Windows Analysis Report
uChcvn3L6R.exe

Overview

General Information

Sample name: uChcvn3L6R.exe
renamed because original name is a hash value
Original sample name: 236b78f3cd3a0b771d318f044dda8f45.exe
Analysis ID: 1447650
MD5: 236b78f3cd3a0b771d318f044dda8f45
SHA1: f890ca2ffb6218fa01df6844fe2a51b184e912b8
SHA256: 8342c29aacd500b5d424822648331736379f18bdb6bc27a7e7a579544570fa8a
Tags: exe, Formbook

Detection

DCRat
Score: 92
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Found malware configuration
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Yara detected DCRat
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
AI detected suspicious sample
Adds a directory exclusion to Windows Defender
C2 URLs / IPs found in malware configuration
Check if machine is in data center or colocation facility
Creates an autostart registry key pointing to binary in C:\Windows
Creates an undocumented autostart registry key
Creates autostart registry keys to launch java
Creates multiple autostart registry keys
Creates processes via WMI
Drops PE files with benign system names
Drops executables to the windows directory (C:\Windows) and starts them
Loading BitLocker PowerShell Module
Machine Learning detection for sample
Sigma detected: Execution from Suspicious Folder
Sigma detected: Files With System Process Name In Unsuspected Locations
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: System File Execution Location Anomaly
Suspicious execution chain found
Uses schtasks.exe or at.exe to add and modify task schedules
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Allocates memory with a write watch (potentially for evading sandboxes)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to communicate with device drivers
Contains functionality to detect virtual machines (SLDT)
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Detected potential crypto function
Drops PE files
Drops PE files to the windows directory (C:\Windows)
Enables debug privileges
File is packed with WinRar
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
PE file contains executable resources (Code or Archives)
PE file contains sections with non-standard names
Queries keyboard layouts
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: CurrentVersion NT Autorun Keys Modification
Sigma detected: Powershell Defender Exclusion
Sigma detected: Suspicious Process Start Locations
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Stores files to the Windows start menu directory
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

AV Detection

Source: uChcvn3L6R.exe Avira: detected
Source: http://pesterbdd.com/images/Pester.png URL Reputation: Label: malware
Source: http://729231cm.n9shteam1.top/@0J3bwBXdzh2chlnb Avira URL Cloud: Label: malware
Source: 00000007.00000002.1914350978.0000000012ABD000.00000004.00000800.00020000.00000000.sdmp Malware Configuration Extractor: DCRat {"SCRT": "{\"=\":\"<\",\"z\":\"&\",\"H\":\",\",\"w\":\"@\",\"b\":\"_\",\"D\":\"`\",\"A\":\";\",\"S\":\"!\",\"i\":\"%\",\"E\":\"-\",\"l\":\"*\",\"9\":\"~\",\"W\":\"|\",\"n\":\"#\",\"M\":\" \",\"G\":\")\",\"V\":\">\",\"I\":\".\",\"0\":\"(\",\"O\":\"^\",\"L\":\"$\"}", "PCRT": "{\"Q\":\"`\",\"T\":\"@\",\"U\":\"$\",\"d\":\"(\",\"K\":\")\",\"V\":\"&\",\"B\":\">\",\"Z\":\";\",\"D\":\"#\",\"z\":\"!\",\"L\":\"*\",\"J\":\"|\",\"b\":\",\",\"O\":\"<\",\"k\":\"^\",\"o\":\"-\",\"R\":\" \",\"l\":\"_\",\"F\":\"~\",\"E\":\"%\",\"W\":\".\"}", "TAG": "", "MUTEX": "DCR_MUTEX-9ukBZukGuUbmwPwxZ8oC", "LDTM": false, "DBG": false, "SST": 5, "SMST": 2, "BCS": 0, "AUR": 2, "ASCFG": {"savebrowsersdatatosinglefile": false, "ignorepartiallyemptydata": false, "cookies": true, "passwords": true, "forms": true, "cc": true, "history": false, "telegram": true, "steam": true, "discord": true, "filezilla": true, "screenshot": true, "clipboard": true, "sysinfo": true, "searchpath": "%UsersFolder% - Fast"}, "AS": true, "ASO": false, "AD": false, "H1": "http://729231cm.n9shteam1.top/@0J3bwBXdzh2chlnb", "H2": "http://729231cm.n9shteam1.top/@0J3bwBXdzh2chlnb", "T": "0"}
Source: http://729231cm.n9shteam1.top/@0J3bwBXdzh2chlnb Virustotal: Detection: 14%
Source: uChcvn3L6R.exe ReversingLabs: Detection: 91%
Source: uChcvn3L6R.exe Virustotal: Detection: 79%
Source: Submitted Sample Integrated Neural Analysis Model: Matched 85.4% probability
Source: uChcvn3L6R.exe Joe Sandbox ML: detected
Source: uChcvn3L6R.exe Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
Source: C:\Surrogateprovidercomponentsessionmonitor\browserwinsvc.exe Directory created: C:\Program Files\Uninstall Information\qiOZcVoixJLcuAFKAnRd.exe
Source: C:\Surrogateprovidercomponentsessionmonitor\browserwinsvc.exe Directory created: C:\Program Files\Uninstall Information\4f78d385fc35a0
Source: Binary string: D:\Projects\WinRAR\sfx\build\sfxrar32\Release\sfxrar.pdb source: uChcvn3L6R.exe, 00000000.00000003.1725594185.0000000004FEE000.00000004.00000020.00020000.00000000.sdmp, Arcane Cheat.exe, 00000003.00000002.1732519930.0000000000853000.00000002.00000001.01000000.00000008.sdmp, Arcane Cheat.exe, 00000003.00000000.1725425677.0000000000853000.00000002.00000001.01000000.00000008.sdmp, Arcane Cheat.exe, 00000003.00000003.1727874706.00000000072F2000.00000004.00000020.00020000.00000000.sdmp, Arcane Cheat.exe, 00000003.00000003.1726951934.00000000069E7000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: c:\re\workspace\8-2-build-windows-i586-cygwin\jdk8u101\7261\build\windows-i586\jdk\objs\libjava\java.pdb source: is-LS3UA.tmp.2.dr
Source: Binary string: c:\re\workspace\8-2-build-windows-i586-cygwin\jdk8u101\7261\build\windows-i586\jdk\objs\libnpt\npt.pdbY" source: is-O5MSC.tmp.2.dr
Source: Binary string: c:\re\workspace\8-2-build-windows-i586-cygwin\jdk8u101\7261\build\windows-i586\jdk\objs\libjava\java.pdb'% source: is-LS3UA.tmp.2.dr
Source: Binary string: msvcr120.i386.pdb source: is-11A56.tmp.2.dr
Source: Binary string: c:\re\workspace\8-2-build-windows-i586-cygwin\jdk8u101\7261\build\windows-i586\jdk\objs\libnpt\npt.pdb source: is-O5MSC.tmp.2.dr
Source: Binary string: c:\re\workspace\8-2-build-windows-i586-cygwin\jdk8u101\7261\build\windows-i586\jdk\objs\unpackexe\unpack200.pdb source: is-RMB9M.tmp.2.dr
Source: Binary string: c:\re\workspace\8-2-build-windows-i586-cygwin\jdk8u101\7261\build\windows-i586\jdk\objs\libverify\verify.pdb source: is-G1B5Q.tmp.2.dr
Source: Binary string: c:\re\workspace\8-2-build-windows-i586-cygwin\jdk8u101\7261\build\windows-i586\jdk\objs\libhprof_jvmti\hprof.pdb source: is-069DQ.tmp.2.dr
Source: Binary string: c:\re\workspace\8-2-build-windows-i586-cygwin\jdk8u101\7261\build\windows-i586\jdk\objs\libhprof_jvmti\hprof.pdbi source: is-069DQ.tmp.2.dr
Source: Binary string: c:\re\workspace\8-2-build-windows-i586-cygwin\jdk8u101\7261\build\windows-i586\jdk\objs\rmiregistry_objs\rmiregistry.pdb source: is-DLMB6.tmp.2.dr
Source: C:\Users\user\AppData\Local\Temp\Arcane Cheat.exe Code function: 3_2_0082A5F4 FindFirstFileW,FindFirstFileW,GetLastError,FindNextFileW,GetLastError, 3_2_0082A5F4
Source: C:\Users\user\AppData\Local\Temp\Arcane Cheat.exe Code function: 3_2_0083B8E0 SendDlgItemMessageW,EndDialog,GetDlgItem,SetFocus,SetDlgItemTextW,SendDlgItemMessageW,FindFirstFileW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,FindClose,_swprintf,SetDlgItemTextW,SendDlgItemMessageW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,_swprintf,SetDlgItemTextW, 3_2_0083B8E0

Software Vulnerabilities

Source: C:\Windows\SysWOW64\wscript.exe Child: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Networking

Source: Traffic Snort IDS: 2850862 ETPRO TROJAN DCRat Initial Checkin Server Response M4 104.21.22.205:80 -> 192.168.2.4:49738
Source: Malware configuration extractor URLs: http://729231cm.n9shteam1.top/@0J3bwBXdzh2chlnb
Source: global traffic HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive (reported 2 times)
Source: Joe Sandbox View IP Address: 208.95.112.1 208.95.112.1
Source: Joe Sandbox View ASN Name: TUT-ASUS TUT-ASUS
Source: unknown DNS query: name: ip-api.com
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive (reported 2 times)
Source: global traffic DNS traffic detected: DNS query: ip-api.com
Source: is-LS3UA.tmp.2.dr String found in binary or memory: http://bugreport.sun.com/bugreport/
Source: is-LS3UA.tmp.2.dr String found in binary or memory: http://bugreport.sun.com/bugreport/java.vendor.url.bughttp://java.oracle.com/java.vendor.urljava.ven
Source: Arcane CheatSetup.exe, 00000001.00000003.1704112001.00000000023B0000.00000004.00001000.00020000.00000000.sdmp, Arcane CheatSetup.tmp, 00000002.00000003.1721377728.00000000031A0000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://counter-strike.com.ua/
Source: is-DLMB6.tmp.2.dr, is-RMB9M.tmp.2.dr, is-LS3UA.tmp.2.dr, is-069DQ.tmp.2.dr, is-G1B5Q.tmp.2.dr, is-O5MSC.tmp.2.dr String found in binary or memory: http://crl.thawte.com/ThawteTimestampingCA.crl0
Source: is-NCUG3.tmp.2.dr String found in binary or memory: http://download.oracle.com/javase/7/docs/technotes/guides/plugin/
Source: explorer.exe, 00000028.00000002.2415528614.0000000000D34000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://go.micN
Source: browserwinsvc.exe, 00000007.00000002.1869897360.0000000002C1F000.00000004.00000800.00020000.00000000.sdmp, browserwinsvc.exe, 00000007.00000002.1869897360.0000000002C43000.00000004.00000800.00020000.00000000.sdmp, browserwinsvc.exe, 00000007.00000002.1869897360.0000000002AB1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://ip-api.com
Source: browserwinsvc.exe, 00000007.00000002.1869897360.0000000002AB1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://ip-api.com/line/?fields=hosting
Source: is-LS3UA.tmp.2.dr String found in binary or memory: http://java.oracle.com/
Source: is-8FS1L.tmp.2.dr String found in binary or memory: http://ocsp.example.net:80
Source: is-DLMB6.tmp.2.dr, is-RMB9M.tmp.2.dr, is-LS3UA.tmp.2.dr, is-069DQ.tmp.2.dr, is-G1B5Q.tmp.2.dr, is-O5MSC.tmp.2.dr String found in binary or memory: http://ocsp.thawte.com0
Source: is-KHA4M.tmp.2.dr String found in binary or memory: http://openjdk.java.net/jeps/220).
Source: powershell.exe, 00000031.00000002.2021882482.0000019F58EB8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: is-DLMB6.tmp.2.dr, is-RMB9M.tmp.2.dr, is-LS3UA.tmp.2.dr, is-069DQ.tmp.2.dr, is-G1B5Q.tmp.2.dr, is-O5MSC.tmp.2.dr String found in binary or memory: http://s1.symcb.com/pca3-g5.crl0
Source: is-DLMB6.tmp.2.dr, is-RMB9M.tmp.2.dr, is-LS3UA.tmp.2.dr, is-069DQ.tmp.2.dr, is-G1B5Q.tmp.2.dr, is-O5MSC.tmp.2.dr String found in binary or memory: http://s2.symcb.com0
Source: powershell.exe, 00000029.00000002.2077921372.0000022C975E7000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000002A.00000002.1964510418.000001C080228000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000002D.00000002.1952888234.0000020400228000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000002F.00000002.2053761030.000001D25E368000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000031.00000002.2021882482.0000019F58EB8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: browserwinsvc.exe, 00000007.00000002.1869897360.0000000002AB1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000029.00000002.2077921372.0000022C973C1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000002A.00000002.1964510418.000001C080001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000002D.00000002.1952888234.0000020400001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000002F.00000002.2053761030.000001D25E141000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000031.00000002.2021882482.0000019F58C91000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000029.00000002.2077921372.0000022C975E7000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000002A.00000002.1964510418.000001C080228000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000002D.00000002.1952888234.0000020400228000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000002F.00000002.2053761030.000001D25E368000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000031.00000002.2021882482.0000019F58EB8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
Source: is-DLMB6.tmp.2.dr, is-RMB9M.tmp.2.dr, is-LS3UA.tmp.2.dr, is-069DQ.tmp.2.dr, is-G1B5Q.tmp.2.dr, is-O5MSC.tmp.2.dr String found in binary or memory: http://sv.symcb.com/sv.crl0f
Source: is-DLMB6.tmp.2.dr, is-RMB9M.tmp.2.dr, is-LS3UA.tmp.2.dr, is-069DQ.tmp.2.dr, is-G1B5Q.tmp.2.dr, is-O5MSC.tmp.2.dr String found in binary or memory: http://sv.symcb.com/sv.crt0
Source: is-DLMB6.tmp.2.dr, is-RMB9M.tmp.2.dr, is-LS3UA.tmp.2.dr, is-069DQ.tmp.2.dr, is-G1B5Q.tmp.2.dr, is-O5MSC.tmp.2.dr String found in binary or memory: http://sv.symcd.com0&
Source: is-DLMB6.tmp.2.dr, is-RMB9M.tmp.2.dr, is-LS3UA.tmp.2.dr, is-069DQ.tmp.2.dr, is-G1B5Q.tmp.2.dr, is-O5MSC.tmp.2.dr String found in binary or memory: http://ts-aia.ws.symantec.com/tss-ca-g2.cer0
Source: is-DLMB6.tmp.2.dr, is-RMB9M.tmp.2.dr, is-LS3UA.tmp.2.dr, is-069DQ.tmp.2.dr, is-G1B5Q.tmp.2.dr, is-O5MSC.tmp.2.dr String found in binary or memory: http://ts-crl.ws.symantec.com/tss-ca-g2.crl0(
Source: is-DLMB6.tmp.2.dr, is-RMB9M.tmp.2.dr, is-LS3UA.tmp.2.dr, is-069DQ.tmp.2.dr, is-G1B5Q.tmp.2.dr, is-O5MSC.tmp.2.dr String found in binary or memory: http://ts-ocsp.ws.symantec.com07
Source: powershell.exe, 00000031.00000002.2021882482.0000019F58EB8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: Arcane CheatSetup.exe, 00000001.00000003.1704112001.00000000023B0000.00000004.00001000.00020000.00000000.sdmp, Arcane CheatSetup.tmp, 00000002.00000003.1721377728.00000000031A0000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://www.dk-soft.org/
Source: Arcane CheatSetup.exe, 00000001.00000003.1705276766.00000000024F0000.00000004.00001000.00020000.00000000.sdmp, Arcane CheatSetup.exe, 00000001.00000003.1709172010.000000007FD30000.00000004.00001000.00020000.00000000.sdmp, Arcane CheatSetup.tmp, 00000002.00000000.1713179499.0000000000401000.00000020.00000001.01000000.00000006.sdmp String found in binary or memory: http://www.innosetup.com/
Source: uChcvn3L6R.exe String found in binary or memory: http://www.jrsoftware.org/ishelp/index.php?topic=setupcmdlineSetupU
Source: is-KHA4M.tmp.2.dr String found in binary or memory: http://www.oracle.com/hotspot/jvm/
Source: is-KHA4M.tmp.2.dr String found in binary or memory: http://www.oracle.com/hotspot/jvm/java/monitor/address
Source: is-KHA4M.tmp.2.dr String found in binary or memory: http://www.oracle.com/hotspot/jvm/vm/code_sweeper/id
Source: is-KHA4M.tmp.2.dr String found in binary or memory: http://www.oracle.com/hotspot/jvm/vm/compiler/id
Source: is-KHA4M.tmp.2.dr String found in binary or memory: http://www.oracle.com/hotspot/jvm/vm/gc/id
Source: is-NCUG3.tmp.2.dr String found in binary or memory: http://www.oracle.com/technetwork/java/javase/overview/
Source: is-KHA4M.tmp.2.dr String found in binary or memory: http://www.oracle.com/technetwork/java/javaseproducts/
Source: is-KHA4M.tmp.2.dr String found in binary or memory: http://www.oracle.com/technetwork/java/javaseproducts/C:
Source: Arcane CheatSetup.exe, 00000001.00000003.1705276766.00000000024F0000.00000004.00001000.00020000.00000000.sdmp, Arcane CheatSetup.exe, 00000001.00000003.1709172010.000000007FD30000.00000004.00001000.00020000.00000000.sdmp, Arcane CheatSetup.tmp, 00000002.00000000.1713179499.0000000000401000.00000020.00000001.01000000.00000006.sdmp String found in binary or memory: http://www.remobjects.com/ps
Source: is-DLMB6.tmp.2.dr, is-RMB9M.tmp.2.dr, is-LS3UA.tmp.2.dr, is-069DQ.tmp.2.dr, is-G1B5Q.tmp.2.dr, is-O5MSC.tmp.2.dr String found in binary or memory: http://www.symauth.com/cps0(
Source: is-DLMB6.tmp.2.dr, is-RMB9M.tmp.2.dr, is-LS3UA.tmp.2.dr, is-069DQ.tmp.2.dr, is-G1B5Q.tmp.2.dr, is-O5MSC.tmp.2.dr String found in binary or memory: http://www.symauth.com/rpa00
Source: powershell.exe, 00000029.00000002.2077921372.0000022C973C1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000002A.00000002.1964510418.000001C080001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000002D.00000002.1952888234.0000020400001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000002F.00000002.2053761030.000001D25E141000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000031.00000002.2021882482.0000019F58C91000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://aka.ms/pscore68
Source: is-DLMB6.tmp.2.dr, is-RMB9M.tmp.2.dr, is-LS3UA.tmp.2.dr, is-069DQ.tmp.2.dr, is-G1B5Q.tmp.2.dr, is-O5MSC.tmp.2.dr String found in binary or memory: https://d.symcb.com/cps0%
Source: is-DLMB6.tmp.2.dr, is-RMB9M.tmp.2.dr, is-LS3UA.tmp.2.dr, is-069DQ.tmp.2.dr, is-G1B5Q.tmp.2.dr, is-O5MSC.tmp.2.dr String found in binary or memory: https://d.symcb.com/rpa0
Source: powershell.exe, 00000031.00000002.2021882482.0000019F58EB8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.com/Pester/Pester

System Summary

Source: C:\Windows\SysWOW64\wscript.exe COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}
Source: C:\Users\user\AppData\Local\Temp\Arcane Cheat.exe Code function: 3_2_0082718C: __EH_prolog,CreateFileW,CloseHandle,CreateDirectoryW,CreateFileW,DeviceIoControl,CloseHandle,GetLastError,RemoveDirectoryW,DeleteFileW, 3_2_0082718C
Source: C:\Surrogateprovidercomponentsessionmonitor\browserwinsvc.exe File created: C:\Windows\addins\audiodg.exe
Source: C:\Surrogateprovidercomponentsessionmonitor\browserwinsvc.exe File created: C:\Windows\addins\42af1c969fbb7b
Source: C:\Surrogateprovidercomponentsessionmonitor\browserwinsvc.exe File created: C:\Windows\Fonts\qiOZcVoixJLcuAFKAnRd.exe
Source: C:\Surrogateprovidercomponentsessionmonitor\browserwinsvc.exe File created: C:\Windows\Fonts\4f78d385fc35a0
Source: C:\Surrogateprovidercomponentsessionmonitor\browserwinsvc.exe File created: C:\Windows\en-US\qiOZcVoixJLcuAFKAnRd.exe
Source: C:\Surrogateprovidercomponentsessionmonitor\browserwinsvc.exe File created: C:\Windows\en-US\4f78d385fc35a0
Source: C:\Users\user\AppData\Local\Temp\Arcane Cheat.exe Code function: 3_2_0082857B 3_2_0082857B
Source: C:\Users\user\AppData\Local\Temp\Arcane Cheat.exe Code function: 3_2_008370BF 3_2_008370BF
Source: C:\Users\user\AppData\Local\Temp\Arcane Cheat.exe Code function: 3_2_0084D00E 3_2_0084D00E
Source: C:\Users\user\AppData\Local\Temp\Arcane Cheat.exe Code function: 3_2_0082407E 3_2_0082407E
Source: C:\Users\user\AppData\Local\Temp\Arcane Cheat.exe Code function: 3_2_00851194 3_2_00851194
Source: C:\Users\user\AppData\Local\Temp\Arcane Cheat.exe Code function: 3_2_00823281 3_2_00823281
Source: C:\Users\user\AppData\Local\Temp\Arcane Cheat.exe Code function: 3_2_0082E2A0 3_2_0082E2A0
Source: C:\Users\user\AppData\Local\Temp\Arcane Cheat.exe Code function: 3_2_008402F6 3_2_008402F6
Source: C:\Users\user\AppData\Local\Temp\Arcane Cheat.exe Code function: 3_2_00836646 3_2_00836646
Source: C:\Users\user\AppData\Local\Temp\Arcane Cheat.exe Code function: 3_2_008337C1 3_2_008337C1
Source: C:\Users\user\AppData\Local\Temp\Arcane Cheat.exe Code function: 3_2_008227E8 3_2_008227E8
Source: C:\Users\user\AppData\Local\Temp\Arcane Cheat.exe Code function: 3_2_0084070E 3_2_0084070E
Source: C:\Users\user\AppData\Local\Temp\Arcane Cheat.exe Code function: 3_2_0084473A 3_2_0084473A
Source: C:\Users\user\AppData\Local\Temp\Arcane Cheat.exe Code function: 3_2_0082E8A0 3_2_0082E8A0
Source: C:\Users\user\AppData\Local\Temp\Arcane Cheat.exe Code function: 3_2_0082F968 3_2_0082F968
Source: C:\Users\user\AppData\Local\Temp\Arcane Cheat.exe Code function: 3_2_00844969 3_2_00844969
Source: C:\Users\user\AppData\Local\Temp\Arcane Cheat.exe Code function: 3_2_00833A3C 3_2_00833A3C
Source: C:\Users\user\AppData\Local\Temp\Arcane Cheat.exe Code function: 3_2_00836A7B 3_2_00836A7B
Source: C:\Users\user\AppData\Local\Temp\Arcane Cheat.exe Code function: 3_2_00840B43 3_2_00840B43
Source: C:\Users\user\AppData\Local\Temp\Arcane Cheat.exe Code function: 3_2_0084CB60 3_2_0084CB60
Source: C:\Users\user\AppData\Local\Temp\Arcane Cheat.exe Code function: 3_2_00835C77 3_2_00835C77
Source: C:\Users\user\AppData\Local\Temp\Arcane Cheat.exe Code function: 3_2_0083FDFA 3_2_0083FDFA
Source: C:\Users\user\AppData\Local\Temp\Arcane Cheat.exe Code function: 3_2_0082ED14 3_2_0082ED14
Source: C:\Users\user\AppData\Local\Temp\Arcane Cheat.exe Code function: 3_2_00833D6D 3_2_00833D6D
Source: C:\Users\user\AppData\Local\Temp\Arcane Cheat.exe Code function: 3_2_0082BE13 3_2_0082BE13
Source: C:\Users\user\AppData\Local\Temp\Arcane Cheat.exe Code function: 3_2_0082DE6C 3_2_0082DE6C
Source: C:\Users\user\AppData\Local\Temp\Arcane Cheat.exe Code function: 3_2_00825F3C 3_2_00825F3C
Source: C:\Users\user\AppData\Local\Temp\Arcane Cheat.exe Code function: 3_2_00840F78 3_2_00840F78
Source: C:\Windows\addins\audiodg.exe Code function: 38_2_00007FFD9BAAA71D 38_2_00007FFD9BAAA71D
Source: C:\Windows\addins\audiodg.exe Code function: 38_2_00007FFD9BAAD668 38_2_00007FFD9BAAD668
Source: C:\Windows\addins\audiodg.exe Code function: 38_2_00007FFD9BAAACF0 38_2_00007FFD9BAAACF0
Source: C:\Windows\addins\audiodg.exe Code function: 38_2_00007FFD9BAAC648 38_2_00007FFD9BAAC648
Source: C:\Windows\addins\audiodg.exe Code function: 38_2_00007FFD9BAAC240 38_2_00007FFD9BAAC240
Source: C:\Windows\addins\audiodg.exe Code function: 38_2_00007FFD9BAAA1C5 38_2_00007FFD9BAAA1C5
Source: C:\Recovery\explorer.exe Code function: 44_2_00007FFD9BAACC28 44_2_00007FFD9BAACC28
Source: C:\Recovery\explorer.exe Code function: 44_2_00007FFD9BAAA71D 44_2_00007FFD9BAAA71D
Source: C:\Recovery\explorer.exe Code function: 44_2_00007FFD9BAAD668 44_2_00007FFD9BAAD668
Source: C:\Recovery\explorer.exe Code function: 44_2_00007FFD9BAA2CA0 44_2_00007FFD9BAA2CA0
Source: C:\Recovery\explorer.exe Code function: 44_2_00007FFD9BAAAB30 44_2_00007FFD9BAAAB30
Source: C:\Recovery\explorer.exe Code function: 44_2_00007FFD9BAAC240 44_2_00007FFD9BAAC240
Source: C:\Recovery\explorer.exe Code function: 44_2_00007FFD9BAAC648 44_2_00007FFD9BAAC648
Source: C:\Recovery\explorer.exe Code function: 44_2_00007FFD9BAAACF0 44_2_00007FFD9BAAACF0
Source: C:\Recovery\explorer.exe Code function: 44_2_00007FFD9BAA9D4D 44_2_00007FFD9BAA9D4D
Source: C:\Users\user\AppData\Local\Temp\Arcane Cheat.exe Code function: String function: 0083E28C appears 35 times
Source: C:\Users\user\AppData\Local\Temp\Arcane Cheat.exe Code function: String function: 0083E360 appears 52 times
Source: C:\Users\user\AppData\Local\Temp\Arcane Cheat.exe Code function: String function: 0083ED00 appears 31 times
Source: uChcvn3L6R.exe Static PE information: Resource name: RT_RCDATA type: PE32 executable (GUI) Intel 80386, for MS Windows (reported 2 times)
Source: Arcane CheatSetup.tmp.1.dr Static PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows
Source: Arcane CheatSetup.tmp.1.dr Static PE information: Resource name: RT_RCDATA type: PE32 executable (DLL) (GUI) Intel 80386 (stripped to external PDB), for MS Windows
Source: uChcvn3L6R.exe, 00000000.00000003.1725594185.0000000004FEE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenamelibGLESv2.dll4 vs uChcvn3L6R.exe
Source: uChcvn3L6R.exe Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
Source: 0.3.uChcvn3L6R.exe.5032d6c.0.raw.unpack, OPGpF4YRttobaOjLnpx.cs Cryptographic APIs: 'CreateDecryptor' (reported 2 times)
Source: 0.3.uChcvn3L6R.exe.5032d6c.0.raw.unpack, TqIR1IaX6SfDv216AUp.cs Cryptographic APIs: 'TransformBlock'
Source: 0.3.uChcvn3L6R.exe.5032d6c.0.raw.unpack, TqIR1IaX6SfDv216AUp.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 0.0.uChcvn3L6R.exe.31148b0.2.raw.unpack, OPGpF4YRttobaOjLnpx.cs Cryptographic APIs: 'CreateDecryptor' (reported 2 times)
Source: 0.0.uChcvn3L6R.exe.31148b0.2.raw.unpack, TqIR1IaX6SfDv216AUp.cs Cryptographic APIs: 'TransformBlock'
Source: 0.0.uChcvn3L6R.exe.31148b0.2.raw.unpack, TqIR1IaX6SfDv216AUp.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 0.3.uChcvn3L6R.exe.5032d6c.0.raw.unpack, b5hTDFeLD6bE2HAfhlF.cs Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 0.3.uChcvn3L6R.exe.5032d6c.0.raw.unpack, b5hTDFeLD6bE2HAfhlF.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.0.uChcvn3L6R.exe.31148b0.2.raw.unpack, b5hTDFeLD6bE2HAfhlF.cs Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 0.0.uChcvn3L6R.exe.31148b0.2.raw.unpack, b5hTDFeLD6bE2HAfhlF.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: classification engine Classification label: mal92.troj.expl.evad.winEXE@41/475@1/1
Source: C:\Users\user\AppData\Local\Temp\Arcane Cheat.exe Code function: 3_2_00826EC9 GetLastError,FormatMessageW, 3_2_00826EC9
Source: C:\Users\user\AppData\Local\Temp\Arcane Cheat.exe Code function: 3_2_00839E1C FindResourceW,SizeofResource,LoadResource,LockResource,GlobalAlloc,GlobalLock,GdipCreateHBITMAPFromBitmap,GlobalUnlock,GlobalFree, 3_2_00839E1C
Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp File created: C:\Program Files (x86)\Arcane Cheat
Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp File created: C:\Users\user\AppData\Local\Programs
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Mutant created: NULL
Source: C:\Surrogateprovidercomponentsessionmonitor\browserwinsvc.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\2f1bb18a36a2997857c610994e6b82f6ce779022
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6748:120:WilError_03
Source: C:\Users\user\Desktop\uChcvn3L6R.exe File created: C:\Users\user\AppData\Local\Temp\Arcane CheatSetup.exe
Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Surrogateprovidercomponentsessionmonitor\bjWdhUfYhC7CKzpdCHePv6eJ.bat" "
Source: unknown Process created: C:\Recovery\explorer.exe (reported 2 times)
Source: C:\Users\user\AppData\Local\Temp\Arcane Cheat.exe Command line argument: sfxname 3_2_0083D5D4
Source: C:\Users\user\AppData\Local\Temp\Arcane Cheat.exe Command line argument: sfxstime 3_2_0083D5D4
Source: C:\Users\user\AppData\Local\Temp\Arcane Cheat.exe Command line argument: STARTDLG 3_2_0083D5D4
Source: C:\Users\user\AppData\Local\Temp\Arcane CheatSetup.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: uChcvn3L6R.exe Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.91%
Source: C:\Surrogateprovidercomponentsessionmonitor\browserwinsvc.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create (reported 25 times)
Source: C:\Surrogateprovidercomponentsessionmonitor\browserwinsvc.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Surrogateprovidercomponentsessionmonitor\browserwinsvc.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Surrogateprovidercomponentsessionmonitor\browserwinsvc.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Surrogateprovidercomponentsessionmonitor\browserwinsvc.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Surrogateprovidercomponentsessionmonitor\browserwinsvc.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\uChcvn3L6R.exe File read: C:\Users\user\Desktop\desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\uChcvn3L6R.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOrganization Jump to behavior
Source: uChcvn3L6R.exe ReversingLabs: Detection: 91%
Source: uChcvn3L6R.exe Virustotal: Detection: 79%
Source: uChcvn3L6R.exe String found in binary or memory: /LOADINF="filename"
Source: unknown Process created: C:\Users\user\Desktop\uChcvn3L6R.exe "C:\Users\user\Desktop\uChcvn3L6R.exe"
Source: C:\Users\user\Desktop\uChcvn3L6R.exe Process created: C:\Users\user\AppData\Local\Temp\Arcane CheatSetup.exe "C:\Users\user\AppData\Local\Temp\Arcane CheatSetup.exe"
Source: C:\Users\user\AppData\Local\Temp\Arcane CheatSetup.exe Process created: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp "C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp" /SL5="$4042E,46527891,119296,C:\Users\user\AppData\Local\Temp\Arcane CheatSetup.exe"
Source: C:\Users\user\Desktop\uChcvn3L6R.exe Process created: C:\Users\user\AppData\Local\Temp\Arcane Cheat.exe "C:\Users\user\AppData\Local\Temp\Arcane Cheat.exe"
Source: C:\Users\user\AppData\Local\Temp\Arcane Cheat.exe Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Surrogateprovidercomponentsessionmonitor\lEI1Ux7.vbe"
Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Surrogateprovidercomponentsessionmonitor\bjWdhUfYhC7CKzpdCHePv6eJ.bat" "
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Surrogateprovidercomponentsessionmonitor\browserwinsvc.exe "C:\Surrogateprovidercomponentsessionmonitor\browserwinsvc.exe"
Source: C:\Surrogateprovidercomponentsessionmonitor\browserwinsvc.exe Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "qiOZcVoixJLcuAFKAnRdq" /sc MINUTE /mo 12 /tr "'C:\Program Files\Uninstall Information\qiOZcVoixJLcuAFKAnRd.exe'" /f
Source: unknown Process created: C:\Windows\addins\audiodg.exe C:\Windows\addins\audiodg.exe
Source: unknown Process created: C:\Windows\addins\audiodg.exe C:\Windows\addins\audiodg.exe
Source: unknown Process created: C:\Recovery\explorer.exe C:\Recovery\explorer.exe
Source: C:\Surrogateprovidercomponentsessionmonitor\browserwinsvc.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Surrogateprovidercomponentsessionmonitor\browserwinsvc.exe'
Source: C:\Surrogateprovidercomponentsessionmonitor\browserwinsvc.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\RuntimeBroker.exe'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Recovery\explorer.exe C:\Recovery\explorer.exe
Source: C:\Surrogateprovidercomponentsessionmonitor\browserwinsvc.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\addins\audiodg.exe'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Surrogateprovidercomponentsessionmonitor\browserwinsvc.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Fonts\qiOZcVoixJLcuAFKAnRd.exe'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Surrogateprovidercomponentsessionmonitor\browserwinsvc.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Surrogateprovidercomponentsessionmonitor\qiOZcVoixJLcuAFKAnRd.exe'
Source: C:\Users\user\Desktop\uChcvn3L6R.exe Process created: C:\Users\user\AppData\Local\Temp\Arcane CheatSetup.exe "C:\Users\user\AppData\Local\Temp\Arcane CheatSetup.exe" Jump to behavior
Source: C:\Users\user\Desktop\uChcvn3L6R.exe Process created: C:\Users\user\AppData\Local\Temp\Arcane Cheat.exe "C:\Users\user\AppData\Local\Temp\Arcane Cheat.exe" Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Arcane CheatSetup.exe Process created: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp "C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp" /SL5="$4042E,46527891,119296,C:\Users\user\AppData\Local\Temp\Arcane CheatSetup.exe" Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp Process created: unknown unknown Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Arcane Cheat.exe Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Surrogateprovidercomponentsessionmonitor\lEI1Ux7.vbe" Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Surrogateprovidercomponentsessionmonitor\bjWdhUfYhC7CKzpdCHePv6eJ.bat" " Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Surrogateprovidercomponentsessionmonitor\browserwinsvc.exe "C:\Surrogateprovidercomponentsessionmonitor\browserwinsvc.exe" Jump to behavior
Source: C:\Surrogateprovidercomponentsessionmonitor\browserwinsvc.exe Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "qiOZcVoixJLcuAFKAnRdq" /sc MINUTE /mo 12 /tr "'C:\Program Files\Uninstall Information\qiOZcVoixJLcuAFKAnRd.exe'" /f Jump to behavior
Source: C:\Surrogateprovidercomponentsessionmonitor\browserwinsvc.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\RuntimeBroker.exe' Jump to behavior
Source: C:\Surrogateprovidercomponentsessionmonitor\browserwinsvc.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\addins\audiodg.exe' Jump to behavior
Source: C:\Surrogateprovidercomponentsessionmonitor\browserwinsvc.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Fonts\qiOZcVoixJLcuAFKAnRd.exe' Jump to behavior
Source: C:\Surrogateprovidercomponentsessionmonitor\browserwinsvc.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Surrogateprovidercomponentsessionmonitor\qiOZcVoixJLcuAFKAnRd.exe' Jump to behavior
Source: C:\Surrogateprovidercomponentsessionmonitor\browserwinsvc.exe Process created: unknown unknown Jump to behavior
Source: C:\Surrogateprovidercomponentsessionmonitor\browserwinsvc.exe Process created: unknown unknown Jump to behavior
Source: C:\Surrogateprovidercomponentsessionmonitor\browserwinsvc.exe Process created: unknown unknown Jump to behavior
Source: C:\Surrogateprovidercomponentsessionmonitor\browserwinsvc.exe Process created: unknown unknown Jump to behavior
Source: C:\Surrogateprovidercomponentsessionmonitor\browserwinsvc.exe Process created: unknown unknown Jump to behavior
Source: C:\Surrogateprovidercomponentsessionmonitor\browserwinsvc.exe Process created: unknown unknown Jump to behavior
Source: C:\Surrogateprovidercomponentsessionmonitor\browserwinsvc.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\uChcvn3L6R.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\Desktop\uChcvn3L6R.exe Section loaded: shfolder.dll Jump to behavior
Source: C:\Users\user\Desktop\uChcvn3L6R.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\Desktop\uChcvn3L6R.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\Desktop\uChcvn3L6R.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\Desktop\uChcvn3L6R.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\Desktop\uChcvn3L6R.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Users\user\Desktop\uChcvn3L6R.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\Desktop\uChcvn3L6R.exe Section loaded: windows.staterepositoryps.dll Jump to behavior
Source: C:\Users\user\Desktop\uChcvn3L6R.exe Section loaded: edputil.dll Jump to behavior
Source: C:\Users\user\Desktop\uChcvn3L6R.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Users\user\Desktop\uChcvn3L6R.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Users\user\Desktop\uChcvn3L6R.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Users\user\Desktop\uChcvn3L6R.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Users\user\Desktop\uChcvn3L6R.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\Desktop\uChcvn3L6R.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\Desktop\uChcvn3L6R.exe Section loaded: appresolver.dll Jump to behavior
Source: C:\Users\user\Desktop\uChcvn3L6R.exe Section loaded: bcp47langs.dll Jump to behavior
Source: C:\Users\user\Desktop\uChcvn3L6R.exe Section loaded: slc.dll Jump to behavior
Source: C:\Users\user\Desktop\uChcvn3L6R.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\Desktop\uChcvn3L6R.exe Section loaded: sppc.dll Jump to behavior
Source: C:\Users\user\Desktop\uChcvn3L6R.exe Section loaded: onecorecommonproxystub.dll Jump to behavior
Source: C:\Users\user\Desktop\uChcvn3L6R.exe Section loaded: onecoreuapcommonproxystub.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Arcane CheatSetup.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Arcane CheatSetup.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp Section loaded: msimg32.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp Section loaded: version.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp Section loaded: mpr.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp Section loaded: textinputframework.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp Section loaded: coreuicomponents.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp Section loaded: coremessaging.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp Section loaded: ntmarta.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp Section loaded: coremessaging.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp Section loaded: textshaping.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp Section loaded: dwmapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp Section loaded: shfolder.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp Section loaded: rstrtmgr.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp Section loaded: ncrypt.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp Section loaded: ntasn1.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp Section loaded: explorerframe.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp Section loaded: sfc.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp Section loaded: sfc_os.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp Section loaded: propsys.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp Section loaded: linkinfo.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp Section loaded: ntshrui.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp Section loaded: srvcli.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp Section loaded: cscapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp Section loaded: netutils.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Arcane Cheat.exe Section loaded: api-ms-win-core-synch-l1-2-0.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Arcane Cheat.exe Section loaded: api-ms-win-core-fibers-l1-1-1.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Arcane Cheat.exe Section loaded: api-ms-win-core-synch-l1-2-0.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Arcane Cheat.exe Section loaded: api-ms-win-core-fibers-l1-1-1.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Arcane Cheat.exe Section loaded: api-ms-win-core-localization-l1-2-1.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Arcane Cheat.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Arcane Cheat.exe Section loaded: dxgidebug.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Arcane Cheat.exe Section loaded: sfc_os.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Arcane Cheat.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Arcane Cheat.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Arcane Cheat.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Arcane Cheat.exe Section loaded: dwmapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Arcane Cheat.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Arcane Cheat.exe Section loaded: riched20.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Arcane Cheat.exe Section loaded: usp10.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Arcane Cheat.exe Section loaded: msls31.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Arcane Cheat.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Arcane Cheat.exe Section loaded: windowscodecs.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Arcane Cheat.exe Section loaded: textshaping.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Arcane Cheat.exe Section loaded: textinputframework.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Arcane Cheat.exe Section loaded: coreuicomponents.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Arcane Cheat.exe Section loaded: coremessaging.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Arcane Cheat.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Arcane Cheat.exe Section loaded: coremessaging.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Arcane Cheat.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Arcane Cheat.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Arcane Cheat.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Arcane Cheat.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Arcane Cheat.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Arcane Cheat.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Arcane Cheat.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Arcane Cheat.exe Section loaded: edputil.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Arcane Cheat.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Arcane Cheat.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Arcane Cheat.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Arcane Cheat.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Arcane Cheat.exe Section loaded: windows.staterepositoryps.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Arcane Cheat.exe Section loaded: policymanager.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Arcane Cheat.exe Section loaded: msvcp110_win.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Arcane Cheat.exe Section loaded: appresolver.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Arcane Cheat.exe Section loaded: bcp47langs.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Arcane Cheat.exe Section loaded: slc.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Arcane Cheat.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Arcane Cheat.exe Section loaded: sppc.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Arcane Cheat.exe Section loaded: onecorecommonproxystub.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Arcane Cheat.exe Section loaded: onecoreuapcommonproxystub.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Arcane Cheat.exe Section loaded: pcacli.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Arcane Cheat.exe Section loaded: mpr.dll Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: sxs.dll Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: vbscript.dll Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: msisip.dll Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: wshext.dll Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: scrobj.dll Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: mpr.dll Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: scrrun.dll Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: dlnashext.dll Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: wpdshext.dll Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: edputil.dll Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: windows.staterepositoryps.dll Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: appresolver.dll Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: bcp47langs.dll Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: slc.dll Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: sppc.dll Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: onecorecommonproxystub.dll Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: onecoreuapcommonproxystub.dll Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: cmdext.dll Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Surrogateprovidercomponentsessionmonitor\browserwinsvc.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Surrogateprovidercomponentsessionmonitor\browserwinsvc.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Surrogateprovidercomponentsessionmonitor\browserwinsvc.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Surrogateprovidercomponentsessionmonitor\browserwinsvc.exe Section loaded: version.dll Jump to behavior
Source: C:\Surrogateprovidercomponentsessionmonitor\browserwinsvc.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Surrogateprovidercomponentsessionmonitor\browserwinsvc.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Surrogateprovidercomponentsessionmonitor\browserwinsvc.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Surrogateprovidercomponentsessionmonitor\browserwinsvc.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Surrogateprovidercomponentsessionmonitor\browserwinsvc.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Surrogateprovidercomponentsessionmonitor\browserwinsvc.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Surrogateprovidercomponentsessionmonitor\browserwinsvc.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Surrogateprovidercomponentsessionmonitor\browserwinsvc.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Surrogateprovidercomponentsessionmonitor\browserwinsvc.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Surrogateprovidercomponentsessionmonitor\browserwinsvc.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Surrogateprovidercomponentsessionmonitor\browserwinsvc.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Surrogateprovidercomponentsessionmonitor\browserwinsvc.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Surrogateprovidercomponentsessionmonitor\browserwinsvc.exe Section loaded: rasapi32.dll Jump to behavior
Source: C:\Surrogateprovidercomponentsessionmonitor\browserwinsvc.exe Section loaded: rasman.dll Jump to behavior
Source: C:\Surrogateprovidercomponentsessionmonitor\browserwinsvc.exe Section loaded: rtutils.dll Jump to behavior
Source: C:\Surrogateprovidercomponentsessionmonitor\browserwinsvc.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Surrogateprovidercomponentsessionmonitor\browserwinsvc.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Surrogateprovidercomponentsessionmonitor\browserwinsvc.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Surrogateprovidercomponentsessionmonitor\browserwinsvc.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Surrogateprovidercomponentsessionmonitor\browserwinsvc.exe Section loaded: dhcpcsvc6.dll Jump to behavior
Source: C:\Surrogateprovidercomponentsessionmonitor\browserwinsvc.exe Section loaded: dhcpcsvc.dll Jump to behavior
Source: C:\Surrogateprovidercomponentsessionmonitor\browserwinsvc.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Surrogateprovidercomponentsessionmonitor\browserwinsvc.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Surrogateprovidercomponentsessionmonitor\browserwinsvc.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Surrogateprovidercomponentsessionmonitor\browserwinsvc.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Surrogateprovidercomponentsessionmonitor\browserwinsvc.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Surrogateprovidercomponentsessionmonitor\browserwinsvc.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Surrogateprovidercomponentsessionmonitor\browserwinsvc.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Surrogateprovidercomponentsessionmonitor\browserwinsvc.exe Section loaded: edputil.dll Jump to behavior
Source: C:\Surrogateprovidercomponentsessionmonitor\browserwinsvc.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Surrogateprovidercomponentsessionmonitor\browserwinsvc.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Surrogateprovidercomponentsessionmonitor\browserwinsvc.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Surrogateprovidercomponentsessionmonitor\browserwinsvc.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Surrogateprovidercomponentsessionmonitor\browserwinsvc.exe Section loaded: windows.staterepositoryps.dll Jump to behavior
Source: C:\Surrogateprovidercomponentsessionmonitor\browserwinsvc.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Surrogateprovidercomponentsessionmonitor\browserwinsvc.exe Section loaded: appresolver.dll Jump to behavior
Source: C:\Surrogateprovidercomponentsessionmonitor\browserwinsvc.exe Section loaded: bcp47langs.dll Jump to behavior
Source: C:\Surrogateprovidercomponentsessionmonitor\browserwinsvc.exe Section loaded: slc.dll Jump to behavior
Source: C:\Surrogateprovidercomponentsessionmonitor\browserwinsvc.exe Section loaded: sppc.dll Jump to behavior
Source: C:\Surrogateprovidercomponentsessionmonitor\browserwinsvc.exe Section loaded: onecorecommonproxystub.dll Jump to behavior
Source: C:\Surrogateprovidercomponentsessionmonitor\browserwinsvc.exe Section loaded: onecoreuapcommonproxystub.dll Jump to behavior
Source: C:\Windows\System32\schtasks.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: taskschd.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: xmllite.dll
Source: C:\Windows\addins\audiodg.exe Section loaded: mscoree.dll
Source: C:\Windows\addins\audiodg.exe Section loaded: apphelp.dll
Source: C:\Windows\addins\audiodg.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\addins\audiodg.exe Section loaded: version.dll
Source: C:\Windows\addins\audiodg.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\addins\audiodg.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\addins\audiodg.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\addins\audiodg.exe Section loaded: uxtheme.dll
Source: C:\Windows\addins\audiodg.exe Section loaded: windows.storage.dll
Source: C:\Windows\addins\audiodg.exe Section loaded: wldp.dll
Source: C:\Windows\addins\audiodg.exe Section loaded: profapi.dll
Source: C:\Windows\addins\audiodg.exe Section loaded: cryptsp.dll
Source: C:\Windows\addins\audiodg.exe Section loaded: rsaenh.dll
Source: C:\Windows\addins\audiodg.exe Section loaded: cryptbase.dll
Source: C:\Windows\addins\audiodg.exe Section loaded: sspicli.dll
Source: C:\Windows\addins\audiodg.exe Section loaded: mscoree.dll
Source: C:\Windows\addins\audiodg.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\addins\audiodg.exe Section loaded: version.dll
Source: C:\Windows\addins\audiodg.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\addins\audiodg.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\addins\audiodg.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\addins\audiodg.exe Section loaded: uxtheme.dll
Source: C:\Windows\addins\audiodg.exe Section loaded: windows.storage.dll
Source: C:\Windows\addins\audiodg.exe Section loaded: wldp.dll
Source: C:\Windows\addins\audiodg.exe Section loaded: profapi.dll
Source: C:\Windows\addins\audiodg.exe Section loaded: cryptsp.dll
Source: C:\Windows\addins\audiodg.exe Section loaded: rsaenh.dll
Source: C:\Windows\addins\audiodg.exe Section loaded: cryptbase.dll
Source: C:\Windows\addins\audiodg.exe Section loaded: sspicli.dll
Source: C:\Recovery\explorer.exe Section loaded: mscoree.dll
Source: C:\Recovery\explorer.exe Section loaded: apphelp.dll
Source: C:\Recovery\explorer.exe Section loaded: kernel.appcore.dll
Source: C:\Recovery\explorer.exe Section loaded: version.dll
Source: C:\Recovery\explorer.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Recovery\explorer.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Recovery\explorer.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Recovery\explorer.exe Section loaded: uxtheme.dll
Source: C:\Recovery\explorer.exe Section loaded: windows.storage.dll
Source: C:\Recovery\explorer.exe Section loaded: wldp.dll
Source: C:\Recovery\explorer.exe Section loaded: profapi.dll
Source: C:\Recovery\explorer.exe Section loaded: cryptsp.dll
Source: C:\Recovery\explorer.exe Section loaded: rsaenh.dll
Source: C:\Recovery\explorer.exe Section loaded: cryptbase.dll
Source: C:\Recovery\explorer.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: miutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wmidcom.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wbemcomn.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: miutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wmidcom.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wbemcomn.dll
Source: C:\Recovery\explorer.exe Section loaded: mscoree.dll
Source: C:\Recovery\explorer.exe Section loaded: kernel.appcore.dll
Source: C:\Recovery\explorer.exe Section loaded: version.dll
Source: C:\Recovery\explorer.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Recovery\explorer.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Recovery\explorer.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Recovery\explorer.exe Section loaded: uxtheme.dll
Source: C:\Recovery\explorer.exe Section loaded: windows.storage.dll
Source: C:\Recovery\explorer.exe Section loaded: wldp.dll
Source: C:\Recovery\explorer.exe Section loaded: profapi.dll
Source: C:\Recovery\explorer.exe Section loaded: cryptsp.dll
Source: C:\Recovery\explorer.exe Section loaded: rsaenh.dll
Source: C:\Recovery\explorer.exe Section loaded: cryptbase.dll
Source: C:\Recovery\explorer.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: miutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wmidcom.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wbemcomn.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: miutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wmidcom.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wbemcomn.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: miutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wmidcom.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wbemcomn.dll
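The module-load entries above carry two signals worth automating: binaries named after Windows system processes (audiodg.exe, explorer.exe) running from directories where those processes never live (C:\Windows\addins, C:\Recovery), and those same binaries loading mscoree.dll, the CLR startup shim, which marks them as managed .NET executables rather than the native originals. The following is an added example, not part of the sandbox report or its tooling: it parses lines in the report's "Source: <path> Section loaded: <dll>" form and applies both checks. The expected-directory table and the sample lines are the example's own constructions (the table is deliberately small; extend it for your environment).

```python
import re
from collections import defaultdict
from pathlib import PureWindowsPath

# Expected on-disk directories for the Windows binaries named in the report.
# This table is an assumption of the example, not data from the report.
EXPECTED_DIRS = {
    "audiodg.exe": {r"c:\windows\system32"},
    "explorer.exe": {r"c:\windows"},
    "schtasks.exe": {r"c:\windows\system32", r"c:\windows\syswow64"},
    "powershell.exe": {r"c:\windows\system32\windowspowershell\v1.0",
                       r"c:\windows\syswow64\windowspowershell\v1.0"},
}

LINE_RE = re.compile(r"^Source:\s+(?P<proc>.+?)\s+Section loaded:\s+(?P<dll>\S+)")


def parse_section_loads(text):
    """Yield (process_path, dll) pairs from lines of the form
    'Source: <path> Section loaded: <dll>'. Trailing link text such as
    'Jump to behavior' is ignored because the DLL token stops at whitespace."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m.group("proc"), m.group("dll").lower()


def location_anomalies(text):
    """Process paths whose file name is a known Windows binary but whose
    directory is not one of that binary's expected directories."""
    hits = set()
    for proc, _ in parse_section_loads(text):
        p = PureWindowsPath(proc)
        name, parent = p.name.lower(), str(p.parent).lower()
        if name in EXPECTED_DIRS and parent not in EXPECTED_DIRS[name]:
            hits.add(proc)
    return sorted(hits)


def managed_processes(text):
    """Process paths that loaded mscoree.dll (the CLR shim). The genuine
    audiodg.exe is native code, so a CLR load from a binary of that name,
    combined with a wrong directory, is a strong masquerading indicator."""
    loads = defaultdict(set)
    for proc, dll in parse_section_loads(text):
        loads[proc].add(dll)
    return sorted(p for p, dlls in loads.items() if "mscoree.dll" in dlls)


# Constructed sample in the report's line format (not copied verbatim from it).
SAMPLE = """\
Source: C:\\Windows\\System32\\schtasks.exe Section loaded: taskschd.dll
Source: C:\\Windows\\addins\\audiodg.exe Section loaded: mscoree.dll
Source: C:\\Windows\\addins\\audiodg.exe Section loaded: rsaenh.dll
Source: C:\\Recovery\\explorer.exe Section loaded: mscoree.dll
Source: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe Section loaded: amsi.dll
Source: C:\\Surrogateprovidercomponentsessionmonitor\\browserwinsvc.exe Section loaded: netutils.dll Jump to behavior
"""

if __name__ == "__main__":
    for p in location_anomalies(SAMPLE):
        print("system binary name outside its expected directory:", p)
    for p in managed_processes(SAMPLE):
        print("loads the CLR (mscoree.dll):", p)
```

Feed the script the full "Section loaded" block and both C:\Windows\addins\audiodg.exe and C:\Recovery\explorer.exe are flagged by both rules, while schtasks.exe and powershell.exe, which run from their real locations, pass. The name-only check is the one the Sigma "System File Execution Location Anomaly" rule encodes; the mscoree.dll check is cheap corroboration when module-load telemetry is available.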
Source: C:\Users\user\Desktop\uChcvn3L6R.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32
Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOwner
Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp Window found: window name: TSelectLanguageForm
Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp Automated click: OK
Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp Automated click: Next >
Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp Automated click: Next >
Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp Automated click: Next >
Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp Automated click: Install
Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp Automated click: Next >
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
Source: C:\Surrogateprovidercomponentsessionmonitor\browserwinsvc.exe Directory created: C:\Program Files\Uninstall Information\qiOZcVoixJLcuAFKAnRd.exe
Source: C:\Surrogateprovidercomponentsessionmonitor\browserwinsvc.exe Directory created: C:\Program Files\Uninstall Information\4f78d385fc35a0
Source: uChcvn3L6R.exe Static file information: File size 48732160 > 1048576
Source: uChcvn3L6R.exe Static PE information: Raw size of .rsrc is bigger than: 0x100000 < 0x2e77600
Source: Binary string: D:\Projects\WinRAR\sfx\build\sfxrar32\Release\sfxrar.pdb source: uChcvn3L6R.exe, 00000000.00000003.1725594185.0000000004FEE000.00000004.00000020.00020000.00000000.sdmp, Arcane Cheat.exe, 00000003.00000002.1732519930.0000000000853000.00000002.00000001.01000000.00000008.sdmp, Arcane Cheat.exe, 00000003.00000000.1725425677.0000000000853000.00000002.00000001.01000000.00000008.sdmp, Arcane Cheat.exe, 00000003.00000003.1727874706.00000000072F2000.00000004.00000020.00020000.00000000.sdmp, Arcane Cheat.exe, 00000003.00000003.1726951934.00000000069E7000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: c:\re\workspace\8-2-build-windows-i586-cygwin\jdk8u101\7261\build\windows-i586\jdk\objs\libjava\java.pdb source: is-LS3UA.tmp.2.dr
Source: Binary string: c:\re\workspace\8-2-build-windows-i586-cygwin\jdk8u101\7261\build\windows-i586\jdk\objs\libnpt\npt.pdbY" source: is-O5MSC.tmp.2.dr
Source: Binary string: c:\re\workspace\8-2-build-windows-i586-cygwin\jdk8u101\7261\build\windows-i586\jdk\objs\libjava\java.pdb'% source: is-LS3UA.tmp.2.dr
Source: Binary string: msvcr120.i386.pdb source: is-11A56.tmp.2.dr
Source: Binary string: c:\re\workspace\8-2-build-windows-i586-cygwin\jdk8u101\7261\build\windows-i586\jdk\objs\libnpt\npt.pdb source: is-O5MSC.tmp.2.dr
Source: Binary string: c:\re\workspace\8-2-build-windows-i586-cygwin\jdk8u101\7261\build\windows-i586\jdk\objs\unpackexe\unpack200.pdb source: is-RMB9M.tmp.2.dr
Source: Binary string: c:\re\workspace\8-2-build-windows-i586-cygwin\jdk8u101\7261\build\windows-i586\jdk\objs\libverify\verify.pdb source: is-G1B5Q.tmp.2.dr
Source: Binary string: c:\re\workspace\8-2-build-windows-i586-cygwin\jdk8u101\7261\build\windows-i586\jdk\objs\libhprof_jvmti\hprof.pdb source: is-069DQ.tmp.2.dr
Source: Binary string: c:\re\workspace\8-2-build-windows-i586-cygwin\jdk8u101\7261\build\windows-i586\jdk\objs\libhprof_jvmti\hprof.pdbi source: is-069DQ.tmp.2.dr
Source: Binary string: c:\re\workspace\8-2-build-windows-i586-cygwin\jdk8u101\7261\build\windows-i586\jdk\objs\rmiregistry_objs\rmiregistry.pdb source: is-DLMB6.tmp.2.dr

Data Obfuscation

Source: 0.3.uChcvn3L6R.exe.5032d6c.0.raw.unpack, OPGpF4YRttobaOjLnpx.cs .Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
Source: 0.0.uChcvn3L6R.exe.31148b0.2.raw.unpack, OPGpF4YRttobaOjLnpx.cs .Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
Source: 0.3.uChcvn3L6R.exe.5032d6c.0.raw.unpack, jqjZ2VKOABMwjdPex07.cs .Net Code: dudi4Z930H System.AppDomain.Load(byte[])
Source: 0.3.uChcvn3L6R.exe.5032d6c.0.raw.unpack, jqjZ2VKOABMwjdPex07.cs .Net Code: dudi4Z930H System.Reflection.Assembly.Load(byte[])
Source: 0.3.uChcvn3L6R.exe.5032d6c.0.raw.unpack, jqjZ2VKOABMwjdPex07.cs .Net Code: dudi4Z930H
Source: 0.0.uChcvn3L6R.exe.31148b0.2.raw.unpack, jqjZ2VKOABMwjdPex07.cs .Net Code: dudi4Z930H System.AppDomain.Load(byte[])
Source: 0.0.uChcvn3L6R.exe.31148b0.2.raw.unpack, jqjZ2VKOABMwjdPex07.cs .Net Code: dudi4Z930H System.Reflection.Assembly.Load(byte[])
Source: 0.0.uChcvn3L6R.exe.31148b0.2.raw.unpack, jqjZ2VKOABMwjdPex07.cs .Net Code: dudi4Z930H
Source: C:\Users\user\AppData\Local\Temp\Arcane Cheat.exe File created: C:\Surrogateprovidercomponentsessionmonitor\__tmp_rar_sfx_access_check_6396203
Source: Arcane Cheat.exe.0.dr Static PE information: section name: .didat
Source: is-TJN2U.tmp.2.dr Static PE information: section name: _RDATA
Source: C:\Users\user\AppData\Local\Temp\Arcane Cheat.exe Code function: 3_2_0083E28C push eax; ret 3_2_0083E2AA
Source: C:\Users\user\AppData\Local\Temp\Arcane Cheat.exe Code function: 3_2_0083ED46 push ecx; ret 3_2_0083ED59
Source: C:\Windows\addins\audiodg.exe Code function: 38_2_00007FFD9BAABF48 push eax; iretd 38_2_00007FFD9BAABF49
Source: C:\Recovery\explorer.exe Code function: 44_2_00007FFD9BAABF48 push eax; iretd 44_2_00007FFD9BAABF49
Source: is-QS1JT.tmp.2.dr Static PE information: section name: .text entropy: 6.90903234258047
Source: is-11A56.tmp.2.dr Static PE information: section name: .text entropy: 6.95576372950548
Source: 0.3.uChcvn3L6R.exe.5032d6c.0.raw.unpack, XZyIViaVc902mYbsOg5.cs High entropy of concatenated method names: '_7tu', '_8ge', 'DyU', '_58f', '_254', '_6Q3', '_7f4', 'B3I', '_75k', 'd4G'
Source: 0.3.uChcvn3L6R.exe.5032d6c.0.raw.unpack, fRecg0IMTTg1CmGU2S.cs High entropy of concatenated method names: '_66K', 'YZ8', 'O46', 'G9C', 'bKGlX9sOMky7oWBBeOb', 'fIhNYks8eYu6cdN5BrR', 'XCDJrvs6XPCVTNr1BOK', 'yraVoDsLnqag6TnapDB', 'RrU8mUsE0fTk5JM4vBX', 'JUd8RosJWjPLy5wnYBS'
Source: 0.3.uChcvn3L6R.exe.5032d6c.0.raw.unpack, dG8w5Q3ZanqpB3yOu4.cs High entropy of concatenated method names: '_59M', 'YZ8', '_1zA', 'G9C', 'TJyQ8S1NHjIeQHvys8r', 'uKweZP1qLYaplZcBjwX', 'tnuD4815rV9LGP8jjot', 'jefSCA1Crr8CYMkjFqj', 'p4LurG1WRkrw7gbSfF0', 'yHcgxV198XMsa1f1FQC'
Source: 0.3.uChcvn3L6R.exe.5032d6c.0.raw.unpack, U9dpYvaqrUuBWyCKLLS.cs High entropy of concatenated method names: '_159', 'rI9', '_2Cj', 'wWaduabi4E', 'l5NdLGfN7I', 'plidd3HtAD', 'F0IdjXUlPt', 'RgHdVisMBP', 'DVWdxqZiRk', 'RYDgfOpqiZLGE7BAOfx'
Source: 0.3.uChcvn3L6R.exe.5032d6c.0.raw.unpack, frKviVDZDMThE4ByFj.cs High entropy of concatenated method names: 'g25', 'YZ8', '_23T', 'G9C', 'IWaT6EDpA', 'kf5XB3vraB0YOfKv72c', 'yLXkE8vNOiXv2sRNsn7', 'W7PQmVvqwRmr6lGgfa7', 'rc4VmBv5EsiWdXvWQBr', 'HliAJNvCAfikXbytA1n'
Source: 0.3.uChcvn3L6R.exe.5032d6c.0.raw.unpack, vfL4JnYPjnWYvURPg4.cs High entropy of concatenated method names: 'P4jr3T6LY', 'Xejw3QRSUOBUSwgPVR', 'f2WyN5hU0erlg0PI33', 'J7TAKketddD4wvjhpU', 'vmSUDpQVt1fbhu4lCQ', 'LtVcpCr98OEyqcffyr', 'DAfO0WPKf', 'VGriVQ2Gw', 'k8CYJEkJi', 'ElKq0v5Zo'
Source: 0.3.uChcvn3L6R.exe.5032d6c.0.raw.unpack, wu1K5qe49mDbXhwNpC5.cs High entropy of concatenated method names: 'v5L2xQBpk8', 'tXy2ArksbF', 'sZy2FBnoSC', 'dsW2QSyNks', 'uACqL1Uz42xJlT0w7E5', 'dmXOccUnBP0o69uQruI', 'eFokPsUDH4yZyCOdqTZ', 'LHVkroijhcXvqsCBybr', 'Q08rKeib9cjE6rBaxkT', 'xK5HPFiv1NPkFRGaXjC'
Source: 0.3.uChcvn3L6R.exe.5032d6c.0.raw.unpack, uinPtEKX5ks0wPYAoBT.cs High entropy of concatenated method names: 'znIOu0xDow', 'VfmOLaqhQm', 'hD2OdKqstp', 'vtHKOa8RYLcfA7lVEA3', 'wjuhIp8QrZeXbPOnLv6', 'Qk0ou68r3Rya1YcJdDQ', 'iQPR1Z8NEgaO6v4Ad2S', 'hv0lmP8qGjW6mjKiKtu', 'RVIZDf85t5531duIW99', 'kuF16a8hXPwlqFw21uK'
Source: 0.3.uChcvn3L6R.exe.5032d6c.0.raw.unpack, f0JYAF43V2JVkapeTEx.cs High entropy of concatenated method names: 'K2EZa0Anob', 'xMjLsA4qdXBMflIJwtA', 'UvRByl45H30X5mnE4Zq', 'bTmuft4rJ95H2pcO0uk', 'C86Vch4NxFwQNAmD9DO', 'Xw7bIF4CHjNbfpRtOYP', '_3Xh', 'YZ8', '_123', 'G9C'
Source: 0.3.uChcvn3L6R.exe.5032d6c.0.raw.unpack, XGrKZ74NbqtEXEJqRoy.cs High entropy of concatenated method names: 'sAtO865wYV', 'umrOvSklTv', 'QrnF2ZO8pOywPeGtd5l', 'flkvC4O4w9we4oKBuQV', 'Gkt3k9OOg7RyroCUSyH', 'xGCW5kO6bGW8GWa1ND4', 'n388DAOLErYDg3rTZkN', 'J7ZDkIOEWlSDiabZFYs', 'D4LgoqOJ58LXydHHr0d', 'FNejh6Od8c458ipfxdf'
Source: 0.3.uChcvn3L6R.exe.5032d6c.0.raw.unpack, hYBAAPaEELKA7GGeEgB.cs High entropy of concatenated method names: 'FtuLJem7ct', 'asNLymt0N7', 'mmXLomVqLo', 'SY7LcNjPlk', 'MebLs9EX7W', 'oaHb3XWSETcdYwBJie8', 'wr3QVEWnIedueBTSEce', 'W7bcKiWD5NFhNwrYceN', 'j1tsu5WzbpyKvDr6JJD', 'bXYUET9jQXPNUx71wGt'
Source: 0.3.uChcvn3L6R.exe.5032d6c.0.raw.unpack, Grshth4pEm8N9DZQKQx.cs High entropy of concatenated method names: 'yiQ', 'YZ8', '_5li', 'G9C', 'HoBDQUZjQUKC6x54pa7', 'UtIrFdZbSpuQgPl3T3Y', 'q0nLCBZvaFoGQ7OxJLP', 'gfCkZhZ113A6ui3EDMN', 'ceZwqmZswVn9t0Aev7j', 'BSLAJ2ZG11AnpGFAcQl'
Source: 0.3.uChcvn3L6R.exe.5032d6c.0.raw.unpack, ApSAAkSNXsI9QTfjE7.cs High entropy of concatenated method names: '_52U', 'YZ8', 'M5A', 'G9C', 'oV8IEFG7dgKs1P6C7oj', 'y2GRXtGAGpnNI6iTTQF', 'zlT3KuG3wB7lmDT9kcD', 'mQR8VkGSOagio9Swvyb', 'OXGIUXGnnvDfFIIxkGU', 'uh4OgoGD4yLWC9YUort'
Source: 0.3.uChcvn3L6R.exe.5032d6c.0.raw.unpack, Ly3Q2KKfs8gHJxm1oP7.cs High entropy of concatenated method names: 'THRiabScEt', 'aL0iWtNccZ', 'qSTOoEEi9tsCGZM7Qo4', 'ffK6QqEBppydmRhNN8t', 'OMGfJQEVSp2xRbAkSjo', 'BmeLwKEcA53NG4BxylL', 'MEtZBxExnLXwu73dcju', 'LetnCaEtGgtJHa92cMU', 'osY80qEkqUUoBAsS8NE', 'gSBqPCEyCdqSKOTwa5n'
Source: 0.3.uChcvn3L6R.exe.5032d6c.0.raw.unpack, zVPfdxeIW0Yo89m7eUv.cs High entropy of concatenated method names: 'sg9', 'v3yP2Gne8m', 'UMX3apd9Z8', 'i3pPI5QMAR', 'kMYKgcxlZTE5QX5WTEU', 'Ho0QfDx0HWllwiVJgUM', 'qxL9MZxmYutZqHKCAj9', 'GjyHs8xoZgrlAkoMuiB', 'ki89JMxuhJULuhSLInP', 'u2Br0YxIvFeppCcOfPx'
Source: 0.3.uChcvn3L6R.exe.5032d6c.0.raw.unpack, AnHVB64Y36pO8IxLZc7.cs High entropy of concatenated method names: '_6H9', 'YZ8', '_66N', 'G9C', 'ot4yceYAeq0w8ZSK4Zw', 'IQtTjJY3dvimwhof4Zl', 'REPTd1YSkcUcEdPWwaK', 'vK3vxcYnQ5EMI0XEi9q', 'JZLvG8YDtdnrAG7CvRp', 'zPYDIPYzaxk3aWdYFq9'
Source: 0.3.uChcvn3L6R.exe.5032d6c.0.raw.unpack, yJx8VDKQf1c6TlIv9FG.cs High entropy of concatenated method names: 'C3YiN0qgQT', 'wK1OmmE1RNNfZjbsSS3', 'YF6K83EshBDAORcWyyi', 'XE2WdWEbkOgKgRA8Ysu', 'KbxRowEvFFpNbltZjgn', 'wTVCnNEGsiDX4pg7u9E', 'UMZyT4EY059AjkKXLa0', 'UEayiNEgNVhZaLL6dCW', 'qVtwYsEZoukv9D7J9DF', 'UQ4qR9E2NKXhCgK50M8'
Source: 0.3.uChcvn3L6R.exe.5032d6c.0.raw.unpack, b5hTDFeLD6bE2HAfhlF.cs High entropy of concatenated method names: 'HFy3Gmlr6s', 'Bnw3mS3bY4', 'yMi3eIpQ1g', 'E7c8vqcf5nPkj18Lftu', 'JBy8F0c9pmQ4H3VEatW', 'qeN3gfcpe0kGnD92Nmd', 'QLG5yucHeyTqp93BwtI', 'VvK3tJY0ZH', 'h6F321skHo', 'zt93ROo2Ix'
Source: 0.3.uChcvn3L6R.exe.5032d6c.0.raw.unpack, uJvRw2epFJjv398J8bj.cs High entropy of concatenated method names: 'QerREwOYR0', 'wQnRgncXPm', 'mT6RCOtNu4', 'pLJRNToPjL', 'qBZRkuui9s', 'kTJtYLcYHIpFwFaLSJo', 'P67FZacgKwS6di4fRXD', 'yGaYL5csCMDkwfCIOd5', 'NFvw4ccGkAxjeyT8FeC', 'qHPYRQcZooMsi1nwDTI'
Source: 0.3.uChcvn3L6R.exe.5032d6c.0.raw.unpack, UUWdNXaDYwKxyRLF8lr.cs High entropy of concatenated method names: 'Fc1GNdfsWZeJkAGQiWc', 'vZrKyDfGK2k44o50U7D', 'XYZtTJfvYEl6vJlCeeq', 'qxAoprf1ENx4lwDxFuE', 'M6pdXbA64r', 'WM4', '_499', 'E3UdIBxRZZ', 'GHHd7hI6OH', 'guUd6Y0xh3'
Source: 0.3.uChcvn3L6R.exe.5032d6c.0.raw.unpack, yrD1ux4clRu0H9AUBjQ.cs High entropy of concatenated method names: 'd6VZ12ABqT', 'HrXJjG4vk8F8625ykiV', 'ecjn2s418vxaegdtIE3', 'c8JbB94jneoH3l1bINS', 'KX8G564bd9KUvExBRB8', 'Jnj2Ei4sygWXGqP9D6S', 'fn2p4k4GWqHsj4SaPcF', 'EREAjX4YLy6ciooShEW', 'QgGZUexXCV', 'ynD8ns42Im1XuiROd12'
Source: 0.3.uChcvn3L6R.exe.5032d6c.0.raw.unpack, jqjZ2VKOABMwjdPex07.cs High entropy of concatenated method names: 'T0RiQW1M6v', 'F2VihHRGwC', 'rVeiX2grc7', 'O6SiIFIpcq', 'qkki7FgR28', 'Dksi69WNx8', 'L2IilFr0LE', 'AIDRMSLksINE3DAIx9n', 'nbGG5OLxKXanrFWEeFe', 'fKDHsgLtpMrGNNXd44D'
Source: 0.3.uChcvn3L6R.exe.5032d6c.0.raw.unpack, rIxfJY4tw8hMmSHlH36.cs High entropy of concatenated method names: '_625', 'YZ8', '_9pX', 'G9C', 'Xurk3hOVgPGEJID9a9x', 'HeRpaOOcKn0bEcsw6xP', 'zXMLQROxRvfLXwCxOQx', 'B37IuhOtAG93gRT90ok', 'RfIjT5OkBXlQJthEc1d', 'DfbFvmOy3bPYBDbx3cP'
Source: 0.3.uChcvn3L6R.exe.5032d6c.0.raw.unpack, WYU9eAmsTrRuJf17lqO.cs High entropy of concatenated method names: 'q4Y', '_71O', '_6H6', 'dkYusXMlvX', '_13H', 'I64', '_67a', '_71t', 'fEj', '_9OJ'
Source: 0.3.uChcvn3L6R.exe.5032d6c.0.raw.unpack, VsCJkmmxmjtBLNfxCv1.cs High entropy of concatenated method names: 'DpQujbVkyj', 'wgPuVGl98R', 'F8e', 'bLw', 'U96', '_71a', 'O52', 'Eh8uxMKVbl', '_5f9', 'A6Y'
Source: 0.3.uChcvn3L6R.exe.5032d6c.0.raw.unpack, qaQ18YrDdYGJ0jQs3n.cs High entropy of concatenated method names: '_88Z', 'YZ8', 'ffV', 'G9C', 'O4e7aEGHyxdH6VlVbs3', 'fUdZInGoc2cOTIY3nGy', 'TJ0pVrGucqlqBqKAhUI', 'YIDCeBGl5XvqrLWFgxg', 'lptTlTG06fAuttG1vct', 'LkGPQQGmUvu30Rm4L1R'
Source: 0.3.uChcvn3L6R.exe.5032d6c.0.raw.unpack, bMPoAwaKedZWH1QaXdy.cs High entropy of concatenated method names: 'FeHLRoQ5Hp', 'iJKL372bNP', '_8r1', 'PkSLwKUd7H', 'dtML8uK1up', 'E0ELvpw9NA', 'yYDLnbrgk6', 'gyjtTYWdShNIdBTXDod', 'vfPpcZWTaBAZmI7F0Js', 'eyTnVsWKAo0R0tqC4V5'
Source: 0.3.uChcvn3L6R.exe.5032d6c.0.raw.unpack, zf9svGK8RpAFJaoFCRD.cs High entropy of concatenated method names: 'JmXqxm1voo', 'IpRRmpTnJnw01AI8Og8', 'x8urldTDSCCcUp5A25c', 'CEYuUFT3nBs5et8KIWD', 'Us4J8gTSPQ5COwGWeh5', 'YZYOfKTz6DdW0EK3p6q', 'G6Jk9YKjHmZhXAFI2VV', 'lFX0BxKbDLLjAJ7KiY8', 'qY8DbrKvskg50VkC8no', 'KN1xcfK10if9mHKh85X'
Source: 0.3.uChcvn3L6R.exe.5032d6c.0.raw.unpack, yfgKpva0LA9xiryYnVp.cs High entropy of concatenated method names: 'PJ1', 'jo3', 'Sjox3Kygnv', 'GD7xwcnw4n', 'Wtox8w2JJt', 'EC9', '_74a', '_8pl', '_27D', '_524'
Source: 0.3.uChcvn3L6R.exe.5032d6c.0.raw.unpack, wyFyPueEqOnkeL0l7J9.cs High entropy of concatenated method names: '_525', 'L97', '_3t2', 'UL2', '_6V2', '_968', 'DYXfH6xLYZ1WgeD9JSv', 'XCMoN4xEOHI4V33j23p', 'PXrsdNxJuUxeR2UwMs7', 'qa54fLxddxYeLlXh4YZ'
Source: 0.3.uChcvn3L6R.exe.5032d6c.0.raw.unpack, NLJ7QMAIrQqQnfInus.cs High entropy of concatenated method names: '_23T', 'YZ8', 'ELp', 'G9C', 'yrNUZQ13pYOk31PbFk2', 'LhgjjS1SCb1tddu2pAY', 'eFuIwA1ny6TQwsFFoA8', 'NDI8Ub1DxZofHGe2tnw', 'sxmDUN1zoddmXnHZ71V', 'FiruXXsj0X2Sr58sgVS'
Source: 0.3.uChcvn3L6R.exe.5032d6c.0.raw.unpack, MgcuAKmejK1sMdwX8FU.cs High entropy of concatenated method names: 'D7Fr6hRxDCaCfAHDqM3', 'OYSnu5RtmltK23CsYEX', 'frq2DPRVtgQsEB6EHu6', 'iZ2aQ0RcOZc1dqSgqWf', 'XJUJ9XvFlf', 'ho2WgwRF3LErYofq8CS', 'SQNpOgRXeZ09n98opWJ', 'T4Z2GORkBgnrbWe7hii', 'BJHuqaRyFDVP9WPMVa6', 'hJB1RYRajE1yWyeeoag'
Source: 0.3.uChcvn3L6R.exe.5032d6c.0.raw.unpack, J7pXyta1Te3TG3D8QJm.cs High entropy of concatenated method names: 'D4M', '_4DP', 'HU2', '_4Ke', '_5C9', '_7b1', 'lV5', 'H7p', 'V5L', '_736'
Source: 0.3.uChcvn3L6R.exe.5032d6c.0.raw.unpack, bajIvA4OTX5ZB97IMme.cs High entropy of concatenated method names: '_3fO', 'YZ8', '_48A', 'G9C', 'p7UmiSggKbcYpBrVJTY', 'XGuOmvgZT6yxRhS9eQE', 'n1nruBg2i7m9hvc2Rxn', 'N7d6nog4B5SdSq6a7BJ', 'oNZvxJgOUrdBRh6qWaO', 'EM5qBvg8wi1At99Uf0D'
Source: 0.3.uChcvn3L6R.exe.5032d6c.0.raw.unpack, WcqDlI4yMd1a30fDpM2.cs High entropy of concatenated method names: '_7v4', 'YZ8', '_888', 'G9C', 'MiUoEwOeUUBWXq9SEJ2', 'xG5wePORNkQ7IHmCcol', 'iSIcV7OQkL7w3mpD7N6', 'Qq6lBDOrsDfmCrCe4AE', 'gQ4oIHONlY7q2kDlsWJ', 'pSeNv1OqhXXprSGyg1n'
Source: 0.3.uChcvn3L6R.exe.5032d6c.0.raw.unpack, YWnHn8gfB1bqjKRnFx.cs High entropy of concatenated method names: 'TZ5XpO79s', 'XWQIkhcI2', 'Vxp71ak22', 'jjAtjvb5lghEf48Mrye', 'S59VhGbNicm7JxJa7mS', 'Ui7hRmbqLmNPQNQoopY', 'Ul4rs9bCTYuc6U6DqQB', 'KRlWoobWTMYGTR54Tx1', 'p9Fcubb9CUuFIe75dFQ', 'uKWAe3bpp7XanPceWEP'
Source: 0.3.uChcvn3L6R.exe.5032d6c.0.raw.unpack, OKt2PQzP8XeOi31VE9.cs High entropy of concatenated method names: 'Y29', 'YZ8', 'jn6', 'G9C', 'wj3pcZY1hEnwIABUUp1', 'mey7VSYsBX7eWqVNCQB', 'nuPTVsYGuULdYKXuFFN', 'enJfj7YYW3MQNkywnI3', 'ORi950YgFhwmnyQ0PJx', 'LxDxFDYZR3GBHQmZsSl'
Source: 0.3.uChcvn3L6R.exe.5032d6c.0.raw.unpack, C8j1LANG2TGEEeLI3i.cs High entropy of concatenated method names: 'P37', 'YZ8', 'b2I', 'G9C', 'oYREZssf6AcimF6KSqS', 'AQ3iCAsHakMlllC9MKW', 'wE9nYTsop8QuWmpRFBu', 'SYHl6XsuOba5SRaLkVq', 'hcS418slOJ1XZuvHKDs', 'jrn8xLs0DKVx8YbHIlA'
Source: 0.3.uChcvn3L6R.exe.5032d6c.0.raw.unpack, YIVcDfYVF7DHmPCwFFB.cs High entropy of concatenated method names: 'gLgF9Q099o', 'q7NFuPyoM2', 'U5eFLSiP22', 'jE3FdBoVoJ', 'M0hFjd8Ok9', 'lthFVSCSQQ', 'bUuFxxfxXm', 'tPeFAMm4Wc', 'N43FFkNVbt', 'Q3HFQEPWG2'
Source: 0.3.uChcvn3L6R.exe.5032d6c.0.raw.unpack, JNYRMS0HPO6XD0Bn9Y.cs High entropy of concatenated method names: '_468', 'YZ8', '_2M1', 'G9C', 'PXApvQsK3C3wPrEwBK5', 'UVjFDjsUw2nOCbZALbJ', 'BLJuQGsifmRuZ7WHdcr', 'Ie5ug3sBRnuCyvZNaYE', 'dTIbhYsVFAX0CxJH5ZA', 'OtQsiqscAnucLFFvwKS'
Source: 0.3.uChcvn3L6R.exe.5032d6c.0.raw.unpack, QZkfXP4Ljmy4Xx8GKJy.cs High entropy of concatenated method names: 'dqVZxajNAs', 'JAP83AZKAdFOyYotZuF', 'mfbV5CZUM8amUaTaog5', 'DrBp8RZdB5gSYQfyM18', 'H7pdbFZTiKrqDnA1Bxp', 'aIiJXQZiQC292OEnqQU', 'U4Yg6HZBq94IdgAdsA1', 's5GQ02ZVOEBRc6oVaVv', 'fT56IOZcW871WZ83Non', 'f28'
Source: 0.3.uChcvn3L6R.exe.5032d6c.0.raw.unpack, mWDkfser2AD2rxryNcY.cs High entropy of concatenated method names: 'gZIyKBkqfJw0SJopLdJ', 'aJSol2k5psFgr0kayA2', 'KCgSDskrm08gB0rCsYp', 'A6t6GdkNgwnO6ZfMq9S', 'IWF', 'j72', 'l9Hweh2dMs', 'UBxwpsJSe2', 'j4z', 'dT1wPLVChy'
Source: 0.3.uChcvn3L6R.exe.5032d6c.0.raw.unpack, HfN3vpFrv9v3qSTGyY5.cs High entropy of concatenated method names: 'k9YGu2hpH0', 'TuaGd8WH6G', 'vHuGrHvkx4', 'SkeG4bFXiB', 't9lGGtNDTs', 'RBSGmrYph1', 'O0XGeB84yJ', 'a1AGpInfac', 'y7LGPPoS7B', 'qGlGBxGsr3'
Source: 0.3.uChcvn3L6R.exe.5032d6c.0.raw.unpack, Yxrd20KU6xmQpkDrx2p.cs High entropy of concatenated method names: 'NLwYrLnvh6', 'o71Y4DTIvG', 'XENgnUJkue9r0CiiDq3', 'udBkuIJyCeaOg1Wn9UF', 's1Q444JxXQBQXZvPb1P', 'vI5k7hJtJGljGfFJyJD', 'EoJ3dEJFUQ2MsUpA5Ie', 'NHSSFtJXJYSZkeqcnqL', 'RHHU82JahZPHwhwrADv', 'AdPb2aJMmiKrXJLUGIm'
Source: 0.3.uChcvn3L6R.exe.5032d6c.0.raw.unpack, i3OC7eYb4mpBnKWBTDX.cs High entropy of concatenated method names: 'PEy0kW33lOWEI', 'RrIgW6oJne5pJ96Sb8P', 'tobdHgodO9W75qgIIXy', 'oNQAuBoT7K4uIpehDZk', 'DaL9XgoKPbnJ7yYtcU6', 'yrDKjFoUPNW8yh5YNJp', 'PWHi7GoLLWnj9Vgs25a', 'AltCOQoE2V2GRdGKuBg', 'qFg1SBoiPvNEpDuS5RL', 'H0gp7DoBxgEVKSp9cAy'
Source: 0.3.uChcvn3L6R.exe.5032d6c.0.raw.unpack, s1EYFDeQJbKLSKirhfF.cs High entropy of concatenated method names: 'f5cRTTS6pA', 'DFaRbMTTmr', 'z2rR1t0PsR', 'JEvRfjp9Ut', 'jc8ryZVQ3A5s2inuc3U', 'sqF4jWVrRXb0wnP4aq3', 'mLDh0BVNoGfqbk2dnTQ', 'YgQ4ooVePDJOgSyjOA7', 'KhheDAVRwO8o0HMbPup', 'XgsCfnVq6IA6v0G5myK'
Source: 0.3.uChcvn3L6R.exe.5032d6c.0.raw.unpack, fdMTcS4bO4rG4nQwAFq.cs High entropy of concatenated method names: '_6U6', 'YZ8', '_694', 'G9C', 'Rr1wwGgiJPmdlXqjl60', 'icDZSogB8oUcJpZyVg8', 'j5KjmSgVv7ekafd6uqR', 'dg0DoAgclmUNbfvLN8k', 'n8dQIGgxgPVZ2iXg7JA', 'TEPeelgt5iuefZg62BZ'
Source: 0.3.uChcvn3L6R.exe.5032d6c.0.raw.unpack, yii6wheMCmQtv2Cbvif.cs High entropy of concatenated method names: 'CoBRMIWbAJ', 'zcjRSym94F', 'u1QRHDD3gC', 'xSIXxOVo6L6QLNJqPe7', 'fs0HXbVuYfXBD6V8hps', 'NoOtNaVlyUtV4Bkbgca', 'BuTk15V04Pm1bh55ABl', 'Am2aSZVms1AvmxahJ41', 'WTyYQFVIPxaIr0T5U1O', 'tckvQFVPVVJXvGZ2m83'
Source: 0.3.uChcvn3L6R.exe.5032d6c.0.raw.unpack, JjX99yeNVmTigQHdTrJ.cs High entropy of concatenated method names: 'oYo', '_1Z5', 'ClnP0LjkAY', 'H29wYX2QCw', 'AENPxebLXX', 'W2sTkutLYOBTg0eNcLO', 'O8l9N8tEJPOs12E01Nm', 'T8y98qtJDBrx4F0f6fO', 'mrtEJotdYRsyRTr4Jms', 'DBOonetTbbUaiLYoLiW'
Source: 0.3.uChcvn3L6R.exe.5032d6c.0.raw.unpack, Mpuv1DmdWqkU1hrkXKl.cs High entropy of concatenated method names: 'xvOuYedhwr', 'A7luqyJFZU', 'is7utBCG9v', 'Ecsu2kLu0u', 'P63uRO2gk1', 'gFVu3tc3Go', 'RqMuwbw0lk', 'UMeu8fC0bU', 'EbWuvvnBuC', 'fptun3UvcO'
Source: 0.3.uChcvn3L6R.exe.5032d6c.0.raw.unpack, kKpvtnFkX0ASVKQOpjT.cs High entropy of concatenated method names: '_45b', 'ne2', '_115', '_3vY', 'gvlr0Lgk4N', '_3il', 'WSfrZnXd7N', 'kZirO9C6pL', '_78N', 'z3K'
Source: 0.3.uChcvn3L6R.exe.5032d6c.0.raw.unpack, U2SAQHFOXCYffxXfsPr.cs High entropy of concatenated method names: 'uxk', 'q7W', '_327', '_958', '_4Oz', 'r6z', 'r7o', 'Z83', 'L5N', 'VTw'
Source: 0.3.uChcvn3L6R.exe.5032d6c.0.raw.unpack, nRPgru493Tehsrh6OFt.cs High entropy of concatenated method names: '_589', 'YZ8', '_491', 'G9C', 'tiDDhOO08CV3edRtNNS', 'jZnXPxOmXpRLXPs0Yul', 'q1a6RLOIQ0YtPRJ8hgV', 'BBIeEiOPBNjmYNGf6iW', 'mW2CZFO7xnYgFCm576R', 'imnWiSOAtQKD0oYHLmV'
Source: 0.3.uChcvn3L6R.exe.5032d6c.0.raw.unpack, x0plSfK2e86vUFj9dns.cs High entropy of concatenated method names: 'VaxYaaMRDI', 'McOYWsUCt1', 'oC1YzDp0j0', 'v4Kq0wv0em', 'epcqZ5qEhW', 'Gh5qOtnrc3', 'KSuqiMDwXf', 'fPJqYRUR1K', 'JTDqqRykwt', 'CwwmOIdA17wfWSahld3'
Source: 0.3.uChcvn3L6R.exe.5032d6c.0.raw.unpack, wNQSaet41GSAlpVu6W.cs High entropy of concatenated method names: 'kcq', 'YZ8', '_4bQ', 'G9C', 'u5MAg6GYsVjs3GB3F0W', 'xNE6QPGgxv9UFQwZrmL', 'ixwLUYGZIKSXYoq49bX', 'jHiEHdG23tCEikZ9ILI', 'BQwV3XG4y8ouxHYLeFv', 'j99Bw2GO2qJOpqkvHdo'
Source: 0.3.uChcvn3L6R.exe.5032d6c.0.raw.unpack, M4QXxA4E7JjMplBB9Aa.cs High entropy of concatenated method names: 'gHL', 'YZ8', 'vF9', 'G9C', 'Q5GqIRZkPqg9eq1tSiT', 'qZkf6lZywgs6Hkgumb3', 'hGfq5xZFQQfoGlqo0Oi', 'FdpJZJZXnc5yCnyB4Mp', 'J1cyNyZaBvoEgaLVltk', 'XDva0VZM0RiqkXAnjXn'
Source: 0.3.uChcvn3L6R.exe.5032d6c.0.raw.unpack, FMvgruj53AFPjNmKcF.cs High entropy of concatenated method names: 'wGi9X4lqa', 'Fp4ukj7Xx', 'QCLLqg1Ko', 'v2jdMqlk8', 'UE1jP63hM', 'OAmVAJKIq', 'HmGx8QCk3', 'zOL3OkbZ6u4OFDrxcOU', 'VBL0Asb2Yy91DaMD8X8', 'DmjwfHb4U7IiPBZMO2y'
Source: 0.3.uChcvn3L6R.exe.5032d6c.0.raw.unpack, KxYqtQyolIb7BvJOcy.cs High entropy of concatenated method names: '_8Ok', 'YZ8', 'InF', 'G9C', 'F3JldDGJO2wSethgORg', 'jFnAmEGdqIWAP7rSHkA', 'JofQ7BGTOtE4EfYoneX', 'WXmDnpGK4VHn6Z2txkj', 'dKBP2eGUnlqWdqwxRde', 'xx9ackGixxyvBl2dNHl'
Source: 0.3.uChcvn3L6R.exe.5032d6c.0.raw.unpack, MXnpDxmOu7SS5S3RJoY.cs High entropy of concatenated method names: 'LTG9JO0Bs2', 'lba9ykY2jN', 'NrOdCNN7MhqCKfs0N2k', 'hivLGoNAsKXXGkZgsrX', 'l5kQd0N3T5logOTd6I6', 'TLNpNONS8ERXyutr1X5', 'q9T6cvNnSekfMgSiRRb', 'gKeJ6JNDkCvb5Cyx9Dw', 'qWOs3JNzFc0MsiknCNr', 'YeOQ1CqjObbwUSoKRpV'
Source: 0.3.uChcvn3L6R.exe.5032d6c.0.raw.unpack, suEBtP48jbkK7qZIr4E.cs High entropy of concatenated method names: 'siTZgJwgPy', 'Ik29pQ4kft5SJDfbwcu', 'paVVYP4yOvlssidemnY', 'Mk6LMC4xY9ftoY9LIxq', 'i4ja5C4tbbvi83gqolt', 'e0POlL4FkEmjyAVC4nN', 'QLw', 'YZ8', 'cC5', 'G9C'
Source: 0.3.uChcvn3L6R.exe.5032d6c.0.raw.unpack, YA9r7xaJmT30g7WIkWc.cs High entropy of concatenated method names: 'leLxcj77fv', '_1kO', '_9v4', '_294', 'q8axs4su3E', 'euj', 'osFx98rVrp', 'WhWxusKEKY', 'o87', 'M7kxLxtPBL'
Source: 0.3.uChcvn3L6R.exe.5032d6c.0.raw.unpack, iXn6oYFJGUi54Lp9RMW.cs High entropy of concatenated method names: 'P29', '_3xW', 'bOP', 'Th1', '_36d', 'dfG4GRS41U', 'HlR4m6QT1l', 'r8j', 'LS1', '_55S'
Source: 0.3.uChcvn3L6R.exe.5032d6c.0.raw.unpack, dd6RCYmWbtXAGRP0hM4.cs High entropy of concatenated method names: 'arE3xm5Gf0fRiSZeIgs', 'zCfs6W5YqufS2RSgaCL', 'GqAMyf516Q66rt35PSS', 'fIQKpw5sK14oV8otaiF', 'jDJPWr5gdUmqJQGswFH', 'nfx3vH5ZVGs02tCtEFB', 'oIYkiN52khLcXsNWXr8'
Source: 0.3.uChcvn3L6R.exe.5032d6c.0.raw.unpack, ClpKQ8ezbxVoAo98Y1w.cs High entropy of concatenated method names: 'xGbwjB1q2v', 'eqhwVkHE6X', 'f2FwxyExd6', 'SaaO2gk9tbVhaXLm484', 'ybsBChkp57fPglj9SAx', 'GPUpRAkC7xEZLI2B7hT', 'yLrNtOkWdpi9IVpeOKe', 'MNHPDZkfXYNcwuJjCVd', 'a4G5o0kHlgJFIcbBBu2', 'PkEghkkowkW3DMUtZGe'
Source: 0.3.uChcvn3L6R.exe.5032d6c.0.raw.unpack, DDNHaJe9dXxr8HNM9G0.cs High entropy of concatenated method names: '_269', '_5E7', 'YIZP3na0BG', 'Mz8', 'd2hP62rAZd', 'MM118etISFAgK2FiyZu', 'xCPMSStPke9eY8LcAUG', 'LFVrFCt7seNow7Bj2w1', 'Fr874ktAxqYw4UiU8v2', 'GoZhgat3eco6b7OZ70H'
Source: 0.3.uChcvn3L6R.exe.5032d6c.0.raw.unpack, kHmc3mKKffFdxPhK0OA.cs High entropy of concatenated method names: 'qPmOUWwYTx', 'bfnOMKMIhs', 'qM6OSBbTZP', 'FqJOHsEOSm', 'oeUOEDjNUC', 'dU2OgygIQp', 'QiwLdO6KiSESPjBxQvZ', 'KRwPlT6Up5pG1XhJqM4', 'ExtXB86dNdooYB1Eroq', 'utnTJg6T5JS6EcUPOyY'
Source: 0.3.uChcvn3L6R.exe.5032d6c.0.raw.unpack, v6Ba809KpxcyqFPSeT.cs High entropy of concatenated method names: 'pHw', 'YZ8', 'v2R', 'G9C', 'SwwM9VGa0QvuUmPSwxl', 'gQVBl0GM42ByiF7u6mq', 'xBoFvfGwcEiIFbDWFuC', 'lAQspyGhOpk7NmM4T0Z', 'ait6q3GekBH5uQVTqap', 'NhcyIUGR2ZnknEdJMir'
Source: 0.3.uChcvn3L6R.exe.5032d6c.0.raw.unpack, FrWgtOFmwKqCVWccJji.cs High entropy of concatenated method names: 'bTxve50bF8', 'rjfk5PyU9mcUhVVDt80', 'bf210MyiLUmdyuNVJbM', 'DughDcyTiH7kVMMInIG', 'WHnO5ByKqABrHY8UxAK', 'W73wAs74oq', 'xI9wFCdORn', 'trjwQjcOJe', 'gU4whmDMIq', 'avywXiLcnq'
Source: 0.3.uChcvn3L6R.exe.5032d6c.0.raw.unpack, tHGfSGePnSN5loNOcfS.cs High entropy of concatenated method names: '_223', 'f5hUIfVKaFVYsTeAsy5', 'bFhPmcVUGGXQ2CGts2t', 'glKNZ6Virk5k4BQc6Kq', 'hbf2eCVBhete3Ne4iiv', 'srCtQUVVErd7vrPw2gs', 'VnJf8PVcXmKgSFvweJk', 'BgpLj5VxCMpWgqSaBxR', 'lh0rbOVtHJWvAoQNNNd', 'pLZY2JVkqaKs15fuC3T'
Source: 0.3.uChcvn3L6R.exe.5032d6c.0.raw.unpack, o4uJpAHHMVmtTsn4jR.cs High entropy of concatenated method names: '_3OK', 'YZ8', '_321', 'G9C', 'YPfd24vntYVyKdCqKGR', 'cHZMQtvDMb8LNM4odaU', 'J13QUFvzCFCcolLvUON', 'eLcX3L1jwuoDOvJ4wfG', 'GhgH7P1bSwM4E3tkris', 'SFiHBl1vwelI1ZnbNTE'
Source: 0.3.uChcvn3L6R.exe.5032d6c.0.raw.unpack, xKNkDPekrtCKJiCidfE.cs High entropy of concatenated method names: 'Y3t3QOVBTv', 'AAY3hQglKD', 'n4trmaxUhyYEDqAJHZZ', 'oBvWX9xiHRNZTybqWHO', 'zh9vcBxT6Urf8Jwfrfy', 'NCXYluxKGcaYsovy7qK', 'Knvh0axBD2kj1VvW5ur', 'j96ENWxVTo9D4x9twQJ'
Source: 0.3.uChcvn3L6R.exe.5032d6c.0.raw.unpack, GmsxILm2VkZtsAgbVHl.cs High entropy of concatenated method names: 'QCq9buRbgx', 'SHD912UGQZ', 'UCB9fVMo3R', 'fXJg89qrfSYKcDJW0uF', 'yp42LAqR6rJhfnDFwuZ', 'ew0QoqqQSFTal02nXl0', 'HaOpDVqNQ1o0Pd5wOZR', 'IfNuJFqqGvEGCeO5sXn'
Source: 0.3.uChcvn3L6R.exe.5032d6c.0.raw.unpack, OPGpF4YRttobaOjLnpx.cs High entropy of concatenated method names: 'vmwHVWoFHM6TPj938KT', 'ktl59eoXNVJtT6KLKgm', 'kDUhy1okbYdN1P8wYsj', 'V3VyGVoyon6vSCd2BK2', 'ibuF4NbAvW', 'nPAkOXowr0eNP9t0iRc', 'cu9QBkoh415EI8anAL2', 'U8HLgJoeq0fXV2acn8y', 'E4H8EVoRbc5PdJWAMnZ', 'wMDOQioQArWK6ojif59'
Source: 0.3.uChcvn3L6R.exe.5032d6c.0.raw.unpack, ponBPGFSjYYWTaTNaWS.cs High entropy of concatenated method names: 'ICU', 'j9U', 'IBK', '_6qM', 'Amn', 'Mc2', 'og6', 'z6i', '_5G6', 'r11'
Source: 0.3.uChcvn3L6R.exe.5032d6c.0.raw.unpack, mZddw0KAmT4LH8aKS1a.cs High entropy of concatenated method names: 'gYVtR7xg1e', 'wT1t3IGt1U', 'qqyFMmKA4WYjA7Ay2xD', 'K6BgaGK3IrJEpYhDExF', 'NtJWdAKPLGg5sMpy4Cl', 'HI6746K73ZUrvkpgbJ1', 'ep1tegT7KY', 'lKDMFwUjF0BRtmcFmGT', 'T3x8UYUbPo24usnl6yt', 'lMhLxwKDK6R7q6sPBYQ'
Source: 0.3.uChcvn3L6R.exe.5032d6c.0.raw.unpack, aWINOhe54FTcqUiKgOr.cs High entropy of concatenated method names: 'ODQRhSExcJ', 'kfXRXkmatR', 'CsnRIUYHi8', 'tUxgAoVEfuWCotqRMc5', 'UM87SdV6Bg6sBC61w9V', 'nW9ZXgVLMKBF6ohthYd', 'W9V7xEVJabnkQEW3RoE', 'cwdRG7XCqP', 'P4nRmtE3Ot', 'j3ERe3pUit'
Source: 0.3.uChcvn3L6R.exe.5032d6c.0.raw.unpack, hI5jAWmnjbvfOa9N6kn.cs High entropy of concatenated method names: '_14Y', 'b41', 'D7Y', 'xMq', 'i39', '_77u', '_4PG', '_5u8', 'h12', '_2KT'
Source: 0.3.uChcvn3L6R.exe.5032d6c.0.raw.unpack, QlN77246qOpP8FMnMac.cs High entropy of concatenated method names: 'TAaOZPkj8O', 'iFIOOJJsoa', 'ATDOinXNYB', 'kCDPdQ4IBYT9kbpADQM', 'DaY2HG4PFYES6YQaKvU', 'GbXiZ640Xhcw1r8txc6', 'tPswH14mlx1Ekk7I2Hv', 'RyxZ7847Sh6cNQVf2Kf', 'PUEKOi4A8CASMDvA0HH', 'iuYHGC43EAUYe0v897U'
Source: 0.3.uChcvn3L6R.exe.5032d6c.0.raw.unpack, SudaoE4QHy79dqhO31N.cs High entropy of concatenated method names: 'rU3', 'YZ8', 'M54', 'G9C', 'HDAgdXgCfOS36eWQKZ3', 'OqbEPHgWS3t1sqZ0Q7v', 'DxyG6ng9xPkRTXNfZyE', 'aYPnSQgp2RWnDSqkptQ', 'C5fvBTgfVJqkxorDytr', 'hxuriPgH9PpFcbIt1hh'
Source: 0.3.uChcvn3L6R.exe.5032d6c.0.raw.unpack, d2NBai4MieLWa7xw9m5.cs High entropy of concatenated method names: '_981', 'YZ8', 'd52', 'G9C', 'TYePbCgPYgodH3hf0yD', 'orjYWQg7YGLcDrS7OF1', 'Pbtfj0gAxOktwNOpa2X', 'hH2Wqog3pKIiySx6Hh0', 'fCFVKMgStJKj1pAEXtP', 'imlPglgn1PbDJlMbsf9'
Source: 0.3.uChcvn3L6R.exe.5032d6c.0.raw.unpack, lcIwC8F9WCpv3FBmSoI.cs High entropy of concatenated method names: 'RdA4aYVVbI', 'GJ64XNCeMb', 'wTu4IPR50L', 'kTB47GklW3', 'YZV46ixQ8N', 'b5Y4lFPPv8', 'bf14KD5Wjf', 'Vge4DJcqit', 'wvV45kVl7R', 'JlB4TE7hwb'
Source: 0.3.uChcvn3L6R.exe.5032d6c.0.raw.unpack, unZDRe42ks2m0tvvwX0.cs High entropy of concatenated method names: 'GvP', 'YZ8', 'bp6', 'G9C', 'dUi8Z82NkikyRg4TjPp', 'XhfaAQ2q8EjbuglfQoS', 'odwxep25kXwuZke1HQt', 'svV2Bk2CuRmSSuCHKaU', 'gP3DeR2W2veKPuIw29w', 'B84GCD29FMPn6rwBrnV'
Source: 0.3.uChcvn3L6R.exe.5032d6c.0.raw.unpack, ndyniN4VfMtAii4D02w.cs High entropy of concatenated method names: 'p23', 'YZ8', 'Gog', 'G9C', 'qtCP1pZuIXCgdtDFsYm', 'HMDCMxZlmnyTdUitYov', 'HAG794Z0srKoJXlLA1w', 'lTZCgaZmDBYDVFVwttD', 'piA9YRZIi1AvZS0yJID', 'qDd0UKZPgrKfg6NsIYY'
Source: 0.3.uChcvn3L6R.exe.5032d6c.0.raw.unpack, kD6e0xFPA3o2UgPstAZ.cs High entropy of concatenated method names: 'aj0vI5b7h1', 'jxLv7Rwssw', 'vyFv6kZB8s', 'H6Cvlyr3pC', 'VOOvKb0fBF', 'ziSbE0yDNEhOsLecqWk', 'Llbos7yzDaCFQhqU21x', 'P5yONAySeMR89yaGXUR', 'o1hdg9ynNTJel65VXWM', 'K84TUEFjGi3UbtVwbAu'
Source: 0.3.uChcvn3L6R.exe.5032d6c.0.raw.unpack, CrlIH9a2N3DHPHhuPO0.cs High entropy of concatenated method names: 'M22d3EFiUG', 'SoZdwvgfc5', 'MWDd8hYqPL', '_3Gf', '_4XH', '_3mv', '_684', '_555', 'Z9E', 'bsKdvMCmW3'
Source: 0.3.uChcvn3L6R.exe.5032d6c.0.raw.unpack, xb42WteyXrnrraCwkE1.cs High entropy of concatenated method names: '_3VT', 'O5t', '_1W5', 'xFow8S7M3W', 'OaZPsec4TG', 'fOrwvysVwS', 'RXdPjZwhfo', 'g5T3yft5wbQASNj9Q8F', 'LR8ELUtCaLsEVDJKklg', 'SCbEWhtNZnXaEF89dpw'
Source: 0.3.uChcvn3L6R.exe.5032d6c.0.raw.unpack, jxaQrL41pBvfTk3iEdY.cs High entropy of concatenated method names: 'Ai7', 'YZ8', '_56U', 'G9C', 'hATghPZDZnBNZegbugR', 'Xti9RjZzsMKvE5F9Txf', 'Gfxi6C2jQeNRwr5TPo8', 'gRrKYk2bDevTl2fo5Zx', 'GIyBer2vA4NInFSIoSA', 'a0LZS6218o8XsgkIxxy'
Source: 0.3.uChcvn3L6R.exe.5032d6c.0.raw.unpack, b1dvrGah8pK4vSdRZht.cs High entropy of concatenated method names: 'wOLV6eC8QE', 'i1nb8cfwibtcxRLC7W3', 'IaRCn5fhvXKhPvaEyI4', 'UotjcXfaW1f1Dvi3PqT', 'JDPWgpfMVNKobDwLN1G', '_1fi', 'oh7jHopwwN', '_676', 'IG9', 'mdP'
Source: 0.3.uChcvn3L6R.exe.5032d6c.0.raw.unpack, CKhbfiFBiMbG67oB7cq.cs High entropy of concatenated method names: '_7zt', 'CWPnBc7KxL', 'Pp6nJAZvYN', 'MmqnykTbSJ', 'CsZno1FRyC', 'b7VncJ3iZF', 'M8XnsidnAS', 'pnni5FFxbTMmA2kjHEh', 'FlRCrmFtcKjCqUp9J4I', 'gGOovFFVgLoqlnnbBSx'
Source: 0.3.uChcvn3L6R.exe.5032d6c.0.raw.unpack, QBjTIyF1y4jdnYQW0qM.cs High entropy of concatenated method names: 'sFLrh12dFv', 'mMarX4xE7L', 'WlbrIlrg5d', 'R0Zr78W6O2', 'Pcer61MgWY', 'wGpJFCXiuAGy2xvoHYl', 'lax0moXKjJ4SStrYxfs', 'h3Z32xXUBkuQdfIXYJo', 'u0ya2OXB8ENXrh6Cb3L', 'TGhNvEXVV0uXG64qNcy'
Source: 0.3.uChcvn3L6R.exe.5032d6c.0.raw.unpack, WPLdmfFfPr1ZYpLQePI.cs High entropy of concatenated method names: 'iPJnYpljkf', 'Jjtnq19Fsc', 'Bn0ntN2GJU', 'aD8pIHFTQ3lXImJATBG', 'Mmpr9wFKJa4tgcq4q3n', 'QcRkKOFJU9BKBt8pvXb', 'aG39QGFdvCZMdAmB2iH', 'qPcrknFUBoHLyE9HSki', 'bILMTDFiDJGfTwR3h5H', 'VqswLfFBdfpSswCBnoG'
Source: 0.3.uChcvn3L6R.exe.5032d6c.0.raw.unpack, J7WXVolgNFHWLfd4oV.cs High entropy of concatenated method names: 'T43', 'YZ8', '_56i', 'G9C', 'KrI9uNvOIX65Fi7AxtZ', 'sq47Urv8p4g6C0rqZMg', 'odc1Cuv6hy5W4Z0xnJG', 'emY71RvL0gs8rNPZ6kp', 'aDbeFbvEdpvRqfxjgkO', 'EXBEsgvJ7LYCkVS7E6x'
Source: 0.3.uChcvn3L6R.exe.5032d6c.0.raw.unpack, IPrpOg4ivGQuX1KZ1Z2.cs High entropy of concatenated method names: 'kNf', 'YZ8', 'U31', 'G9C', 'FaJoWsZrBS7ARdxGDYA', 'AAsGHIZNlMQVD5Vx8T4', 'ddnlQmZqkYtIBeGxnKg', 's6liWFZ580aSR7Lx3Uw', 'Q1Cq5dZCVYUjC60oqO2', 'VLgMw0ZWm7S6Ao9mhMi'
Source: 0.3.uChcvn3L6R.exe.5032d6c.0.raw.unpack, TqIR1IaX6SfDv216AUp.cs High entropy of concatenated method names: 'i6Tu1UL38O', 'FLyufQWIk8', 'MGpuUjypCJ', 'mhPuMIDE3G', 'd29uSAHC4b', 'oqCuHCwspP', '_838', 'vVb', 'g24', '_9oL'
Source: 0.3.uChcvn3L6R.exe.5032d6c.0.raw.unpack, X7jS2K4PlAcm9XfQG6l.cs High entropy of concatenated method names: 'd43', 'YZ8', 'g67', 'G9C', 'XTLk7ogXuSOmPT1dJ7R', 'kur37rgarVt9QPc359Q', 'kgFYaqgMfNn8nMQ3C6A', 'RMXVwIgw4XeL8sZEwA2', 'triOJighi7lIxZy7rVZ', 'EcciOogessLqyVeFBy7'
Source: 0.3.uChcvn3L6R.exe.5032d6c.0.raw.unpack, irJ7RlqH7Acvs0WRwM.cs High entropy of concatenated method names: '_52Y', 'YZ8', 'Eg4', 'G9C', 'SiYKTTt9B', 'efUlOHviYSmB2bToXfS', 'OUhGUFvBQ6y0mL1W82X', 'b85TwCvVP6ZoR39r6Ox', 'pKjwh0vc0xfyOsjE0cx', 'aWqtUdvxJIO0t3fgS2t'
Source: 0.3.uChcvn3L6R.exe.5032d6c.0.raw.unpack, U8QthdKx7SyKMWsocs4.cs High entropy of concatenated method names: 'V4k2ulTmA1', 'uY2MN7UmbZtfCl4xcN5', 'W5QK1RUlmNBqLesIfLa', 'S6eRgGU0VOWBTPZjKTT', 'tCKrN9UIqEafQOt0xg0', 's8RTQNUPCjppcxbcorV', 'dl82PjYpf1', 'Agv2BLOKGg', 'mrE2JyFbAE', 'FxY2yZDTpd'
Source: 0.3.uChcvn3L6R.exe.5032d6c.0.raw.unpack, YI0q4D4mlIjFiBtYt7M.cs High entropy of concatenated method names: 'K55', 'YZ8', '_9yX', 'G9C', 'wFhM0yYoAxdXVDvEYhB', 'guyrHoYuVEhyYiFONkp', 'FkPXrYYlB8MT1xdlb4u', 'AUEAqwY0F68UJSAx0WR', 'Quwm0wYmBOxP8OK98bn', 'MP8viLYIXyG136F6Kpu'
Source: 0.3.uChcvn3L6R.exe.5032d6c.0.raw.unpack, vkm65le0nr3OklfgTBH.cs High entropy of concatenated method names: '_5u9', 'mLGPHkr9fB', 'oLXw036Vn0', 'PFiPos5P3Y', 'ghtfZTxS5NT0PkOCbIa', 'P74RB9xnLcT7wFOM3sI', 'hmoQ16xDBs5a7jYLXg0', 'Kg4HJ7xAKfuHkAnxHdw', 'oOrDaKx3uHgF1FfPc2h', 'uPvDh9xz0CoNrKFIaAp'
Source: 0.3.uChcvn3L6R.exe.5032d6c.0.raw.unpack, Gefqe7aahIUZokdMeEe.cs High entropy of concatenated method names: 'Qkp', '_72e', 'R26', '_7w6', 'Awi', 'n73', 'cek', 'ro1', '_9j4', '_453'
Source: 0.3.uChcvn3L6R.exe.5032d6c.0.raw.unpack, SarJmF4ecfafqvWFsrF.cs High entropy of concatenated method names: 'R1x', 'YZ8', '_8U7', 'G9C', 'lxKdiVYw3qChcfONLL0', 'YaOMLPYh4BVRdRWvx6a', 'QkPMiBYe3y2Ka0PYrgS', 'hYaolvYRwJYPA0Ddhok', 'KGl5cEYQO89cvSwGm1m', 'Hhk8WGYrb4R6jDMg8o2'
Source: 0.3.uChcvn3L6R.exe.5032d6c.0.raw.unpack, roMYe0KBxe0WVFOZWH5.cs High entropy of concatenated method names: 'HZWiz2s1Pf', 'zmRY0mwt3S', 'dR6YZicehL', 'w1TYO27Ado', 'CaWYirSeHX', 'z1TYYw7q5D', 'JPDYqsuIei', 'nqVYtLxwNB', 'A5hY22bY5O', 'Hu1YReSJqM'
Source: 0.3.uChcvn3L6R.exe.5032d6c.0.raw.unpack, kW4WyY44EXMCcipRbdE.cs High entropy of concatenated method names: 'tO4', 'YZ8', '_4kf', 'G9C', 'Wd3TgTYinyY6tL3qAdW', 'xHKfh5YBUbhVfZwutyL', 'Hw9QF8YVB7kHvWPdm0C', 'e5AnweYcCy4msaq6mOs', 'f9yp6IYxWVqm3STa6iN', 'gFWmIyYtf92DhtXUibS'
Source: 0.3.uChcvn3L6R.exe.5032d6c.0.raw.unpack, tkBFEPFbrhKpgSJM7qo.cs High entropy of concatenated method names: '_4J6', '_5Di', '_1y5', '_77a', '_1X1', '_7fn', 'OUK', '_8S4', 'wUn', '_447'
Source: 0.3.uChcvn3L6R.exe.5032d6c.0.raw.unpack, zoH7lyF70Lu6988N8R7.cs High entropy of concatenated method names: 'oswnhWJZ88', 'YCNnXnxQds', 'bInnIVJeOw', 'EwPn7cO0W2', 'kRvn63PPjj', 'y6ErbvFrKBgY0KH4SLe', 'F4RGwGFNNQ6FubucDMa', 'sAcvmIFRbro8jBaC2C8', 'wfQVHKFQ5To8jkvEcSb', 'obLtutFqPuMBDOorwtr'
Source: 0.3.uChcvn3L6R.exe.5032d6c.0.raw.unpack, bE1htpmTHSaciN1BQo0.cs High entropy of concatenated method names: 'VPP9EgVgMc', 'XPr9gToxk4', 'bjl9CRtOZZ', 'VXE9N6uoqa', 'w4m9kOma71', 'g1n9akTyN1', 'narTRBqlG7dq5DcCa6j', 'OVC6sgqosDcI0UGlTDP', 'JKjXyEquyJMQks1tnE1', 'XbW4Irq0I8xbFbotDDT'
Source: 0.3.uChcvn3L6R.exe.5032d6c.0.raw.unpack, F1ZVGhet8mVhUs9nOxI.cs High entropy of concatenated method names: '_9YY', '_57I', 'w51', 'pf0PisF68A', '_168', 'kklQJutyg963uWs46nQ', 'FHoxmBtFp9JJFTxivUb', 'EFBG81tXVkEBESALcEt', 'E0b0hntajW6uFaUuMcj', 'cn7fg8tMHJN7ZusLoit'
Source: 0.3.uChcvn3L6R.exe.5032d6c.0.raw.unpack, lrywdWK38UkhXCrPEOE.cs High entropy of concatenated method names: '_0023Nn', 'Dispose', 'IfFqXed6EB', 'z14qIkxFdA', 'wicq7ebBYT', 'Y3Jq6FIT1c', 'yy3qlSMAj7', 'jU3U2sK2LyKciHBAlj5', 'z1sH4PK4kCv7hWMRBv7', 'xd1vhWKgmE2y6uAPAcn'
Source: 0.3.uChcvn3L6R.exe.5032d6c.0.raw.unpack, CYMUY0KjkCkuAgTiD0K.cs High entropy of concatenated method names: 'MqOYyNwe65', 'a4WYo4nVyT', 'OSeYcsHgO8', 'n4tYs9sKyM', 'iWYY94Fq7i', 'ddEyjJdjVOQjV4nBvmg', 'CuLPC3db4fq19r6aQfr', 'f4uieKJDyYYSk3IhQiI', 'OnGpK7JzWnvod3rj0FJ', 'sHoMF9dvhMaOOrmjrAC'
Source: 0.3.uChcvn3L6R.exe.5032d6c.0.raw.unpack, T31VDE4xpUBw9hpGOmX.cs High entropy of concatenated method names: 'ciAOcPbj3y', 'F3fOsbERsn', 'WcZO97qEEp', 'nS3KAi8OS0YDU6aZPIL', 'nZXf4C82Jt2jZB2NQjP', 'Srx88N84G9qubwKtZjZ', 'AubLYV88w4YGGgq67GY', 'igbObW86vkrWaUooUCZ', 'r9WPQ48LWrjpluvhwsF', 'GAA5n88EWktkTA1ah1B'
Source: 0.3.uChcvn3L6R.exe.5032d6c.0.raw.unpack, FRfxV14r0lxFXZrXS5T.cs High entropy of concatenated method names: 'z5COBb4Kn1', 'QVSXC18YWUwHZ0nwISZ', 'ec1BMP8gO5NEQh7SA7k', 'kDcpj48s7bxLAoctgQj', 'SWjTlm8GJRS1S5j7IHQ', 'E8Cu4n8ZQLuLbcPw8DW', '_5q7', 'YZ8', '_6kf', 'G9C'
Source: 0.3.uChcvn3L6R.exe.5032d6c.0.raw.unpack, qRquDQai83uOYBFfrPt.cs High entropy of concatenated method names: 'IGD', 'CV5', 'cVoL9srqV5', '_3k4', 'elq', 'hlH', 'yc1', 'Y17', '_2QC', 'En1'
Source: 0.3.uChcvn3L6R.exe.5032d6c.0.raw.unpack, oDSKgMeFfrJ9XFXnTvW.cs High entropy of concatenated method names: 'cCJ25ZCr2G', 'm8v2TRS1b5', 'OSY2bWfU3o', 'w7D21JLICH', 'ceG2f9pvjR', 'Lfm2UWq4yq', 'ahnShMiMQFLRDHejCJm', 'mYJM9RiX3UjorAl9FsK', 'jCL4iiiaGXbdP5sAipG', 'Fqa68Tiwx0qbN6KIbBk'
Source: 0.0.uChcvn3L6R.exe.31148b0.2.raw.unpack, XZyIViaVc902mYbsOg5.cs High entropy of concatenated method names: '_7tu', '_8ge', 'DyU', '_58f', '_254', '_6Q3', '_7f4', 'B3I', '_75k', 'd4G'
Source: 0.0.uChcvn3L6R.exe.31148b0.2.raw.unpack, fRecg0IMTTg1CmGU2S.cs High entropy of concatenated method names: '_66K', 'YZ8', 'O46', 'G9C', 'bKGlX9sOMky7oWBBeOb', 'fIhNYks8eYu6cdN5BrR', 'XCDJrvs6XPCVTNr1BOK', 'yraVoDsLnqag6TnapDB', 'RrU8mUsE0fTk5JM4vBX', 'JUd8RosJWjPLy5wnYBS'
Source: 0.0.uChcvn3L6R.exe.31148b0.2.raw.unpack, dG8w5Q3ZanqpB3yOu4.cs High entropy of concatenated method names: '_59M', 'YZ8', '_1zA', 'G9C', 'TJyQ8S1NHjIeQHvys8r', 'uKweZP1qLYaplZcBjwX', 'tnuD4815rV9LGP8jjot', 'jefSCA1Crr8CYMkjFqj', 'p4LurG1WRkrw7gbSfF0', 'yHcgxV198XMsa1f1FQC'
Source: 0.0.uChcvn3L6R.exe.31148b0.2.raw.unpack, U9dpYvaqrUuBWyCKLLS.cs High entropy of concatenated method names: '_159', 'rI9', '_2Cj', 'wWaduabi4E', 'l5NdLGfN7I', 'plidd3HtAD', 'F0IdjXUlPt', 'RgHdVisMBP', 'DVWdxqZiRk', 'RYDgfOpqiZLGE7BAOfx'
Source: 0.0.uChcvn3L6R.exe.31148b0.2.raw.unpack, frKviVDZDMThE4ByFj.cs High entropy of concatenated method names: 'g25', 'YZ8', '_23T', 'G9C', 'IWaT6EDpA', 'kf5XB3vraB0YOfKv72c', 'yLXkE8vNOiXv2sRNsn7', 'W7PQmVvqwRmr6lGgfa7', 'rc4VmBv5EsiWdXvWQBr', 'HliAJNvCAfikXbytA1n'
Source: 0.0.uChcvn3L6R.exe.31148b0.2.raw.unpack, vfL4JnYPjnWYvURPg4.cs High entropy of concatenated method names: 'P4jr3T6LY', 'Xejw3QRSUOBUSwgPVR', 'f2WyN5hU0erlg0PI33', 'J7TAKketddD4wvjhpU', 'vmSUDpQVt1fbhu4lCQ', 'LtVcpCr98OEyqcffyr', 'DAfO0WPKf', 'VGriVQ2Gw', 'k8CYJEkJi', 'ElKq0v5Zo'
Source: 0.0.uChcvn3L6R.exe.31148b0.2.raw.unpack, wu1K5qe49mDbXhwNpC5.cs High entropy of concatenated method names: 'v5L2xQBpk8', 'tXy2ArksbF', 'sZy2FBnoSC', 'dsW2QSyNks', 'uACqL1Uz42xJlT0w7E5', 'dmXOccUnBP0o69uQruI', 'eFokPsUDH4yZyCOdqTZ', 'LHVkroijhcXvqsCBybr', 'Q08rKeib9cjE6rBaxkT', 'xK5HPFiv1NPkFRGaXjC'
Source: 0.0.uChcvn3L6R.exe.31148b0.2.raw.unpack, uinPtEKX5ks0wPYAoBT.cs High entropy of concatenated method names: 'znIOu0xDow', 'VfmOLaqhQm', 'hD2OdKqstp', 'vtHKOa8RYLcfA7lVEA3', 'wjuhIp8QrZeXbPOnLv6', 'Qk0ou68r3Rya1YcJdDQ', 'iQPR1Z8NEgaO6v4Ad2S', 'hv0lmP8qGjW6mjKiKtu', 'RVIZDf85t5531duIW99', 'kuF16a8hXPwlqFw21uK'
Source: 0.0.uChcvn3L6R.exe.31148b0.2.raw.unpack, f0JYAF43V2JVkapeTEx.cs High entropy of concatenated method names: 'K2EZa0Anob', 'xMjLsA4qdXBMflIJwtA', 'UvRByl45H30X5mnE4Zq', 'bTmuft4rJ95H2pcO0uk', 'C86Vch4NxFwQNAmD9DO', 'Xw7bIF4CHjNbfpRtOYP', '_3Xh', 'YZ8', '_123', 'G9C'
Source: 0.0.uChcvn3L6R.exe.31148b0.2.raw.unpack, XGrKZ74NbqtEXEJqRoy.cs High entropy of concatenated method names: 'sAtO865wYV', 'umrOvSklTv', 'QrnF2ZO8pOywPeGtd5l', 'flkvC4O4w9we4oKBuQV', 'Gkt3k9OOg7RyroCUSyH', 'xGCW5kO6bGW8GWa1ND4', 'n388DAOLErYDg3rTZkN', 'J7ZDkIOEWlSDiabZFYs', 'D4LgoqOJ58LXydHHr0d', 'FNejh6Od8c458ipfxdf'
Source: 0.0.uChcvn3L6R.exe.31148b0.2.raw.unpack, hYBAAPaEELKA7GGeEgB.cs High entropy of concatenated method names: 'FtuLJem7ct', 'asNLymt0N7', 'mmXLomVqLo', 'SY7LcNjPlk', 'MebLs9EX7W', 'oaHb3XWSETcdYwBJie8', 'wr3QVEWnIedueBTSEce', 'W7bcKiWD5NFhNwrYceN', 'j1tsu5WzbpyKvDr6JJD', 'bXYUET9jQXPNUx71wGt'
Source: 0.0.uChcvn3L6R.exe.31148b0.2.raw.unpack, Grshth4pEm8N9DZQKQx.cs High entropy of concatenated method names: 'yiQ', 'YZ8', '_5li', 'G9C', 'HoBDQUZjQUKC6x54pa7', 'UtIrFdZbSpuQgPl3T3Y', 'q0nLCBZvaFoGQ7OxJLP', 'gfCkZhZ113A6ui3EDMN', 'ceZwqmZswVn9t0Aev7j', 'BSLAJ2ZG11AnpGFAcQl'
Source: 0.0.uChcvn3L6R.exe.31148b0.2.raw.unpack, ApSAAkSNXsI9QTfjE7.cs High entropy of concatenated method names: '_52U', 'YZ8', 'M5A', 'G9C', 'oV8IEFG7dgKs1P6C7oj', 'y2GRXtGAGpnNI6iTTQF', 'zlT3KuG3wB7lmDT9kcD', 'mQR8VkGSOagio9Swvyb', 'OXGIUXGnnvDfFIIxkGU', 'uh4OgoGD4yLWC9YUort'
Source: 0.0.uChcvn3L6R.exe.31148b0.2.raw.unpack, Ly3Q2KKfs8gHJxm1oP7.cs High entropy of concatenated method names: 'THRiabScEt', 'aL0iWtNccZ', 'qSTOoEEi9tsCGZM7Qo4', 'ffK6QqEBppydmRhNN8t', 'OMGfJQEVSp2xRbAkSjo', 'BmeLwKEcA53NG4BxylL', 'MEtZBxExnLXwu73dcju', 'LetnCaEtGgtJHa92cMU', 'osY80qEkqUUoBAsS8NE', 'gSBqPCEyCdqSKOTwa5n'
Source: 0.0.uChcvn3L6R.exe.31148b0.2.raw.unpack, zVPfdxeIW0Yo89m7eUv.cs High entropy of concatenated method names: 'sg9', 'v3yP2Gne8m', 'UMX3apd9Z8', 'i3pPI5QMAR', 'kMYKgcxlZTE5QX5WTEU', 'Ho0QfDx0HWllwiVJgUM', 'qxL9MZxmYutZqHKCAj9', 'GjyHs8xoZgrlAkoMuiB', 'ki89JMxuhJULuhSLInP', 'u2Br0YxIvFeppCcOfPx'
Source: 0.0.uChcvn3L6R.exe.31148b0.2.raw.unpack, AnHVB64Y36pO8IxLZc7.cs High entropy of concatenated method names: '_6H9', 'YZ8', '_66N', 'G9C', 'ot4yceYAeq0w8ZSK4Zw', 'IQtTjJY3dvimwhof4Zl', 'REPTd1YSkcUcEdPWwaK', 'vK3vxcYnQ5EMI0XEi9q', 'JZLvG8YDtdnrAG7CvRp', 'zPYDIPYzaxk3aWdYFq9'

Persistence and Installation Behavior

Source: C:\Surrogateprovidercomponentsessionmonitor\browserwinsvc.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Surrogateprovidercomponentsessionmonitor\browserwinsvc.exe File created: C:\Recovery\explorer.exe
Source: unknown Executable created and started: C:\Windows\addins\audiodg.exe
Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp File created: C:\Program Files (x86)\Arcane Cheat\jre\bin\verify.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp File created: C:\Program Files (x86)\Arcane Cheat\jre\bin\is-DQ2M9.tmp
Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp File created: C:\Program Files (x86)\Arcane Cheat\jre\bin\is-KH7DR.tmp
Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp File created: C:\Program Files (x86)\Arcane Cheat\jre\bin\is-VNH60.tmp
Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp File created: C:\Program Files (x86)\Arcane Cheat\jre\bin\is-M0CO5.tmp
Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp File created: C:\Program Files (x86)\Arcane Cheat\jre\bin\is-9OG1R.tmp
Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp File created: C:\Program Files (x86)\Arcane Cheat\jre\bin\is-CKDJ7.tmp
Source: C:\Surrogateprovidercomponentsessionmonitor\browserwinsvc.exe File created: C:\Surrogateprovidercomponentsessionmonitor\WinStore.App.exe
Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp File created: C:\Program Files (x86)\Arcane Cheat\jre\bin\is-B9PAS.tmp
Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp File created: C:\Program Files (x86)\Arcane Cheat\jre\bin\jsdt.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\Arcane Cheat.exe File created: C:\Surrogateprovidercomponentsessionmonitor\browserwinsvc.exe
Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp File created: C:\Program Files (x86)\Arcane Cheat\jre\bin\is-GMKU6.tmp
Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp File created: C:\Program Files (x86)\Arcane Cheat\jre\bin\is-7KMRP.tmp
Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp File created: C:\Program Files (x86)\Arcane Cheat\jre\bin\is-HUQAI.tmp
Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp File created: C:\Program Files (x86)\Arcane Cheat\jre\bin\is-MH2RS.tmp
Source: C:\Surrogateprovidercomponentsessionmonitor\browserwinsvc.exe File created: C:\Surrogateprovidercomponentsessionmonitor\qiOZcVoixJLcuAFKAnRd.exe
Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp File created: C:\Program Files (x86)\Arcane Cheat\jre\bin\is-7HO40.tmp
Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp File created: C:\Program Files (x86)\Arcane Cheat\jre\bin\is-6IE0O.tmp
Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp File created: C:\Program Files (x86)\Arcane Cheat\jre\bin\is-4VJ8E.tmp
Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp File created: C:\Program Files (x86)\Arcane Cheat\jre\bin\dcpr.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp File created: C:\Program Files (x86)\Arcane Cheat\jre\bin\jaas_nt.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp File created: C:\Program Files (x86)\Arcane Cheat\jre\bin\jabswitch.exe (copy)
Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp File created: C:\Program Files (x86)\Arcane Cheat\jre\bin\management.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp File created: C:\Program Files (x86)\Arcane Cheat\jre\bin\is-1EODK.tmp
Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp File created: C:\Program Files (x86)\Arcane Cheat\jre\bin\fontmanager.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp File created: C:\Program Files (x86)\Arcane Cheat\jre\bin\jfr.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp File created: C:\Program Files (x86)\Arcane Cheat\jre\bin\is-KP5B8.tmp
Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp File created: C:\Program Files (x86)\Arcane Cheat\jre\bin\hprof.dll (copy) Jump to dropped file
Source: C:\Users\user\Desktop\uChcvn3L6R.exe File created: C:\Users\user\AppData\Local\Temp\Arcane CheatSetup.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp File created: C:\Program Files (x86)\Arcane Cheat\jre\bin\keytool.exe (copy) Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp File created: C:\Program Files (x86)\Arcane Cheat\jre\bin\is-MITQ2.tmp Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp File created: C:\Program Files (x86)\Arcane Cheat\jre\bin\WindowsAccessBridge.dll (copy) Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp File created: C:\Program Files (x86)\Arcane Cheat\jre\bin\awt.dll (copy) Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp File created: C:\Program Files (x86)\Arcane Cheat\jre\bin\jawt.dll (copy) Jump to dropped file
Source: C:\Surrogateprovidercomponentsessionmonitor\browserwinsvc.exe File created: C:\Program Files\Uninstall Information\qiOZcVoixJLcuAFKAnRd.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp File created: C:\Program Files (x86)\Arcane Cheat\jre\bin\is-G6G2A.tmp Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp File created: C:\Program Files (x86)\Arcane Cheat\jre\bin\is-FKC0I.tmp Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp File created: C:\Program Files (x86)\Arcane Cheat\jre\bin\nio.dll (copy) Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp File created: C:\Program Files (x86)\Arcane Cheat\jre\bin\is-DLMB6.tmp Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp File created: C:\Program Files (x86)\Arcane Cheat\jre\bin\j2pkcs11.dll (copy) Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp File created: C:\Program Files (x86)\Arcane Cheat\jre\bin\is-I5RLV.tmp Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp File created: C:\Program Files (x86)\Arcane Cheat\jre\bin\eula.dll (copy) Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp File created: C:\Program Files (x86)\Arcane Cheat\jre\bin\is-KL3UV.tmp Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp File created: C:\Program Files (x86)\Arcane Cheat\jre\bin\wsdetect.dll (copy) Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp File created: C:\Program Files (x86)\Arcane Cheat\jre\bin\plugin2\npjp2.dll (copy) Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp File created: C:\Program Files (x86)\Arcane Cheat\jre\bin\is-17AF0.tmp Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp File created: C:\Program Files (x86)\Arcane Cheat\jre\bin\splashscreen.dll (copy) Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp File created: C:\Program Files (x86)\Arcane Cheat\jre\bin\orbd.exe (copy) Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp File created: C:\Program Files (x86)\Arcane Cheat\jre\bin\is-LUGNS.tmp Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp File created: C:\Program Files (x86)\Arcane Cheat\jre\bin\j2pcsc.dll (copy) Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp File created: C:\Program Files (x86)\Arcane Cheat\jre\bin\instrument.dll (copy) Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp File created: C:\Program Files (x86)\Arcane Cheat\jre\bin\WindowsAccessBridge-32.dll (copy) Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp File created: C:\Program Files (x86)\Arcane Cheat\jre\bin\dtplugin\is-L2DJE.tmp Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp File created: C:\Program Files (x86)\Arcane Cheat\jre\bin\is-U0SIJ.tmp Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp File created: C:\Program Files (x86)\Arcane Cheat\jre\bin\is-TH2Q9.tmp Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp File created: C:\Program Files (x86)\Arcane Cheat\jre\bin\is-5VJPG.tmp Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp File created: C:\Program Files (x86)\Arcane Cheat\jre\bin\msvcp120.dll (copy) Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp File created: C:\Program Files (x86)\Arcane Cheat\jre\bin\klist.exe (copy) Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp File created: C:\Program Files (x86)\Arcane Cheat\jre\bin\javafx_font.dll (copy) Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp File created: C:\Program Files (x86)\Arcane Cheat\jre\bin\is-SGAAD.tmp Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp File created: C:\Program Files (x86)\Arcane Cheat\jre\bin\glib-lite.dll (copy) Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp File created: C:\Program Files (x86)\Arcane Cheat\jre\bin\java.dll (copy) Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp File created: C:\Program Files (x86)\Arcane Cheat\jre\bin\jp2native.dll (copy) Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp File created: C:\Program Files (x86)\Arcane Cheat\jre\bin\is-P9144.tmp Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp File created: C:\Program Files (x86)\Arcane Cheat\jre\bin\is-OV1CO.tmp Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp File created: C:\Program Files (x86)\Arcane Cheat\jre\bin\is-ML2GN.tmp Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp File created: C:\Program Files (x86)\Arcane Cheat\jre\bin\net.dll (copy) Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp File created: C:\Program Files (x86)\Arcane Cheat\jre\bin\prism_common.dll (copy) Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp File created: C:\Program Files (x86)\Arcane Cheat\jre\bin\JAWTAccessBridge.dll (copy) Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp File created: C:\Program Files (x86)\Arcane Cheat\jre\bin\is-AASG5.tmp Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp File created: C:\Program Files (x86)\Arcane Cheat\jre\bin\is-VI3JJ.tmp Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp File created: C:\Program Files (x86)\Arcane Cheat\jre\bin\javacpl.exe (copy) Jump to dropped file
Source: C:\Surrogateprovidercomponentsessionmonitor\browserwinsvc.exe File created: C:\Recovery\explorer.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp File created: C:\Program Files (x86)\Arcane Cheat\jre\bin\gstreamer-lite.dll (copy) Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp File created: C:\Program Files (x86)\Arcane Cheat\jre\bin\mlib_image.dll (copy) Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp File created: C:\Program Files (x86)\Arcane Cheat\jre\bin\is-QS1JT.tmp Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp File created: C:\Program Files (x86)\Arcane Cheat\jre\bin\javacpl.cpl (copy) Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp File created: C:\Program Files (x86)\Arcane Cheat\jre\bin\is-78EDT.tmp Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp File created: C:\Program Files (x86)\Arcane Cheat\jre\bin\pack200.exe (copy) Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp File created: C:\Program Files (x86)\Arcane Cheat\jre\bin\is-DCG3E.tmp Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp File created: C:\Users\user\AppData\Local\Temp\is-N4812.tmp\_isetup\_setup64.tmp Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp File created: C:\Program Files (x86)\Arcane Cheat\jre\bin\prism_sw.dll (copy) Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp File created: C:\Program Files (x86)\Arcane Cheat\jre\bin\sunmscapi.dll (copy) Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp File created: C:\Program Files (x86)\Arcane Cheat\jre\bin\is-9PR86.tmp Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp File created: C:\Program Files (x86)\Arcane Cheat\jre\bin\ktab.exe (copy) Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp File created: C:\Program Files (x86)\Arcane Cheat\jre\bin\is-M6OGV.tmp Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp File created: C:\Program Files (x86)\Arcane Cheat\jre\bin\is-F8M96.tmp Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp File created: C:\Program Files (x86)\Arcane Cheat\jre\bin\client\is-KHA4M.tmp Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp File created: C:\Program Files (x86)\Arcane Cheat\jre\bin\JAWTAccessBridge-32.dll (copy) Jump to dropped file
Source: C:\Surrogateprovidercomponentsessionmonitor\browserwinsvc.exe File created: C:\Windows\en-US\qiOZcVoixJLcuAFKAnRd.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp File created: C:\Program Files (x86)\Arcane Cheat\jre\bin\is-94OVM.tmp Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp File created: C:\Program Files (x86)\Arcane Cheat\jre\bin\bci.dll (copy) Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp File created: C:\Program Files (x86)\Arcane Cheat\jre\bin\is-O5MSC.tmp Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp File created: C:\Program Files (x86)\Arcane Cheat\jre\bin\is-F39U2.tmp Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp File created: C:\Program Files (x86)\Arcane Cheat\jre\bin\is-0TC1S.tmp Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp File created: C:\Program Files (x86)\Arcane Cheat\jre\bin\dt_socket.dll (copy) Jump to dropped file
Source: C:\Surrogateprovidercomponentsessionmonitor\browserwinsvc.exe File created: C:\Windows\Fonts\qiOZcVoixJLcuAFKAnRd.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp File created: C:\Program Files (x86)\Arcane Cheat\jre\bin\tnameserv.exe (copy) Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp File created: C:\Program Files (x86)\Arcane Cheat\jre\bin\glass.dll (copy) Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp File created: C:\Program Files (x86)\Arcane Cheat\jre\bin\policytool.exe (copy) Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp File created: C:\Program Files (x86)\Arcane Cheat\jre\bin\is-1NNTS.tmp Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp File created: C:\Program Files (x86)\Arcane Cheat\jre\bin\w2k_lsa_auth.dll (copy) Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp File created: C:\Program Files (x86)\Arcane Cheat\jre\bin\is-FLHTG.tmp Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp File created: C:\Program Files (x86)\Arcane Cheat\jre\bin\is-6TBSI.tmp Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp File created: C:\Program Files (x86)\Arcane Cheat\jre\bin\is-D49GQ.tmp Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp File created: C:\Program Files (x86)\Arcane Cheat\jre\bin\is-RJ8O6.tmp Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp File created: C:\Program Files (x86)\Arcane Cheat\jre\bin\lcms.dll (copy) Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp File created: C:\Program Files (x86)\Arcane Cheat\jre\bin\jpeg.dll (copy) Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp File created: C:\Program Files (x86)\Arcane Cheat\jre\bin\is-3CGHC.tmp Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp File created: C:\Program Files (x86)\Arcane Cheat\jre\bin\is-G1B5Q.tmp Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp File created: C:\Program Files (x86)\Arcane Cheat\jre\bin\zip.dll (copy) Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp File created: C:\Program Files (x86)\Arcane Cheat\jre\bin\client\jvm.dll (copy) Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp File created: C:\Program Files (x86)\Arcane Cheat\jre\bin\is-C92NJ.tmp Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp File created: C:\Program Files (x86)\Arcane Cheat\jre\bin\is-S4T07.tmp Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp File created: C:\Program Files (x86)\Arcane Cheat\jre\bin\sunec.dll (copy) Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp File created: C:\Program Files (x86)\Arcane Cheat\jre\bin\is-B9B0I.tmp Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp File created: C:\Program Files (x86)\Arcane Cheat\jre\bin\java-rmi.exe (copy) Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp File created: C:\Program Files (x86)\Arcane Cheat\jre\bin\kinit.exe (copy) Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp File created: C:\Program Files (x86)\Arcane Cheat\jre\bin\unpack.dll (copy) Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp File created: C:\Program Files (x86)\Arcane Cheat\jre\bin\is-23BHM.tmp Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp File created: C:\Program Files (x86)\Arcane Cheat\jre\bin\decora_sse.dll (copy) Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp File created: C:\Program Files (x86)\Arcane Cheat\jre\bin\is-DK2B0.tmp Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp File created: C:\Program Files (x86)\Arcane Cheat\jre\bin\is-8BCTR.tmp Jump to dropped file
Source: C:\Users\user\Desktop\uChcvn3L6R.exe File created: C:\Users\user\AppData\Local\Temp\Arcane Cheat.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp File created: C:\Program Files (x86)\Arcane Cheat\jre\bin\jdwp.dll (copy) Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp File created: C:\Program Files (x86)\Arcane Cheat\jre\bin\is-LS3UA.tmp Jump to dropped file
Source: C:\Surrogateprovidercomponentsessionmonitor\browserwinsvc.exe File created: C:\Recovery\RuntimeBroker.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp File created: C:\Program Files (x86)\Arcane Cheat\jre\bin\java.exe (copy) Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp File created: C:\Program Files (x86)\Arcane Cheat\jre\bin\jsoundds.dll (copy) Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp File created: C:\Program Files (x86)\Arcane Cheat\jre\bin\javaw.exe (copy) Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp File created: C:\Program Files (x86)\Arcane Cheat\jre\bin\jfxwebkit.dll (copy) Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp File created: C:\Program Files (x86)\Arcane Cheat\jre\bin\is-OMDGH.tmp Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp File created: C:\Program Files (x86)\Arcane Cheat\jre\bin\javaws.exe (copy) Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp File created: C:\Program Files (x86)\Arcane Cheat\jre\bin\msvcr120.dll (copy) Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp File created: C:\Program Files (x86)\Arcane Cheat\jre\bin\is-M8DR9.tmp Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp File created: C:\Program Files (x86)\Arcane Cheat\jre\bin\msvcr100.dll (copy) Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp File created: C:\Program Files (x86)\Arcane Cheat\jre\bin\jfxmedia.dll (copy) Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp File created: C:\Program Files (x86)\Arcane Cheat\jre\bin\resource.dll (copy) Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp File created: C:\Program Files (x86)\Arcane Cheat\jre\bin\kcms.dll (copy) Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp File created: C:\Program Files (x86)\Arcane Cheat\jre\bin\is-1D9V4.tmp Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp File created: C:\Program Files (x86)\Arcane Cheat\jre\bin\is-TJN2U.tmp Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp File created: C:\Program Files (x86)\Arcane Cheat\jre\bin\is-RKJ6P.tmp Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp File created: C:\Program Files (x86)\Arcane Cheat\jre\bin\ssv.dll (copy) Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp File created: C:\Program Files (x86)\Arcane Cheat\jre\bin\plugin2\is-OVE01.tmp Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp File created: C:\Program Files (x86)\Arcane Cheat\jre\bin\is-6EJKR.tmp Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp File created: C:\Program Files (x86)\Arcane Cheat\jre\bin\is-H7O6N.tmp Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp File created: C:\Program Files (x86)\Arcane Cheat\jre\bin\prism_d3d.dll (copy) Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp File created: C:\Program Files (x86)\Arcane Cheat\jre\bin\rmid.exe (copy) Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp File created: C:\Program Files (x86)\Arcane Cheat\jre\bin\dtplugin\is-7TEQQ.tmp Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp File created: C:\Program Files (x86)\Arcane Cheat\jre\bin\is-8GHN8.tmp Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp File created: C:\Program Files (x86)\Arcane Cheat\jre\bin\is-GFQTQ.tmp Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp File created: C:\Program Files (x86)\Arcane Cheat\jre\bin\jp2launcher.exe (copy) Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp File created: C:\Program Files (x86)\Arcane Cheat\jre\bin\is-FDP9A.tmp Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\Arcane CheatSetup.exe File created: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp File created: C:\Program Files (x86)\Arcane Cheat\jre\bin\t2k.dll (copy) Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp File created: C:\Program Files (x86)\Arcane Cheat\jre\bin\is-RPV0O.tmp Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp File created: C:\Program Files (x86)\Arcane Cheat\jre\bin\plugin2\msvcr100.dll (copy) Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp File created: C:\Program Files (x86)\Arcane Cheat\jre\bin\npt.dll (copy) Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp File created: C:\Program Files (x86)\Arcane Cheat\jre\bin\plugin2\is-1RSEV.tmp Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp File created: C:\Program Files (x86)\Arcane Cheat\jre\bin\dtplugin\npdeployJava1.dll (copy) Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp File created: C:\Program Files (x86)\Arcane Cheat\jre\bin\is-069DQ.tmp Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp File created: C:\Program Files (x86)\Arcane Cheat\jre\bin\is-KFFNG.tmp Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp File created: C:\Program Files (x86)\Arcane Cheat\jre\bin\javafx_font_t2k.dll (copy) Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp File created: C:\Program Files (x86)\Arcane Cheat\unins000.exe (copy) Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp File created: C:\Program Files (x86)\Arcane Cheat\jre\bin\is-3TU72.tmp Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp File created: C:\Program Files (x86)\Arcane Cheat\jre\bin\is-NE044.tmp Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp File created: C:\Program Files (x86)\Arcane Cheat\jre\bin\is-FA3UT.tmp Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp File created: C:\Program Files (x86)\Arcane Cheat\jre\bin\is-7LLC2.tmp Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp File created: C:\Program Files (x86)\Arcane Cheat\jre\bin\jp2iexp.dll (copy) Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp File created: C:\Program Files (x86)\Arcane Cheat\jre\bin\ssvagent.exe (copy) Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp File created: C:\Program Files (x86)\Arcane Cheat\jre\bin\is-90393.tmp Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp File created: C:\Program Files (x86)\Arcane Cheat\jre\bin\is-O1CKK.tmp Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp File created: C:\Program Files (x86)\Arcane Cheat\jre\bin\deploy.dll (copy) Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp File created: C:\Program Files (x86)\Arcane Cheat\jre\bin\jp2ssv.dll (copy) Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp File created: C:\Program Files (x86)\Arcane Cheat\jre\bin\dtplugin\deployJava1.dll (copy) Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp File created: C:\Program Files (x86)\Arcane Cheat\jre\bin\servertool.exe (copy) Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp File created: C:\Program Files (x86)\Arcane Cheat\jre\bin\is-2KSRS.tmp Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp File created: C:\Program Files (x86)\Arcane Cheat\jre\bin\java_crw_demo.dll (copy) Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp File created: C:\Program Files (x86)\Arcane Cheat\jre\bin\jsound.dll (copy) Jump to dropped file
Source: C:\Surrogateprovidercomponentsessionmonitor\browserwinsvc.exe File created: C:\Windows\addins\audiodg.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp File created: C:\Program Files (x86)\Arcane Cheat\jre\bin\is-MV7G1.tmp Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp File created: C:\Program Files (x86)\Arcane Cheat\jre\bin\dt_shmem.dll (copy) Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp File created: C:\Program Files (x86)\Arcane Cheat\jre\bin\unpack200.exe (copy) Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp File created: C:\Program Files (x86)\Arcane Cheat\jre\bin\is-F27BH.tmp Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp File created: C:\Program Files (x86)\Arcane Cheat\jre\bin\rmiregistry.exe (copy) Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp File created: C:\Program Files (x86)\Arcane Cheat\jre\bin\is-11A56.tmp Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp File created: C:\Program Files (x86)\Arcane Cheat\jre\bin\JavaAccessBridge-32.dll (copy) Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp File created: C:\Program Files (x86)\Arcane Cheat\jre\bin\fxplugins.dll (copy) Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp File created: C:\Program Files (x86)\Arcane Cheat\jre\bin\is-RMB9M.tmp Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp File created: C:\Program Files (x86)\Arcane Cheat\jre\bin\is-RBKCS.tmp Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp File created: C:\Program Files (x86)\Arcane Cheat\jre\bin\jjs.exe (copy) Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp File created: C:\Program Files (x86)\Arcane Cheat\Arcane Cheat.exe (copy)
Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp File created: C:\Program Files (x86)\Arcane Cheat\jre\bin\JavaAccessBridge.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp File created: C:\Program Files (x86)\Arcane Cheat\jre\bin\is-4UUQJ.tmp
Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp File created: C:\Program Files (x86)\Arcane Cheat\jre\bin\is-T1J1I.tmp
Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp File created: C:\Program Files (x86)\Arcane Cheat\jre\bin\jli.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp File created: C:\Program Files (x86)\Arcane Cheat\jre\bin\is-162RA.tmp
Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp File created: C:\Program Files (x86)\Arcane Cheat\jre\bin\is-CSEKM.tmp
Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp File created: C:\Program Files (x86)\Arcane Cheat\jre\bin\is-FF2ON.tmp
Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp File created: C:\Program Files (x86)\Arcane Cheat\jre\bin\is-PFI2B.tmp
Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp File created: C:\Users\user\AppData\Local\Temp\is-N4812.tmp\_isetup\_shfoldr.dll
Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp File created: C:\Program Files (x86)\Arcane Cheat\is-5H46A.tmp
Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp File created: C:\Program Files (x86)\Arcane Cheat\is-8NKS2.tmp
Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp File created: C:\Program Files (x86)\Arcane Cheat\jre\bin\javafx_iio.dll (copy)
Source: C:\Surrogateprovidercomponentsessionmonitor\browserwinsvc.exe File created: C:\Windows\en-US\qiOZcVoixJLcuAFKAnRd.exe
Source: C:\Surrogateprovidercomponentsessionmonitor\browserwinsvc.exe File created: C:\Windows\addins\audiodg.exe
Source: C:\Surrogateprovidercomponentsessionmonitor\browserwinsvc.exe File created: C:\Windows\Fonts\qiOZcVoixJLcuAFKAnRd.exe

Boot Survival

Source: C:\Surrogateprovidercomponentsessionmonitor\browserwinsvc.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run audiodg
Source: C:\Surrogateprovidercomponentsessionmonitor\browserwinsvc.exe Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon Shell
Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\RestartManager\Session0000 RegFiles0000 C:\Program Files (x86)\Arcane Cheat\Arcane Cheat.exeC:\Program Files (x86)\Arcane Cheat\jre\bin\awt.dllC:\Program Files (x86)\Arcane Cheat\jre\bin\bci.dllC:\Program Files (x86)\Arcane Cheat\jre\bin\dcpr.dllC:\Program Files (x86)\Arcane Cheat\jre\bin\decora_sse.dllC:\Program Files (x86)\Arcane Cheat\jre\bin\deploy.dllC:\Program Files (x86)\Arcane Cheat\jre\bin\dt_shmem.dllC:\Program Files (x86)\Arcane Cheat\jre\bin\dt_socket.dllC:\Program Files (x86)\Arcane Cheat\jre\bin\eula.dllC:\Program Files (x86)\Arcane Cheat\jre\bin\fontmanager.dllC:\Program Files (x86)\Arcane Cheat\jre\bin\fxplugins.dllC:\Program Files (x86)\Arcane Cheat\jre\bin\glass.dllC:\Program Files (x86)\Arcane Cheat\jre\bin\glib-lite.dllC:\Program Files (x86)\Arcane Cheat\jre\bin\gstreamer-lite.dllC:\Program Files (x86)\Arcane Cheat\jre\bin\hprof.dllC:\Program Files (x86)\Arcane Cheat\jre\bin\instrument.dllC:\Program Files (x86)\Arcane Cheat\jre\bin\j2pcsc.dllC:\Program Files (x86)\Arcane Cheat\jre\bin\j2pkcs11.dllC:\Program Files (x86)\Arcane Cheat\jre\bin\jaas_nt.dllC:\Program Files (x86)\Arcane Cheat\jre\bin\jabswitch.exeC:\Program Files (x86)\Arcane Cheat\jre\bin\java-rmi.exeC:\Program Files (x86)\Arcane Cheat\jre\bin\java.dllC:\Program Files (x86)\Arcane Cheat\jre\bin\java.exeC:\Program Files (x86)\Arcane Cheat\jre\bin\JavaAccessBridge-32.dllC:\Program Files (x86)\Arcane Cheat\jre\bin\JavaAccessBridge.dllC:\Program Files (x86)\Arcane Cheat\jre\bin\javacpl.exeC:\Program Files (x86)\Arcane Cheat\jre\bin\javafx_font.dllC:\Program Files (x86)\Arcane Cheat\jre\bin\javafx_font_t2k.dllC:\Program Files (x86)\Arcane Cheat\jre\bin\javafx_iio.dllC:\Program Files (x86)\Arcane Cheat\jre\bin\javaw.exeC:\Program Files (x86)\Arcane Cheat\jre\bin\javaws.exeC:\Program Files (x86)\Arcane Cheat\jre\bin\java_crw_demo.dllC:\Program Files (x86)\Arcane Cheat\jre\bin\jawt.dllC:\Program Files (x86)\Arcane Cheat\jre\bin\JAWTAccessBridge-32.dllC:\Program Files (x86)\Arcane Cheat\jre\bin\JAWTAccessBridge.dllC:\Program Files (x86)\Arcane Ch
Source: C:\Surrogateprovidercomponentsessionmonitor\browserwinsvc.exe Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run qiOZcVoixJLcuAFKAnRd
Source: C:\Surrogateprovidercomponentsessionmonitor\browserwinsvc.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run RuntimeBroker
Source: C:\Surrogateprovidercomponentsessionmonitor\browserwinsvc.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run WinStore.App
Source: C:\Surrogateprovidercomponentsessionmonitor\browserwinsvc.exe Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run audiodg
Source: C:\Surrogateprovidercomponentsessionmonitor\browserwinsvc.exe Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run explorer
Source: C:\Surrogateprovidercomponentsessionmonitor\browserwinsvc.exe Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "qiOZcVoixJLcuAFKAnRdq" /sc MINUTE /mo 12 /tr "'C:\Program Files\Uninstall Information\qiOZcVoixJLcuAFKAnRd.exe'" /f
Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Arcane Cheat
Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Arcane Cheat\Arcane Cheat.lnk
Source: C:\Surrogateprovidercomponentsessionmonitor\browserwinsvc.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run qiOZcVoixJLcuAFKAnRd
Source: C:\Surrogateprovidercomponentsessionmonitor\browserwinsvc.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run explorer

Hooking and other Techniques for Hiding and Protection

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Users\user\Desktop\uChcvn3L6R.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Arcane CheatSetup.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Arcane Cheat.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\wscript.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Surrogateprovidercomponentsessionmonitor\browserwinsvc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\addins\audiodg.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\addins\audiodg.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\addins\audiodg.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\addins\audiodg.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\addins\audiodg.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\addins\audiodg.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\addins\audiodg.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\addins\audiodg.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\addins\audiodg.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\addins\audiodg.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\addins\audiodg.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\addins\audiodg.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\addins\audiodg.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\addins\audiodg.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\addins\audiodg.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\addins\audiodg.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\addins\audiodg.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\addins\audiodg.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\addins\audiodg.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\addins\audiodg.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\addins\audiodg.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\explorer.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\explorer.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: global traffic HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive
Source: C:\Surrogateprovidercomponentsessionmonitor\browserwinsvc.exe Memory allocated: 28C0000 memory reserve | memory write watch
Source: C:\Surrogateprovidercomponentsessionmonitor\browserwinsvc.exe Memory allocated: 1AAB0000 memory reserve | memory write watch
Source: C:\Windows\addins\audiodg.exe Memory allocated: 3050000 memory reserve | memory write watch
Source: C:\Windows\addins\audiodg.exe Memory allocated: 1B260000 memory reserve | memory write watch
Source: C:\Windows\addins\audiodg.exe Memory allocated: 7B0000 memory reserve | memory write watch
Source: C:\Windows\addins\audiodg.exe Memory allocated: 1A4F0000 memory reserve | memory write watch
Source: C:\Recovery\explorer.exe Memory allocated: 1090000 memory reserve | memory write watch
Source: C:\Recovery\explorer.exe Memory allocated: 1A9E0000 memory reserve | memory write watch
Source: C:\Recovery\explorer.exe Memory allocated: C90000 memory reserve | memory write watch
Source: C:\Recovery\explorer.exe Memory allocated: 1A8D0000 memory reserve | memory write watch
Source: C:\Recovery\explorer.exe Code function: 40_2_00007FFD9BA90525 sldt word ptr [eax] 40_2_00007FFD9BA90525
Source: C:\Surrogateprovidercomponentsessionmonitor\browserwinsvc.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\addins\audiodg.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\wscript.exe Window found: window name: WSH-Timer
Source: C:\Surrogateprovidercomponentsessionmonitor\browserwinsvc.exe Window / User API: threadDelayed 1195
Source: C:\Surrogateprovidercomponentsessionmonitor\browserwinsvc.exe Window / User API: threadDelayed 997
Source: C:\Windows\addins\audiodg.exe Window / User API: threadDelayed 367
Source: C:\Recovery\explorer.exe Window / User API: threadDelayed 365
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 1750
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 1810
Source: C:\Recovery\explorer.exe Window / User API: threadDelayed 367
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 1788
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 1967
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 1804
Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Arcane Cheat\jre\bin\verify.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Arcane Cheat\jre\bin\is-DQ2M9.tmp
Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Arcane Cheat\jre\bin\is-KH7DR.tmp
Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Arcane Cheat\jre\bin\is-VNH60.tmp
Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Arcane Cheat\jre\bin\is-M0CO5.tmp
Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Arcane Cheat\jre\bin\is-9OG1R.tmp
Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Arcane Cheat\jre\bin\is-CKDJ7.tmp
Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Arcane Cheat\jre\bin\is-B9PAS.tmp
Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Arcane Cheat\jre\bin\jsdt.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Arcane Cheat\jre\bin\is-GMKU6.tmp
Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Arcane Cheat\jre\bin\is-7KMRP.tmp
Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Arcane Cheat\jre\bin\is-HUQAI.tmp
Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Arcane Cheat\jre\bin\is-MH2RS.tmp
Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Arcane Cheat\jre\bin\is-7HO40.tmp
Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Arcane Cheat\jre\bin\is-6IE0O.tmp
Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Arcane Cheat\jre\bin\is-4VJ8E.tmp
Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Arcane Cheat\jre\bin\jaas_nt.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Arcane Cheat\jre\bin\dcpr.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Arcane Cheat\jre\bin\jabswitch.exe (copy)
Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Arcane Cheat\jre\bin\management.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Arcane Cheat\jre\bin\is-1EODK.tmp
Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Arcane Cheat\jre\bin\fontmanager.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Arcane Cheat\jre\bin\jfr.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Arcane Cheat\jre\bin\is-KP5B8.tmp
Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Arcane Cheat\jre\bin\hprof.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Arcane Cheat\jre\bin\keytool.exe (copy)
Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Arcane Cheat\jre\bin\WindowsAccessBridge.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Arcane Cheat\jre\bin\is-MITQ2.tmp
Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Arcane Cheat\jre\bin\awt.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Arcane Cheat\jre\bin\jawt.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Arcane Cheat\jre\bin\is-G6G2A.tmp
Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Arcane Cheat\jre\bin\is-FKC0I.tmp
Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Arcane Cheat\jre\bin\nio.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Arcane Cheat\jre\bin\is-DLMB6.tmp
Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Arcane Cheat\jre\bin\j2pkcs11.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Arcane Cheat\jre\bin\is-I5RLV.tmp
Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Arcane Cheat\jre\bin\eula.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Arcane Cheat\jre\bin\is-KL3UV.tmp
Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Arcane Cheat\jre\bin\wsdetect.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Arcane Cheat\jre\bin\plugin2\npjp2.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Arcane Cheat\jre\bin\splashscreen.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Arcane Cheat\jre\bin\is-17AF0.tmp
Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Arcane Cheat\jre\bin\orbd.exe (copy)
Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Arcane Cheat\jre\bin\is-LUGNS.tmp
Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Arcane Cheat\jre\bin\j2pcsc.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Arcane Cheat\jre\bin\instrument.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Arcane Cheat\jre\bin\WindowsAccessBridge-32.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Arcane Cheat\jre\bin\dtplugin\is-L2DJE.tmp
Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Arcane Cheat\jre\bin\is-U0SIJ.tmp
Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Arcane Cheat\jre\bin\is-TH2Q9.tmp
Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Arcane Cheat\jre\bin\is-5VJPG.tmp
Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Arcane Cheat\jre\bin\msvcp120.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Arcane Cheat\jre\bin\klist.exe (copy)
Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Arcane Cheat\jre\bin\javafx_font.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Arcane Cheat\jre\bin\is-SGAAD.tmp
Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Arcane Cheat\jre\bin\glib-lite.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Arcane Cheat\jre\bin\jp2native.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Arcane Cheat\jre\bin\java.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Arcane Cheat\jre\bin\is-P9144.tmp
Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Arcane Cheat\jre\bin\is-OV1CO.tmp
Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Arcane Cheat\jre\bin\is-ML2GN.tmp
Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Arcane Cheat\jre\bin\net.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Arcane Cheat\jre\bin\prism_common.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Arcane Cheat\jre\bin\JAWTAccessBridge.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Arcane Cheat\jre\bin\is-AASG5.tmp
Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Arcane Cheat\jre\bin\is-VI3JJ.tmp
Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Arcane Cheat\jre\bin\javacpl.exe (copy)
Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Arcane Cheat\jre\bin\gstreamer-lite.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Arcane Cheat\jre\bin\mlib_image.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Arcane Cheat\jre\bin\is-QS1JT.tmp
Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Arcane Cheat\jre\bin\javacpl.cpl (copy)
Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Arcane Cheat\jre\bin\is-78EDT.tmp
Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Arcane Cheat\jre\bin\pack200.exe (copy)
Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Arcane Cheat\jre\bin\is-DCG3E.tmp
Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-N4812.tmp\_isetup\_setup64.tmp
Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Arcane Cheat\jre\bin\prism_sw.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Arcane Cheat\jre\bin\sunmscapi.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Arcane Cheat\jre\bin\ktab.exe (copy)
Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Arcane Cheat\jre\bin\is-9PR86.tmp
Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Arcane Cheat\jre\bin\is-M6OGV.tmp
Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Arcane Cheat\jre\bin\is-F8M96.tmp
Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Arcane Cheat\jre\bin\client\is-KHA4M.tmp
Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Arcane Cheat\jre\bin\JAWTAccessBridge-32.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Arcane Cheat\jre\bin\is-94OVM.tmp
Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Arcane Cheat\jre\bin\bci.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Arcane Cheat\jre\bin\is-O5MSC.tmp
Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Arcane Cheat\jre\bin\is-F39U2.tmp
Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Arcane Cheat\jre\bin\dt_socket.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Arcane Cheat\jre\bin\is-0TC1S.tmp
Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Arcane Cheat\jre\bin\tnameserv.exe (copy)
Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Arcane Cheat\jre\bin\policytool.exe (copy)
Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Arcane Cheat\jre\bin\glass.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Arcane Cheat\jre\bin\is-1NNTS.tmp
Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Arcane Cheat\jre\bin\w2k_lsa_auth.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Arcane Cheat\jre\bin\is-FLHTG.tmp
Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Arcane Cheat\jre\bin\is-D49GQ.tmp
Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Arcane Cheat\jre\bin\is-RJ8O6.tmp
Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Arcane Cheat\jre\bin\is-6TBSI.tmp
Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Arcane Cheat\jre\bin\lcms.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Arcane Cheat\jre\bin\jpeg.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Arcane Cheat\jre\bin\is-3CGHC.tmp
Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Arcane Cheat\jre\bin\is-G1B5Q.tmp
Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Arcane Cheat\jre\bin\zip.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Arcane Cheat\jre\bin\client\jvm.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Arcane Cheat\jre\bin\is-C92NJ.tmp
Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Arcane Cheat\jre\bin\is-S4T07.tmp
Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Arcane Cheat\jre\bin\sunec.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Arcane Cheat\jre\bin\is-B9B0I.tmp
Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Arcane Cheat\jre\bin\java-rmi.exe (copy)
Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Arcane Cheat\jre\bin\kinit.exe (copy)
Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Arcane Cheat\jre\bin\unpack.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Arcane Cheat\jre\bin\decora_sse.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Arcane Cheat\jre\bin\is-23BHM.tmp
Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Arcane Cheat\jre\bin\is-DK2B0.tmp
Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Arcane Cheat\jre\bin\is-8BCTR.tmp
Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Arcane Cheat\jre\bin\jdwp.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Arcane Cheat\jre\bin\is-LS3UA.tmp
Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Arcane Cheat\jre\bin\java.exe (copy)
Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Arcane Cheat\jre\bin\jsoundds.dll (copy) Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Arcane Cheat\jre\bin\javaw.exe (copy) Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Arcane Cheat\jre\bin\jfxwebkit.dll (copy) Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Arcane Cheat\jre\bin\is-OMDGH.tmp Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Arcane Cheat\jre\bin\javaws.exe (copy) Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Arcane Cheat\jre\bin\msvcr120.dll (copy) Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Arcane Cheat\jre\bin\is-M8DR9.tmp Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Arcane Cheat\jre\bin\msvcr100.dll (copy) Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Arcane Cheat\jre\bin\jfxmedia.dll (copy) Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Arcane Cheat\jre\bin\resource.dll (copy) Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Arcane Cheat\jre\bin\kcms.dll (copy) Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Arcane Cheat\jre\bin\is-1D9V4.tmp Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Arcane Cheat\jre\bin\is-TJN2U.tmp Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Arcane Cheat\jre\bin\is-RKJ6P.tmp Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Arcane Cheat\jre\bin\ssv.dll (copy) Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Arcane Cheat\jre\bin\plugin2\is-OVE01.tmp Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Arcane Cheat\jre\bin\is-6EJKR.tmp Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Arcane Cheat\jre\bin\is-H7O6N.tmp Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Arcane Cheat\jre\bin\prism_d3d.dll (copy) Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Arcane Cheat\jre\bin\rmid.exe (copy) Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Arcane Cheat\jre\bin\dtplugin\is-7TEQQ.tmp Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Arcane Cheat\jre\bin\is-8GHN8.tmp Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Arcane Cheat\jre\bin\is-GFQTQ.tmp Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Arcane Cheat\jre\bin\jp2launcher.exe (copy) Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Arcane Cheat\jre\bin\is-FDP9A.tmp Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Arcane Cheat\jre\bin\t2k.dll (copy) Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Arcane Cheat\jre\bin\plugin2\msvcr100.dll (copy) Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Arcane Cheat\jre\bin\is-RPV0O.tmp Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Arcane Cheat\jre\bin\npt.dll (copy) Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Arcane Cheat\jre\bin\dtplugin\npdeployJava1.dll (copy) Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Arcane Cheat\jre\bin\plugin2\is-1RSEV.tmp Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Arcane Cheat\jre\bin\is-069DQ.tmp Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Arcane Cheat\jre\bin\is-KFFNG.tmp Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Arcane Cheat\jre\bin\javafx_font_t2k.dll (copy) Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Arcane Cheat\unins000.exe (copy) Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Arcane Cheat\jre\bin\is-3TU72.tmp Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Arcane Cheat\jre\bin\is-NE044.tmp Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Arcane Cheat\jre\bin\is-FA3UT.tmp Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Arcane Cheat\jre\bin\is-7LLC2.tmp Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Arcane Cheat\jre\bin\ssvagent.exe (copy) Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Arcane Cheat\jre\bin\jp2iexp.dll (copy) Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Arcane Cheat\jre\bin\is-90393.tmp Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Arcane Cheat\jre\bin\is-O1CKK.tmp Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Arcane Cheat\jre\bin\deploy.dll (copy) Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Arcane Cheat\jre\bin\jp2ssv.dll (copy) Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Arcane Cheat\jre\bin\dtplugin\deployJava1.dll (copy) Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Arcane Cheat\jre\bin\servertool.exe (copy) Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Arcane Cheat\jre\bin\is-2KSRS.tmp Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Arcane Cheat\jre\bin\java_crw_demo.dll (copy) Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Arcane Cheat\jre\bin\jsound.dll (copy) Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Arcane Cheat\jre\bin\dt_shmem.dll (copy) Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Arcane Cheat\jre\bin\is-MV7G1.tmp Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Arcane Cheat\jre\bin\unpack200.exe (copy) Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Arcane Cheat\jre\bin\is-F27BH.tmp Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Arcane Cheat\jre\bin\rmiregistry.exe (copy) Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Arcane Cheat\jre\bin\is-11A56.tmp Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Arcane Cheat\jre\bin\is-RBKCS.tmp Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Arcane Cheat\jre\bin\JavaAccessBridge-32.dll (copy) Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Arcane Cheat\jre\bin\is-RMB9M.tmp Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Arcane Cheat\jre\bin\fxplugins.dll (copy) Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Arcane Cheat\jre\bin\jjs.exe (copy) Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Arcane Cheat\Arcane Cheat.exe (copy) Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Arcane Cheat\jre\bin\JavaAccessBridge.dll (copy) Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Arcane Cheat\jre\bin\is-4UUQJ.tmp Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Arcane Cheat\jre\bin\is-T1J1I.tmp Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Arcane Cheat\jre\bin\jli.dll (copy) Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Arcane Cheat\jre\bin\is-162RA.tmp Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Arcane Cheat\jre\bin\is-FF2ON.tmp Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Arcane Cheat\jre\bin\is-CSEKM.tmp Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Arcane Cheat\jre\bin\is-PFI2B.tmp Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-N4812.tmp\_isetup\_shfoldr.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Arcane Cheat\is-5H46A.tmp Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Arcane Cheat\is-8NKS2.tmp Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Arcane Cheat\jre\bin\javafx_iio.dll (copy) Jump to dropped file
Source: C:\Surrogateprovidercomponentsessionmonitor\browserwinsvc.exe TID: 2180 Thread sleep count: 1195 > 30
Source: C:\Surrogateprovidercomponentsessionmonitor\browserwinsvc.exe TID: 2180 Thread sleep count: 997 > 30
Source: C:\Surrogateprovidercomponentsessionmonitor\browserwinsvc.exe TID: 6268 Thread sleep time: -30000s >= -30000s
Source: C:\Surrogateprovidercomponentsessionmonitor\browserwinsvc.exe TID: 4904 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\addins\audiodg.exe TID: 5164 Thread sleep count: 304 > 30
Source: C:\Windows\addins\audiodg.exe TID: 8548 Thread sleep count: 367 > 30
Source: C:\Windows\addins\audiodg.exe TID: 7240 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Recovery\explorer.exe TID: 2500 Thread sleep count: 365 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7740 Thread sleep count: 1750 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8360 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8260 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7736 Thread sleep count: 1810 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8368 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8252 Thread sleep time: -1844674407370954s >= -30000s
Source: C:\Recovery\explorer.exe TID: 3372 Thread sleep count: 367 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7944 Thread sleep count: 1788 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8344 Thread sleep time: -12912720851596678s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8228 Thread sleep time: -1844674407370954s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8116 Thread sleep count: 1967 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8348 Thread sleep time: -12912720851596678s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7656 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8144 Thread sleep count: 1804 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8356 Thread sleep time: -10145709240540247s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7592 Thread sleep time: -1844674407370954s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp Key opened: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Keyboard Layouts\08070809
Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp Key opened: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Keyboard Layouts\04070809
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Surrogateprovidercomponentsessionmonitor\browserwinsvc.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\addins\audiodg.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\addins\audiodg.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Recovery\explorer.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Recovery\explorer.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\AppData\Local\Temp\Arcane Cheat.exe Code function: 3_2_0082A5F4 FindFirstFileW,FindFirstFileW,GetLastError,FindNextFileW,GetLastError, 3_2_0082A5F4
Source: C:\Users\user\AppData\Local\Temp\Arcane Cheat.exe Code function: 3_2_0083B8E0 SendDlgItemMessageW,EndDialog,GetDlgItem,SetFocus,SetDlgItemTextW,SendDlgItemMessageW,FindFirstFileW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,FindClose,_swprintf,SetDlgItemTextW,SendDlgItemMessageW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,_swprintf,SetDlgItemTextW, 3_2_0083B8E0
Source: C:\Users\user\AppData\Local\Temp\Arcane Cheat.exe Code function: 3_2_0083DD72 VirtualQuery,GetSystemInfo, 3_2_0083DD72
Source: C:\Surrogateprovidercomponentsessionmonitor\browserwinsvc.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\addins\audiodg.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: browserwinsvc.exe, 00000007.00000002.1948355180.000000001C2F0000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: r&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}AutoItXxJ
Source: browserwinsvc.exe, 00000007.00000002.1947183113.000000001C24D000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}8b}\?
Source: is-KHA4M.tmp.2.dr Binary or memory string: java/lang/VirtualMachineError
Source: is-KHA4M.tmp.2.dr Binary or memory string: Unable to link/verify VirtualMachineError class
Source: wscript.exe, 00000004.00000003.1746564462.0000000003066000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: browserwinsvc.exe, 00000007.00000002.1948011318.000000001C2DB000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\\?\Volume{a33c736e-61ca-11ee-8c18-806e6f6e6963}\7K
Source: browserwinsvc.exe, 00000007.00000002.1947897628.000000001C2C7000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: -b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}KH
Source: is-KHA4M.tmp.2.dr Binary or memory string: m{constant pool}code cache C-heap hand metaspace chunks dict zone strs syms heap threads [Verifying Genesis-2147483648Unable to link/verify Finalizer.register methodUnable to link/verify ClassLoader.addClass methodProtectionDomain.impliesCreateAccessControlContext() has the wrong linkageUnable to link/verify Unsafe.throwIllegalAccessError methodJava heap space: failed reallocation of scalar replaced objectsGC overhead limit exceededRequested array size exceeds VM limitCompressed class spaceJava heap spaceUnable to link/verify VirtualMachineError classC:\re\workspace\8-2-build-windows-i586-cygwin\jdk8u101\7261\hotspot\src\share\vm\oops\arrayKlass.cpp[]guarantee(component_mirror()->klass() != NULL) failedshould have a classC:\re\workspace\8-2-build-windows-i586-cygwin\jdk8u101\7261\hotspot\src\share\vm\gc_interface/collectedHeap.inline.hpp - length: %dguarantee(a->length() >= 0) failedarray with negative length?guarantee(obj->is_array()) failedmust be arrayshould be klassguarantee(is_constantPool()) failedvtable restored by this call<pseudo-string> cache=0x%08x (extra) for /operands[%d]/preresolutionconstant pool [%d]A constant pool lockC:\re\workspace\8-2-build-windows-i586-cygwin\jdk8u101\7261\hotspot\src\share\vm\oops\constantPool.cppguarantee(!ConstantPool::is_invokedynamic_index(which)) failedan invokedynamic instruction does not have a klassRESOLVE %s %s
Source: browserwinsvc.exe, 00000007.00000002.1947183113.000000001C24D000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
Source: uChcvn3L6R.exe, 00000000.00000003.1725594185.0000000004FEE000.00000004.00000020.00020000.00000000.sdmp, Arcane Cheat.exe, 00000003.00000003.1728515342.000000000741F000.00000004.00000020.00020000.00000000.sdmp, Arcane Cheat.exe, 00000003.00000003.1727874706.00000000072F2000.00000004.00000020.00020000.00000000.sdmp, Arcane Cheat.exe, 00000003.00000003.1726951934.00000000069E7000.00000004.00000020.00020000.00000000.sdmp, browserwinsvc.exe, 00000007.00000000.1747946280.0000000000572000.00000002.00000001.01000000.0000000E.sdmp, RuntimeBroker.exe.7.dr Binary or memory string: tHGfSGePnSN5loNOcfS
Source: is-KHA4M.tmp.2.dr Binary or memory string: _well_known_klasses[SystemDictionary::VirtualMachineError_klass_knum]
Source: browserwinsvc.exe, 00000007.00000002.1943088220.000000001BA26000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll+
Source: C:\Users\user\AppData\Local\Temp\Arcane Cheat.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp Process information queried: ProcessInformation
Source: C:\Users\user\AppData\Local\Temp\Arcane Cheat.exe Code function: 3_2_0084866F IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 3_2_0084866F
Source: C:\Users\user\AppData\Local\Temp\Arcane Cheat.exe Code function: 3_2_0084753D mov eax, dword ptr fs:[00000030h] 3_2_0084753D
Source: C:\Users\user\AppData\Local\Temp\Arcane Cheat.exe Code function: 3_2_0084B710 GetProcessHeap, 3_2_0084B710
Source: C:\Surrogateprovidercomponentsessionmonitor\browserwinsvc.exe Process token adjusted: Debug
Source: C:\Windows\addins\audiodg.exe Process token adjusted: Debug
Source: C:\Windows\addins\audiodg.exe Process token adjusted: Debug
Source: C:\Recovery\explorer.exe Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
Source: C:\Recovery\explorer.exe Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\Arcane Cheat.exe Code function: 3_2_0083F063 SetUnhandledExceptionFilter, 3_2_0083F063
Source: C:\Users\user\AppData\Local\Temp\Arcane Cheat.exe Code function: 3_2_0083F22B SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 3_2_0083F22B
Source: C:\Users\user\AppData\Local\Temp\Arcane Cheat.exe Code function: 3_2_0084866F IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 3_2_0084866F
Source: C:\Users\user\AppData\Local\Temp\Arcane Cheat.exe Code function: 3_2_0083EF05 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 3_2_0083EF05
Source: C:\Surrogateprovidercomponentsessionmonitor\browserwinsvc.exe Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion

Source: C:\Surrogateprovidercomponentsessionmonitor\browserwinsvc.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Surrogateprovidercomponentsessionmonitor\browserwinsvc.exe'
Source: C:\Surrogateprovidercomponentsessionmonitor\browserwinsvc.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\RuntimeBroker.exe'
Source: C:\Surrogateprovidercomponentsessionmonitor\browserwinsvc.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\addins\audiodg.exe'
Source: C:\Surrogateprovidercomponentsessionmonitor\browserwinsvc.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Fonts\qiOZcVoixJLcuAFKAnRd.exe'
Source: C:\Surrogateprovidercomponentsessionmonitor\browserwinsvc.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Surrogateprovidercomponentsessionmonitor\qiOZcVoixJLcuAFKAnRd.exe'
Source: C:\Surrogateprovidercomponentsessionmonitor\browserwinsvc.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\RuntimeBroker.exe'
Source: C:\Surrogateprovidercomponentsessionmonitor\browserwinsvc.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\addins\audiodg.exe'
Source: C:\Surrogateprovidercomponentsessionmonitor\browserwinsvc.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Fonts\qiOZcVoixJLcuAFKAnRd.exe'
Source: C:\Surrogateprovidercomponentsessionmonitor\browserwinsvc.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Surrogateprovidercomponentsessionmonitor\qiOZcVoixJLcuAFKAnRd.exe'
Source: C:\Users\user\Desktop\uChcvn3L6R.exe Process created: C:\Users\user\AppData\Local\Temp\Arcane CheatSetup.exe "C:\Users\user\AppData\Local\Temp\Arcane CheatSetup.exe"
Source: C:\Users\user\Desktop\uChcvn3L6R.exe Process created: C:\Users\user\AppData\Local\Temp\Arcane Cheat.exe "C:\Users\user\AppData\Local\Temp\Arcane Cheat.exe"
Source: C:\Users\user\AppData\Local\Temp\Arcane Cheat.exe Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Surrogateprovidercomponentsessionmonitor\lEI1Ux7.vbe"
Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Surrogateprovidercomponentsessionmonitor\bjWdhUfYhC7CKzpdCHePv6eJ.bat" "
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Surrogateprovidercomponentsessionmonitor\browserwinsvc.exe "C:\Surrogateprovidercomponentsessionmonitor\browserwinsvc.exe"
Source: C:\Surrogateprovidercomponentsessionmonitor\browserwinsvc.exe Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "qiOZcVoixJLcuAFKAnRdq" /sc MINUTE /mo 12 /tr "'C:\Program Files\Uninstall Information\qiOZcVoixJLcuAFKAnRd.exe'" /f
Source: C:\Surrogateprovidercomponentsessionmonitor\browserwinsvc.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\RuntimeBroker.exe'
Source: C:\Surrogateprovidercomponentsessionmonitor\browserwinsvc.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\addins\audiodg.exe'
Source: C:\Surrogateprovidercomponentsessionmonitor\browserwinsvc.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Fonts\qiOZcVoixJLcuAFKAnRd.exe'
Source: C:\Surrogateprovidercomponentsessionmonitor\browserwinsvc.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Surrogateprovidercomponentsessionmonitor\qiOZcVoixJLcuAFKAnRd.exe'
Source: C:\Surrogateprovidercomponentsessionmonitor\browserwinsvc.exe Process created: unknown unknown Jump to behavior
Source: C:\Surrogateprovidercomponentsessionmonitor\browserwinsvc.exe Process created: unknown unknown Jump to behavior
Source: C:\Surrogateprovidercomponentsessionmonitor\browserwinsvc.exe Process created: unknown unknown Jump to behavior
Source: C:\Surrogateprovidercomponentsessionmonitor\browserwinsvc.exe Process created: unknown unknown Jump to behavior
Source: C:\Surrogateprovidercomponentsessionmonitor\browserwinsvc.exe Process created: unknown unknown Jump to behavior
Source: C:\Surrogateprovidercomponentsessionmonitor\browserwinsvc.exe Process created: unknown unknown Jump to behavior
Source: C:\Surrogateprovidercomponentsessionmonitor\browserwinsvc.exe Process created: unknown unknown Jump to behavior
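The process-creation lines above show the four behaviours that make this DCRat chain easy to spot in endpoint telemetry: Windows Defender exclusions added one per dropped file through Add-MpPreference, a schtasks entry that relaunches the payload every 12 minutes, system-process names (audiodg.exe, RuntimeBroker.exe, explorer.exe) placed in C:\Windows\addins and C:\Recovery where the real binaries never live, and a wscript/cmd/exe chain running out of a made-up folder directly under the drive root. The script below is an added detection example, not part of the sandbox report and not DCRat code; it parses the report's own "Source: ... Process created: ..." line format, so its sample input is copied from the lines above plus one constructed benign line. The 15-minute threshold, the list of system process names and the list of "expected" root folders are assumptions chosen for illustration, not something the report states.

```python
"""Heuristic triage of sandbox "Process created" lines for DCRat-style behaviour:
Defender exclusions added via Add-MpPreference, a scheduled task that relaunches
the payload every few minutes, system-process names outside their real
directories, and execution from an unexpected folder directly under the drive root."""
import re
from collections import defaultdict

# Constructed sample input: five lines copied from the report's own process-creation
# output plus one benign line (not from the report) so the negative case is exercised.
SAMPLE_EVENTS = [
    r"""Source: C:\Surrogateprovidercomponentsessionmonitor\browserwinsvc.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\RuntimeBroker.exe'""",
    r"""Source: C:\Surrogateprovidercomponentsessionmonitor\browserwinsvc.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\addins\audiodg.exe'""",
    r"""Source: C:\Users\user\AppData\Local\Temp\Arcane Cheat.exe Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Surrogateprovidercomponentsessionmonitor\lEI1Ux7.vbe" """,
    r"""Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Surrogateprovidercomponentsessionmonitor\browserwinsvc.exe "C:\Surrogateprovidercomponentsessionmonitor\browserwinsvc.exe" """,
    r"""Source: C:\Surrogateprovidercomponentsessionmonitor\browserwinsvc.exe Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "qiOZcVoixJLcuAFKAnRdq" /sc MINUTE /mo 12 /tr "'C:\Program Files\Uninstall Information\qiOZcVoixJLcuAFKAnRd.exe'" /f""",
    r"""Source: C:\Windows\explorer.exe Process created: C:\Windows\System32\notepad.exe "C:\Windows\System32\notepad.exe" C:\Users\user\notes.txt""",
]

# Assumed lists for illustration: names of processes that only ship from SYSTEM_DIRS,
# and top-level folders under which execution is ordinary. Anything else directly
# under the drive root (C:\Recovery, C:\Surrogate...) is treated as suspicious.
SYSTEM_NAMES = {"audiodg.exe", "runtimebroker.exe", "explorer.exe", "svchost.exe",
                "dllhost.exe", "csrss.exe", "lsass.exe", "winlogon.exe", "smss.exe"}
SYSTEM_DIRS = {r"c:\windows", r"c:\windows\system32", r"c:\windows\syswow64"}
EXPECTED_ROOTS = {"windows", "program files", "program files (x86)", "users", "programdata"}
MAX_TASK_MINUTES = 15  # assumed threshold: anything this frequent is a relaunch loop

EVENT_RE = re.compile(r"^Source: (?P<parent>.+?) Process created: (?P<rest>.+)$")
IMAGE_RE = re.compile(r"^(?P<image>.*?\.exe)(?: (?P<cmdline>.*))?$", re.IGNORECASE)
PATH_RE = re.compile(r"[A-Za-z]:\\[^\"']*?\.(?:exe|vbe|vbs|bat|cmd|js|ps1)\b", re.IGNORECASE)


def _basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def _dirname(path):
    return path.rsplit("\\", 1)[0].lower()


def _root_folder(path):
    parts = path.split("\\")
    return parts[1].lower() if len(parts) > 1 else ""


def _is_path(text):
    return re.match(r"^[A-Za-z]:\\", text) is not None


def parse_event(line):
    """Split one report line into parent image, child image and command line."""
    m = EVENT_RE.match(line.strip())
    if not m:
        return None
    im = IMAGE_RE.match(m["rest"])
    if not im:  # rows where the sandbox lost the image ("unknown unknown")
        return {"parent": m["parent"], "image": m["rest"], "cmdline": ""}
    return {"parent": m["parent"], "image": im["image"], "cmdline": im["cmdline"] or ""}


def analyse(event):
    """Return a de-duplicated list of (finding_kind, detail) for one event."""
    findings = []

    def add(kind, detail):
        if (kind, detail) not in findings:
            findings.append((kind, detail))

    image, cmdline = event["image"], event["cmdline"]
    cmd_paths = PATH_RE.findall(cmdline)
    # 1. Defender exclusion added from a command line, one per dropped file here.
    if re.search(r"add-mppreference", cmdline, re.I) and re.search(r"-exclusion", cmdline, re.I):
        for p in cmd_paths or [cmdline]:
            add("defender_exclusion", p)
    # 2. schtasks /create with a minute-granularity trigger.
    if _basename(image) == "schtasks.exe" and re.search(r"/create\b", cmdline, re.I):
        m = re.search(r"/sc\s+MINUTE\s+/mo\s+(\d+)", cmdline, re.I)
        if m and int(m.group(1)) <= MAX_TASK_MINUTES:
            add("frequent_task", f"every {m.group(1)} min")
    for p in [image, event["parent"], *cmd_paths]:
        if not _is_path(p):
            continue
        # 3. A system-process name outside the directory it really ships in.
        if _basename(p) in SYSTEM_NAMES and _dirname(p) not in SYSTEM_DIRS:
            add("masquerade", p)
        # 4. Image, parent or referenced file under an unexpected drive-root folder.
        if _root_folder(p) not in EXPECTED_ROOTS:
            add("suspicious_folder", p)
    return findings


def scan(lines):
    """Return [(line, findings)] for every parseable line that raised a finding."""
    hits = []
    for line in lines:
        event = parse_event(line)
        if event is None:
            continue
        findings = analyse(event)
        if findings:
            hits.append((line, findings))
    return hits


def summary(lines):
    """Count findings per kind across all lines."""
    counts = defaultdict(int)
    for _line, findings in scan(lines):
        for kind, _detail in findings:
            counts[kind] += 1
    return dict(counts)


if __name__ == "__main__":
    for line, findings in scan(SAMPLE_EVENTS):
        print(line[:90] + "...")
        for kind, detail in findings:
            print(f"    {kind}: {detail}")
    print(summary(SAMPLE_EVENTS))
```

Run against the six sample lines, the benign notepad line produces nothing while every report line raises at least one finding; the two exclusion lines also trip the masquerade check because the excluded paths themselves name system binaries in C:\Recovery and C:\Windows\addins. The same parser can be pointed at Sysmon event 1 or EDR process-start records once the "Source: ... Process created: ..." split is swapped for the relevant fields.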
Source: C:\Users\user\AppData\Local\Temp\Arcane Cheat.exe Code function: 3_2_0083ED5B cpuid 3_2_0083ED5B
Source: C:\Users\user\AppData\Local\Temp\Arcane Cheat.exe Code function: GetLocaleInfoW,GetNumberFormatW, 3_2_0083A63C
Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp Queries volume information: C:\ VolumeInformation
Source: C:\Surrogateprovidercomponentsessionmonitor\browserwinsvc.exe Queries volume information: C:\Surrogateprovidercomponentsessionmonitor\browserwinsvc.exe VolumeInformation
Source: C:\Surrogateprovidercomponentsessionmonitor\browserwinsvc.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Windows\addins\audiodg.exe Queries volume information: C:\Windows\addins\audiodg.exe VolumeInformation
Source: C:\Windows\addins\audiodg.exe Queries volume information: C:\Windows\addins\audiodg.exe VolumeInformation
Source: C:\Recovery\explorer.exe Queries volume information: C:\Recovery\explorer.exe VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Recovery\explorer.exe Queries volume information: C:\Recovery\explorer.exe VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Arcane Cheat.exe Code function: 3_2_0083D5D4 GetCommandLineW,OpenFileMappingW,MapViewOfFile,UnmapViewOfFile,CloseHandle,GetModuleFileNameW,SetEnvironmentVariableW,GetLocalTime,_swprintf,SetEnvironmentVariableW,GetModuleHandleW,LoadIconW,DialogBoxParamW,Sleep,DeleteObject,DeleteObject,CloseHandle, 3_2_0083D5D4
Source: C:\Users\user\AppData\Local\Temp\Arcane Cheat.exe Code function: 3_2_0082ACF5 GetVersionExW, 3_2_0082ACF5
Source: C:\Windows\SysWOW64\wscript.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information

barindex
Source: Yara match File source: 00000007.00000002.1869897360.0000000002C04000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000026.00000002.2564245326.00000000024F1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000002C.00000002.2426637115.00000000028D1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.1869897360.0000000002C1F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000028.00000002.2514657098.0000000002A1F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000028.00000002.2514657098.00000000029E1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000002C.00000002.2426637115.000000000290E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.1869897360.0000000002AB1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000023.00000002.2381409608.0000000003261000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.1914350978.0000000012ABD000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: browserwinsvc.exe PID: 6456, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: audiodg.exe PID: 7080, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: audiodg.exe PID: 3196, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: explorer.exe PID: 6092, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: explorer.exe PID: 1196, type: MEMORYSTR

Remote Access Functionality

barindex
Source: Yara match File source: 00000007.00000002.1869897360.0000000002C04000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000026.00000002.2564245326.00000000024F1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000002C.00000002.2426637115.00000000028D1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.1869897360.0000000002C1F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000028.00000002.2514657098.0000000002A1F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000028.00000002.2514657098.00000000029E1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000002C.00000002.2426637115.000000000290E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.1869897360.0000000002AB1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000023.00000002.2381409608.0000000003261000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.1914350978.0000000012ABD000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: browserwinsvc.exe PID: 6456, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: audiodg.exe PID: 7080, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: audiodg.exe PID: 3196, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: explorer.exe PID: 6092, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: explorer.exe PID: 1196, type: MEMORYSTR