5', 'H7p', 'V5L', '_736'
Source: hDKY4f6gEA.exe, N98h1C8gV3yfCFjnmbb.cs High entropy of concatenated method names: 'VPEQuNoURd', 'M9DQCuPJkJwATlN9JcQ', 'lQTlmFP4sv6gvfoxiCq', 'IL3bHJP8u4CV2g1g6JR', 'dxgCPhPw64nKQdHeO4H', 'G9CPkswdkl', 'a23PFC6fQX', 'jehPyP1VlE', 'hJAPMW0wPD', 'NiqPwR1YTk'
Source: hDKY4f6gEA.exe, CG5mpbgKduPryAPQqp7.cs High entropy of concatenated method names: 'q4Y', '_71O', '_6H6', 'B03jttaGiN', '_13H', 'I64', '_67a', '_71t', 'fEj', '_9OJ'
Source: hDKY4f6gEA.exe, u7WmFH86HmtKYe8liWH.cs High entropy of concatenated method names: 'onQDfiXT0d', 'QY3D5MoAZ3', 'hhgDHUkoD4', 'vFw2HLX8kH8S61Fmw26', 'wAnSdkXwUGMvxyUxnuO', 'BJN02bXFAyS5me4x6vt', 'Efn7n6XedS6Ubtg8VUS', 'hmUPxqXJMnJRJhSwi5s', 'jLqVYjX4jKNZBObwQg7', 'oYpitlXNbI4Cw2DcyDy'
Source: hDKY4f6gEA.exe, EMbOvT83n2RLffdvCrh.cs High entropy of concatenated method names: 'ICU', 'j9U', 'IBK', '_6qM', 'Amn', 'Mc2', 'og6', 'z6i', '_5G6', 'r11'
Source: hDKY4f6gEA.exe, w4b9NYgcxnwKsdmdhsT.cs High entropy of concatenated method names: 'lPiZYdQIHR', 'uDaZ63tLJ5', 'JJ9Z1ylU7h', 'uSoZqXMBLt', 'tebZ2mU683', 'KmNZeeCRcn', 'WDembkUkEgAhaqOsYnJ', 'rfCUkNUZOJU0DxH02uY', 'RfwcDwUAdp3NUXmnBvF', 'm1O3ptUW150OXx96PsH'
Source: hDKY4f6gEA.exe, YcBwlDFbSpZXhVOLl9B.cs High entropy of concatenated method names: 'd9v0Uv0nVV', 'Pv60tOJOKG', 'iGP0ZxkLCI', 'CmYqbSx5OxP9KHf5Lyc', 'FQcyCyxuBWEww1dGyQl', 'hvyvLJx6lvqYJThfPME', 'RUnjhExx0vIP3UyUjT1', 'Dy6gK7xoxaTNRZbJ7Id', 'zlUZ40xBoMjL4k48tgw', 'mx9UcdxHkNDcEkgv0mq'
Source: hDKY4f6gEA.exe, erFdQGZD4TsRW9gFFa.cs High entropy of concatenated method names: '_52Y', 'YZ8', 'Eg4', 'G9C', 'yMbxOJLx5', 'Wh9DvRO4P73XJi2xVSL', 'iJqNr2ONOVKMxYPhfYk', 'sYqNjmOIJ516ZwxvuKL', 'pCum7YOG384BcavO4H0', 'mU6qXEOmUfrXrYwpeur'
Source: hDKY4f6gEA.exe, QwqQDnAV15R35WSInl5.cs High entropy of concatenated method names: 'IGD', 'CV5', 'zPgAZTH1qd', '_3k4', 'elq', 'hlH', 'yc1', 'Y17', '_2QC', 'En1'
Source: hDKY4f6gEA.exe, ttsbb7gqltSbVV5YgNr.cs High entropy of concatenated method names: 'slrjJf44Ek', 'kZclcWUdokQmqGKSG0u', 'FpPDnrUhFUfup7atkcy', 'gihxVKURnvYBKNqKtii', 'MGPshsUadcBG1vOYaEH', 'MCqZYaU2yt4qlTVx85Q', 'NVSfEgUzS0qkieqZeKe'
Source: hDKY4f6gEA.exe, Fbwxg58vGLxBWGid20q.cs High entropy of concatenated method names: 'gPDpj4oxA2', 'G9UpVQ3RgZ', 'aoppXe7wNj', 'LxspcYsBqo', 'eqbppA8bRG', 'DYVp9vl6y0', 'SPapuwWMI6', 'lWQpaUhCr5', 'nt5p71SpWq', 'pYJpi66FA6'
Source: hDKY4f6gEA.exe, nu962anJoQHbLOfQD2a.cs High entropy of concatenated method names: 'dSmmMYdXxU', 'Jptmwo4Rvo', 'lXOmSOJiyD', 'OPeLncIHqEQhl6GAPQJ', 'K9LA0DIoeutNnt9B7V0', 'BmGE0GIBrVjq71boW2u', 'tDX9qNIFuHAJhYpCZ6t', 'Ga3mpG8nhY', 'Rc2m9E5bDY', 'gIamuruO9O'
Source: hDKY4f6gEA.exe, DNl5hhWvwtXMeFMccZ.cs High entropy of concatenated method names: '_8Ok', 'YZ8', 'InF', 'G9C', 'PEgGa0pFYdabmyBATW0', 'CXpQvvpeefyKLgtpZG5', 'mOYnJ5p8Xn1XJjteWOS', 'TOhVocpwDalpyoncaiI', 'Pdr8FNpJS8JjKLy1VFp', 'DrT3mVp4nDlt4SQcxsQ'
Source: hDKY4f6gEA.exe, eNdffZSqrZ1vPP6DE14.cs High entropy of concatenated method names: 'dA05GtDeYX', 'ruER9h8ac7WFVDUc0hQ', 've6npI82leBFgyIgioi', 'IVB5aX8RjShcgIW4l72', 'WXRCxL8dyk7uy7ZV45u', 'LCG1VQ8zv8qYwcE1EPX', 'Dsgsi4w1WirJdlT9OOn', 'vrGZZNw0VcZ1NjrH0HK', 'c41hgJwOlsAyRB6RsG4', 'jOT2BZwi6Ho8s8Cckx7'
Source: hDKY4f6gEA.exe, sXEZHYF5a7FMqPJNSRh.cs High entropy of concatenated method names: '_625', 'YZ8', '_9pX', 'G9C', 'v3fWr75IRybGfpa5Yok', 'tvLHRU5GsOPY8GFKqQ6', 'PnKlOR5mfKXCu9JQ6wH', 'mYEEG15jGQFuVI1a4ct', 'HS66fT5CGMPVjqJME9L', 'qaegXV5PMy8Z6jXIsh0'
Source: hDKY4f6gEA.exe, Q0hh4UgoC8JiA9ZTIx0.cs High entropy of concatenated method names: 'jPajfHHb7J', 'IaHj5fXoOK', 'XmKjH6otDm', 'jJvjI5Dhc0', 'kAgjmNRyMq', 'mGOjnSOUiI', 'BgfjPoM6Ye', 'rc3jrAcupw', 'xEUjQZETdA', 'v8ljDdD2ll'
Source: hDKY4f6gEA.exe, IAl9pFA0uL6JFCY0tNQ.cs High entropy of concatenated method names: 'N7hAEWN6gH', 'vohA4Jfcqv', 'a3LAdYqkKx', 'OBwAUYy4H0', 'OxUAtUxISj', 'gRp7N8rdI2epy4HWHF5', 'a2pNgdrarc1SVcAogQH', 'rGqww6r2Y4cmSHAa5qH', 'OKkCSxrzMnbeaU4V3Vg', 'I1U8fID1h3bhQu5FfyR'
Source: hDKY4f6gEA.exe, DYW6Y27IdxkU2ocPLu.cs High entropy of concatenated method names: 'pHw', 'YZ8', 'v2R', 'G9C', 'llWArvpMrHd24fXyXFm', 'Al7kl9p9Sq4NbYWFTGd', 'j56HFrpnTl59ZCZY3C3', 'BkwS63pLrUED9gvuW5P', 'klfkBRpyweMcYN943B6', 'fCCeYopYYrZdUjk6BR3'
Source: hDKY4f6gEA.exe, ATPg1tFffqP74chlQGZ.cs High entropy of concatenated method names: 'p23', 'YZ8', 'Gog', 'G9C', 'DMm1jZfAg3FuGL1PvRE', 'nK7yTofkDv7PSM0XXFe', 'x4KkkyfW2NYvleKQoZJ', 'ehcYb8flv1LLd12MNDQ', 'beLFtffsTN0LFndJn0Z', 'Gik42rf7gFnSyChPbCS'
Source: hDKY4f6gEA.exe, D0IokQF2aboLXjqjt3T.cs High entropy of concatenated method names: 'GrkOeuAqKW', 'RyywCQ6Ux48BE9Uo36J', 'WCuvPJ6qikCoAwCgCmx', 'FQphJE6ToJS8nEqQDcQ', 'cE8F7e6vjaQlnPtGYxI', 'm7NLrc6cLv24MRpNTE5', '_3Xh', 'YZ8', '_123', 'G9C'
Source: hDKY4f6gEA.exe, ev7mNBFLeCtSaeCVbqX.cs High entropy of concatenated method names: 'GvP', 'YZ8', 'bp6', 'G9C', 'E3r1NIuv0YhT4o05gPZ', 'xJawPEuUHJ5kgWRaXhW', 'RGwBWXuqNuWnDvexgM2', 'M0Y1O5uc1A16sFhxMEW', 'GRaejouroNVnUxCYRLk', 'kX3CXXuDkJTcshQ1dkG'
Source: hDKY4f6gEA.exe, CuvuK1nWjUJ0rL6S97k.cs High entropy of concatenated method names: '_3VT', 'O5t', '_1W5', 'rBCPrHE0RU', 'XR0pCCoafL', 'nmQPQ1ptl6', 'YaFp1yMGc0', 'pXI8ikjqoygHAr7IV3K', 'BLcaatjcO4IKy5727j1', 'aX6Dv7jv9t8GKtEY1El'
Source: hDKY4f6gEA.exe, B0CmovnvIB8GemAurYP.cs High entropy of concatenated method names: 'G1Bnp9CUnauflNyyHiS', 'AXH6sFCqBvrSXOFwm7N', 'bDvsJpCTLe4V45IApkm', 'Kup8dXCvn7BSj7DuvIP', 'IWF', 'j72', 'YU3PurPqHs', 'wZUPa04qXw', 'j4z', 'xYSP7IdW4d'
Source: hDKY4f6gEA.exe, rEKSLS8erJaOsroDZsf.cs High entropy of concatenated method names: 'Y35DMWftne', 'q3MDwE2DCL', 'IP5DSN4VhQ', 'Gb5Dh5OngP', 'dv0DvxJ07r', 'uvRt2tXTYuBuXIZXOW1', 'V99g1QXvOCS21eu5p7E', 'dv6Vf8XYSiQ6sOBRCGD', 'CKKOJsXKWVZZ9OoRJDV', 'uj6AekXUgur5Un31uqf'
Source: hDKY4f6gEA.exe, yR892onzBPSjlEcoBIL.cs High entropy of concatenated method names: 'DMxPbSYakG', 'TnBPC8BvVs', 'j21PGdl2iQ', 'B19qKKCDYgb12q1bCk1', 'M62ePrCVBCC0iDjH0ED', 'C4KJPPCcfTl26ikXyqt', 'yGTapUCrKILtAusgQip', 'sZswTiCgeXl180vYbr4', 'Tdifb2CS6uQ0L5x6bYT', 'xL0oyRCZoch7jrqLWS6'
Source: hDKY4f6gEA.exe, T8icfaSIEdEoTDEhM6F.cs High entropy of concatenated method names: 'Nybf4m1j40', 'GJRfd2jZZ7', 'dm2fULmJW1', 'qskftPRwHV', 'PVCfZepJ2D', 'BT5U0xe119rjZSutdpu', 'djnPk9e04oLGLy3kAb0', 'nc5KKbF2OpgoJ8QBAel', 'XhSnXXFzbRmPLYBNQFE', 'nnODsQeOHkYW1JSNkkS'
Source: hDKY4f6gEA.exe, uaNIfegkcJ5SRHShL9Z.cs High entropy of concatenated method names: '_14Y', 'b41', 'D7Y', 'xMq', 'i39', '_77u', '_4PG', '_5u8', 'h12', '_2KT'
Source: hDKY4f6gEA.exe, fmq2SIgYcbRYoslFQbI.cs High entropy of concatenated method names: 'Nk0ZlW668g', 'wKGZxXaDSN', 'COmZ3ELBsX', 'zoWZTJnw8R', 'mmoZLYk2Na', 'nW5IkEUMwq3sW7dAak8', 'hrNHiGUXAB5ZwvrmPsw', 'lnbwTrUQZE8kw9d0mNP', 'eNYJUnU9NLs2CEIaMtM', 'q1Cu1xUnItDNG2AHvgK'
Source: hDKY4f6gEA.exe, rQ5A7X5o8PPfDVwQMV.cs High entropy of concatenated method names: 'kcq', 'YZ8', '_4bQ', 'G9C', 'gQZmn4pbrWkkqoNlG6D', 'OG9PTTp3dN4BIH34AHD', 's7qFFmpfj3PcZfb8n7D', 'XONhYypuTO9J922i98P', 'eNmld1p6ZUB4hA1S4ZK', 'v2AlFVp580fhjWay5yb'
Source: hDKY4f6gEA.exe, Mc19jqShnKExfjDOVQp.cs High entropy of concatenated method names: 'Khcsz607tt', 'XGdfJ4asqx', 'VIKfOLffJp', 'G84f0REBXm', 'ANXfsxjjBq', 'FihffSUB8q', 'BWtf5ebbLO', 'r3sfHGHxY1', 'n2QfI4mUHG', 'pBnfmwFRKl'
Source: hDKY4f6gEA.exe, i70r0dSLQjY9j1LIR5k.cs High entropy of concatenated method names: 'bB9feou2SU', 'khSfBD9Hin', 'bGmfzk8LUu', 'NxC5JfdRi8', 'wDX5O61Ru0', 'tKI50T7qbT', 'HWx5sHQ9Ys', 'GVk5fr4ljJ', 'dnt55gVaCQ', 'vvrydEehyniMdDlAkdO'
Source: hDKY4f6gEA.exe, TSOWd7FE82ULVFCU5iP.cs High entropy of concatenated method names: '_6H9', 'YZ8', '_66N', 'G9C', 'HxqFA1bhbLW3FPM4eKB', 'eaxnX3bRbxn5kIsT2O6', 'udiZoCbd15fZkFhYmkI', 'DeIQn6baal0gp2bRMCb', 'HYtRdVb251Cx91Ioyyw', 'Ix6S4CbzpTnDlMGAUHu'
Source: hDKY4f6gEA.exe, eMKrfZF7GgyuipBVQth.cs High entropy of concatenated method names: '_589', 'YZ8', '_491', 'G9C', 'EmPPYK5W3CtaW4ZlnC0', 'FyVF3y5lACi9Wt1Jp5F', 'rcMSjA5sxEbEwegZnQ1', 'W0VOfq57QmO5cFMjWXW', 'Rdyh3X5tHpM4MjOl291', 'KOqL9F5hR4PlrUo6ppa'
Source: hDKY4f6gEA.exe, Ragd76UlguC5AMsRjF.cs High entropy of concatenated method names: 'i93wauGIX', 'NEtSg4ErH', 'f5RhQ61AN', 'CPt5ty0qy8ZXmGMLWSI', 'HDFvcj0vaGFjutA37fu', 'pkuhx20UFVQIFDdtQHK', 'j45Q800cGISL9c5towH', 'mQi9QH0reKt3NP6NqXK', 'CBNdyU0DJM1v3VyLLus', 'la7NBa0VngVyRUZIHGK'
Source: hDKY4f6gEA.exe, cnPmGGFqXsdIn95LGrg.cs High entropy of concatenated method names: 'by0O60LPsL', 'BnARO26C5oqfdLkYQ9Q', 'DvcoT46PabgJx4stJL1', 'sw8ER56mwYY5iwD0NFf', 'FYNBeB6jemIiBLl7XSa', 'oHkQuf6XPHQUbWgRhL7', 'QLw', 'YZ8', 'cC5', 'G9C'
Source: hDKY4f6gEA.exe, I6EHLPgGiUTVdQMF3UM.cs High entropy of concatenated method names: 'KpMZEj047V', 'L4BZ40UgyG', 'NlaD6evtGqTMBBtDOI8', 'L3lcTgvh4pJ3A3OPGOu', 'RN2bpbvRvoLHXKFNtvd', 'o4KeHtvdvVIRC6ENBVa', 'O8xmWRvaEYXAoax7Q4V', 'tJNoVsv2orYN2qGwroC', 'GZVkhXvztqQAVTDdyen', 'RrZkcDU19HPIolhRSut'
Source: hDKY4f6gEA.exe, vCEmreS2EKtEKD22mUZ.cs High entropy of concatenated method names: '_0023Nn', 'Dispose', 'Exq5wNPutn', 'qoQ5S9MLo8', 'vTX5hXiEc2', 'khs5vCuqSe', 'pAT5lt5w6P', 'yvVAQcwuuIu0aTAV8q7', 'cBWYNQw6YKn3qiWtPBx', 'Ajavlgw33oUAluBfuRP'
Source: hDKY4f6gEA.exe, HakdnASGIETu6IvB7aa.cs High entropy of concatenated method names: 'bv5sylpYmY', 'ofhsMqTIcB', 'cFosw7IXGI', 'xDysS6PL45', 'uxmshUUUVG', 'Kv8svLZcal', 'TWOslDNjWI', 'uyVgxLBCQGnI9Yu1SWN', 'YSqvZWBmeDDJkRTIWIL', 'GaNv9uBjUOA52b3VrFA'
Source: hDKY4f6gEA.exe, kJEYge8hhIMJEhcWlSE.cs High entropy of concatenated method names: '_7zt', 'tHwDireaei', 'nTfDEwWyp1', 'jKlD4O3qBD', 'CA1DdxXClT', 'ie7DUHSTVC', 'tSYDt9vf1i', 'arM1A9XmyWcgQy06UkC', 'Ck5VISXjhSotbik8vq1', 'C0eAsKXILM7wPYo7bgX'
Source: hDKY4f6gEA.exe, UDb6b8gb9aCIVEERGxg.cs High entropy of concatenated method names: 'xyTjbGU4xD', 'RdnjCSmSmx', 'F8e', 'bLw', 'U96', '_71a', 'O52', 'mSfjGMxMtS', '_5f9', 'A6Y'
Source: hDKY4f6gEA.exe, LNm3lu8dYfNwWbACMXh.cs High entropy of concatenated method names: 'jbsQSBLSLP', 'AoiQhdxkPm', 'L2LQv0irwC', 'EsaQljXQau', 'SZuQxxVYqp', 'UNy71uP2O10SWNbphPE', 'faTgV7PzE6If33fUZj0', 'FDuJnDPdvWWYdZSOlJZ', 'cjhWyFPaSCrx72OuPWB', 'qbrOfqX1jZu78CI9RJA'
Source: hDKY4f6gEA.exe, SCFlrnALR3Njj0HNX2W.cs High entropy of concatenated method names: 'cBkVnJ1npe', 'qSSVPOUVXG', 'NPgVr1yGmo', '_3Gf', '_4XH', '_3mv', '_684', '_555', 'Z9E', 'eUTVQJIjrY'
Source: hDKY4f6gEA.exe, OhecA6SlOq8S4g2dunG.cs High entropy of concatenated method names: 'jSJsqM50QS', 'yVP6KyHi3XufSt7Einv', 'HOZdQEHE7PqQLKIkMVT', 'OtNGxPH0tTj64CvJGGb', 'GDTHNPHOkPXZJuvy5ZQ', 'rlg2x4HpG0HsDaKVtkm', 'NgPCWkHbxjHvVM0F2V2', 'LXVFSiH3GUTKxr69E7H', 'zfv4jnHfJgxuXB3g1Bc', 'Ot0aJ8Hunoh6LktukIT'
Source: hDKY4f6gEA.exe, sqPIwa8G0g4FnymHgdM.cs High entropy of concatenated method names: 'uxk', 'q7W', '_327', '_958', '_4Oz', 'r6z', 'r7o', 'Z83', 'L5N', 'VTw'
Source: hDKY4f6gEA.exe, wglXeXFd55BPMR425Ej.cs High entropy of concatenated method names: 'd43', 'YZ8', 'g67', 'G9C', 'kC6qD53Q8MHwSNIp71h', 'D2S9jU3MniVsqEglND4', 'z7jaIw396faSYAjCwhX', 'IWyVOE3n3iabShkQtmb', 'iiovRm3LDufRoqqoNKA', 'iADvN33yj4gcuceDM0X'
Source: hDKY4f6gEA.exe, tpHMHsFFu0KV8SrDdUp.cs High entropy of concatenated method names: 'tO4', 'YZ8', '_4kf', 'G9C', 'hx35dVb44qt04fyC6o7', 'AfoXI5bNYtHfZlgKq5m', 'Q1DAqPbI6ma2UNBb9gp', 'vh3lxDbG3NV6GmkyfTk', 'l3DgKebmlROcTitvtSN', 'MrwAslbj41dGMFsRZjP'
Source: hDKY4f6gEA.exe, rHu4YqAZew0m2QELYHi.cs High entropy of concatenated method names: '_159', 'rI9', '_2Cj', 'hyTVjSejob', 'EJuVATnLaQ', 'UwRVVwtd8O', 'EwZVbXxNEn', 'UUZVC6LKAn', 'xnGVG3ZudM', 'reSIBWVUfplQRIaQu01'
Source: hDKY4f6gEA.exe, vxPmHPABc3iibRpcpol.cs High entropy of concatenated method names: 'PJ1', 'jo3', 'sSeGn0WYX0', 'RL6GPDNZQ4', 'd1aGrB7JYS', 'EC9', '_74a', '_8pl', '_27D', '_524'
Source: hDKY4f6gEA.exe, mDfsmMi88VBKbbQkia.cs High entropy of concatenated method names: '_23T', 'YZ8', 'ELp', 'G9C', 'dECaHpiRJSZ8Gko8tyA', 'krOwiAidSPUhfMyctqx', 'mD0R0viadixFx3T8j3Z', 'HiY930i2tu2iwWsa5Vk', 'hbRYAHizsfUZRnVdtT5', 'jLQ2yTE18hXxXMWs53l'
Source: hDKY4f6gEA.exe, b0yBDWIk3ZrJ3ocCB1.cs High entropy of concatenated method names: 'XJaZQtfDp', 'VYFjjTvu9', 'yNQAxu0J0', 'iPmVl6kdx', 'hZgbt2vow', 'ClmC2Lgfk', 'M39GaxdiM', 'wIlNvt0f0v2JTSymJl7', 'CQpFOX0uG1tu9G3lcnT', 'SKlDZq06jt8ThShxlEj'
Source: hDKY4f6gEA.exe, TBC6H0FyEjdvlrl2Z0n.cs High entropy of concatenated method names: 'dVR0OunxyK', 'pTh00L5uDY', 'fCH0s80pjF', 'PCo7Vk6ste4lEpAd0tl', 'U7vQsy67mI0Jw3abJRR', 'YBuyXD6WeLEoo09HK85', 'RMoJb76lWoaQPGM7EhJ', 'On4CDX6tyXMY9Mq9vxv', 'Eo7cfu6hQqHRpTVouLu', 'cs4Oe16R4KOKdhTMVb2'
Source: hDKY4f6gEA.exe, g0t9gA8wcfolpMOIoT8.cs High entropy of concatenated method names: '_4J6', '_5Di', '_1y5', '_77a', '_1X1', '_7fn', 'OUK', '_8S4', 'wUn', '_447'
Source: hDKY4f6gEA.exe, GGbsptEf9UgBTIY9LDp.cs High entropy of concatenated method names: 'bqfFZOM8dD', 'sNlFjVhPFf', 'c44FA95bUT', 'GdLFVoqlh8', 'je7FbiWXZw', 'IhuFCbvRKI', 'UtFFGyC59K', 'gvhFkNanS2', 'GOPFFtEKZB', 'ltjFyhSRXR'
Source: hDKY4f6gEA.exe, kN6NgxAReN3VCJDQMJZ.cs High entropy of concatenated method names: 'KZiI6NgE2BXN5vg8Ni6', 'CWiy0Lgp6Wv5GFA0OhN', 'PGWsg0gOmcYlfsm0kSS', 'BcTlANgiOC3Jxv6CMQd', 'o5AVwlAJkK', 'WM4', '_499', 'bDFVSsUNeU', 'dTfVhGdRTN', 'KvOVvbfGl1'
Source: hDKY4f6gEA.exe, xiLlIn8Y8g7y1psXLIC.cs High entropy of concatenated method names: 'LadXMMFTbu', 'nS5XwPI2eC', 'S8hXSYAAVw', 'cgRXhoAfer', 'h2lXvZgUkC', 'vZHnV8Q4MmZhywkpFXS', 'DoVdIVQwusB5ClA8O4h', 'pXShtcQJWJKXI8OyUSt', 'B5NmGfQNbl3lBrG1O7P', 'myvEIrQIWGhPoUx9aYg'
Source: hDKY4f6gEA.exe, oCYLRKAa0o6XJ1EELhI.cs High entropy of concatenated method names: 'OqCGUgF4GT', '_1kO', '_9v4', '_294', 'ppOGtrPffR', 'euj', 'aHnGZqrGxG', 'TGmGjlXEX7', 'o87', 'kG9GAVOS7Q'
Source: hDKY4f6gEA.exe, fC6BAlnlcFbau6cip0g.cs High entropy of concatenated method names: 'OQ1mLRtQ9D', 'WIAmgIq0sB', 'xeYmoS4Xjj', 'F1MmR8vRlE', 'FZf56nIKqZGQNyvDYsG', 'gbF50uIT3GsFtMHLvFI', 'ktuNR5IvCfTeZMGQypb', 'k46adEIy9T59s1UCCIF', 'EE7aWSIYHXsWMdSJtZM', 'wmMcdFIUMW6x71S8vls'
Source: hDKY4f6gEA.exe, beRyTunj4cwffHtrJtd.cs High entropy of concatenated method names: 'oYo', '_1Z5', 'Kdsp8guUm1', 'RZQPfNRRdg', 'I0UpoWqPbG', 'D9DU1QjB0QqAUKWQbWF', 'Tw1aJUjH9R1MLErxlqw', 'SDg7dVjFbaXBbPc6vNm', 'LqYOS0jea5Ke1HZMwU0', 'qLK5Hwj8XKbPvT0qqZ4'
Source: hDKY4f6gEA.exe, mTBeMHn864Gin8dmZGF.cs High entropy of concatenated method names: 'lE5IT3Cyop', 'WbfILl9FQX', 'wiqIgHHjqt', 'yf5Io48aFK', 'BkVIRKsEDx', 'MPOIKtAKV0', 'Qp6Za149wmWnpojd8a1', 'JcIFHu4QA8xyRKtrKyB', 'GfWPic4MYM5KBy2lHSB', 'FTP4kv4n4r8Nsccf7ux'
Source: hDKY4f6gEA.exe, oGdIsGnFZtRJqdtx8Db.cs High entropy of concatenated method names: 'rJ7IG4JJQb', 'VTRIkpfOvl', 'sY7IFHbqgN', 'cRYIybg4v8', 'LtIJJEJzg5PbUFMIrNl', 'B2DsSIJat5W2LmAxjD7', 'QBHfxuJ2qtrZGZbJB8k', 'FmFMgt417d2hlt6aUTc', 'F4jJ7740CUguu4mIUQP', 'KW2HCJ4OMHTiFkwY1QS'
Source: hDKY4f6gEA.exe, nDTYuJASVRf9XPt5nL2.cs High entropy of concatenated method names: 'OG5AmLmMgw', 'grmAna2U1Z', '_8r1', 'zp3APkODYs', 'X3rArq1h9o', 'B5KAQtVVDT', 'cfTADjFo7P', 'FHBZDArey3ChrBK6JZR', 'TP9tVlr8SEOZYUSQBwZ', 'pQyN1Qrw94gpWObF2YO'
Source: hDKY4f6gEA.exe, uyg0ywn0BNccbPVGT5Q.cs High entropy of concatenated method names: '_525', 'L97', '_3t2', 'UL2', '_6V2', '_968', 'uNEy2ImBJ8SXWIqACMJ', 'xVJe4YmHwyyhmRFVrfA', 'pyIOKmmF8RrRbSdiZIE', 'vGObTame2yG7tOD0EUd'
Source: hDKY4f6gEA.exe, xLi9evSbNUxZDoftkPL.cs High entropy of concatenated method names: 'tjuIj4CV8S', 'qNc3YOJlJBsOadGCDbY', 'JaVgLpJk9EfwG5gUFfc', 'ec8vs2JWQhRFrt4lsEv', 'Q8Vy1EJsltTbp5BeZBc', 'SXC06VJ7ENQHo1dISRh', 'A9kI7oxJn1', 'CbgIiTvFWH', 'b63IErsDXX', 'vKcI4MnePI'
Source: hDKY4f6gEA.exe, kuiFfhxPF6DMyW8G0s.cs High entropy of concatenated method names: 'T43', 'YZ8', '_56i', 'G9C', 'b3M1cPO5SraAffJ1o6n', 'sJHUuoOxjog2maq96kI', 'jJ1LV1Oos6Eb1R1GSST', 'J8beNiOBZTlBQl3Yngw', 'DdGoifOHTnjdyQ6RtGe', 'E5gnGaOFmifQaHh4cjr'
Source: hDKY4f6gEA.exe, Xo6f8XFWFvNo9mZ4Gsd.cs High entropy of concatenated method names: '_7v4', 'YZ8', '_888', 'G9C', 'XxysLl5ysC6KQ0XboWT', 'Cm1RHk5YF6Tu0o4dPBm', 'VmasSO5KPE175d640Qy', 'Xi6iOY5TMNtUbvhw6aW', 'TQnVOa5vbKTj7meDDwX', 'jniBP75UhqlwJL89Wjd'
Source: hDKY4f6gEA.exe, OWy0ukgnnx5ElSyrkqQ.cs High entropy of concatenated method names: 'eRRBk3YmafyXXdBfByD', 'JstJe4YjVj7yJADnw5g', 'lcb4meYINWaMLopnqbX', 'r1uY0uYG5lgeHSHvyWI', 'U7MEZGOPoB', 'XR0cTRYXu3vNuyWCGtZ', 'xWmmiUYQSLkpO3hSw4w', 'H7fW49YCQJYGuU6iswg', 'KO2eAyYPnUMmemY6G08', 'nc6QVSYMW0lMttNy2Tc'
Source: hDKY4f6gEA.exe, y2bOlDzcWKvVSEd4yg.cs High entropy of concatenated method names: 'Y29', 'YZ8', 'jn6', 'G9C', 'BfQhI9birURdRRFP6Zp', 'otWBqcbELCpIJHhTPhw', 'S29niKbp2TDIxXVLJ0t', 'OUfFrQbbZSHDgelafBx', 'vmDo3Jb3mARld6D8JbX', 'hwXINubfoLtPnbmL2Mp'
Source: hDKY4f6gEA.exe, yk94HsFjn7oD3UuddoB.cs High entropy of concatenated method names: 'hr20rEioYF', 'Ukh0QJIus0', 'qFcnbY5xZPI6xYqEoQc', 'mlIaOF56tfD7fCg9C3W', 'vLxaIv55k9ERHmVn7am', 'LAFW2G5oOv6OQvBIAAA', 'ppyZRB5BE6J6Qwb6qDn', 'r6ITOT5HrdnaE5e1B69', 'w26JAf5FkH8xDdKruOt', 'tCwEK65e5D2KmSWd7Nr'
Source: hDKY4f6gEA.exe, vLPCp8FsqxfdVtaqvWQ.cs High entropy of concatenated method names: 'xKKOGMCUf4', 't3fdFSfw9m98v5L4Ko4', 'haqGhKfJXG0wD5cpsCu', 'KCTLnFfeaSaClGHXOar', 'Mvuc79f8YnknYknfwdF', 'B8GN1hf4vl9S0Um9T42', 'u7M2qcfNsNIWgPmQ8qy', 'JPGR4NfI9KEqwIxMWPO', 'cjmXpPfGWsDsBwE58IR', 'f28'
Source: hDKY4f6gEA.exe, oEijRgnNJ8I328eiFn8.cs High entropy of concatenated method names: 'sg9', 'xu7p6r3NaQ', 'tQ7ne5uGc1', 'YfXpq3QNVo', 'ag8crnmktfR5eBLCycm', 'DGOHTgmWBjo5RGuW1po', 'fUN3skmlg6nYsZ6rjAd', 'ntvGxXmZYPixXg4hMGl', 'PrjDnqmAACFXDMDEqY7', 'xjs9ZLmsOLkdArZ0NhY'
Source: hDKY4f6gEA.exe, ny0V8WndY62uGXdLJd8.cs High entropy of concatenated method names: '_223', 'KbLBs8IwsDPXYdYcKiM', 'SQaT7hIJIVEXJRN2TTO', 'Gu1xdfI4USa1byD2SM7', 'XMG2UBIN1WoN6b3N1g1', 'wTDjSvIIf53gc9OOjLN', 's2EpoxIGTcknOZYe77Z', 'fRNpH7ImPXGnJlfYlpC', 'KaTkjDIjfIMsw1wSxOo', 'CgvReSICA88NeFsjZHu'
Source: hDKY4f6gEA.exe, qUFuRoS6ZphXNT76nH7.cs High entropy of concatenated method names: 'cI8sed1k9O', 'urasBF04Xu', 'WsGt04H4pCMLeWkaNAM', 'U1oiNeHNNBlG5PF9iK5', 'JkB3bLHIoeL8or5uECB', 'sbVBKwHGJ7AcpthVMF1', 'zWsluiHmrRYiJlyrm3C', 'yssJbWHj6iCLEB5451u', 'yyq5r7HCBqyXHYmldkV', 'GRP9Y1HPAigMciJS4SW'
Source: hDKY4f6gEA.exe, lFTRWrFYXTZqGIBMgHP.cs High entropy of concatenated method names: 'Ai7', 'YZ8', '_56U', 'G9C', 'fcZK5Bf2mUOf2pE4MIa', 'UX43nOfzQeSDmDL4dAY', 'rWB8Jbu188sMtK1dB8P', 'lZVrucu0HICIHDaRuo7', 'cVseFYuO53LrWUueghk', 'nXm9ecui29ZAiGPqLrq'
Source: hDKY4f6gEA.exe, uiQHoJn5cXsIRWsgMhU.cs High entropy of concatenated method names: '_9YY', '_57I', 'w51', 'wChpTgV82q', '_168', 'nhqyOwjPURZGPMoKfFd', 'IGQqbkjXDtClC7mVL8W', 'kO7nUVjQQUa7KkHNF3h', 'w5HCuSjMJ0a4qRyiDST', 'PYRAhoj9YgRTQk1ncZR'
Source: hDKY4f6gEA.exe, v4NSX0AfACZuEs7VGXV.cs High entropy of concatenated method names: '_7tu', '_8ge', 'DyU', '_58f', '_254', '_6Q3', '_7f4', 'B3I', '_75k', 'd4G'
Source: hDKY4f6gEA.exe, YLEvZqAAnGTF4b3RHaX.cs High entropy of concatenated method names: 'Qkp', '_72e', 'R26', '_7w6', 'Awi', 'n73', 'cek', 'ro1', '_9j4', '_453'
Source: hDKY4f6gEA.exe, gpkp2I875EmNB8mQvn4.cs High entropy of concatenated method names: 'zTJceQDEU6', 'Rc6cwv4K6k', 'piEcSb6vGW', 'LeZchWbi4j', 'RmlcvPH3bK', 'MFHclc3sg6', 'xGpcxYmWDI', 'OUWc34XVQT', 'HGncTOVGm3', 'Th4cLP6J0Y'
Source: hDKY4f6gEA.exe, WKTaZr8akaNQyJBD23H.cs High entropy of concatenated method names: 'P29', '_3xW', 'bOP', 'Th1', '_36d', 'hZlcpJCTGC', 'Gljc9i6OmE', 'r8j', 'LS1', '_55S'
Source: hDKY4f6gEA.exe, X6JP05FlsTJdMf87xQY.cs High entropy of concatenated method names: 'rU3', 'YZ8', 'M54', 'G9C', 'XS65Wu3cpmONu7b7WGu', 'Y0kcbJ3rxvjKDWyZ9bn', 'ivZUkh3DhAh5hZiCf0Q', 'Im8I2x3V5ESlV9XiroS', 'sgpKU93gx4GFclUhwbq', 'XIkZHU3SJHgdjUTJDUm'
Source: hDKY4f6gEA.exe, Ihuc0rACJiWN9h9ly0f.cs High entropy of concatenated method names: 'iSgjodAy4Q', 'IfXjRFWZsG', 'sYNjKeEmZi', 'DcgjW8QLBl', 'IHmjN1PaUa', 'Oxmj884Fst', '_838', 'vVb', 'g24', '_9oL'
Source: hDKY4f6gEA.exe, RccVDpFgLviW6x2ZaB5.cs High entropy of concatenated method names: 'K55', 'YZ8', '_9yX', 'G9C', 'QV9uClbZXMcVj7WARdO', 'lkGDJ1bAFxIyrrW0v97', 'vJtuX2bkH3b6aBbRFNQ', 'ipvAXIbWLdjfGLkPnUA', 'bMdgs8blF8BKDo1WuEr', 'dJ0uh9bsW9a0OoBdkrj'
Source: hDKY4f6gEA.exe, fb3aZTFvSooVNlnPuRo.cs High entropy of concatenated method names: 'L4G0iioWEC', 'XUuRuwxbMj7sxDr1qMK', 'pbvUCrx3RZjvlF41Hig', 'LWiybFxEDMFZMPDPiCB', 'SkXk1FxpSNf3lqLDBy9', 'ARemFnxfBvWtGpH83jm', '_5q7', 'YZ8', '_6kf', 'G9C'
Source: hDKY4f6gEA.exe, mLGeEEFDT2FlQjU2ODP.cs High entropy of concatenated method names: 'kw8OoVM0tX', 'QSL9RA6O03MZDijAqYi', 'DxJXN46iytXCyAi8Bpb', 'rZSgeS611da519GOEkV', 'G72B8W60kwCrBAq8oRS', 'Iw1TYY6EQNgTe7bOUIW', 'NHFoYq6p2WOC9ETZQpn', 'wESVME6boRJdPLcqkp4', 'lDQOK5dOLx', 'D6piPK6uJsAXSLINPNB'
Source: hDKY4f6gEA.exe, P3AIUSF0X3xNRHEvrfM.cs High entropy of concatenated method names: 'gHL', 'YZ8', 'vF9', 'G9C', 'o3xWwVfCG3bFJMCTYvh', 'ijLAWrfPEAQ559OoAkF', 'ASvDYrfX4uoXlvFyMJK', 'rfd9m4fQ1PhMARWbc7d', 'QK0vWTfMkamC7Y30oAS', 'dJsESbf9mDV6SX58871'
Source: hDKY4f6gEA.exe, TYjAI8FVKgHMlhLl42I.cs High entropy of concatenated method names: 'kNf', 'YZ8', 'U31', 'G9C', 'VytXXlfTbuuJF5CesXY', 'UxJYprfvmkPWfEbcGmO', 'wKkaAsfUhm6d0lC1A69', 'Ei0j6Kfqj7PY2dCJeSR', 'lVKn2tfcyBqGT1ExYVL', 'ugN4jJfr4FLX2SQE8Bd'
Source: hDKY4f6gEA.exe, LYKA6dFwNkcLrOEiWgZ.cs High entropy of concatenated method names: '_6U6', 'YZ8', '_694', 'G9C', 'U8cZ5q34jCaImICNHIF', 'NlOFEC3NdwxRwJeMgGk', 'wUfLJI3InkBH2HrwrZA', 'f2ptPm3GrTWBihnp9gU', 'QoLR0v3ma6EsFSBZihv', 'EHjFUs3j1uvQSgftMdp'
Source: hDKY4f6gEA.exe, qAaqwNRo9Zc2SGirWL.cs High entropy of concatenated method names: 'g25', 'YZ8', '_23T', 'G9C', 'LuHLlaMuo', 'y6i7T0OTLu3fKyfDs45', 'Vmd1IAOvCepQAhxKoOE', 'DAkekeOUGXEOhW2DoJM', 'rFjyuGOqISeuudQhNsy', 'LJXSX2OcURHYWuu6SuY'
Source: hDKY4f6gEA.exe, XjRdR7EwX63xfY2FE5g.cs High entropy of concatenated method names: 'CDUUG9yycAD98', 'CrD0cBZF1gOV7OGofVW', 'cKuVORZesXmKR8vaqSV', 'FVC4pwZ8CtfUiwN414l', 'KeC2EnZwa1Gv3ftjCys', 'Kjmp8tZJrlW23VlTSMm', 'oC3NGfZBdDhk0U3kd0U', 'siei2bZHtD0JCxZ29MN', 'emK5X8Z4hKcXBSW1ItA', 'TcDjyGZNaRGdHpehVJJ'
Source: hDKY4f6gEA.exe, n4evDjnXIvDTLQVR278.cs High entropy of concatenated method names: 'VJimWhKnA3', 'zggmN0r12f', 'zN0m8BhyZl', 'dRd4UaIZL9iwK9B3FSV', 'uyitZBIAswDSL6UOf3H', 'qvWnGdIkJ0mCYZaRsTP', 'PlT5YoIWeWXN3fdeur5', 'WcT457IlXZTYLaaZ8LU', 'AYYoF6IsAFhmlONpJYx', 'EuQGvyI7uNG46GYiky9'
Source: hDKY4f6gEA.exe, QEwntWnspV1iyjDPTky.cs High entropy of concatenated method names: 'nRpnpm26Sj', 'UIIn9GxmeX', 'nQ7nui9DLt', 'i0BS1oGg29bYYHNe7xE', 'lYD4wYGDZSVnWIHFWSM', 'WfKHH5GVrXoK6nMZuE8', 'ztWx1aGSsKwV7mR6rSX', 'gCvnHSrHjC', 'fKdnIpKumF', 'BgunmcXQmQ'
Source: hDKY4f6gEA.exe, HJAsWTEQN9udHE418u8.cs High entropy of concatenated method names: 'Y19C5cZXugE65f4uSJJ', 'SwYqDxZQ9imy110a2rh', 'OH98xUZCHCwsUg4SAxs', 'YOhcqcZPrU7bu3OvuSg', 'mejFcDieal', 'AYDPV8ZnEHJr5nnO1S5', 'xbu97CZLeRAcBTJM27g', 'YJHdRFZyGLxVvwgbILo', 'KHxh0BZY8huGXu7kVLj', 'QHYGAJZKI0dca7xwRDO'
Source: hDKY4f6gEA.exe, UQVkEe8HsS1hk1tYtGi.cs High entropy of concatenated method names: '_45b', 'ne2', '_115', '_3vY', 'zcFXJatrCr', '_3il', 'HqZXOYprev', 'f7dX0oaQ9J', '_78N', 'z3K'
Source: hDKY4f6gEA.exe, txaN6lnijfX2LRsbVms.cs High entropy of concatenated method names: 'ggNxsP9eHl', 'WxfxzeQTZ6', 'WxLK0tmgAMdkUBXfALd', 'Y2yuahmSGxvENlTS1TT', 'o87IeqmDKQP0CNJorAt', 'BRsY7EmVFIM9gaRwK6S'
Source: hDKY4f6gEA.exe, JmPfhWn7IBYjP3DInlt.cs High entropy of concatenated method names: '_269', '_5E7', 'JXFpROsv6v', 'Mz8', 'QompkYboY7', 'YTNpoljsuWKNtEiB8Tr', 'iuYg0Vj7MkDXnti5ORK', 'OCnsnsjtWK9saHadV12', 'IdRvn8jheoQyQ0Sh0wY', 'CdnEWgjRBumvl2qbZNU'
Source: hDKY4f6gEA.exe, z6Bjdu234rTCg6SYml.cs High entropy of concatenated method names: '_59M', 'YZ8', '_1zA', 'G9C', 'dPa0KHiv8QO5VqDVgc9', 'H74UECiUXIYmZJUU38m', 'OB2Kmhiq7P5TU6a7jA3', 'MQwGb7ickxAKGRHhS22', 'jT0lKairpTe2bxtbbdf', 'P45FRdiDbyYd8REovU6'
Source: hDKY4f6gEA.exe, afpkSqrnuQRVEvZTpH.cs High entropy of concatenated method names: '_3OK', 'YZ8', '_321', 'G9C', 'v5oB5cOaN7F0gCq9VL9', 'vKYZgyO2PFXdQ94suX8', 'FlMPcyOzs19o3Arj622', 'UsU3mKi1Q0FVrbVmOMI', 'n67LOQi0eaq5dcDLLhr', 'jsAUSNiOCuJaHX25r9A'
Source: hDKY4f6gEA.exe, BFLC8ynBqVvKeC1HJAR.cs High entropy of concatenated method names: '_5u9', 'McCplhLhxE', 'AWLPJI6ytD', 'VU9pLlT7Ow', 'eOTGnCmd91ojxV4vUvL', 'OYYkJ4maPlOZ7Ekv0oT', 'dW7fLcm2qJ75TCsRW2s', 'kEJ1vmmhaoZ1MvmRCIF', 'ibWRJumRQDkfu3ZPuiV', 'cWmlqtmz3DkkKbk0lCN'
Source: hDKY4f6gEA.exe, g7JpoNjBEwlUXWf0JN.cs High entropy of concatenated method names: 'P37', 'YZ8', 'b2I', 'G9C', 'vrN1euEgEBplr2s0QGo', 'zaSUORESJUiMM97Vap0', 'QnVFNiEZBhte4OxIQg4', 'WGMlicEAibHE0ZMp936', 'Ci11aYEkBXEQu8LVuxr', 'i0bZtYEWVS6etiUvI8q'
Source: hDKY4f6gEA.exe, mnI83WAtWpIEIjpZhQ0.cs High entropy of concatenated method names: 'bfXCvp3RR1', 'a3U2sfgnQhruAf7Y7Fm', 'xEvJtwgLhsIv4xryKh8', 'mnVRTFgM3GiTmHDFYqI', 'yBEVt5g9GytTfVlOe1l', '_1fi', 'Tq9b8VBXQ2', '_676', 'IG9', 'mdP'
Source: hDKY4f6gEA.exe, x4hZvwnOFZCr1KuNCs1.cs High entropy of concatenated method names: 'AFemYUDZeJ', 'zEim6GbGIZ', 'o6vm1S939u', 'rEomq11A4w', 'YpXm2o4jmT', 'rcF1vuGbwR0DywU3MqH', 'p6yNTXG3rOmEpX0SHUV', 'u5pYl1GEod6lWamDI2K', 'oNcb55GpVyAvfLHBlnd', 'hVckbaGfNhhHSx6BNj6'
Source: hDKY4f6gEA.exe, DcdcmOSiwoHUfxA8Xuk.cs High entropy of concatenated method names: 'atPHm2NnL9', 'GK5HnyeH8P', 'Ly9hCdwh5CCD71Y10ig', 'Gc9bR1wROgS4YFRgD2Q', 'l3JF56w7nj4rVatIIT4', 'zwWYDWwtLJkwex15AZA', 'LsiHu7QmoW', 'JrfIClJ1xyKrQdllSKN', 'AT28gyJ03gqFtDhU2Tp', 'IeD0M4w2FFaFFDqge98'
Source: hDKY4f6gEA.exe, fg0sShgDOIVnNVDfTZg.cs High entropy of concatenated method names: 'Fd6ZKLTa0E', 'TFLZWIhRfK', 'ulsZNCg65h', 'PWhq99UrhI9oBvkUrSB', 'a7umOLUq5kZnjMeAbjp', 'pcFTyUUcuQjytl13C02', 'exn5C4UD0agwHqT3dTP', 'GF9KmbUVv4pgoSOE4Rc', 'J5CWTDUgHFiPaYNHgBe', 'LM6rjWUStVbdj1OPLef'
Source: hDKY4f6gEA.exe, Osay5ASmQXsSW6hx9Sm.cs High entropy of concatenated method names: 'jwYfXGx0IO', 'nVlfcBI8iR', 'ysDuqmFCu5yVBR38mwi', 'w3QG45FPrQF4bMdY1yp', 'mreB2tFmL6L6HQtxC9s', 'VYu11BFjqwtqCkr9cJq', 'Lc8J5HFXifcKcnZGLbj', 'FFKtS2FQOXANeEwGw5l', 'Iq24N8FMByofkyN5EfH', 'Dr46Z4F9llA7ne98MtV'
Source: hDKY4f6gEA.exe, L5l1hm3WPGDnVtsXap.cs High entropy of concatenated method names: '_52U', 'YZ8', 'M5A', 'G9C', 'LAgHxFptjsiYlGNJoEp', 'RJogNyphRMGHeRCkJZR', 'e7JpbRpR1LWv3dYsliR', 'eoy7ZqpdK39YVWeSNO6', 'ILWD6vpaRPiafckynaL', 'e4xLiDp2lJq432b8jdT'
Source: hDKY4f6gEA.exe, lAw3EwFG4fxnIQdsVRS.cs High entropy of concatenated method names: '_3fO', 'YZ8', '_48A', 'G9C', 'USIDmt33YbAbcdtbern', 'xXxRYF3fbTEnqkNTEp2', 'cdrt2r3u5mgR9B08Pa7', 'mKhya636YcKET8AAdVw', 'FlAjbR35Y6Gsm9Xy9rG', 'OOi6uh3xr9G6tCMoFRd'
Source: hDKY4f6gEA.exe, SdVTqPFOVEcn2ndX7yV.cs High entropy of concatenated method names: 'yiQ', 'YZ8', '_5li', 'G9C', 'dsXA0jf1S0dB8fZt7J5', 'gKepJLf0Re3nXXGF1NC', 'k3Zgl7fOiacSTIlZmKB', 'BLlEyLfidjlyRkcmQmA', 'FLEVNFfEd0Zml6vZHt0', 'ymFnUnfpTKUsnrgc32D'
Source: hDKY4f6gEA.exe, jbg15QSCOPjxdJbHAE7.cs High entropy of concatenated method names: 'BQv0jYMXFN', 'RtW0A2C2LO', 'xZf0Vk1FJH', 'wqcdLcxYbDTyhPF2Yfj', 'GjQ9YtxKHYJ4D3oFi8k', 'jQlmgrxTPEtiZ9Cg8vD', 'grYSDAxvJtaB3Zf5CBY', 'B2funaxUASkmcaPqT0i', 'yn8qG2xqgcTv07NMdRj', 'aaK1UdxLK3bhIPJNItG'
Source: hDKY4f6gEA.exe, qnvVcxB3Tt9cckw3iE.cs High entropy of concatenated method names: '_468', 'YZ8', '_2M1', 'G9C', 'xSYitfEwWUusBrYXfJ0', 'VwiAAPEJ2rNm3ArHcu6', 'OxZWjWE404DEcSMtKp5', 'e7P1wPENKKbod3yNFg3', 'q8lIh7EIHNKt742HaI3', 'VsntMMEGKERGVZX7jRv'

Persistence and Installation Behavior

Source: C:\Users\user\Desktop\hDKY4f6gEA.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create (57 identical entries)
Source: C:\Users\user\Desktop\hDKY4f6gEA.exe File created: C:\Program Files\Uninstall Information\wininit.exe
Source: C:\Users\user\Desktop\hDKY4f6gEA.exe File created: C:\Recovery\smss.exe
Source: C:\Users\user\Desktop\hDKY4f6gEA.exe File created: C:\Program Files (x86)\Internet Explorer\services.exe
Source: C:\Users\user\Desktop\hDKY4f6gEA.exe File written: C:\Program Files (x86)\Internet Explorer\services.exe
Source: C:\Users\user\Desktop\hDKY4f6gEA.exe File created: C:\Program Files\Windows Defender\RCXA207.tmp
Source: C:\Users\user\Desktop\hDKY4f6gEA.exe File created: C:\Windows\LiveKernelReports\System.exe
Source: C:\Users\user\Desktop\hDKY4f6gEA.exe File created: C:\ProgramData\Microsoft\MapData\SystemSettings.exe
Source: C:\Users\user\Desktop\hDKY4f6gEA.exe File created: C:\Program Files (x86)\microsoft office\RuntimeBroker.exe (copy)
Source: C:\Users\user\Desktop\hDKY4f6gEA.exe File created: C:\Program Files (x86)\Java\jre-1.8\RCXA65D.tmp
Source: C:\Users\user\Desktop\hDKY4f6gEA.exe File created: C:\Users\Public\Desktop\IfYiMMRuvSUMKHkp.exe
Source: C:\Users\user\Desktop\hDKY4f6gEA.exe File created: C:\Program Files\Uninstall Information\RCXB8D3.tmp
Source: C:\Users\user\Desktop\hDKY4f6gEA.exe File created: C:\Program Files\Uninstall Information\wininit.exe
Source: C:\Users\user\Desktop\hDKY4f6gEA.exe File created: C:\Windows\Registration\CRMLog\IfYiMMRuvSUMKHkp.exe
Source: C:\Users\user\Desktop\hDKY4f6gEA.exe File created: C:\Users\Public\Videos\RCXBB84.tmp
Source: C:\Users\user\Desktop\hDKY4f6gEA.exe File created: C:\Program Files (x86)\internet explorer\services.exe (copy)
Source: C:\Users\user\Desktop\hDKY4f6gEA.exe File created: C:\Program Files (x86)\Microsoft Office\RuntimeBroker.exe
Source: C:\Users\user\Desktop\hDKY4f6gEA.exe File created: C:\Program Files\Microsoft\OneDrive\IfYiMMRuvSUMKHkp.exe
Source: C:\Users\user\Desktop\hDKY4f6gEA.exe File created: C:\Users\Default\AppData\Roaming\Microsoft\IfYiMMRuvSUMKHkp.exe
Source: C:\Users\user\Desktop\hDKY4f6gEA.exe File created: C:\Program Files\Windows Multimedia Platform\IfYiMMRuvSUMKHkp.exe
Source: C:\Users\user\Desktop\hDKY4f6gEA.exe File created: C:\Users\Public\Videos\RCX99B7.tmp
Source: C:\Users\user\Desktop\hDKY4f6gEA.exe File created: C:\Users\All Users\Microsoft\MapData\SystemSettings.exe (copy)
Source: C:\Users\user\Desktop\hDKY4f6gEA.exe File created: C:\Windows\LiveKernelReports\RCXAD07.tmp
Source: C:\Users\user\Desktop\hDKY4f6gEA.exe File created: C:\Users\user\Desktop\hDKY4f6gEA.exe (copy)
Source: C:\Users\user\Desktop\hDKY4f6gEA.exe File created: C:\Users\Public\Videos\IfYiMMRuvSUMKHkp.exe
Source: C:\Users\user\Desktop\hDKY4f6gEA.exe File created: C:\ProgramData\Microsoft\MapData\RCXB47C.tmp
Source: C:\Users\user\Desktop\hDKY4f6gEA.exe File created: C:\Users\Default\AppData\Roaming\Microsoft\RCXBE25.tmp
Source: C:\Users\user\Desktop\hDKY4f6gEA.exe File created: C:\Recovery\RCX9764.tmp
Source: C:\Users\user\Desktop\hDKY4f6gEA.exe File created: C:\Users\All Users\Desktop\IfYiMMRuvSUMKHkp.exe (copy)
Source: C:\Users\user\Desktop\hDKY4f6gEA.exe File created: C:\Program Files (x86)\windowspowershell\dllhost.exe (copy)
Source: C:\Users\user\Desktop\hDKY4f6gEA.exe File created: C:\Program Files (x86)\Microsoft Office\RCXB219.tmp
Source: C:\Users\user\Desktop\hDKY4f6gEA.exe File created: C:\Recovery\RCXC0C5.tmp
Source: C:\Users\user\Desktop\hDKY4f6gEA.exe File created: C:\Users\Public\Desktop\RCXC366.tmp
Source: C:\Users\user\Desktop\hDKY4f6gEA.exe File created: C:\Program Files (x86)\WindowsPowerShell\dllhost.exe
Source: C:\Users\user\Desktop\hDKY4f6gEA.exe File created: C:\Users\user\IfYiMMRuvSUMKHkp.exe
Source: C:\Users\user\Desktop\hDKY4f6gEA.exe File created: C:\Program Files (x86)\java\jre-1.8\IfYiMMRuvSUMKHkp.exe (copy)
Source: C:\Users\user\Desktop\hDKY4f6gEA.exe File created: C:\Program Files\Microsoft\OneDrive\RCXC626.tmp
Source: C:\Users\user\Desktop\hDKY4f6gEA.exe File created: C:\Program Files (x86)\WindowsPowerShell\RCX9FD4.tmp
Source: C:\Users\user\Desktop\hDKY4f6gEA.exe File created: C:\Recovery\IfYiMMRuvSUMKHkp.exe
Source: C:\Users\user\Desktop\hDKY4f6gEA.exe File created: C:\Recovery\smss.exe
Source: C:\Users\user\Desktop\hDKY4f6gEA.exe File created: C:\Program Files (x86)\Internet Explorer\services.exe
Source: C:\Users\user\Desktop\hDKY4f6gEA.exe File created: C:\Windows\Registration\CRMLog\RCX9C96.tmp
Source: C:\Users\user\Desktop\hDKY4f6gEA.exe File created: C:\Users\user\Desktop\RCX9531.tmp
Source: C:\Users\user\Desktop\hDKY4f6gEA.exe File created: C:\Program Files\Windows Multimedia Platform\RCXAA37.tmp
Source: C:\Users\user\Desktop\hDKY4f6gEA.exe File created: C:\Users\Public\Videos\dasHost.exe
Source: C:\Users\user\Desktop\hDKY4f6gEA.exe File created: C:\Program Files (x86)\Java\jre-1.8\IfYiMMRuvSUMKHkp.exe
Source: C:\Users\user\Desktop\hDKY4f6gEA.exe File created: C:\Users\user\RCXAF2A.tmp
Source: C:\Users\user\Desktop\hDKY4f6gEA.exe File created: C:\Program Files (x86)\Internet Explorer\RCXB6AF.tmp
Source: C:\Users\user\Desktop\hDKY4f6gEA.exe File created: C:\Users\Default\Application Data\Microsoft\IfYiMMRuvSUMKHkp.exe (copy)
Source: C:\Users\user\Desktop\hDKY4f6gEA.exe File created: C:\Program Files\Windows Defender\IfYiMMRuvSUMKHkp.exe
Source: C:\Users\user\Desktop\hDKY4f6gEA.exe File created: C:\ProgramData\Microsoft\MapData\RCXB47C.tmp
Source: C:\Users\user\Desktop\hDKY4f6gEA.exe File created: C:\ProgramData\Microsoft\MapData\SystemSettings.exe
Source: C:\Users\user\Desktop\hDKY4f6gEA.exe File created: C:\Users\user\IfYiMMRuvSUMKHkp.exe
Source: C:\Users\user\Desktop\hDKY4f6gEA.exe File created: C:\Users\user\RCXAF2A.tmp
Source: C:\Users\user\Desktop\hDKY4f6gEA.exe File created: C:\Windows\LiveKernelReports\System.exe
Source: C:\Users\user\Desktop\hDKY4f6gEA.exe File created: C:\Windows\Registration\CRMLog\IfYiMMRuvSUMKHkp.exe
Source: C:\Users\user\Desktop\hDKY4f6gEA.exe File created: C:\Windows\Registration\CRMLog\RCX9C96.tmp
Source: C:\Users\user\Desktop\hDKY4f6gEA.exe File created: C:\Windows\LiveKernelReports\RCXAD07.tmp

Boot Survival

Source: C:\Users\user\Desktop\hDKY4f6gEA.exe File created: C:\Users\user\IfYiMMRuvSUMKHkp.exe
Source: C:\Users\user\Desktop\hDKY4f6gEA.exe File created: C:\Users\user\RCXAF2A.tmp
Source: C:\Users\user\Desktop\hDKY4f6gEA.exe Process information set: NOOPENFILEERRORBOX (50 identical entries)
Source: C:\Program Files (x86)\WindowsPowerShell\dllhost.exe Process information set: NOOPENFILEERRORBOX (31 identical entries)
Source: C:\Program Files (x86)\WindowsPowerShell\dllhost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\WindowsPowerShell\dllhost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\WindowsPowerShell\dllhost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\WindowsPowerShell\dllhost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\WindowsPowerShell\dllhost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\WindowsPowerShell\dllhost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\WindowsPowerShell\dllhost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\WindowsPowerShell\dllhost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\WindowsPowerShell\dllhost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\WindowsPowerShell\dllhost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\WindowsPowerShell\dllhost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\WindowsPowerShell\dllhost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\WindowsPowerShell\dllhost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\WindowsPowerShell\dllhost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\WindowsPowerShell\dllhost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\WindowsPowerShell\dllhost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\WindowsPowerShell\dllhost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\WindowsPowerShell\dllhost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\WindowsPowerShell\dllhost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\WindowsPowerShell\dllhost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\WindowsPowerShell\dllhost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\WindowsPowerShell\dllhost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\WindowsPowerShell\dllhost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\WindowsPowerShell\dllhost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\WindowsPowerShell\dllhost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\WindowsPowerShell\dllhost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\WindowsPowerShell\dllhost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\WindowsPowerShell\dllhost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\WindowsPowerShell\dllhost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\WindowsPowerShell\dllhost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\WindowsPowerShell\dllhost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\WindowsPowerShell\dllhost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\WindowsPowerShell\dllhost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\WindowsPowerShell\dllhost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\WindowsPowerShell\dllhost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Windows Defender\IfYiMMRuvSUMKHkp.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Windows Defender\IfYiMMRuvSUMKHkp.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Windows Defender\IfYiMMRuvSUMKHkp.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Windows Defender\IfYiMMRuvSUMKHkp.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Windows Defender\IfYiMMRuvSUMKHkp.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Windows Defender\IfYiMMRuvSUMKHkp.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Windows Defender\IfYiMMRuvSUMKHkp.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Windows Defender\IfYiMMRuvSUMKHkp.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Windows Defender\IfYiMMRuvSUMKHkp.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Windows Defender\IfYiMMRuvSUMKHkp.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Windows Defender\IfYiMMRuvSUMKHkp.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Windows Defender\IfYiMMRuvSUMKHkp.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Windows Defender\IfYiMMRuvSUMKHkp.exe Process information set: NOOPENFILEERRORBOX
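The entries above repeat the same SetErrorMode observation dozens of times per process, and the useful signal is buried in the source paths. The following is an added example, not part of the sandbox report or its tooling: it parses lines in the report's "Source: ... Process information set: ..." format, collapses repeats into per-process counts, and flags processes whose file name is a well-known Windows system binary but whose directory is not System32 or SysWOW64 (the dllhost.exe under WindowsPowerShell above). The input lines, the system-binary name list and the expected-directory list are constructed for illustration.

```python
"""Summarise sandbox "Process information set" lines and flag masquerading.

Added example, not code from the sandbox report. Paths in SAMPLE_LINES are
taken from the report; the repeat counts and the System32 line are constructed.
"""
import re
from collections import Counter
from pathlib import PureWindowsPath

# Constructed input: three paths from the report plus one constructed
# legitimate dllhost.exe line to show the masquerade check does not fire on it.
SAMPLE_LINES = r"""
Source: C:\Users\user\Desktop\hDKY4f6gEA.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\WindowsPowerShell\dllhost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\WindowsPowerShell\dllhost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Windows Defender\IfYiMMRuvSUMKHkp.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\dllhost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
"""

# One report line: "Source: <path>.exe Process information set: <FLAG> [Jump to behavior]"
LINE_RE = re.compile(
    r"^Source:\s+(?P<path>[A-Za-z]:\\.+?\.exe)\s+Process information set:\s+(?P<flag>\S+)",
    re.IGNORECASE,
)

# Assumed, illustrative list of system binary names malware likes to borrow.
SYSTEM_BINARY_NAMES = {
    "dllhost.exe", "svchost.exe", "csrss.exe", "lsass.exe", "winlogon.exe",
    "explorer.exe", "rundll32.exe", "conhost.exe", "smss.exe", "services.exe",
}
# Directories where those binaries legitimately live (assumed allowlist).
EXPECTED_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}


def parse_lines(text):
    """Return (path, flag) pairs for every line matching the report format."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            records.append((m.group("path"), m.group("flag").upper()))
    return records


def summarize(records):
    """Collapse repeated lines into {path: Counter({flag: count})}."""
    summary = {}
    for path, flag in records:
        summary.setdefault(path, Counter())[flag] += 1
    return summary


def masquerading(paths):
    """Paths whose file name is a system binary name but whose directory is
    not one of the expected system directories."""
    hits = []
    for path in paths:
        p = PureWindowsPath(path)
        if p.name.lower() in SYSTEM_BINARY_NAMES and str(p.parent).lower() not in EXPECTED_DIRS:
            hits.append(path)
    return hits


if __name__ == "__main__":
    summary = summarize(parse_lines(SAMPLE_LINES))
    for path, flags in summary.items():
        for flag, n in flags.items():
            print(f"{path}: {flag} x{n}")
    for path in masquerading(summary):
        print(f"MASQUERADE: {path}")
```

The directory check compares the parent path case-insensitively, so it also catches copies dropped into user-writable locations such as the Desktop or ProgramData; extend SYSTEM_BINARY_NAMES with the names your environment sees abused.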