
Windows Analysis Report
hDKY4f6gEA.exe

Overview

General Information

Sample name: hDKY4f6gEA.exe (renamed because the original name is a hash value)
Original sample name: 3e40d7f0c47407447c1fa9be4ec0f714.exe
Analysis ID: 1523783
MD5: 3e40d7f0c47407447c1fa9be4ec0f714
SHA1: f8633060aa590db85a70e9d1ae220b220ed03a98
SHA256: 497ac5eb72b62c3db2d5383bc2823bf38596e00d877ec7e9d572a94830f07a0e
Tags: DCRat, exe, user-abuse_ch

Detection

DCRat
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Found malware configuration
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected DCRat
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
AI detected suspicious sample
Creates processes via WMI
Disable UAC(promptonsecuredesktop)
Disables UAC (registry)
Drops PE files to the user root directory
Drops PE files with benign system names
Drops executable to a common third party application directory
Machine Learning detection for dropped file
Machine Learning detection for sample
Sigma detected: Files With System Process Name In Unsuspected Locations
Sigma detected: System File Execution Location Anomaly
Allocates memory with a write watch (potentially for evading sandboxes)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Detected potential crypto function
Drops PE files
Drops PE files to the application program directory (C:\ProgramData)
Drops PE files to the user directory
Drops PE files to the windows directory (C:\Windows)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • hDKY4f6gEA.exe (PID: 6936 cmdline: "C:\Users\user\Desktop\hDKY4f6gEA.exe" MD5: 3E40D7F0C47407447C1FA9BE4EC0F714)
  • dllhost.exe (PID: 7372 cmdline: "C:\Program Files (x86)\windowspowershell\dllhost.exe" MD5: 3E40D7F0C47407447C1FA9BE4EC0F714)
  • dllhost.exe (PID: 7412 cmdline: "C:\Program Files (x86)\windowspowershell\dllhost.exe" MD5: 3E40D7F0C47407447C1FA9BE4EC0F714)
  • IfYiMMRuvSUMKHkp.exe (PID: 7440 cmdline: "C:\Program Files\Windows Defender\IfYiMMRuvSUMKHkp.exe" MD5: 3E40D7F0C47407447C1FA9BE4EC0F714)
  • IfYiMMRuvSUMKHkp.exe (PID: 7476 cmdline: C:\Recovery\IfYiMMRuvSUMKHkp.exe MD5: 3E40D7F0C47407447C1FA9BE4EC0F714)
  • cleanup
Source | Rule | Description | Author
00000015.00000002.1785792731.0000000002E81000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_DCRat_1 | Yara detected DCRat | Joe Security
00000014.00000002.1780433125.0000000002BAF000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_DCRat_1 | Yara detected DCRat | Joe Security
00000000.00000002.1931637010.00000000032B1000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_DCRat_1 | Yara detected DCRat | Joe Security
00000014.00000002.1780433125.0000000002B71000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_DCRat_1 | Yara detected DCRat | Joe Security
00000014.00000002.1780644862.0000000012B81000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_DCRat_1 | Yara detected DCRat | Joe Security

System Summary

Sigma rule: Files With System Process Name In Unsuspected Locations. Source: File created; Author: Sander Wiebing, Tim Shelton, Nasreddine Bencherchali (Nextron Systems); Data: EventID: 11, Image: C:\Users\user\Desktop\hDKY4f6gEA.exe, ProcessId: 6936, TargetFilename: C:\Program Files (x86)\windowspowershell\dllhost.exe
Sigma rule: System File Execution Location Anomaly. Source: Process started; Author: Florian Roth (Nextron Systems), Patrick Bareiss, Anton Kutepov, oscd.community, Nasreddine Bencherchali; Data: Command: "C:\Program Files (x86)\windowspowershell\dllhost.exe", CommandLine: "C:\Program Files (x86)\windowspowershell\dllhost.exe", CommandLine|base64offset|contains: )^, Image: C:\Program Files (x86)\WindowsPowerShell\dllhost.exe, NewProcessName: C:\Program Files (x86)\WindowsPowerShell\dllhost.exe, OriginalFileName: C:\Program Files (x86)\WindowsPowerShell\dllhost.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 1044, ProcessCommandLine: "C:\Program Files (x86)\windowspowershell\dllhost.exe", ProcessId: 7372, ProcessName: dllhost.exe

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-10-02T02:37:30.216984+0200 | 2034194 | 1 | A Network Trojan was detected | 192.168.2.4 | 49741 | 141.8.192.103 | 80 | TCP

AV Detection

Source: hDKY4f6gEA.exe; Avira: detected
Source: C:\Program Files (x86)\Internet Explorer\RCXB6AF.tmp; Avira: detection malicious, Label: HEUR/AGEN.1323984
Source: C:\Program Files (x86)\WindowsPowerShell\dllhost.exe; Avira: detection malicious, Label: HEUR/AGEN.1323984
Source: C:\Program Files\Windows Defender\RCXA207.tmp; Avira: detection malicious, Label: HEUR/AGEN.1323984
Source: C:\ProgramData\Microsoft\MapData\RCXB47C.tmp; Avira: detection malicious, Label: HEUR/AGEN.1323984
Source: C:\Program Files\Windows Multimedia Platform\RCXAA37.tmp; Avira: detection malicious, Label: HEUR/AGEN.1323984
Source: C:\Program Files (x86)\Java\jre-1.8\IfYiMMRuvSUMKHkp.exe; Avira: detection malicious, Label: HEUR/AGEN.1323984
Source: C:\Program Files (x86)\Java\jre-1.8\IfYiMMRuvSUMKHkp.exe; Avira: detection malicious, Label: HEUR/AGEN.1323984
Source: C:\Program Files (x86)\Microsoft Office\RuntimeBroker.exe; Avira: detection malicious, Label: HEUR/AGEN.1323984
Source: C:\Program Files (x86)\Java\jre-1.8\RCXA65D.tmp; Avira: detection malicious, Label: HEUR/AGEN.1323984
Source: C:\ProgramData\Microsoft\MapData\SystemSettings.exe; Avira: detection malicious, Label: HEUR/AGEN.1323984
Source: C:\Program Files (x86)\Java\jre-1.8\IfYiMMRuvSUMKHkp.exe; Avira: detection malicious, Label: HEUR/AGEN.1323984
Source: C:\Program Files\Microsoft\OneDrive\RCXC626.tmp; Avira: detection malicious, Label: HEUR/AGEN.1323984
Source: C:\Program Files (x86)\Microsoft Office\RCXB219.tmp; Avira: detection malicious, Label: HEUR/AGEN.1323984
Source: C:\Program Files (x86)\Internet Explorer\services.exe; Avira: detection malicious, Label: HEUR/AGEN.1323984
Source: C:\Program Files\Uninstall Information\RCXB8D3.tmp; Avira: detection malicious, Label: HEUR/AGEN.1323984
Source: C:\Program Files (x86)\Java\jre-1.8\IfYiMMRuvSUMKHkp.exe; Avira: detection malicious, Label: HEUR/AGEN.1323984
Source: C:\Program Files (x86)\WindowsPowerShell\RCX9FD4.tmp; Avira: detection malicious, Label: HEUR/AGEN.1323984
Source: C:\Program Files\Uninstall Information\wininit.exe; Avira: detection malicious, Label: HEUR/AGEN.1323984
Source: 00000014.00000002.1780644862.0000000012B81000.00000004.00000800.00020000.00000000.sdmp; Malware Configuration Extractor: DCRat {"SCRT": "{\"3\":\"-\",\"x\":\"`\",\"B\":\".\",\"L\":\",\",\"6\":\"$\",\"n\":\"*\",\"9\":\"%\",\"M\":\"~\",\"o\":\"&\",\"I\":\";\",\"y\":\"^\",\"Z\":\"_\",\"g\":\")\",\"A\":\"#\",\"C\":\" \",\"X\":\"(\",\"i\":\"!\",\"H\":\"|\",\"0\":\"@\",\"m\":\"<\",\"J\":\">\"}", "PCRT": "{\"F\":\".\",\"J\":\"|\",\"o\":\"%\",\"C\":\"@\",\"1\":\"`\",\"U\":\"$\",\"l\":\"!\",\"3\":\"<\",\"a\":\"-\",\"V\":\",\",\"m\":\"~\",\"e\":\"*\",\"Y\":\"#\",\"S\":\">\",\"d\":\";\",\"0\":\")\",\"k\":\"^\",\"Q\":\" \",\"E\":\"(\",\"Z\":\"&\",\"W\":\"_\"}", "TAG": "", "MUTEX": "DCR_MUTEX-jEyOhPUj2jRHWsBrfp7T", "LDTM": false, "DBG": false, "SST": 5, "SMST": 2, "BCS": 0, "AUR": 1, "ASCFG": {"savebrowsersdatatosinglefile": false, "ignorepartiallyemptydata": false, "cookies": true, "passwords": true, "forms": true, "cc": true, "history": false, "telegram": true, "steam": true, "discord": true, "filezilla": true, "screenshot": true, "clipboard": true, "sysinfo": true, "searchpath": "%UsersFolder% - Fast"}, "AS": true, "ASO": false, "AD": false}
Source: C:\Program Files (x86)\Internet Explorer\services.exe; ReversingLabs: Detection: 84%
Source: C:\Program Files (x86)\Internet Explorer\services.exe; Virustotal: Detection: 67%
Source: C:\Program Files (x86)\Java\jre-1.8\IfYiMMRuvSUMKHkp.exe; ReversingLabs: Detection: 84%
Source: C:\Program Files (x86)\Java\jre-1.8\IfYiMMRuvSUMKHkp.exe; Virustotal: Detection: 67%
Source: C:\Program Files (x86)\Microsoft Office\RuntimeBroker.exe; ReversingLabs: Detection: 84%
Source: C:\Program Files (x86)\Microsoft Office\RuntimeBroker.exe; Virustotal: Detection: 67%
Source: C:\Program Files (x86)\WindowsPowerShell\dllhost.exe; ReversingLabs: Detection: 84%
Source: C:\Program Files (x86)\WindowsPowerShell\dllhost.exe; Virustotal: Detection: 67%
Source: C:\Program Files\Microsoft\OneDrive\IfYiMMRuvSUMKHkp.exe; ReversingLabs: Detection: 84%
Source: C:\Program Files\Microsoft\OneDrive\IfYiMMRuvSUMKHkp.exe; Virustotal: Detection: 67%
Source: C:\Program Files\Uninstall Information\wininit.exe; ReversingLabs: Detection: 84%
Source: C:\Program Files\Uninstall Information\wininit.exe; Virustotal: Detection: 67%
Source: C:\Program Files\Windows Defender\IfYiMMRuvSUMKHkp.exe; ReversingLabs: Detection: 84%
Source: C:\Program Files\Windows Defender\IfYiMMRuvSUMKHkp.exe; Virustotal: Detection: 67%
Source: C:\Program Files\Windows Multimedia Platform\IfYiMMRuvSUMKHkp.exe; ReversingLabs: Detection: 84%
Source: C:\Program Files\Windows Multimedia Platform\IfYiMMRuvSUMKHkp.exe; Virustotal: Detection: 67%
Source: C:\ProgramData\Microsoft\MapData\SystemSettings.exe; ReversingLabs: Detection: 84%
Source: C:\ProgramData\Microsoft\MapData\SystemSettings.exe; Virustotal: Detection: 67%
Source: C:\Recovery\IfYiMMRuvSUMKHkp.exe; ReversingLabs: Detection: 84%
Source: C:\Recovery\IfYiMMRuvSUMKHkp.exe; Virustotal: Detection: 67%
Source: hDKY4f6gEA.exe; ReversingLabs: Detection: 84%
Source: hDKY4f6gEA.exe; Virustotal: Detection: 67%
Source: Submitted Sample; Integrated Neural Analysis Model: Matched 100.0% probability
Source: C:\Program Files (x86)\Internet Explorer\RCXB6AF.tmp; Joe Sandbox ML: detected
Source: C:\Program Files (x86)\WindowsPowerShell\dllhost.exe; Joe Sandbox ML: detected
Source: C:\Program Files\Windows Defender\RCXA207.tmp; Joe Sandbox ML: detected
Source: C:\ProgramData\Microsoft\MapData\RCXB47C.tmp; Joe Sandbox ML: detected
Source: C:\Program Files\Windows Multimedia Platform\RCXAA37.tmp; Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Java\jre-1.8\IfYiMMRuvSUMKHkp.exe; Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Java\jre-1.8\IfYiMMRuvSUMKHkp.exe; Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Microsoft Office\RuntimeBroker.exe; Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Java\jre-1.8\RCXA65D.tmp; Joe Sandbox ML: detected
Source: C:\ProgramData\Microsoft\MapData\SystemSettings.exe; Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Java\jre-1.8\IfYiMMRuvSUMKHkp.exe; Joe Sandbox ML: detected
Source: C:\Program Files\Microsoft\OneDrive\RCXC626.tmp; Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Microsoft Office\RCXB219.tmp; Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Internet Explorer\services.exe; Joe Sandbox ML: detected
Source: C:\Program Files\Uninstall Information\RCXB8D3.tmp; Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Java\jre-1.8\IfYiMMRuvSUMKHkp.exe; Joe Sandbox ML: detected
Source: C:\Program Files (x86)\WindowsPowerShell\RCX9FD4.tmp; Joe Sandbox ML: detected
Source: C:\Program Files\Uninstall Information\wininit.exe; Joe Sandbox ML: detected
Source: hDKY4f6gEA.exe; Joe Sandbox ML: detected
Source: hDKY4f6gEA.exe; Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
Source: C:\Users\user\Desktop\hDKY4f6gEA.exe; Directory created: C:\Program Files\Windows Defender\IfYiMMRuvSUMKHkp.exe
Source: C:\Users\user\Desktop\hDKY4f6gEA.exe; Directory created: C:\Program Files\Windows Defender\047efad0ccc033
Source: C:\Users\user\Desktop\hDKY4f6gEA.exe; Directory created: C:\Program Files\Windows Multimedia Platform\IfYiMMRuvSUMKHkp.exe
Source: C:\Users\user\Desktop\hDKY4f6gEA.exe; Directory created: C:\Program Files\Windows Multimedia Platform\047efad0ccc033
Source: C:\Users\user\Desktop\hDKY4f6gEA.exe; Directory created: C:\Program Files\Uninstall Information\wininit.exe
Source: C:\Users\user\Desktop\hDKY4f6gEA.exe; Directory created: C:\Program Files\Uninstall Information\56085415360792
Source: C:\Users\user\Desktop\hDKY4f6gEA.exe; Directory created: C:\Program Files\Microsoft\OneDrive\IfYiMMRuvSUMKHkp.exe
Source: C:\Users\user\Desktop\hDKY4f6gEA.exe; Directory created: C:\Program Files\Microsoft\OneDrive\047efad0ccc033
Source: C:\Users\user\Desktop\hDKY4f6gEA.exe; Directory created: C:\Program Files\Windows Defender\RCXA207.tmp
Source: C:\Users\user\Desktop\hDKY4f6gEA.exe; Directory created: C:\Program Files\Windows Multimedia Platform\RCXAA37.tmp
Source: C:\Users\user\Desktop\hDKY4f6gEA.exe; Directory created: C:\Program Files\Uninstall Information\RCXB8D3.tmp
Source: C:\Users\user\Desktop\hDKY4f6gEA.exe; Directory created: C:\Program Files\Microsoft\OneDrive\RCXC626.tmp
Source: hDKY4f6gEA.exe; Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: C:\Users\user\Desktop\hDKY4f6gEA.exe; File opened: C:\Users\user\AppData\Roaming
Source: C:\Users\user\Desktop\hDKY4f6gEA.exe; File opened: C:\Users\user
Source: C:\Users\user\Desktop\hDKY4f6gEA.exe; File opened: C:\Users\user\AppData\Roaming\Microsoft\Internet Explorer
Source: C:\Users\user\Desktop\hDKY4f6gEA.exe; File opened: C:\Users\user\AppData\Roaming\Microsoft
Source: C:\Users\user\Desktop\hDKY4f6gEA.exe; File opened: C:\Users\user\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini
Source: C:\Users\user\Desktop\hDKY4f6gEA.exe; File opened: C:\Users\user\AppData

Networking

Source: Network traffic; Suricata IDS: 2034194 - Severity 1 - ET MALWARE DCRAT Activity (GET) : 192.168.2.4:49741 -> 141.8.192.103:80
Source: hDKY4f6gEA.exe, 00000000.00000002.1931637010.00000000032B1000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: hDKY4f6gEA.exe, 00000000.00000002.2004400234.000000001C7B3000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: https://aka.ms/Vh5j3k
Source: hDKY4f6gEA.exe, 00000000.00000002.2004400234.000000001C7B3000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: https://aka.ms/odirm2
Source: C:\Users\user\Desktop\hDKY4f6gEA.exe; File created: C:\Windows\Registration\CRMLog\IfYiMMRuvSUMKHkp.exe
Source: C:\Users\user\Desktop\hDKY4f6gEA.exe; File created: C:\Windows\Registration\CRMLog\IfYiMMRuvSUMKHkp.exe\:Zone.Identifier:$DATA
Source: C:\Users\user\Desktop\hDKY4f6gEA.exe; File created: C:\Windows\Registration\CRMLog\047efad0ccc033
Source: C:\Users\user\Desktop\hDKY4f6gEA.exe; File created: C:\Windows\LiveKernelReports\System.exe
Source: C:\Users\user\Desktop\hDKY4f6gEA.exe; File created: C:\Windows\LiveKernelReports\System.exe\:Zone.Identifier:$DATA
Source: C:\Users\user\Desktop\hDKY4f6gEA.exe; File created: C:\Windows\LiveKernelReports\27d1bcfc3c54e0
Source: C:\Users\user\Desktop\hDKY4f6gEA.exe; File created: C:\Windows\Registration\CRMLog\RCX9C96.tmp
Source: C:\Users\user\Desktop\hDKY4f6gEA.exe; File created: C:\Windows\LiveKernelReports\RCXAD07.tmp
Source: C:\Users\user\Desktop\hDKY4f6gEA.exe; Code function: 0_2_00007FFD9B8B8BF2
Source: C:\Users\user\Desktop\hDKY4f6gEA.exe; Code function: 0_2_00007FFD9B8A34C5
Source: C:\Program Files (x86)\WindowsPowerShell\dllhost.exe; Code function: 17_2_00007FFD9B8834C5
Source: C:\Program Files (x86)\WindowsPowerShell\dllhost.exe; Code function: 20_2_00007FFD9B8834C5
Source: C:\Program Files\Windows Defender\IfYiMMRuvSUMKHkp.exe; Code function: 21_2_00007FFD9B8B34C5
Source: C:\Recovery\IfYiMMRuvSUMKHkp.exe; Code function: 24_2_00007FFD9B8A34C5
Source: hDKY4f6gEA.exe, 00000000.00000002.1923149196.0000000003180000.00000004.08000000.00040000.00000000.sdmp; Binary or memory string: OriginalFilenameDisableUAC.dclib4 vs hDKY4f6gEA.exe
Source: hDKY4f6gEA.exe, 00000000.00000002.2001593529.000000001BC90000.00000004.08000000.00040000.00000000.sdmp; Binary or memory string: OriginalFilenameFileSearcher.dclib4 vs hDKY4f6gEA.exe
Source: hDKY4f6gEA.exe, 00000000.00000002.2003824745.000000001C626000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: OriginalFilenameczHEjglJqNje4j.exeD vs hDKY4f6gEA.exe
Source: hDKY4f6gEA.exe, 00000000.00000002.2003824745.000000001C626000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: OriginalFileName vs hDKY4f6gEA.exe
Source: hDKY4f6gEA.exe, 00000000.00000002.2001695665.000000001BCC0000.00000004.08000000.00040000.00000000.sdmp; Binary or memory string: OriginalFilenamePerformanceCounter.dclib4 vs hDKY4f6gEA.exe
Source: hDKY4f6gEA.exe, 00000000.00000002.1931637010.00000000032B1000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: OriginalFilename vs hDKY4f6gEA.exe
Source: hDKY4f6gEA.exe, 00000000.00000002.2001830299.000000001BCF0000.00000004.08000000.00040000.00000000.sdmp; Binary or memory string: OriginalFilename( vs hDKY4f6gEA.exe
Source: hDKY4f6gEA.exe, 00000000.00000002.2001620032.000000001BCA0000.00000004.08000000.00040000.00000000.sdmp; Binary or memory string: OriginalFilename( vs hDKY4f6gEA.exe
Source: hDKY4f6gEA.exe, 00000000.00000000.1646003846.0000000000F92000.00000002.00000001.01000000.00000003.sdmp; Binary or memory string: OriginalFilenameczHEjglJqNje4j.exeD vs hDKY4f6gEA.exe
Source: hDKY4f6gEA.exe, 00000000.00000002.1917323582.0000000003160000.00000004.08000000.00040000.00000000.sdmp; Binary or memory string: OriginalFilenameBuildInstallationTweaksPlugin.dll\ vs hDKY4f6gEA.exe
Source: hDKY4f6gEA.exe, 00000000.00000002.1931637010.00000000039F5000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: OriginalFilename vs hDKY4f6gEA.exe
Source: hDKY4f6gEA.exe, 00000000.00000002.1931637010.00000000039F5000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: OriginalFilename vs hDKY4f6gEA.exe
Source: hDKY4f6gEA.exe, 00000000.00000002.1931637010.00000000039F5000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: OriginalFilename8Em.exeD vs hDKY4f6gEA.exe
Source: hDKY4f6gEA.exe, 00000000.00000002.2004146373.000000001C6C7000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: OriginalFilenameczHEjglJqNje4j.exeD vs hDKY4f6gEA.exe
Source: hDKY4f6gEA.exe, 00000000.00000002.1907175697.0000000003150000.00000004.08000000.00040000.00000000.sdmp; Binary or memory string: OriginalFilename( vs hDKY4f6gEA.exe
Source: hDKY4f6gEA.exe, 00000000.00000002.2003030686.000000001C310000.00000004.08000000.00040000.00000000.sdmp; Binary or memory string: OriginalFilenameUSBSpread.dll4 vs hDKY4f6gEA.exe
Source: hDKY4f6gEA.exe, 00000000.00000002.2001662201.000000001BCB0000.00000004.08000000.00040000.00000000.sdmp; Binary or memory string: OriginalFilenameMessageOnStart.dclib4 vs hDKY4f6gEA.exe
Source: hDKY4f6gEA.exe, 00000000.00000002.2001735131.000000001BCD0000.00000004.08000000.00040000.00000000.sdmp; Binary or memory string: OriginalFilename4 vs hDKY4f6gEA.exe
Source: hDKY4f6gEA.exe, 00000000.00000002.2003068454.000000001C320000.00000004.08000000.00040000.00000000.sdmp; Binary or memory string: OriginalFilenameUserPingCounter.dclib4 vs hDKY4f6gEA.exe
Source: hDKY4f6gEA.exe, 00000000.00000002.2002384341.000000001C160000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: OriginalFilename05JTO83N2fiTkzY7mAmsYr6I.exeD vs hDKY4f6gEA.exe
Source: hDKY4f6gEA.exe, 00000000.00000002.2002384341.000000001C160000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: OriginalFilenameKpWuOxD.exeD vs hDKY4f6gEA.exe
Source: hDKY4f6gEA.exe, 00000000.00000002.2002384341.000000001C160000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: OriginalFilenameUzTvyhlVVu40TT576Y.exeD vs hDKY4f6gEA.exe
Source: hDKY4f6gEA.exe, 00000000.00000002.2003217197.000000001C530000.00000004.08000000.00040000.00000000.sdmp; Binary or memory string: OriginalFilename( vs hDKY4f6gEA.exe
Source: hDKY4f6gEA.exe, 00000000.00000002.2001776395.000000001BCE0000.00000004.08000000.00040000.00000000.sdmp; Binary or memory string: OriginalFilename4 vs hDKY4f6gEA.exe
Source: hDKY4f6gEA.exe, 00000000.00000002.1920485409.0000000003170000.00000004.08000000.00040000.00000000.sdmp; Binary or memory string: OriginalFilenameCrashLogger.dclib4 vs hDKY4f6gEA.exe
Source: hDKY4f6gEA.exe; Binary or memory string: OriginalFilenameczHEjglJqNje4j.exeD vs hDKY4f6gEA.exe
Source: hDKY4f6gEA.exe; Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
Source: hDKY4f6gEA.exe; Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: IfYiMMRuvSUMKHkp.exe.0.dr; Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: smss.exe.0.dr; Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: IfYiMMRuvSUMKHkp.exe0.0.dr; Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: IfYiMMRuvSUMKHkp.exe1.0.dr; Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: hDKY4f6gEA.exe, Ihuc0rACJiWN9h9ly0f.cs; Cryptographic APIs: 'TransformBlock'
Source: hDKY4f6gEA.exe, Ihuc0rACJiWN9h9ly0f.cs; Cryptographic APIs: 'TransformFinalBlock'
Source: hDKY4f6gEA.exe, HJAsWTEQN9udHE418u8.cs; Cryptographic APIs: 'CreateDecryptor'
Source: hDKY4f6gEA.exe, HJAsWTEQN9udHE418u8.cs; Cryptographic APIs: 'CreateDecryptor'
Source: classification engine; Classification label: mal100.troj.evad.winEXE@26/84@0/0
Source: C:\Users\user\Desktop\hDKY4f6gEA.exe; File created: C:\Program Files (x86)\windowspowershell\dllhost.exe
Source: C:\Users\user\Desktop\hDKY4f6gEA.exe; File created: C:\Users\Public\Videos\IfYiMMRuvSUMKHkp.exe
Source: C:\Recovery\IfYiMMRuvSUMKHkp.exe; Mutant created: NULL
Source: C:\Users\user\Desktop\hDKY4f6gEA.exe; Mutant created: \Sessions\1\BaseNamedObjects\Local\93ec258400f012aeafba1dd2a819020626051bef
Source: hDKY4f6gEA.exe; Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: hDKY4f6gEA.exe; Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.79%
Source: C:\Users\user\Desktop\hDKY4f6gEA.exe; WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create (57 identical entries)
Source: C:\Users\user\Desktop\hDKY4f6gEA.exe | File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\hDKY4f6gEA.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: hDKY4f6gEA.exe | ReversingLabs: Detection: 84%
Source: hDKY4f6gEA.exe | Virustotal: Detection: 67%
Source: C:\Users\user\Desktop\hDKY4f6gEA.exe | File read: C:\Users\user\Desktop\hDKY4f6gEA.exe
Source: unknown | Process created: C:\Users\user\Desktop\hDKY4f6gEA.exe "C:\Users\user\Desktop\hDKY4f6gEA.exe"
Source: unknown | Process created: C:\Program Files (x86)\WindowsPowerShell\dllhost.exe "C:\Program Files (x86)\windowspowershell\dllhost.exe"
Source: unknown | Process created: C:\Program Files (x86)\WindowsPowerShell\dllhost.exe "C:\Program Files (x86)\windowspowershell\dllhost.exe"
Source: unknown | Process created: C:\Program Files\Windows Defender\IfYiMMRuvSUMKHkp.exe "C:\Program Files\Windows Defender\IfYiMMRuvSUMKHkp.exe"
Source: unknown | Process created: C:\Recovery\IfYiMMRuvSUMKHkp.exe C:\Recovery\IfYiMMRuvSUMKHkp.exe
Source: C:\Users\user\Desktop\hDKY4f6gEA.exe | Process created: unknown unknown (21 identical entries)
Source: C:\Users\user\Desktop\hDKY4f6gEA.exe | Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\hDKY4f6gEA.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\hDKY4f6gEA.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\hDKY4f6gEA.exe | Section loaded: version.dll
Source: C:\Users\user\Desktop\hDKY4f6gEA.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\hDKY4f6gEA.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\hDKY4f6gEA.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\hDKY4f6gEA.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\hDKY4f6gEA.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\hDKY4f6gEA.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\hDKY4f6gEA.exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\hDKY4f6gEA.exe | Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\hDKY4f6gEA.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\hDKY4f6gEA.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\hDKY4f6gEA.exe | Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\hDKY4f6gEA.exe | Section loaded: amsi.dll
Source: C:\Users\user\Desktop\hDKY4f6gEA.exe | Section loaded: userenv.dll
Source: C:\Users\user\Desktop\hDKY4f6gEA.exe | Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\hDKY4f6gEA.exe | Section loaded: wbemcomn.dll
Source: C:\Users\user\Desktop\hDKY4f6gEA.exe | Section loaded: propsys.dll
Source: C:\Users\user\Desktop\hDKY4f6gEA.exe | Section loaded: twext.dll
Source: C:\Users\user\Desktop\hDKY4f6gEA.exe | Section loaded: cscui.dll
Source: C:\Users\user\Desktop\hDKY4f6gEA.exe | Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\Desktop\hDKY4f6gEA.exe | Section loaded: appresolver.dll
Source: C:\Users\user\Desktop\hDKY4f6gEA.exe | Section loaded: bcp47langs.dll
Source: C:\Users\user\Desktop\hDKY4f6gEA.exe | Section loaded: slc.dll
Source: C:\Users\user\Desktop\hDKY4f6gEA.exe | Section loaded: sppc.dll
Source: C:\Users\user\Desktop\hDKY4f6gEA.exe | Section loaded: policymanager.dll
Source: C:\Users\user\Desktop\hDKY4f6gEA.exe | Section loaded: msvcp110_win.dll
Source: C:\Users\user\Desktop\hDKY4f6gEA.exe | Section loaded: workfoldersshell.dll
Source: C:\Users\user\Desktop\hDKY4f6gEA.exe | Section loaded: ntshrui.dll
Source: C:\Users\user\Desktop\hDKY4f6gEA.exe | Section loaded: windows.fileexplorer.common.dll
Source: C:\Users\user\Desktop\hDKY4f6gEA.exe | Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\hDKY4f6gEA.exe | Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\hDKY4f6gEA.exe | Section loaded: cscapi.dll
Source: C:\Users\user\Desktop\hDKY4f6gEA.exe | Section loaded: twinapi.appcore.dll
Source: C:\Users\user\Desktop\hDKY4f6gEA.exe | Section loaded: textshaping.dll
Source: C:\Users\user\Desktop\hDKY4f6gEA.exe | Section loaded: wtsapi32.dll
Source: C:\Users\user\Desktop\hDKY4f6gEA.exe | Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\hDKY4f6gEA.exe | Section loaded: secur32.dll
Source: C:\Users\user\Desktop\hDKY4f6gEA.exe | Section loaded: wininet.dll
Source: C:\Users\user\Desktop\hDKY4f6gEA.exe | Section loaded: starttiledata.dll
Source: C:\Users\user\Desktop\hDKY4f6gEA.exe | Section loaded: coremessaging.dll
Source: C:\Users\user\Desktop\hDKY4f6gEA.exe | Section loaded: usermgrcli.dll
Source: C:\Users\user\Desktop\hDKY4f6gEA.exe | Section loaded: usermgrproxy.dll
Source: C:\Users\user\Desktop\hDKY4f6gEA.exe | Section loaded: acppage.dll
Source: C:\Users\user\Desktop\hDKY4f6gEA.exe | Section loaded: sfc.dll
Source: C:\Users\user\Desktop\hDKY4f6gEA.exe | Section loaded: msi.dll
Source: C:\Users\user\Desktop\hDKY4f6gEA.exe | Section loaded: aepic.dll
Source: C:\Users\user\Desktop\hDKY4f6gEA.exe | Section loaded: sfc_os.dll
Source: C:\Users\user\Desktop\hDKY4f6gEA.exe | Section loaded: edputil.dll
Source: C:\Users\user\Desktop\hDKY4f6gEA.exe | Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\hDKY4f6gEA.exe | Section loaded: netutils.dll
Source: C:\Users\user\Desktop\hDKY4f6gEA.exe | Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\hDKY4f6gEA.exe | Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\Desktop\hDKY4f6gEA.exe | Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\Desktop\hDKY4f6gEA.exe | Section loaded: msasn1.dll
Source: C:\Program Files (x86)\WindowsPowerShell\dllhost.exe | Section loaded: mscoree.dll
Source: C:\Program Files (x86)\WindowsPowerShell\dllhost.exe | Section loaded: apphelp.dll
Source: C:\Program Files (x86)\WindowsPowerShell\dllhost.exe | Section loaded: kernel.appcore.dll
Source: C:\Program Files (x86)\WindowsPowerShell\dllhost.exe | Section loaded: version.dll
Source: C:\Program Files (x86)\WindowsPowerShell\dllhost.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Program Files (x86)\WindowsPowerShell\dllhost.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Program Files (x86)\WindowsPowerShell\dllhost.exe | Section loaded: uxtheme.dll
Source: C:\Program Files (x86)\WindowsPowerShell\dllhost.exe | Section loaded: windows.storage.dll
Source: C:\Program Files (x86)\WindowsPowerShell\dllhost.exe | Section loaded: wldp.dll
Source: C:\Program Files (x86)\WindowsPowerShell\dllhost.exe | Section loaded: profapi.dll
Source: C:\Program Files (x86)\WindowsPowerShell\dllhost.exe | Section loaded: cryptsp.dll
Source: C:\Program Files (x86)\WindowsPowerShell\dllhost.exe | Section loaded: rsaenh.dll
Source: C:\Program Files (x86)\WindowsPowerShell\dllhost.exe | Section loaded: cryptbase.dll
Source: C:\Program Files (x86)\WindowsPowerShell\dllhost.exe | Section loaded: sspicli.dll
Source: C:\Program Files (x86)\WindowsPowerShell\dllhost.exe | Section loaded: mscoree.dll
Source: C:\Program Files (x86)\WindowsPowerShell\dllhost.exe | Section loaded: kernel.appcore.dll
Source: C:\Program Files (x86)\WindowsPowerShell\dllhost.exe | Section loaded: version.dll
Source: C:\Program Files (x86)\WindowsPowerShell\dllhost.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Program Files (x86)\WindowsPowerShell\dllhost.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Program Files (x86)\WindowsPowerShell\dllhost.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Program Files (x86)\WindowsPowerShell\dllhost.exe | Section loaded: uxtheme.dll
Source: C:\Program Files (x86)\WindowsPowerShell\dllhost.exe | Section loaded: windows.storage.dll
Source: C:\Program Files (x86)\WindowsPowerShell\dllhost.exe | Section loaded: wldp.dll
Source: C:\Program Files (x86)\WindowsPowerShell\dllhost.exe | Section loaded: profapi.dll
Source: C:\Program Files (x86)\WindowsPowerShell\dllhost.exe | Section loaded: cryptsp.dll
Source: C:\Program Files (x86)\WindowsPowerShell\dllhost.exe | Section loaded: rsaenh.dll
Source: C:\Program Files (x86)\WindowsPowerShell\dllhost.exe | Section loaded: cryptbase.dll
Source: C:\Program Files (x86)\WindowsPowerShell\dllhost.exe | Section loaded: sspicli.dll
Source: C:\Program Files\Windows Defender\IfYiMMRuvSUMKHkp.exe | Section loaded: mscoree.dll
Source: C:\Program Files\Windows Defender\IfYiMMRuvSUMKHkp.exe | Section loaded: apphelp.dll
Source: C:\Program Files\Windows Defender\IfYiMMRuvSUMKHkp.exe | Section loaded: kernel.appcore.dll
Source: C:\Program Files\Windows Defender\IfYiMMRuvSUMKHkp.exe | Section loaded: version.dll
Source: C:\Program Files\Windows Defender\IfYiMMRuvSUMKHkp.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Program Files\Windows Defender\IfYiMMRuvSUMKHkp.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Program Files\Windows Defender\IfYiMMRuvSUMKHkp.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Program Files\Windows Defender\IfYiMMRuvSUMKHkp.exe | Section loaded: uxtheme.dll
Source: C:\Program Files\Windows Defender\IfYiMMRuvSUMKHkp.exe | Section loaded: windows.storage.dll
Source: C:\Program Files\Windows Defender\IfYiMMRuvSUMKHkp.exe | Section loaded: wldp.dll
Source: C:\Program Files\Windows Defender\IfYiMMRuvSUMKHkp.exe | Section loaded: profapi.dll
Source: C:\Program Files\Windows Defender\IfYiMMRuvSUMKHkp.exe | Section loaded: cryptsp.dll
Source: C:\Program Files\Windows Defender\IfYiMMRuvSUMKHkp.exe | Section loaded: rsaenh.dll
Source: C:\Program Files\Windows Defender\IfYiMMRuvSUMKHkp.exe | Section loaded: cryptbase.dll
Source: C:\Program Files\Windows Defender\IfYiMMRuvSUMKHkp.exe | Section loaded: sspicli.dll
Source: C:\Recovery\IfYiMMRuvSUMKHkp.exe | Section loaded: mscoree.dll
Source: C:\Recovery\IfYiMMRuvSUMKHkp.exe | Section loaded: apphelp.dll
Source: C:\Recovery\IfYiMMRuvSUMKHkp.exe | Section loaded: kernel.appcore.dll
Source: C:\Recovery\IfYiMMRuvSUMKHkp.exe | Section loaded: version.dll
Source: C:\Recovery\IfYiMMRuvSUMKHkp.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Recovery\IfYiMMRuvSUMKHkp.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Recovery\IfYiMMRuvSUMKHkp.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Recovery\IfYiMMRuvSUMKHkp.exe | Section loaded: uxtheme.dll
Source: C:\Recovery\IfYiMMRuvSUMKHkp.exe | Section loaded: windows.storage.dll
Source: C:\Recovery\IfYiMMRuvSUMKHkp.exe | Section loaded: wldp.dll
Source: C:\Recovery\IfYiMMRuvSUMKHkp.exe | Section loaded: profapi.dll
Source: C:\Recovery\IfYiMMRuvSUMKHkp.exe | Section loaded: cryptsp.dll
Source: C:\Recovery\IfYiMMRuvSUMKHkp.exe | Section loaded: rsaenh.dll
Source: C:\Recovery\IfYiMMRuvSUMKHkp.exe | Section loaded: cryptbase.dll
Source: C:\Recovery\IfYiMMRuvSUMKHkp.exe | Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\hDKY4f6gEA.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32
Source: C:\Users\user\Desktop\hDKY4f6gEA.exe | Directory created: C:\Program Files\Windows Defender\IfYiMMRuvSUMKHkp.exe
Source: C:\Users\user\Desktop\hDKY4f6gEA.exe | Directory created: C:\Program Files\Windows Defender\047efad0ccc033